Testing, Verification and Validation Lecture 10 1 Outline  Validation and verification  Static analysis  Testing and its stages  Testing of non-functional properties 2 Validation and Verification Lecture 10/Part 1 3Chapter 8 Software testing Program testing  Testing is intended to show that a program does what it is intended to do and to discover program defects before it is put into use.  When you test software, you execute a program using artificial data.  You check the results of the test run for errors, anomalies or information about the program’s non-functional attributes.  Can reveal the presence of errors NOT their absence.  Testing is part of a more general verification and validation process, which also includes static validation techniques. Chapter 8 Software testing 4 Testing process goals  Validation testing  To demonstrate to the developer and the system customer that the software meets its requirements  This means that there should be at least one test for every requirement or system feature.  A successful test shows that the system operates as intended.  Defect testing  To discover faults or defects in the software where its behaviour is incorrect or not in conformance with its specification  A successful test is a test that makes the system perform incorrectly and so exposes a defect in the system. 5Chapter 8 Software testing  Validation: "Are we building the right product”.  The software should meet user expectations, conform to user requirements (high-level user specification).  Verification: "Are we building the product right”.  The software should be defect-free, conform to low-level programmer specification (e.g. test cases). Validation vs. Verification 6Chapter 8 Software testing  Static verification. Concerned with analysis of the static system representation to discover problems – e.g. software inspections  May be supplement by tool-based document and code analysis.  Dynamic verification. Concerned with exercising and observing product behaviour – e.g. software testing  The system is executed with test data and its operational behaviour is observed. Static and dynamic verification 7Chapter 8 Software testing Inspections and testing 8Chapter 8 Software testing Software inspections  These involve people examining the source representation with the aim of discovering anomalies and defects.  Inspections do not require execution of a system so may be used before implementation.  They may be applied to any representation of the system (requirements, design,configuration data, test data, etc.).  They have been shown to be an effective technique for discovering program errors. 9Chapter 8 Software testing Advantages of inspections  During testing, errors can mask (hide) other errors. Because inspection is a static process, you don’t have to be concerned with interactions between errors.  Incomplete versions of a system can be inspected without additional costs. If a program is incomplete, then you need to develop specialized test harnesses to test the parts that are available.  As well as searching for program defects, an inspection can also consider broader quality attributes of a program, such as compliance with standards, portability and maintainability. Chapter 8 Software testing 10 Static Analysis Lecture 10/Part 2 11 Chapter 15 Dependability and Security Assurance Static analysis  Static analysis techniques are system verification techniques that don’t involve executing a program.  Inspections and reviews are a form of static analysis, which also includes:  Formal verification  Model checking  Automated program analysis  Static analysis has its value whenever it is cheaper to find and remove faults than to pay for system failure – in critical systems namely. 12 Chapter 15 Dependability and Security Assurance Verification and formal methods  Formal methods can be used when a mathematical specification of the system is produced.  They are the ultimate static verification technique that may be used at different stages in the development process:  A formal specification may be developed and mathematically analyzed for consistency. This helps discover specification errors and omissions.  Formal arguments that a program conforms to its mathematical specification may be developed. This is effectivein discovering programming and design errors. 13 Chapter 15 Dependability and Security Assurance Arguments for formal methods  Producing a mathematical specification requires a detailed analysis of the requirements and this is likely to uncover errors.  Concurrent systems can be analysed to discover race conditions that might lead to deadlock. Testing for such problems is very difficult.  They can detect implementation errors before testing when the program is analyzed alongside the specification. 14 Chapter 15 Dependability and Security Assurance Arguments against formal methods  Require specialised notations that cannot be understood by domain experts.  Very expensive to develop a specification and even more expensive to show that a program meets that specification.  Proofs may contain errors.  It may be possible to reach the same level of confidence in a program more cheaply using other V & V techniques. 15 Chapter 15 Dependability and Security Assurance Model checking  Involves creating an extended finite state model of a system and, using a specialized system (a model checker), checking that model for errors. 16 Chapter 15 Dependability and Security Assurance Model checking 17 Chapter 15 Dependability and Security Assurance  The model checker explores all possible paths through the model and checks that a user-specified property is valid for each path.  Model checking is particularly valuable for verifying concurrent systems, which are hard to test.  Although model checking is computationally very expensive, it is now practical to use it in the verification of small to medium sized critical systems. Automated static analysis  Static analysers are software tools for source text processing.  They parse the program text and try to discover potentially erroneous conditions and bring these to the attention of the V & V team.  They are very effective as an aid to inspections - they are a supplement to but not a replacement for inspections. 