An Abstract Framework for Choreographic Testing
JJ. Lange, A. Mavridou, L. Safina, A. Scalas (Eds.):13th Interaction and Concurrency Experience (ICE 2020).EPTCS 324, 2020, pp. 43–60, doi:10.4204/EPTCS.324.5 This work is licensed under theCreative Commons Attribution License.
An Abstract Framework for Choreographic Testing ∗ Alex Coto
GSSI, Italy [email protected]
Roberto Guanciale
KTH, Sweden [email protected]
Emilio Tuosto
GSSI, Italy and Univ. of Leicester, UK [email protected]
We initiate the development of a model-driven testing framework for message-passing systems. Thenotion of test for communicating systems cannot simply be borrowed from existing proposals. There-fore, we formalize a notion of suitable distributed tests for a given choreography and devise an al-gorithm that generates tests as projections of global views. Our algorithm abstracts away from theactual projection operation, for which we only set basic requirements. The algorithm can be in-stantiated by reusing existing projection operations (designed to generate local implementations ofglobal models) as they satisfy our requirements. Finally, we show the correctness of the approachand validate our methodology via an illustrative example.
We propose model-driven testing to complement the correctness-by-construction principle of choreo-graphies. We introduce a testing approach based on choreographies which we deem suited to developmodel-driven testing that may help to tame the problems of correctness of distributed applications.
Context
In the quest for correct-by-construction solutions, formal choreographic models have proventhemselves to be valuable approaches. These models are gaining momentum, for instance, in the contextof business processes and message-passing applications. The fundamental idea of choreographic mod-els (originally proposed by WS-CDL [18]) is that specifications of systems consist of global and localviews . The global view describes the behaviour of a system in terms of the interactions among (the role )of components. The diagram below is an example of a global view of a protocol; we will use this as arunning example throughout the paper.This protocol is a simplified view of the main interactions that a client C willingto withdraw some cash has to perform, together with an ATM A , and a bank B . The protocol starts with the interaction C withdraw −−−−−→ A with which participant C instructs the ATM A about the intention to withdraw some cash. In the nextinteraction A authW −−−→ B , A asks the bank B to authorise the withdrawal. Observethat payloads are abstracted away; for instance, the message withdraw is inten-ded to be a data type carrying e.g., the amount of requested cash. A distributedchoice starts at the branching point + , where the bank B decides whether todeny or grant the withdrawal. Note that the choice is non-deterministic since,besides from data, this model abstracts away from local computations. De-pending on the local decision of B , the next interaction is either B deny −−−→ A or B allow −−−→ A . In each case the client is notified of the decision with interactions A bye −−→ C (in the first case) or A money −−−→ C if the operation is granted by the bank. ∗ Research partially supported by the EU H2020 RISE programme under the Marie Skłodowska-Curie grant agreement No778233 , MIUR project PRIN 2017FTXR7S
IT MATTERS (Methods and Tools for Trustworthy Smart Systems) and theTrustFull project, funded by the Swedish Foundation for Strategic Research An Abstract Framework for Choreographic Testing
A main source of problems in distributed protocols is reaching consensus among participants in distrib-uted choices. Indeed, participants have partial knowledge about the global state of the protocol. And,for the protocol to run “smoothly”, the partial knowledge of each participant should be consistent withrespect to the global state of the protocol. For distributed choices this boils down to require awareness of each participant about the branch to follow. For instance, in the example above, the bank is aware ofthe choice since it decides what to do next and the other participants become aware of the choice fromthe messages they exchange.The correctness-by-construction principle of choreographic models is usually realised through theidentification of well-formedness conditions on global views. These are sufficient conditions guarantee-ing that the protocol can be executed distributively, without breaking the consistency between the globalstate and the local knowledge of participants. In particular, formal choreographic approaches (suchas [17, 10, 14, 15, 11, 7] to mention a few) study notions of well-formedness to guarantee the safetyof communications (usually, deadlock-freedom, no message losses, etc.). The local view of a protocolindeed provides a specular specification of the behaviour of (the role of) each component “in isolation”.In this way, the local view yields a set of computational units enacting the communications specified inthe global view. For instance, the local view of the bank B above consists of an artefact waiting for amessage authW from A to which it replies by sending either of the messages deny or allow . Note thatthe client and the bank are “oblivious” of each other, in the sense that they interact only with the ATM.The typical scheme to realise the correctness-by-construction principle consists of the steps below:1. provide an artefact defining the global view of the system;2. revise the global view until well-formedness is achieved;3. project global views into local views;4. verify that code implementing the local view of a component complies with its projection.(It is also possible to avoid step (4) and project global views directly on code.) Steps (1) and (2) aremainly human activities, although some algorithmic support is offered by the verification of well-formedness conditions. The remaining steps can instead be supported by algorithms. In fact, (an approx-imation of) compliance is usually decidable and projections can often be straightforwardly computed by“splitting” interactions into complementary send and receive actions. Problem
Although paramount for the development of message-passing applications, the correctness-by-construction principle advocated by formal choreographies is not enough. At first sight this utter-ance may look controversial. In fact, we do not contend that correctness-by-construction is not worthpursuing (or not achievable: many models including those mentioned above do realise the correctness-by-construction principle). But, even in a correctly implemented choreographic solution problems mayarise. We list three major causes of possible disruption.
Local computation
As said, formal choreographies focus on the interactions among components whileabstracting away from local computations. Therefore, errors may still be introduced when de-veloping code; for instance, a component expected to receive an integer and return a string, afterinputting the integer may diverge on a local computation before delivering the expected string andcause a malfunction in the communication protocol. Some authors have considered the problem of supporting designers in the identification of problems in non well-formedchoreographies [3, 4, 19]. . Coto, R. Guanciale, E. Tuosto Evolution
Software is often subject to continuous changes for instance to increase efficiency or to ac-commodate evolving requirements. For example, to reduce the communication overhead, a com-ponent may be modified so that two outputs are merged into one so to spare an interaction. Be-sides introducing bugs in the new code for local computations, these changes may alter the originaldesign breaking the compliance required in step (4) of the scheme above.
