Testing, Verification and Validation
Lecture 10
1
Outline
 Validation and verification
 Static analysis
 Testing and its stages
 Testing of non-functional properties
2
Validation and Verification
Lecture 10/Part 1
3Chapter 8 Software testing
Program testing
 Testing is intended to show that a program does what it is
intended to do and to discover program defects before it is put
into use.
 When you test software, you execute a program using
artificial data.
 You check the results of the test run for errors, anomalies or
information about the program’s non-functional attributes.
 Can reveal the presence of errors NOT their
absence.
 Testing is part of a more general verification and validation
process, which also includes static validation techniques.
Chapter 8 Software testing 4
Program testing goals
 To demonstrate to the developer and the customer that
the software meets its requirements.
 For custom software, this means that there should be at least
one test for every requirement in the requirements document.
For generic software products, it means that there should be
tests for all of the system features, plus combinations of these
features, that will be incorporated in the product release.
 To discover situations in which the behavior of the
software is incorrect, undesirable or does not conform to
its specification.
 Defect testing is concerned with rooting out undesirable system
behavior such as system crashes, unwanted interactions with
other systems, incorrect computations and data corruption.
5Chapter 8 Software testing
Validation and defect testing
 The first goal leads to validation testing
 You expect the system to perform correctly using a given set of
test cases that reflect the system’s expected use.
 The second goal leads to defect testing
 The test cases are designed to expose defects. The test cases in
defect testing can be deliberately obscure and need not reflect
how the system is normally used.
6Chapter 8 Software testing
Testing process goals
 Validation testing
 To demonstrate to the developer and the system customer that
the software meets its requirements
 A successful test shows that the system operates as intended.
 Defect testing
 To discover faults or defects in the software where its behaviour
is incorrect or not in conformance with its specification
 A successful test is a test that makes the system perform
incorrectly and so exposes a defect in the system.
7Chapter 8 Software testing
An input-output model of program testing
8Chapter 8 Software testing
 Verification:
"Are we building the product right”.
 The software should conform to its specification.
 Validation:
"Are we building the right product”.
 The software should do what the user really requires.
Verification vs validation
9Chapter 8 Software testing
V & V confidence
 Aim of V & V is to establish confidence that the system is
‘fit for purpose’.
 Depends on system’s purpose, user expectations and
marketing environment
 Software purpose
• The level of confidence depends on how critical the software is to
an organisation.
 User expectations
• Users may have low expectations of certain kinds of software.
 Marketing environment
• Getting a product to market early may be more important than
finding defects in the program.
10Chapter 8 Software testing
 Software inspections. Concerned with analysis of
the static system representation to discover problems
(static verification)
 May be supplement by tool-based document and code analysis.
 Software testing. Concerned with exercising and
observing product behaviour (dynamic verification)
 The system is executed with test data and its operational
behaviour is observed.
Inspections and testing
11Chapter 8 Software testing
Inspections and testing
12Chapter 8 Software testing
Software inspections
 These involve people examining the source
representation with the aim of discovering anomalies and
defects.
 Inspections do not require execution of a system so may
be used before implementation.
 They may be applied to any representation of the system
(requirements, design,configuration data, test data, etc.).
 They have been shown to be an effective technique for
discovering program errors.
13Chapter 8 Software testing
Advantages of inspections
 During testing, errors can mask (hide) other errors.
Because inspection is a static process, you don’t have to
be concerned with interactions between errors.
 Incomplete versions of a system can be inspected
without additional costs. If a program is incomplete, then
you need to develop specialized test harnesses to test
the parts that are available.
 As well as searching for program defects, an inspection
can also consider broader quality attributes of a
program, such as compliance with standards, portability
and maintainability.
Chapter 8 Software testing 14
Static Analysis
Lecture 10/Part 2
15
Chapter 15 Dependability and Security
Assurance
Static analysis
 Static analysis techniques are system verification
techniques that don’t involve executing a program.
 Inspections and reviews are a form of static analysis,
which also includes:
 Formal verification
 Model checking
 Automated program analysis
 Static analysis has its value whenever it is cheaper to
find and remove faults than to pay for system failure – in
critical systems namely.