18 Chapter 15 Dependability and Security Assurance Automated static analysis checks Faultclass Static analysis check Data faults Variablesused before initialization Variablesdeclared butneverused Variablesassignedtwice butneverused betweenassignments Possible arraybound violations Undeclaredvariables Control faults Unreachable code Unconditional branches into loops Input/output faults Variablesoutputtwice with no intervening assignment Interfacefaults Parameter-typemismatches Parameternumbermismatches Non-usageof the results of functions Uncalled functionsand procedures Storage management faults Unassignedpointers Pointerarithmetic Memory leaks 19 Chapter 15 Dependability and Security Assurance Levels of static analysis  Characteristic error checking  The static analyzer can check for patterns in the code that are characteristic of errors made by programmers using a particular language.  User-defined error checking  Users of a programming language define error patterns, thus extending the types of error that can be detected. This allows specific rules that apply to a program to be checked.  Assertion checking  Developers include formal assertions in their program and relationships that must hold. The static analyzer symbolically executes the code and highlights potential problems. 20 Chapter 15 Dependability and Security Assurance Use of static analysis  Particularly valuable when a language such as C is used which has weak typing and hence many errors are undetected by the compiler.  Particularly valuable for security checking – the static analyzer can discover areas of vulnerability such as buffer overflows or unchecked inputs.  Static analysis is now routinely used in the development of many safety and security critical systems. 21 Chapter 15 Dependability and Security Assurance Key points  Static analysis is an approach to V & V that examines the source code (or other representation) of a system, looking for errors and anomalies.  Model checking is a formal approach to static analysis that exhaustively checks all states in a system for potential errors. 22 Chapter 15 Dependability and Security Assurance Testing and its Stages Lecture 10/Part 3 23Chapter 8 Software testing Topics covered  Development testing  Unit testing  Component testing  System testing  Release testing  User testing 24Chapter 8 Software testing Stages of testing  Development testing, where the system is tested during development to discover bugs and defects.  Release testing, where a separate testing team test a complete version of the system before it is released to users.  User testing, where users or potential users of a system test the system in their own environment. Chapter 8 Software testing 25 Development testing  Development testing includes all testing activities that are carried out by the team developing the system.  Unit testing, where individual program units or object classes are tested. Unit testing should focus on testing the functionality of objects or methods.  Component testing, where several individual units are integrated to create composite components. Component testing should focus on testing component interfaces.  System testing, where some or all of the components in a system are integrated and the system is tested as a whole. System testing should focus on testing component interactions. Chapter 8 Software testing 26 Unit testing  Unit testing is the process of testing individual components in isolation.  It is a defect testing process.  Units may be:  Individual functions or methods within an object  Object classes with several attributes and methods  Compositecomponents with defined interfaces used to access their functionality. 27Chapter 8 Software testing Object class testing  Complete test coverage of a class involves  Testing all operations associated with an object  Setting and interrogating all object attributes  Exercising the object in all possible states.  Inheritance makes it more difficult to design object class tests as the information to be tested is not localised. 28Chapter 8 Software testing The weather station object interface 29Chapter 8 Software testing Weather station testing  Need to define test cases for reportWeather, calibrate, test, startup and shutdown.  Using a state model, identify sequences of state transitions to be tested and the event sequences to cause these transitions  For example:  Shutdown -> Running-> Shutdown  Running-> Collecting-> Running-> Summarizing -> Transmitting -> Running 30Chapter 8 Software testing Automated testing  Whenever possible, unit testing should be automated so that tests are run and checked without manual effort.  Test automation frameworks (such as JUnit) can be used to write and run program tests.  Unit testing frameworks provide generic test classes that you extend to create specific test cases. They can then run all of the tests and report, often through some GUI, on the success of the tests.  Test structure: setup – call – assertion evaluation, which compares the result of the call with the expected result Chapter 8 Software testing 31 Testing strategies  Partition testing, where you identify groups of inputs that have common characteristics and should be processed in the same way.  You should choose tests from within each of these groups.  Focus on both the expected inputs (verifying normal execution) and abnormal inputs (localizing defects).  Guideline-based testing, where you use testing guidelines to choose test cases.  These guidelines reflect previous experience of the kinds of errors that programmers often make when developing components. Chapter 8 Software testing 32 Partition testing  Input data and output results often fall into different classes where all members of a class are related.  The classes form equivalence partitions where the program behaves in an equivalent way for each member.  Test cases should be chosen from each partition. 33Chapter 8 Software testing Equivalence partitions 34Chapter 8 Software testing General testing guidelines  Choose inputs that force the system to generate all error messages  Design inputs that cause input buffers to overflow  Repeat the same input or series of inputs numerous times  Force invalid outputs to be generated  Force computation results to be too large or too small. 