Openness
Increasingly, applications are built by composing computational elements developed inde-pendently and available off-the-shelf, over which the developer might have no control. This is forinstance the main approach to develop service-oriented architectures. New releases or modifica-tions of third-party components (libraries, run-time support, etc.) may introduce malfunctions inapplications using it. For example, a new release of a service invoked by an application may enrichthe spectrum of possible messages delivered to some components not designed to handle such newmessages.
Contribution
We take a first step to equip known choreography-based approaches with testing. Moreprecisely, we start addressing step (3) above. Our main technical contribution is an algorithm to auto-matically derive (abstract) test cases out of a well-formed choreography (cf. Section 3.2). We developour results in the setting of global choreographies [14, 26] and communicating finite state machines [6].The former is the model we adopt to represent global views and the latter is a well-known model forspecifying communication protocols that will serve to represent local views.Our key contributions are: • An abstract framework of well-formedness that captures the essential elements of formal cho-reographic models. This abstract framework makes our algorithm parametric with respect to thenotion of well-formedness. • We lay down the definitions that transfer various notions of (standard) software testing to com-munication protocols. Formally this is done by adapting a few concepts from traditional softwaretesting such as the notions of test (Definition 4), oracle (Definition 7), and test compliance (Defin-ition 5). Again, the abstract framework paves the way for several alternative developments. Wedecided to explore one of them first; we discuss alternatives in Section 5. • As we will see, not all test cases are “meaningful”, therefore we identify when tests are suitable for a choreography (Definition 6). • We apply our framework to a non-trivial example (cf. Section 4).
We survey the main definitions and constructs needed in the rest of the paper. We focus on global cho-reographies (g-choreographies for short) for the global view [15], and borrow from [6] communicatingfinite-state machines (CFSMs) for the local views. G-choreographies were chosen because they offer anintuitive visual description together with a precise semantics [26, 16]. We adopt CFSMs because theyhave many similarities with programming languages based on message-passing, such as Erlang.
The global view of a choreography can be suitably specified as a global choreography [26, 14, 13]. Thismodel is appealing as it has a syntactic and diagrammatic presentation, and has been given a formal6
An Abstract Framework for Choreographic Testing semantics in terms of pomsets, which enable for automatic processing.Fix a set P of participants and a set M of message (types) such that P ∩ M = /0; let A , B , . . . rangeover P and m , n , . . . range over M . A global choreography (or g-choreography) is a term derivable fromthe following grammar: G :: = ( o ) empty (cid:12)(cid:12) A m −→ B interaction (cid:12)(cid:12) G | G fork (cid:12)(cid:12) G + G choice (cid:12)(cid:12) G ; G sequential (cid:12)(cid:12) repeat G iterationThe empty choreography ( o ) yields no interactions; trailing occurrences of ( o ) may be omitted.An interaction A m −→ B represents the exchange of a message of type m between A and B , provided that A (cid:54) = B . We remark that data are abstracted away: in A m −→ B , the message m is not a value and shouldrather be thought of as (the name of) a data type . G-choreographies can be composed sequentially orin parallel ( G ; G (cid:48) and G | G (cid:48) ). A (non-deterministic) choice G + G specifies the possibility to continueaccording to either G or G . The body G in an iteration repeat G is repeated until a participant in G (non-deterministically) chooses to exit the loop. Although for simplicity we do not consider iterativeg-choreographies in our examples, the techniques we introduce further on can work on arbitrary finiteunfoldings of the loops, as is commonplace in software testing or in verification techniques such asbounded model-checking. Example 1.
The g-choreography for the example introduced in Section 1 is G ATM = C withdraw −−−−−→ A ; A authW −−−→ B ; { B deny −−−→ A ; A bye −−→ C + B allow −−−→ A ; A money −−−→ C } where we assume that sequential composition takes precedence over choice. The semantics of a g-choreography as defined in [14, 26] is a family of pomsets (partially orderedmultisets); each pomset in the family is the partial order of events occurring on a particular “branch”of the g-choreography. Events are therefore labelled by (communication) actions l occurring in the g-choreography. The output of a message m ∈ M from participant A ∈ P to participant B ∈ P is denotedby A B ! m , while the corresponding input is denoted by A B ? m . More formally, L act = { A B ! m , A B ? m | A , B ∈ P and m ∈ M } is the set of (communication) actions and l ranges over L act . The subject of an action is defined as sbj ( A B ! m ) = A and sbj ( A B ? m ) = B .It is not necessary to restate here the whole constructions for the semantics which is given by induc-tion on the structure of the g-choreography; we simply give an informal account. The semantics [[( o )]] isthe set { ε } containing the empty pomset ε , while for interactions we have [[ A m −→ B ]] = (cid:2) AB ! m AB ? m (cid:3) namely, the semantics of an interaction is a pomset where the output event precedes the input event.The semantics of the other operations is basically obtained by composing the semantics of sub g-choreographies. More precisely, We leave implicit the grammar of data types; in the examples we will assume that m ranges over basic types such as int , bool , string , etc. . Coto, R. Guanciale, E. Tuosto • for a choice we essentially have [[ G + G (cid:48) ]] = [[ G ]] ∪ [[ G (cid:48) ]] ; • the semantics of the parallel composition G | G (cid:48) is essentially built by taking the disjoint union ofeach pomset in [[ G ]] with each one in [[ G (cid:48) ]] ; • the semantics of the sequential composition [[ G ; G (cid:48) ]] is the disjoint union of each pomset in [[ G ]] with each one in [[ G (cid:48) ]] and, for every participant A , making every output of A in [[ G ]] precede allevents of A in [[ G (cid:48) ]] . Example 2.