16
Chapter 15 Dependability and Security
Assurance
Verification and formal methods
 Formal methods can be used when a mathematical
specification of the system is produced.
 They are the ultimate static verification technique that
may be used at different stages in the development
process:
 A formal specification may be developed and mathematically
analyzed for consistency. This helps discover specification errors
and omissions.
 Formal arguments that a program conforms to its mathematical
specification may be developed. This is effectivein discovering
programming and design errors.
17
Chapter 15 Dependability and Security
Assurance
Arguments for formal methods
 Producing a mathematical specification requires a
detailed analysis of the requirements and this is likely to
uncover errors.
 Concurrent systems can be analysed to discover race
conditions that might lead to deadlock. Testing for such
problems is very difficult.
 They can detect implementation errors before testing
when the program is analyzed alongside the
specification.
18
Chapter 15 Dependability and Security
Assurance
Arguments against formal methods
 Require specialised notations that cannot be understood
by domain experts.
 Very expensive to develop a specification and even more
expensive to show that a program meets that
specification.
 Proofs may contain errors.
 It may be possible to reach the same level of confidence
in a program more cheaply using other V & V
techniques.
19
Chapter 15 Dependability and Security
Assurance
Model checking
 Involves creating an extended finite state model of a
system and, using a specialized system (a model
checker), checking that model for errors.
 The model checker explores all possible paths through
the model and checks that a user-specified property is
valid for each path.
 Model checking is particularly valuable for verifying
concurrent systems, which are hard to test.
 Although model checking is computationally very
expensive, it is now practical to use it in the verification
of small to medium sized critical systems.
20
Chapter 15 Dependability and Security
Assurance
Model checking
21
Chapter 15 Dependability and Security
Assurance
Automated static analysis
 Static analysers are software tools for source text
processing.
 They parse the program text and try to discover
potentially erroneous conditions and bring these to the
attention of the V & V team.
 They are very effective as an aid to inspections - they
are a supplement to but not a replacement for
inspections.
22
Chapter 15 Dependability and Security
Assurance
Automated static analysis checks
Faultclass Static analysis check
Data faults Variablesused before initialization
Variablesdeclared butneverused
Variablesassignedtwice butneverused betweenassignments
Possible arraybound violations
Undeclaredvariables
Control faults Unreachable code
Unconditional branches into loops
Input/output faults Variablesoutputtwice with no intervening assignment
Interfacefaults Parameter-typemismatches
Parameternumbermismatches
Non-usageof the results of functions
Uncalled functionsand procedures
Storage management faults Unassignedpointers
Pointerarithmetic
Memory leaks
23
Chapter 15 Dependability and Security
Assurance
Levels of static analysis
 Characteristic error checking
 The static analyzer can check for patterns in the code that are
characteristic of errors made by programmers using a particular
language.
 User-defined error checking
 Users of a programming language define error patterns, thus
extending the types of error that can be detected. This allows
specific rules that apply to a program to be checked.
 Assertion checking
 Developers include formal assertions in their program and
relationships that must hold. The static analyzer symbolically
executes the code and highlights potential problems.
24
Chapter 15 Dependability and Security
Assurance
Use of static analysis
 Particularly valuable when a language such as C is used
which has weak typing and hence many errors are
undetected by the compiler.
 Particularly valuable for security checking – the static
analyzer can discover areas of vulnerability such as
buffer overflows or unchecked inputs.
 Static analysis is now routinely used in the development
of many safety and security critical systems.
25
Chapter 15 Dependability and Security
Assurance
Key points
 Static analysis is an approach to V & V that examines
the source code (or other representation) of a system,
looking for errors and anomalies.
 Model checking is a formal approach to static analysis
that exhaustively checks all states in a system for
potential errors.
26
Chapter 15 Dependability and Security
Assurance
Testing and its Stages
Lecture 10/Part 3
27Chapter 8 Software testing
Topics covered
 Development testing
 Unit testing
 Component testing
 System testing
 Release testing
 User testing
28Chapter 8 Software testing
Stages of testing
 Development testing, where the system is tested during
development to discover bugs and defects.
 Release testing, where a separate testing team test a
complete version of the system before it is released to
users.