35Chapter 8 Software testing Guidelines for testing sequences  Test software with sequences which have only a single value.  Use sequences of different sizes in different tests.  Derive tests so that the first, middle and last elements of the sequence are accessed.  Test with sequences of zero length. 36Chapter 8 Software testing Component testing  Software components are often composite components that are made up of several interacting objects.  For example, in the weather station system, the reconfiguration component includes objects that deal with each aspect of the reconfiguration.  You access the functionality of these objects through the defined component interface.  Testing composite components should therefore focus on showing that the component interface behaves according to its specification.  You can assume that unit tests on the individual objects within the component have been completed. Chapter 8 Software testing 37 Interface testing  Objectives are to detect faults due to interface errors or invalid assumptions about interfaces. 38Chapter 8 Software testing Interface errors  Interface misuse  A calling component calls another component and makes an error in its use of its interface e.g. parameters in the wrong order.  Interface misunderstanding  A calling component embeds assumptions about the behaviour of the called component which are incorrect.  Timing errors  The called and the calling component operate at different speeds and out-of-date information is accessed.  The caller is violating the protocol (assumed ordering of service calls) of the calling component. 39Chapter 8 Software testing Interface testing guidelines  Design tests so that parameters to a called procedure are at the extreme ends of their ranges.  Always test pointer parameters with null pointers.  Design tests which cause the component to fail.  Use stress testing in message passing systems.  In shared memory systems, vary the order in which components are activated. 40Chapter 8 Software testing System testing  System testing during development involves integrating components to create a version of the system and then testing the integrated system.  The focus in system testing is testing the interactions between components.  System testing checks that components are compatible, interact correctly and transfer the right data at the right time across their interfaces.  Components developed by different teams and thirdparty components are integrated at this stage. System testing is a collective rather than an individual process. 41Chapter 8 Software testing Testing policies  Exhaustive system testing is impossible so testing policies which define the required system test coverage may be developed.  Examples of testing policies:  All system functions that are accessed through menus should be tested.  Combinations of functions (e.g. text formatting) that are accessed through the same menu must be tested.  Where user input is provided, all functions must be tested with both correct and incorrect input.  All use cases must be executed during testing. Chapter 8 Software testing 42 Test-driven development  Test-driven development (TDD) is an approach to program development in which tests are written before code and ‘passing’ the tests is the driver of development. Is TDD connected with a specific process method? 43Chapter 8 Software testing Benefits of test-driven development  Code coverage  Every code segment that you write has at least one associated test so all code written has at least one test.  Regression testing  A regression test suite is developed incrementally as a program is developed.  Simplified debugging  When a test fails, it should be obvious where the problem lies. The newly written code needs to be checked and modified.  System documentation  The tests themselves are a form of documentation that describe what the code should be doing. 44Chapter 8 Software testing Regression testing  Regression testing is testing the system to check that changes have not ‘broken’ previously working code.  In a manual testing process, regression testing is expensive but, with automated testing, it is simple and straightforward. All tests are rerun every time a change is made to the program.  Tests must run ‘successfully’ before the change is committed. 45Chapter 8 Software testing Release testing  Release testing is the process of testing a particular release of a system that is intended for use.  The primary goal of the release testing process is to convince the supplier of the system that it is good enough for use.  Release testing, therefore, has to show that the system delivers its specified functionality, performance and dependability, and that it does not fail during normal use.  The use-cases developed to identify system requirements can be used as a basis for release testing.  Release testing is usually a black-box testing process where tests are only derived from the system specification. 46Chapter 8 Software testing Release testing and system testing  Release testing is a form of system testing.  Important differences:  A separate team that has not been involved in the system development, should be responsible for release testing.  System testing by the development team should focus on discovering bugs in the system (defect testing). The objective of release testing is to check that the system meets its requirements and is good enough for external use (validation testing). 47Chapter 8 Software testing Requirements based testing  Requirements-based testing involves examining each requirement and developing a test or tests for it.  MHC-PMS requirement:  If a patient is known to be allergic to any particular medication, then prescription of that medication shall result in a warning message being issued to the system user.  Tests: • Patient record with no allergies. Prescribe medication. Check that a warning message is not issued by the system. • Patient record with a known allergy. Prescribe the medication to that the patient is allergic to, and check that the warning is issued. • Prescribe two drugs that the patient is allergic to. Check that two warnings are correctly issued. 