Consider G ATM of Example 1. We have [[ G ATM ]] = (cid:104) CA ! withdraw CA ? withdraw AB ! authW AB ? authW BA ! deny BA ? deny AC ! bye AC ? bye (cid:105) , (cid:104) CA ! withdraw CA ? withdraw AB ! authW AB ? authW BA ! allow BA ? allow AC ! money AC ? money (cid:105) For the sake of illustration, the singleton CA ! withdraw CA ? withdraw AB ! authW AB ? authW BA ! deny BA ? deny AC ! bye AC ? bye BA ! allow BA ? allow AC ! money AC ? money is the semantics of the g-choreography obtained by replacing choice with parallel composition in G ATM . The language of a g-choreography G , written L [ G ] , is the closure under prefix of the set of all linearizations of [[ G ]] where a linearisation of a pomset is a permutation of its events that preserves theorder of the pomset. Example 3.
The language of the last pomset in Example 2 is the set of prefixes of words obtained byconcatenating
C A ! withdraw C A ? withdraw A B ! authW A B ? authW with both B A ! deny B A ? deny A C ! bye A C ? bye and B A ! allow B A ? allow A C ! money A C ? money . As in [20, 13], we adopt communicating finite state machines (CFSMs) as local artefacts. We borrowthe definition of CFSMs in [6] adapting it to our context. A CFSM M = ( Q , q , −→ ) is a finite transitionsystem where • Q is a finite set of states with initial state q ∈ Q , and • −→ ⊆ Q × L act × Q ; we write q l −→ q (cid:48) for ( q , l , q (cid:48) ) ∈−→ .Machine M is local to a participant A ∈ P (or A -local ) if sbj ( l ) = A for each transition q l −→ q (cid:48) of M .A (communicating) system is a map S = ( M A ) A ∈ P where M A = ( Q A , q A , −→ A ) is a A -local CFSM foreach A ∈ P . The set of channels (fixed for all communicating systems) is C = { A B (cid:12)(cid:12) A (cid:54) = B ∈ P } ;for all A B ∈ C , it is assumed that there is an unbound finite multiset b AB = {| m , . . . , m n |} containing themessages that M A sends to M B and from which M B consumes the messages sent by M A . We use (cid:100) formultiset union and − for multiset difference.The semantics of communicating systems is defined in terms of transition systems , which keep trackof the state of each machine and the content of each buffer. Let S = ( M A ) A ∈ P be a communicatingsystem. A configuration of S is a pair s = (cid:104) (cid:126) q ; (cid:126) b (cid:105) where (cid:126) q = ( q A ) A ∈ P with q A ∈ Q A and (cid:126) b = ( b AB ) AB ∈ C mapping each channel to a multiset of messages; q A keeps track of the local state of machine M A in s and8 An Abstract Framework for Choreographic Testing
Client MachineClient MachineBank MachineBank MachineATM MachineC1B1A2 C4C2 C3B4B2 B3A1 A3 A4A6 A5A7CA!withdraw AC?byeAC?moneyAB?authWithdraw BA!denyBA!allowCA?withdraw AB!authWithdraw BA?denyBA?allow AC!byeAC!money
Figure 1: CFSMs for the protocol in Section 1buffer b AB keeps track of the messages sent from A to B . The initial configuration s is the one where,for all A ∈ P , q A is the initial state of the corresponding CFSM and all buffers are empty.A configuration s (cid:48) = (cid:104) (cid:126) q (cid:48) ; (cid:126) b (cid:48) (cid:105) is reachable from another configuration s = (cid:104) (cid:126) q ; (cid:126) b (cid:105) by firing an l-transition , written s l = ⇒ s (cid:48) , if there is a message m ∈ M such that either (1) or (2) below holds: l = A B ! m , (cid:126) q ( A ) l −→ A (cid:126) q (cid:48) ( A ) , anda. (cid:126) q (cid:48) = (cid:126) q [ A (cid:55)→ (cid:126) q (cid:48) ( A )] andb. (cid:126) b (cid:48) = (cid:126) b [ A B (cid:55)→ (cid:126) b ( A B ) (cid:100) {| m |} ] l = A B ? m , (cid:126) q ( B ) l −→ B (cid:126) q (cid:48) ( B ) , (cid:126) b ( A B )( m ) >
0, anda. (cid:126) q (cid:48) = (cid:126) q [ A (cid:55)→ (cid:126) q (cid:48) ( A )] andb. (cid:126) b (cid:48) = (cid:126) b [ A B (cid:55)→ (cid:126) b ( A B ) − {| m |} ] (where f [ x (cid:55)→ y ] is the usual update operation that redefines function f on an element x of its domain with y ). Condition (1) puts m on channel AB , while (2) gets m from channel AB . In both cases, any machineor buffer not involved in the transition is left unchanged in the new configuration s (cid:48) .Note that this construction differs from the original definition in [6], (where unbounded FIFO queueswere used) in order to make the communication model similar to the one of Erlang. Example 4.