 User testing, where users or potential users of a system
test the system in their own environment.
Chapter 8 Software testing 29
Development testing
 Development testing includes all testing activities that
are carried out by the team developing the system.
 Unit testing, where individual program units or object classes are
tested. Unit testing should focus on testing the functionality of
objects or methods.
 Component testing, where several individual units are integrated
to create composite components. Component testing should
focus on testing component interfaces.
 System testing, where some or all of the components in a
system are integrated and the system is tested as a whole.
System testing should focus on testing component interactions.
Chapter 8 Software testing 30
Unit testing
 Unit testing is the process of testing individual
components in isolation.
 It is a defect testing process.
 Units may be:
 Individual functions or methods within an object
 Object classes with several attributes and methods
 Compositecomponents with defined interfaces used to access
their functionality.
31Chapter 8 Software testing
Object class testing
 Complete test coverage of a class involves
 Testing all operations associated with an object
 Setting and interrogating all object attributes
 Exercising the object in all possible states.
 Inheritance makes it more difficult to design object class
tests as the information to be tested is not localised.
32Chapter 8 Software testing
The weather station object interface
33Chapter 8 Software testing
Weather station testing
 Need to define test cases for reportWeather, calibrate,
test, startup and shutdown.
 Using a state model, identify sequences of state
transitions to be tested and the event sequences to
cause these transitions
 For example:
 Shutdown -> Running-> Shutdown
 Configuring-> Running-> Testing -> Transmitting -> Running
 Running-> Collecting-> Running-> Summarizing -> Transmitting
-> Running
34Chapter 8 Software testing
Automated testing
 Whenever possible, unit testing should be automated so
that tests are run and checked without manual
intervention.
 In automated unit testing, you make use of a test
automation framework (such as JUnit) to write and run
your program tests.
 Unit testing frameworks provide generic test classes that
you extend to create specific test cases. They can then
run all of the tests that you have implemented and
report, often through some GUI, on the success of
otherwise of the tests.
Chapter 8 Software testing 35
Automated test components
 A setup part, where you initialize the system with the test
case, namely the inputs and expected outputs.
 A call part, where you call the object or method to be
tested.
 An assertion part where you compare the result of the
call with the expected result. If the assertion evaluates to
true, the test has been successful if false, then it has
failed.
Chapter 8 Software testing 36
Unit test effectiveness
 The test cases should show that, when used as
expected, the component that you are testing does what
it is supposed to do.
 If there are defects in the component, these should be
revealed by test cases.
 This leads to 2 types of unit test case:
 The first of these should reflect normal operation of a program
and should show that the component works as expected.
 The other kind of test case should be based on testing
experience of where common problems arise. It should use
abnormal inputs to check that these are properly processed and
do not crash the component.
37Chapter 8 Software testing
Testing strategies
 Partition testing, where you identify groups of inputs that
have common characteristics and should be processed
in the same way.
 You should choose tests from within each of these groups.
 Guideline-based testing, where you use testing
guidelines to choose test cases.
 These guidelines reflect previous experience of the kinds of
errors that programmers often make when developing
components.
Chapter 8 Software testing 38
Partition testing
 Input data and output results often fall into different
classes where all members of a class are related.
 Each of these classes is an equivalence partition or
domain where the program behaves in an equivalent
way for each class member.
 Test cases should be chosen from each partition.
39Chapter 8 Software testing
Equivalence partitioning
40Chapter 8 Software testing
Equivalence partitions
41Chapter 8 Software testing
Testing guidelines (sequences)
 Test software with sequences which have only a single
value.
 Use sequences of different sizes in different tests.
 Derive tests so that the first, middle and last elements of
the sequence are accessed.
 Test with sequences of zero length.
42Chapter 8 Software testing
General testing guidelines
 Choose inputs that force the system to generate all error
messages
 Design inputs that cause input buffers to overflow
 Repeat the same input or series of inputs numerous
times
 Force invalid outputs to be generated
 Force computation results to be too large or too small.
43Chapter 8 Software testing
Component testing
 Software components are often composite components
that are made up of several interacting objects.