48Chapter 8 Software testing User testing  User or customer testing is a stage in the testing process in which users or customers provide input and advice on system testing.  User testing is essential, even when comprehensive system and release testing have been carried out.  The reason for this is that influences from the user’s working environment have a major effect on the reliability, performance, usability and robustness of a system. 49Chapter 8 Software testing Types of user testing  Alpha testing  Users of the software work with the development team to test the software at the developer’s site.  Beta testing  A release of the software is made available to users to allow them to experiment and to raise problems that they discover with the system developers.  Acceptance testing  Customers test a system to decide whether it is ready to be accepted from the developer and deployed in their environment.  Systematic activity with defined test criteria, test plan and result reports. 50Chapter 8 Software testing Key points  Testing can only show the presence of errors in a program. It cannot demonstrate that there are no remaining faults.  Development testing includes unit testing, in which you test individual objects and methods, component testing in which you test related groups of objects, and system testing, in which you test partial or complete systems.  Test-first development is an approach to development where tests are written before the code to be tested.  Acceptance testing is a user testing process where the aim is to decide if the software is good enough to be deployed and used in its operational environment. Chapter 8 Software testing 51 Testing of Non-Functional Properties Lecture 10/Part 4 52 Chapter 15 Dependability and Security Assurance Topics covered  Performance testing  Reliability testing  Security testing 53 Chapter 15 Dependability and Security Assurance Performance testing  Part of release testing may involve testing the emergent properties of a system, such as performance and reliability.  Tests should reflect the profile of use of the system.  Performance tests usually involve planning a series of tests where the load is steadily increased until the system performance becomes unacceptable.  Stress testing is a form of performance testing where the system is deliberately overloaded to test its failure behaviour. 54Chapter 8 Software testing Reliability testing  Reliability validation involves exercising the program to assess whether or not it has reached the required level of reliability.  Reliability measurement requires a specially designed data set that reflects expected system usage (unlike in defect testing where atypical usage receives higher attention), i.e. replicates expected input patterns 55 Chapter 15 Dependability and Security Assurance Reliability measurement problems  Operational profile uncertainty  The operational profile may not be an accurate reflection of the real use of the system.  Statistical uncertainty  You need a statistically significant number of failures to compute the reliability but highly reliable systems will rarely fail.  Recognizing failure  It is not always obvious when a failure has occurred as there may be conflicting interpretations of a specification.  High costs of test data generation  Costs can be very high if the test data for the system cannot be generated automatically. 56 Chapter 15 Dependability and Security Assurance Security testing  Testing the extent to which the system can protect itself from external attacks.  Problems with security testing  Security requirements are ‘shall not’ requirements i.e. they specify what should not happen. It is not usually possible to define security requirements as simple constraints that can be checked by the system.  The people attacking a system are intelligent and look for vulnerabilities. They can experiment to discover weaknesses and loopholes in the system.  Static analysis may be used to guide the testing team to areas of the program that may include errors and vulnerabilities. 57 Chapter 15 Dependability and Security Assurance Security validation  Experience-based validation  The system is reviewed and analysed against the types of attack that are known to the validation team.  Tiger teams  A team is established whose goal is to breach the security of the system by simulating attacks on the system.  Tool-based validation  Various security tools such as password checkers are used to analyse the system in operation.  Formal verification  The system is verified against a formal security specification. 58 Chapter 15 Dependability and Security Assurance Examples of entries in a security checklist Security checklist 1. Do all files that are created in the application have appropriate access permissions? The wrong access permissions may lead to these files being accessed by unauthorized users. 2. Does the system automatically terminate user sessions after a period of inactivity? Sessions that are left active may allow unauthorized access through an unattended computer. 3. If the system is written in a programming language without array bound checking, are there situations where buffer overflow may be exploited? Buffer overflow may allow attackers to send code strings to the system and then execute them. 4. If passwords are set, does the system check that passwords are ‘strong’? Strong passwords consist of mixed letters, numbers, and punctuation, and are not normal dictionary entries. They are more difficult to break than simple passwords. 5. Are inputs from the system’s environment always checked against an input specification? Incorrect processing of badly formed inputs is a common cause of security vulnerabilities. 59 Chapter 15 Dependability and Security Assurance Key points  Performance testing tests system performance properties.  Reliability testing relies on testing the system with a data set that reflects the operational profile of the software.  Security validation may be carried out using experiencebased analysis, tool-based analysis or ‘tiger teams’ that simulate attacks on a system. 60 Chapter 15 Dependability and Security Assurance