A local view of the protocol in Section 1 is given by the CFSMs in Fig. 1. Notice how theevents reflected in the global view have been split into their send and receive counterparts.The starting state of each CFSM is the leftmost one. The CFSM of the client initiates the protocolby sending a withdraw message to the ATM, which reacts by sending a message to the bank to checkwhether the client can actually perform this withdrawal. CFSMs A and B will gradually proceed as theytake messages out from the queues existing between all pairs of participants.State B2 of B is the internal choice state that corresponds to the branching point of the g-choreography.Namely, in B2 , the bank locally chooses how to proceed. As soon as B sends either an allow or a deny message, the ATM either delivers the money or finishes the conversation with a bye message. A configuration s = (cid:104) (cid:126) q ; (cid:126) b (cid:105) is stable if all buffers are empty (note that stability does not impose anyrequirement on a machine’s enabled transitions): s is stable for C (cid:48) ⊆ C if all buffers in C (cid:48) are emptyin s , and it is a deadlock if s (cid:54) = ⇒ and either there is a participant A ∈ P such that (cid:126) q ( A ) AB ? m −−−→ A or s is not stable. This definition is adapted from [9] and is meant to capture communication misbehaviour.Observe that, according to this definition, a configuration s where all machines are in a state with nooutgoing transitions and all buffers are empty is not a deadlock configuration even though s (cid:54) = ⇒ . . Coto, R. Guanciale, E. Tuosto Π ( S , s ) be the set of runs of a communicating system S starting from a configuration s of S , thatis the set of sequences π = { ( ˆ s i , l i , ˆ s i + ) } ≤ i ≤ n with n ∈ N ∪ { ∞ } such that ˆ s = s , and ˆ s i l i = ⇒ ˆ s i + for every0 ≤ i ≤ n ; we say that run π is maximal if n = ∞ or ˆ s n (cid:54) = ⇒ and denote with Π ( S ) the runs of S startingfrom its initial state. The language of a communicating system S is the set L [ S ] = (cid:91) π ∈ Π ( S ) { trace of π } where the trace of a run { ( ˆ s i , l i , ˆ s i + ) } ≤ i ≤ n ∈ Π ( S ) is the sequence l . . . l n − . Notice that L [ S ] ⊆ L ω act ∪ L (cid:63) act (where L ω act is the set of infinite words over L act ) and it is prefix-closed. The goal of model-driven testing is to find mismatches between a specification and an implementation.We focus on component-testing , which in our setting corresponds to test a single participant of a g-choreography. We dub component under test (CUT) an implementation which should be tested.
Top-down approaches of choreographies define projection functions that generate local models fromglobal models. In order to parameterise our framework with respect to these notions, we introduce abstract projections on g-choreographies.
Definition 1 (Abstract projection) . A map (cid:23) is an abstract projection if it takes a g-choreography G anda participant A ∈ P and returns an A -local CFSM. Given a g-choreography G , the system induced by (cid:23) is defined as G (cid:23) = ( G (cid:23) A ) A ∈ P . There are several ways to define projection operations that are instances of Definition 1. For example,in [14, 26] a g-choreography is projected on a participant A in two steps, which we briefly summarisesince we will illustrate our framework by adopting this operation in our examples. By induction on thestructure of the g-choreography, the first step transforms each interaction in the transition of an automatonaccording to the role of A in that interaction. More precisely, the interaction becomes an output or aninput transition depending on whether A is the sender or the receiver; otherwise the iteration correspondsto a silent transition. In the second step, the CFSM obtained as above is determinised. Example 5.
The CFSMs shown in Fig. 1 are obtained by means of the projection operation in [14, 26]applied to the g-choreography G ATM in Example 1 where some equivalent states (e.g., A5 and A7 ) arereplicated for readability. Not every g-choreography can be faithfully projected. In fact, the asynchronous semantics of com-municating systems may introduce behaviour that does not correspond to the intended behaviour of theg-choreography. In concrete instances, sufficient conditions on g-choreographies are given so that thesemantics of projected communicating systems reflect the semantics of the g-choreography. These con-ditions are abstractly captured in the next definition.
Definition 2 (Abstract well-formedness) . A predicate on g-choreographies is an abstract well-formednesscondition if WF ( G ) implies that there is a communicating system S with initial configuration s such that • L [ S ] ⊆ L [ G ] and • no run in Π ( s ) contains a deadlock configuration; An Abstract Framework for Choreographic Testing in this case we say that S realises G . Note that Definition 2 admits trivial instances such as the predicate which does not hold on anyg-choreography. The choreography in Section 1 is considered well-formed in the majority of existingwork. In this example there is only one participant that makes a choice (i.e., the bank) and the rest of theparticipants are informed of which decision was taken. Intuitively, this avoids coordination problems andtherefore the choreography can be correctly realized by CFSMs, such as the ones in Fig. 1. In this case,the language of the choreography is the same as the language of the projected communicating system,which is deadlock-free.Hereafter, we assume projections that respect abstract well-formedness.
Definition 3 (Compatible projections) . An abstract projection (cid:23) is compatible with WF when, for allg-choreographies G , if WF ( G ) then the system induced by (cid:23) realises G . An abstract projection mapping all participants to a machine without any transitions is trivially com-patible with any abstract well-formedness condition. Of course, we are interested in abstract projectionsfor which L [ G (cid:23) ] = /0 only if G = ( o ) .We can now formalise the main notions of our choreographic testing framework. A test case fora CUT A is a set of CFSMs with a distinguished set of success states; the outcome of a test case isdetermined by its interaction with A . Definition 4 (Test case) . A test case for a CUT A ∈ P is a set T = {(cid:104) M , Q (cid:105) , . . . , (cid:104) M n , Q n (cid:105)} such thatfor every ≤ i , j ≤ n, M i = ( Q i , q i , −→ i ) is a CFSM with Q i ⊆ Q i and • if q l −→ i q (cid:48) then sbj ( l ) (cid:54) = A (1) • if q BC ! m −−−→ i q (cid:48) and q l −→ i q (cid:48)(cid:48) then l = B C ! m (2) • if q l −→ i q (cid:48) and q l −→ i q (cid:48)(cid:48) then q (cid:48) = q (cid:48)(cid:48) (3) • if q l −→ i q and q (cid:48) l (cid:48) −→ j q (cid:48) and sbj ( l ) = sbj ( l (cid:48) ) then i = j (4)We dub Q i the success states of M i . We briefly justify the conditions in Definition 4. Condition (1) forces the CUT not to be the subject ofany transition, since tests cannot force it directly to take specific actions. Conditions (2) and (3) togetherenforce that there is always a single possible output for the system to proceed, that the machines aredeterministic and, in particular, that they cannot have internal choice or mixed states. The rationalebehing conditions (2) and (3) is to “confine” non-determinism in the CUT and its concurrent executionwith the test so that it is easier to analyse the outcome of tests. The last condition enforces transitionsacross machines to have different subjects: if this was not the case, generating code for each participantcould be significantly more complex. Note that this does not force the CFSMs in a test case to benecessarily local; in fact, Definition 4 admits different subjects in the labels of different transitions.The following example shows the requirements of Definition 4 and a violation of those requirements. Example 6.