 For example, in the weather station system, the reconfiguration
component includes objects that deal with each aspect of the
reconfiguration.
 You access the functionality of these objects through the
defined component interface.
 Testing composite components should therefore focus
on showing that the component interface behaves
according to its specification.
 You can assume that unit tests on the individual objects within
the component have been completed.
Chapter 8 Software testing 44
Interface testing
 Objectives are to detect faults due to interface errors or
invalid assumptions about interfaces.
45Chapter 8 Software testing
Interface errors
 Interface misuse
 A calling component calls another component and makes an
error in its use of its interface e.g. parameters in the wrong order.
 Interface misunderstanding
 A calling component embeds assumptions about the behaviour
of the called component which are incorrect.
 Timing errors
 The called and the calling component operate at different speeds
and out-of-date information is accessed.
46Chapter 8 Software testing
Interface testing guidelines
 Design tests so that parameters to a called procedure
are at the extreme ends of their ranges.
 Always test pointer parameters with null pointers.
 Design tests which cause the component to fail.
 Use stress testing in message passing systems.
 In shared memory systems, vary the order in which
components are activated.
47Chapter 8 Software testing
System testing
 System testing during development involves integrating
components to create a version of the system and then
testing the integrated system.
 The focus in system testing is testing the interactions
between components.
 System testing checks that components are compatible,
interact correctly and transfer the right data at the right
time across their interfaces.
 System testing tests the emergent behaviour of a
system.
48Chapter 8 Software testing
System and component testing
 During system testing, reusable components that have
been separately developed and off-the-shelf systems
may be integrated with newly developed components.
The complete system is then tested.
 Components developed by different team members or
sub-teams may be integrated at this stage. System
testing is a collective rather than an individual process.
 In some companies, system testing may involve a separate
testing team with no involvement from designers and
programmers.
Chapter 8 Software testing 49
Use-case testing
 The use-cases developed to identify system interactions
can be used as a basis for system testing.
 Each use case usually involves several system
components so testing the use case forces these
interactions to occur.
 The sequence diagrams associated with the use case
documents the components and interactions that are
being tested.
Chapter 8 Software testing 50
Collect weather data sequence chart
51Chapter 8 Software testing
Testing policies
 Exhaustive system testing is impossible so testing
policies which define the required system test coverage
may be developed.
 Examples of testing policies:
 All system functions that are accessed through menus should be
tested.
 Combinations of functions (e.g. text formatting) that are
accessed through the same menu must be tested.
 Where user input is provided, all functions must be tested with
both correct and incorrect input.
Chapter 8 Software testing 52
Test-driven development
 Test-driven development (TDD) is an approach to
program development in which you inter-leave testing
and code development.
 Tests are written before code and ‘passing’ the tests is
the critical driver of development.
 You develop code incrementally, along with a test for that
increment. You don’t move on to the next increment until
the code that you have developed passes its test.
 TDD was introduced as part of agile methods such as
Extreme Programming. However, it can also be used in
plan-driven development processes.
53Chapter 8 Software testing
Test-driven development
54Chapter 8 Software testing
TDD process activities
 Start by identifying the increment of functionality that is
required. This should normally be small and
implementable in a few lines of code.
 Write a test for this functionality and implement this as
an automated test.
 Run the test, along with all other tests that have been
implemented. Initially, you have not implemented the
functionality so the new test will fail.
 Implement the functionality and re-run the test.
 Once all tests run successfully, you move on to
implementing the next chunk of functionality.
55Chapter 8 Software testing
Benefits of test-driven development
 Code coverage
 Every code segment that you write has at least one associated
test so all code written has at least one test.
 Regression testing
 A regression test suite is developed incrementally as a program
is developed.
 Simplified debugging
 When a test fails, it should be obvious where the problem lies.
The newly written code needs to be checked and modified.
 System documentation
 The tests themselves are a form of documentation that describe
what the code should be doing.
56Chapter 8 Software testing
Regression testing
 Regression testing is testing the system to check that
changes have not ‘broken’ previously working code.
 In a manual testing process, regression testing is
expensive but, with automated testing, it is simple and
straightforward. All tests are rerun every time a change is
made to the program.
 Tests must run ‘successfully’ before the change is
committed.
