

## Model-Based Testing

### Electronic Funds Transfer (EFT)



2

## Example Scenarios



## Example Scenarios



## Black-Box Testing



5

## Black-Box Testing



6

## Specification by Use Cases



7

## Example: Purchase Use Case

### Alternate flows:

- 3-a) If the response from core is not parseable according to the core/switch protocol, the message is discarded and the switch waits for the core response
- 3-a-1) If the number of invalid responses received from the core during the use case exceeds 3, an error message is sent to the POS and is recorded by the system, and the use case terminates

**The Problem:**

It is not easy to enumerate all possible scenarios of interaction from informal use case descriptions

including  
concurrency

**Solution: Model-Based Testing**

- Modeling the specification formally
- Deriving test cases (scenarios) from the model



## Black-Box Testing



14

## Model-Based Black-Box Testing



15

## Model-Based Black-Box Testing



16

## Equivalence By Observation



17



THEORY:

## I/O CONFORMANCE TESTING (IOCO)

19

## Trace Equivalence

 $S_1$  $S_2$  $\approx_{\text{tr}}$  $\text{traces}(S_1) = \{\epsilon, a, ab\}$  $\text{traces}(S_2) = \{\epsilon, a, ab\}$ 

20



*But, these two are not “equivalent”*



21

## Testing Machine v.1



22

## Testing Machine v.1



23

## Testing Machine v.1



24

## Testing Machine v.1



No more action: Trace Completed!

25

## Completed Trace Equivalence

$$I \approx_{ctr} S$$

$$\text{traces}(I) = \text{traces}(S)$$

$$c\_traces(I) = c\_traces(S)$$

26

 $S_1$  $S_2$  $\approx_{tr}$  $\not\approx_{ctr}$ 

$$\begin{aligned} \text{traces}(S_1) &= \{\varepsilon, a, ab\} \\ c\_traces(S_1) &= \{a, ab\} \end{aligned}$$

$$\begin{aligned} \text{traces}(S_2) &= \{\varepsilon, a, ab\} \\ c\_traces(S_2) &= \{ab\} \end{aligned}$$

27

What about these two?



28

Testing Machine v.2



The buttons enable or disable actions that can be performed by the system

29

## Testing Machine v.2



30

## Testing Machine v.2



31

## Testing Machine v.2



32

What Jason did  
using switches



Environment



System

33

## Testing Equivalence

$$I \approx_{te} S$$

*for every environment E:*

$$\text{traces}(E \parallel I) = \text{traces}(E \parallel S)$$

$$c\text{-traces}(E \parallel I) = c\text{-traces}(E \parallel S)$$

34

## Failure Pairs

$$f\text{-pairs}(s) = \{ (\sigma, A) \in \text{Act} \times 2^{\text{Act}} \mid (s \text{ after } \sigma) \text{ refuses } A \}$$

$$s \text{ after } \sigma = \{ s' \mid s \xrightarrow{\sigma} s' \}$$

$$S \text{ refuses } A = \exists s \in S . \forall a \in A . s \not\xrightarrow{a}$$



35

## Testing Equivalence

$$I \approx_{te} S$$

*iff*

$$f\text{-pairs}(I) = f\text{-pairs}(S)$$

There is no sign of “environment” in the definition!

36

$$I \approx_{te} S$$

*for every environment E:*

$$\text{traces}(E \parallel I) = \text{traces}(E \parallel S)$$

$$c\text{-traces}(E \parallel I) = c\text{-traces}(E \parallel S)$$

Extensional  
Characterization

$$I \approx_{te} S$$

*iff*

$$f\text{-pairs}(I) = f\text{-pairs}(S)$$

Intentional  
Characterization



## Testing Machine v.3



40

## Testing Machine v.3



41

## Testing Machine v.3



42

## Testing Machine v.3



43

## Testing Machine v.3



44

## Testing Machine v.3



45

## Testing Machine v.3



46

## Testing Machine v.3



47

## Testing Machine v.3



48

## Testing Machine v.3



*Now, we know that we have completed a trace.*

49



## Refusal Equivalence

$$I \approx_{rf} S$$

*for every environment E:*

$$\text{traces}(E \parallel I) = \text{traces}(E \parallel S)$$

$$c\text{-traces}(E \parallel I) = c\text{-traces}(E \parallel S)$$

52

## Failure Traces

- Sequence over  $Act \cup 2^{Act}$ 
  - Single actions denote occurrence of an action
  - Action sets denote idle periods with enabled switches in the action set
- Example:
  - {a,b} c d b {b,c} {b,c,d} a Act

53

## Failure Traces and Refusal Self-Loops



54

## Refusal Equivalence (Intensional Characterization)

$$I \approx_{rf} S$$

*iff*

$$f\text{-traces}(I) = f\text{-traces}(S)$$

55



## Defining specifications at a higher-level



*Leaving out some decisions into the implementation*

58

## Testing Pre-order

$$I \sqsubseteq_{te} S$$

*for every environment E:*

$$\text{traces}(E \parallel I) \subseteq \text{traces}(E \parallel S)$$

$$c\_\text{traces}(E \parallel I) \subseteq c\_\text{traces}(E \parallel S)$$

59

## Refusal Pre-order

$$I \sqsubseteq_{rf} S$$

*for every environment E:*

$$\text{traces}(E \parallel I) \subseteq \text{traces}(E \parallel S)$$

$$c\text{-traces}(E \parallel I) \subseteq c\text{-traces}(E \parallel S)$$

60

## Restriction to Specification



61

## Restriction to Specification

$I \text{ conf } S$

*for every environment E:*

$$\text{traces}(E \parallel I) \cap \text{traces}(S) \subseteq \text{traces}(E \parallel S)$$

$$c\text{-traces}(E \parallel I) \cap \text{traces}(S) \subseteq c\text{-traces}(E \parallel S)$$

62

## I/O Transition Systems

Distinguishing between input and output actions



64

## Pre-orders on I/O transition systems

- The same notions apply here
  - I/O test pre-order
  - I/O refusal pre-order

$$I \sqsubseteq_{\text{ior}} S$$

for every environment E:

$$\text{traces}(E \parallel I) \subseteq \text{traces}(E \parallel S)$$

$$c\text{-traces}(E \parallel I) \subseteq c\text{-traces}(E \parallel S)$$

65

## I/O Conformance

Informally:

I/O Conformance = I/O Refusal restricted to specification traces

$$I \text{ ioco } S$$





67



68

## ioco Test Cases

- I/O transition systems
- The only terminal states:  and 
- Reversed I/O actions
- Special action  $\theta$
- Finite and deterministic



69

## Automatic Test Case Generation

- Init:
  - Generate an initial state
- Recursion:
  - At each point in the recursion choose non-deterministically between:
    1. Stopping the recursion
    2. Supplying an input
    3. Observing an output (one transition per output action)

70



71



72

## Specification Structure

Purchase Transaction



73

## Concurrent Transactions



POS #1



POS #2



*One LTS instance per transaction in the Switch*

74

## Business Transaction Model



## Verifying the Specification

$\text{A}[] \text{ forall } (i : \text{int}[0, \text{MAX\_TX}]) \text{ TransactionFlow}[i].\text{start} \rightarrow \text{TransactionFlow}[i].\text{finish}$



## Results so far

- Have found a few bugs in the system
  - One traced back to null-pointer dereferencing
  - Poor exception handling
  - Resource pooling problems
- Code coverage of about 40%



77

## Final Comments

- Scalability issues
- Modeling language and tool limitations
  - Modeling data-related business rules
  - Now using UML Statecharts
- Handling time constraints



78