Consider M A , M B and M C in Fig. 1 that respectively are the CFSMs of the ATM, the bank,and the client. Then T = {(cid:104) M A , { A5 , A7 }(cid:105) , (cid:104) M C , { C3 , C4 }(cid:105)} is a test case for B (i.e., bank). In fact, M A and M C are deterministic, internal choice-free and do not include any transitions where the subject is B .Instead, T = {(cid:104) M B , { B3 , B4 }(cid:105) , (cid:104) M C , { C3 , C4 }(cid:105)} is not a test case for A (i.e., the ATM) because M B hasan internal choice in state B2 . A mixed choice state is one with both input and output outgoing transitions. . Coto, R. Guanciale, E. Tuosto Definition 5 (Test compliance) . Let C (cid:48) ⊆ C be a set of channels, ˆ M a CFSM, and T a test case. Denotewith ˆ M ⊗ T the communicating system consisting of ˆ M and the CFSMs in T . We say that ˆ M is T -compliant w.r.t C (cid:48) ( ˆ M (cid:46) C (cid:48) T ) if every finite maximal run of ˆ M ⊗ T contains a stable configuration s for C (cid:48) such that for every (cid:104) M , Q (cid:105) ∈ T the local state of M in s is in Q.
In the following, we dub the configuration s in Definition 5 a successful configuration for T and weuse ˆ M (cid:46) T for ˆ M (cid:46) C T . Notice that the parametrization on C (cid:48) allows a CFSM to be considered complianteven if some runs leave channels in C \ C (cid:48) not empty. The next series of examples illustrate the notionof test compliance with four tests for CUTs in Fig. 1. Example 7.
Let B be the CUT and T be the test case in Example 6. Then M B is T -compliant. In fact,the system consisting of M B and (the CFSMs in) T is exactly the system implementing the choreographyof the running example. However, M B is not compliant with the test case {(cid:104) M A , { A3 }(cid:105) , (cid:104) M C , { C3 , C4 }(cid:105)} .In fact, C can reach C3 or C4 only after that A has left state A3 . Similarly, M B is not compliant with thetest case {(cid:104) M A , { A7 }(cid:105) , (cid:104) M C , { C3 }(cid:105)} , since the success states of A and C represent conflicting branches. Example 8.
Suppose that the CUT is the CFSM M (cid:48) B obtained by removing the transition B A ! allow from M B . Then M (cid:48) B (cid:46) T however, M (cid:48) B is not compliant with {(cid:104) M A , { A7 }(cid:105) , (cid:104) M C , { C4 }(cid:105)} . This is dueto the fact that the test and the CUT select different branches. Similarly, M (cid:48) B is not compliant with {(cid:104) M (cid:48) A , { A7 }(cid:105) , (cid:104) M C , { C3 , C4 }(cid:105)} , where M (cid:48) A is obtained by removing the transition B A ? deny from M A . Example 9.
Finally, let A be the CUT and M (cid:48) B be the CFSM obtained by removing the transition B A ! allow from M B . Then M A is compliant with {(cid:104) M (cid:48) B , { B3 }(cid:105) , (cid:104) M C , { C3 , C4 }(cid:105)} . We finally define when a test case is meaningful for a choreography, by requiring that the correctimplementation (i.e., the projection) of the choreography is compliant with the test.
Definition 6 (Test suitability) . Test T is ( G , A ) − suitable if G (cid:23) A (cid:46) T .