57Chapter 8 Software testing
Release testing
 Release testing is the process of testing a particular release
of a system that is intended for use outside of the
development team.
 The primary goal of the release testing process is to
convince the supplier of the system that it is good enough
for use.
 Release testing, therefore, has to show that the system delivers its
specified functionality, performance and dependability, and that it
does not fail during normal use.
 Release testing is usually a black-box testing process
where tests are only derived from the system specification.
58Chapter 8 Software testing
Release testing and system testing
 Release testing is a form of system testing.
 Important differences:
 A separate team that has not been involved in the system
development, should be responsible for release testing.
 System testing by the development team should focus on
discovering bugs in the system (defect testing). The objective of
release testing is to check that the system meets its
requirements and is good enough for external use (validation
testing).
59Chapter 8 Software testing
Requirements based testing
 Requirements-based testing involves examining each
requirement and developing a test or tests for it.
 MHC-PMS requirements:
 If a patient is known to be allergic to any particular medication,
then prescription of that medication shall result in a warning
message being issued to the system user.
 If a prescriber chooses to ignore an allergy warning, they shall
provide a reason why this has been ignored.
60Chapter 8 Software testing
Requirements tests
 Set up a patient record with no known allergies. Prescribe medication for
allergies that are known to exist. Check that a warning message is not
issued by the system.
 Set up a patient record with a known allergy. Prescribe the medication to
that the patient is allergic to, and check that the warning is issued by the
system.
 Set up a patient record in which allergies to two or more drugs are recorded.
Prescribe both of these drugs separately and check that the correct warning
for each drug is issued.
 Prescribe two drugs that the patient is allergic to. Check that two warnings
are correctly issued.
 Prescribe a drug that issues a warning and overrule that warning. Check
that the system requires the user to provide information explaining why the
warning was overruled.
Chapter 8 Software testing 61
Features tested by scenario
 Authentication by logging on to the system.
 Downloading and uploading of specified patient records
to a laptop.
 Home visit scheduling.
 Encryption and decryption of patient records on a mobile
device.
 Record retrieval and modification.
 Links with the drugs database that maintains side-effect
information.
 The system for call prompting.
Chapter 8 Software testing 62
User testing
 User or customer testing is a stage in the testing process
in which users or customers provide input and advice on
system testing.
 User testing is essential, even when comprehensive
system and release testing have been carried out.
 The reason for this is that influences from the user’s working
environment have a major effect on the reliability, performance,
usability and robustness of a system. These cannot be replicated
in a testing environment.
63Chapter 8 Software testing
Types of user testing
 Alpha testing
 Users of the software work with the development team to test the
software at the developer’s site.
 Beta testing
 A release of the software is made available to users to allow
them to experiment and to raise problems that they discover with
the system developers.
 Acceptance testing
 Customers test a system to decide whether or not it is ready to
be accepted from the system developers and deployed in the
customerenvironment. Primarily for custom systems.
64Chapter 8 Software testing
The acceptance testing process
65Chapter 8 Software testing
Agile methods and acceptance testing
 In agile methods, the user/customer is part of the
development team and is responsible for making
decisions on the acceptability of the system.
 Tests are defined by the user/customer and are
integrated with other tests in that they are run
automatically when changes are made.
 There is no separate acceptance testing process.
 Main problem here is whether or not the embedded user
is ‘typical’ and can represent the interests of all system
stakeholders.
66Chapter 8 Software testing
Key points
 Testing can only show the presence of errors in a
program. It cannot demonstrate that there are no
remaining faults.
 Development testing is the responsibility of the software
development team. A separate team should be
responsible for testing a system before it is released to
customers.
 Development testing includes unit testing, in which you
test individual objects and methods component testing
in which you test related groups of objects and system
testing, in which you test partial or complete systems.
Chapter 8 Software testing 67
Key points
 When testing software, you should try to ‘break’ the software by
using experience and guidelines to choose types of test case that
have been effective in discovering defects in other systems.
 Wherever possible, you should write automated tests. The tests are
embedded in a program that can be run every time a change is
made to a system.
 Test-first development is an approach to development where tests
are written before the code to be tested.