To generate tests we follow a straightforward strategy: we start from the projections of the participantsthat are not the CUT and we remove their internal choices. The intuition is that for well formed g-choreographies, the projections are “compatible” with any implementation that restricts internal choiceswith respect to the projection of the CUT. We use the following auxiliary function to identify non-deterministic states. These are the states that the algorithm uses to split the transitions to obtain determ-inistic tests. Given a CFSM M = ( Q , q , −→ ) , let nds ( M ) = (cid:110) q (cid:12)(cid:12) ∃ q l −→ q (cid:54) = q l −→ q : l = l ∨ { l , l }∩ ∈ L !act (cid:54) = /0 ) (cid:111) be the set of non-deterministic states of M , that is the states with at least two different transitions thateither have the same label or one of which is an output transition. For convenience, we let M ( q ) denotethe set of outgoing transitions of q in M and M − t (resp. M + t ) be the operation that removes from(resp. adds to) M transition t (these operations extend element-wise to sets of transitions). The following2 An Abstract Framework for Choreographic Testing function produces sets of machines that are internal choice free: split ( M ) = (cid:40) { M } if nds ( M ) = /0 (cid:83) q ∈ nds ( M ) split ( M , q ) otherwise split ( M , q ) = (cid:91) q AB ! m −−−→ q (cid:48) split ( M − M ( q ) + q AB ! m −−−→ q (cid:48) ) if M ( q ) has output transitions (cid:91) q AB ? m −−−→ q (cid:48) (cid:54) = q AB ? m −−−→ q (cid:48)(cid:48) split ( M − q AB ? m −−−→ q (cid:48) ) otherwiseOnce these simpler CFSMs are obtained, success states have to be set for each of them. This isanalogous to problem commonly known in software testing as the oracle problem : deciding when atest is successful. This decision is application-dependent and its solutions usually requires human in-tervention [2]. In our setting, this corresponds to single out configurations of communicating systemsaccording to a sub-tree of a choreography as defined below. Intuitively, we would like success statesfrom the CFSMs to correspond to the execution of specific syntactic subtrees of the choreography.We now introduce an additional definition that helps us determine the success states for our tests.In the following, given a g-choreography G , let T ( G ) be the set of sub-trees of the abstract syntax treeproducing G once we fix a suitable precedence among the operators. Our algorithm relies on abstractsyntax trees of g-choreographies, but it does not depend on the precedence relation chosen. Definition 7 (Oracle scheme) . Let G be a g-choreography, (cid:23) an abstract projection compatible with agiven well-formedness condition WF . An oracle scheme of G for (cid:23) is a function Ω G , (cid:23) mapping a pair ( A , τ ) ∈ P × T ( G ) on a set of states of the CFSM G (cid:23) A such that if WF ( G ) and S is the communicatingsystem induced by (cid:23) , then for every τ ∈ T ( G ) and maximal run π ∈ Π ( S ) there exists a stable configur-ation s in π such that, for each A ∈ P , for the local state q A of A in s we have that q A ∈ Ω G , (cid:23) ( A , τ ) . The main purpose of the oracle scheme Ω G is to map a participant and a subtree ( A , τ ) ∈ P × T ( G ) to a set of states of G (cid:23) A that correspond to the states the system can be in after the execution of thesub-tree τ of G . Example 10.
Below is a fragment of a possible oracle scheme for the g-choreography from Example 1and the CFSMs shown in Fig. 1. Ω G , (cid:23) ( A , G ) = { A5 , A7 } and Ω G , (cid:23) ( B , G ) = { B3 , B4 } and Ω G , (cid:23) ( C , G ) = { C3 , C4 } Ω G , (cid:23) ( A , B allow −−−→ A ) = { A6 , A4 } and Ω G , (cid:23) ( B , B allow −−−→ A ) = { B3 , B4 } and Ω G , (cid:23) ( C , B allow −−−→ A ) = { C3 , C4 } Notice that for the whole g-choreography G , the oracle scheme Ω G , (cid:23) yields the last states of the CFSMs,and for the sub-tree B allow −−−→ A it returns the first state that allows the participant to acknowledge eitherthe execution of the interaction or the selection of an alternative branch. Test cases are then built by combining machines obtained by the split function and by identifying thesuccess states via the oracle function, i.e. states that correspond to the execution of the interactions ofthe subtrees of the g-choreography: tests ( G , A ) = (cid:8) ( (cid:104) M B , Ω G , (cid:23) ( B , τ ) (cid:105) ) B (cid:54) = A ∈ P (cid:12)(cid:12) ∀ B (cid:54) = A ∈ P : M B ∈ split ( G (cid:23) B ) ∧ τ ∈ T ( G ) (cid:9) (1) . Coto, R. Guanciale, E. Tuosto split and combine them (exhaustively) into test cases. Each test case corresponds to a unique path of execution(i.e. selection of internal choices) of the original g-choreography. Theorem 1. If WF ( G ) then every test case in tests ( G , A ) is ( G , A ) − suitable. We now delve into a larger example in order to demonstrate the test generation procedure in a morecomplex scenario. Fig. 2 shows a choreography involving the participants
A B , and C , i.e., respectivelythe ATM, the bank, and a client as in the running example used so far. Observe that the running exampleFigure 2: The complete choreography for the ATM scenariois a sub-choreography of the g-choreography in Fig. 2. The bigger scenario can be straightforwardlyrepresented as a g-choreography as done in Example 1 for the choreography in Section 1.4 An Abstract Framework for Choreographic Testing
Client MachineClient MachineClient MachineClient MachineClient MachineBank MachineBank MachineBank MachineBank MachineBank MachineATM MachineATM MachineATM MachineATM MachineCA!auth AC?authFailAC?granted CA!withdrawCA!quitCA!checkBalance AC?byeAC?moneyAC?balanceAB?authReq BA!deniedBA!granted AB?authWithdrawAB?getBalanceAB?quit BA!denyBA!allowBA!balanceCA?auth AB!authReq BA?deniedBA?granted AC!authFailAC!granted CA?withdrawCA?quitCA?checkBalance AB!authWithdrawAB!quitAB!getBalance BA?denyBA?allow AC!byeAC!moneyBA?balance AC!balance
Figure 3: Projections of the choreography of Fig. 2The client starts a session of the protocol by authenticating with the ATM machine ( auth ). The ATMthen delegates the authentication to the bank, which can either reject or accept the request by replyingwith either a denied or a granted message. In both cases the ATM forwards the authentication result tothe client. The choreography terminates if the authentication fails. If authentication is successful then theATM offers three options to the client: (M) withdraw money ( money ), (Q) terminate the session ( quit ),or (B) check the account balance checkBalance .In case (B), the ATM requests to the bank the balance and forwards the result to the client via a balance message. In case (Q), the ATM simply notifies the bank of the termination of the session. Case(M) is the choreography of Section 1 whereby the withdrawal request is forwarded to the bank whichdecides if to allow or deny the request.We demonstrate the test case generation for the ATM (i.e., participant A in Fig. 2 is our CUT). Wefirst project the g-choreography