 Scenario testing involves inventing a typical usage scenario and
using this to derive test cases.
 Acceptance testing is a user testing process where the aim is to
decide if the software is good enough to be deployed and used in its
operational environment.
68Chapter 8 Software testing
Testing of Non-Functional Properties
Lecture 10/Part 4
69
Chapter 15 Dependability and Security
Assurance
Topics covered
 Performance testing
 Reliability testing
 Security testing
70
Chapter 15 Dependability and Security
Assurance
Performance testing
 Part of release testing may involve testing the emergent
properties of a system, such as performance and
reliability.
 Tests should reflect the profile of use of the system.
 Performance tests usually involve planning a series of
tests where the load is steadily increased until the
system performance becomes unacceptable.
 Stress testing is a form of performance testing where the
system is deliberately overloaded to test its failure
behaviour.
71Chapter 8 Software testing
Reliability testing
 Reliability validation involves exercising the program to
assess whether or not it has reached the required level
of reliability.
 This cannot normally be included as part of a normal
defect testing process because data for defect testing is
(usually) atypical of actual usage data.
 Reliability measurement therefore requires a specially
designed data set that replicates the pattern of inputs to
be processed by the system.
72
Chapter 15 Dependability and Security
Assurance
Reliability validation activities
 Establish the operational profile for the system.
 Construct test data reflecting the operational profile.
 Test the system and observe the number of failures and
the times of these failures.
 Compute the reliability after a statistically significant
number of failures have been observed.
73
Chapter 15 Dependability and Security
Assurance
Reliability measurement problems
 Operational profile uncertainty
 The operational profile may not be an accurate reflection of the
real use of the system.
 High costs of test data generation
 Costs can be very high if the test data for the system cannot be
generated automatically.
 Statistical uncertainty
 You need a statistically significant number of failures to compute
the reliability but highly reliable systems will rarely fail.
 Recognizing failure
 It is not always obvious when a failure has occurred as there
may be conflicting interpretations of a specification.
74
Chapter 15 Dependability and Security
Assurance
Security testing
 Testing the extent to which the system can protect itself
from external attacks.
 Problems with security testing
 Security requirements are ‘shall not’ requirements i.e. they
specify what should not happen. It is not usually possible to
define security requirements as simple constraints that can be
checked by the system.
 The people attacking a system are intelligent and look for
vulnerabilities. They can experiment to discover weaknesses
and loopholes in the system.
 Static analysis may be used to guide the testing team to
areas of the program that may include errors and
vulnerabilities.
75
Chapter 15 Dependability and Security
Assurance
Security validation
 Experience-based validation
 The system is reviewed and analysed against the types of attack
that are known to the validation team.
 Tiger teams
 A team is established whose goal is to breach the security of the
system by simulating attacks on the system.
 Tool-based validation
 Various security tools such as password checkers are used to
analyse the system in operation.
 Formal verification
 The system is verified against a formal security specification.
76
Chapter 15 Dependability and Security
Assurance
Examples of entries in a security checklist
Security checklist
1. Do all files that are created in the application have appropriate access permissions? The
wrong access permissions may lead to these files being accessed by unauthorized users.
2. Does the system automatically terminate user sessions after a period of inactivity?
Sessions that are left active may allow unauthorized access through an unattended
computer.
3. If the system is written in a programming language without array bound checking, are
there situations where buffer overflow may be exploited? Buffer overflow may allow
attackers to send code strings to the system and then execute them.
4. If passwords are set, does the system check that passwords are ‘strong’? Strong
passwords consist of mixed letters, numbers, and punctuation, and are not normal dictionary
entries. They are more difficult to break than simple passwords.
5. Are inputs from the system’s environment always checked against an input specification?
Incorrect processing of badly formed inputs is a common cause of security vulnerabilities.
77
Chapter 15 Dependability and Security
Assurance
Key points
 Performance testing tests system performance
properties.
 Reliability testing relies on testing the system with a data
set that reflects the operational profile of the software.
 Security validation may be carried out using experiencebased
analysis, tool-based analysis or ‘tiger teams’ that
simulate attacks on a system.
78
Chapter 15 Dependability and Security
Assurance