corresponding to the choreography in Fig. 2, using again the projectionoperation in [26]. We obtain the three CFSMs of Fig. 3. The oracle scheme is visually represented bydecorating states only for two sub-trees of the choreography. More precisely: • double-circles denote the states marked by the oracle scheme for the whole choreography, and • gray-circles correspond to the states marked by the oracle scheme for the interaction B allow −−−→ A .It is straightforward to check that the system consisting of these three CFSMs effectively generates thesame language as the one generated by the g-choreography.The two machines for B and C of Fig. 3 cannot be directly used as a test for A since they have stateswith internal choices. These states, obtained by applying nds to the CFSMs of B and C , are the setsof red states shown in the figure. At this point the algorithm applies split ( B ) to compute a set of fourmachines, say M B . This is done by selecting in all possible ways one of the output transitions from statesof B (according to the second clause in the definition of split ). Likewise for C , the algorithm produces aset of three machines, say M C . The resulting sets of CFSMs are shown in Figs. 4 and 5 where, for thesake of conciseness, we remove unreachable states, also omitting isomorphic CFSMs. For a sub-tree ofthe choreography, we obtain a test case by combining a machine from M B and one from M C and definingtheir success states using the oracle scheme. Function tests ( G , A ) generates all the test cases by freelychoosing the machines as above and exhaustively iterating over the sub-trees of the choreography. . Coto, R. Guanciale, E. Tuosto M-Bank 3M-Bank 3M-Bank 3M-Bank 3M-Bank 2M-Bank 2M-Bank 2M-Bank 1M-Bank 1M-Bank 1AB?authReq BA!deniedAB?authReq BA!granted AB?authWithdrawAB?getBalance BA!denyBA!balanceAB?authReq BA!granted AB?authWithdrawAB?getBalance BA!allowBA!balance
Figure 4: CFSMs resulting from splitting the projected CFSMs for the bank
M-Client 3M-Client 3M-Client 3M-Client 2M-Client 2M-Client 2M-Client 2M-Client 1CA!auth AC?authFailAC?granted CA!withdraw AC?byeAC?moneyCA!auth AC?authFailAC?granted CA!quitCA!auth AC?authFailAC?granted CA!checkBalance AC?balance
Figure 5: CFSMs resulting from splitting the projected CFSMs for the clientThis process results in nine tests for each sub-tree of the g-choreography. For the tree correspondingto the whole g-choreography, the success states are those depicted as double-circles. For the tree cor-responding to the interaction B allow −−−→ A , the success states are those in gray. Notice that some states aresuccess states for both trees. Moreover, all the resulting tests satisfy the requirements of Definition 4. We started the exploration of mechanisms to support model-driven testing of message-passing systemsbased on choreographies. To this purpose, we decided to rely on the so called top-down approach featuredby an existing choreographic model. The choreographic model adopted here is rather abstract, but it isclose to real programming paradigms such as those of Erlang.We exploited the notion of projection of global views of choreographies in order to devise an auto-matic test generation mechanism. The design of our algorithm required us to fix the basic notion of test,test feasibility, and test success within the framework of g-choreographies and communicating systems.Although we tried to give a general framework that abstracts away from actual projection operations, wetook some design decisions for the identification of our framework.The notion of test case considered here (Definition 4) requires tests not to contain mixed-choicestates (that is, states with both output and input outgoing transitions). In fact, without assumptions onthe projection operation mixed-choice states cannot be split easily as they are. Consider the system6
An Abstract Framework for Choreographic Testing consisting of following CFSMs: M A = q q AB ! m M B = q q q q q B C ! n C B ? n C B ? n B C ! n AB ? m M C = q q q q C B ! n B C ? n B C ? n C B ! n (2)where M A is the CUT. The split of the mixed choices of M B and M C is unsafe, because the test includingthe dashed transitions has a run to a deadlock configuration despite the fact that M A behaves as expected.Note that with insights on the actual notion of well-formedness and of the projection operation onecan deal with mixed choices. For instance, the well-formedness condition and the projection operationin [26] yields mixed choice states only when projecting parallel g-choreographies. Therefore, it is safein a mixed-choice state, say q , to select a test starting with one of the output transitions of q and drop allthe others. Note that this yields “simpler” tests, in line with the principles of software testing.Another limitation of the algorithm is its efficiency. As noted in Section 3, our algorithm is ex-ponential in the size of the g-choreography. This is due to the fact that the oracle specification usedin the algorithm exhaustively considers all the syntactic sub-trees of the g-choreographies. This couldbe unfeasible for large g-choreographies. Note however that the oracle specification is a parameter ofour algorithm and, in practice, one can tune it up in order to consider only “interesting” parts of theg-choreography to target. Moreover, some optimisations are possible. A first optimisation can be thereduction of internal choices generated by the parallel composition as those for G par above. In fact, thosetests are redundant and one would be enough in the semantics of communicating systems adopted here(where channels are multisets of messages similar to Erlang’s mailboxes). Note that the tests would notbe redundant in the case of communicating systems interacting through FIFO queues. Another optim-isation relies on the analysis of the syntactic structure to exclude immaterial sub-trees. For instance, forthe g-choreography G ; A m −→ B ; X n −→ Y ; G (cid:48) it is not necessary to check A m −→ B ; X n −→ Y ; G (cid:48) because the sub-tree X n −→ Y ; G (cid:48) subsumes the runs that “go through” the former tree. A pre-processing of the oracle specific-ation may therefore improve efficiency. Note that adopting this approach probably requires a carefultransformation of the oracle specification. This may not be easy to attain. Another optimisation comesfrom the study of some notion of “dominance” of tests. The discussion above about mixed-choices isan example: in a mixed-choice state, the tests with a bias on first-outputs dominate those starting withinputs. For instance, the test with solid transitions in (2) above dominate the one with dashed transitions.This leads us to consider some other related open questions. In software testing it is widely accep-ted that it is unfeasible to perform a high number of tests. Hence, test suites are formed by carefullyselected tests that satisfy some coverage criteria. This yields a number of questions that we did not ad-dress yet: What is a good notion of coverage for communicating systems? Can choreographic modelshelp in identifying good coverage measures? What heuristics lead to good coverage? Remarkably, thisproblem pairs off with the problem of concretisation in model-driven testing [23]. Given an abstract test(as the ones we generate), how should it be concretised to test actual implementations? In fact, the ab-stract notion of coverage only considers distributed choices, but actual implementations may have localbranching computations that should also be covered to some extent. This probably requires our approachto be combined with existing approaches to testing.As said, we took some design decisions to devise our framework. Alternative approaches are pos-sible. Firstly, test generation may be done differently when adopting different types of tests. In fact, a . Coto, R. Guanciale, E. Tuosto M , and consider as testcases the CFSM obtained by dualising M . Note that this yields a non-local CFSM as a test case; wepreferred to explore first an approach which yields “standard” communicating systems.Definition 6 formalizes when a test case is meaningful for a choreography. It would be also desirableto relate traces of machines that are test-compliant with the language of the choreography. Ideally, fora choreography G an adherent test T should guarantee that for every T - compliant machine M the tracesof runs of M ⊗ T that end in a successful configuration are in L [ G ] . This property cannot be guaranteedby our framework for arbitrary choreographies. Firstly, the CUT may force causal relations. For ex-ample, consider A x −→ B ; B y −→ A ; A z −→ C where A is the CUT. The event B A ! y should always precede A C ! z .However, this dependency is enforced by A and cannot be checked by B and C without communicationbetween them. Secondly, in an asynchronous setting it may be impossible to distinguish some behaviorsof the CUT. For example, in A x −→ B ; A y −→ B the event A B ! x should always precede A B ! y , but this order isnot observable by B in case of asynchronous communication.In summary, the notion of adherence is not enforceable for all g-choreographies or all possible imple-mentations of the CUT. This hints to the following open problems: the identification of a proper notion ofadherence in an asynchronous setting, the identification of “interesting” subclasses of g-choreographiesfor which the strict notion of adherence is meaningful, and the extension of the testing framework toenforce such notion, either by adding communications between components or by using non-local ma-chines.In this work, we consider component testing. The level of granularity we adopt implies that par-ticipants are components, and our framework is designed to test a single component at a time. Anintriguing open problem is to apply our framework to support integration testing [24]. In fact, one couldthink of defining group projections, namely projection operations that generate communicating systemsrepresenting the composition of several participants. We believe that this approach could pay off whenthe group onto which the g-choreography is projected can be partitioned in a set of “shy” participantsthat interact only with participants within the group and others that also interact outside the group. Theformer set of participants basically corresponds to units that are stable parts of the system that and do notneed to be (re-)tested as long as the components in the other group pass some tests.Instead of concretising abstract tests, one could extract CFSMs from actual implementations and runthe tests on them. Machines could potentially be extracted directly from source code. If however sourcecode was not available it could still be possible to test components (e.g., by using some machine learningalgorithm to infer the CFSMs from data such as traces). Note that such technique should be more efficientthan concretisation (because it does not let abstract tests proliferate into many concrete ones). Moreover,another advantage of this approach could be that it enables us to exploit the bottom-up approach ofchoreographies, where global views are synthesised from local ones [20]. The synthesised choreographycan be compared with a reference one to derive tests that are more specific to the implementation at hand. In software engineering, testing is considered the tool for validating software and assuring its qual-ity. The Software Engineering Book of Knowledge available from describes software testing as (bold text is ours): Regrettably, barred for few exceptions, rigorous formal methods that aim to show absence of defects rather than theirpresence are less spread in current practices. We cannot embark in a discussion on this state of the matter here. An Abstract Framework for Choreographic Testing “the dynamic verification of the behaviour of a program on a finite set of test cases , suitablyselected from the usually infinite executions domain, against the expected behavior .”Our framework reflects the description above for model-driven testing of message-passing systems. Tra-ditional testing has been classified [25] according to parameters such as the scale of the system undertest, the source from which tests are derived (e.g., requirements, models, or code). There are also clas-sifications according to the specific characteristics being checked [22]; our work can be assigned to thecategory of behavioural testing.An immediate goal of ours is to experimentally check the suitability of the test cases obtained withour algorithm. For this, we plan to identify suitable concretisation mechanisms of the abstract testsgenerated by our algorithm, and verify Erlang or Golang programs.Since message-passing systems fall under the class of reactive systems we got inspiration from thework done on model-driven testing of reactive systems [8]. In particular, we showed that choreographiescan, at least to some extent, be used to automatically generate executable tests and as test case specifica-tions [23]. Technically, we exploited the so-called projection operation of choreographic models. Here,we gave an abstract notion of projection. A concrete projection was formalised for the first time in [17](for multiparty session types) and for g-choreographies in [14, 15, 26], elaborating on the projection ofglobal graphs [13]. As discussed in Section 5, in the future we will also explore the use of choreographicmodel-driven testing to address other problems related to testing message-passing systems.An interesting theoretical investigation would be to explore the relation between our approach andthe theory of testing [12]. At a first glance, our approach corresponds to the must-preorder of the testingtheory. In fact, the notion of test compliance (cf. Definition 5) imposes conditions on all the maximalruns of the CUT in parallel with the test. However, there are two key differences between the theoryof testing and our approach which make a precise analysis non trivial. The first difference is that weconsider asynchronous communications and the second is that our tests are “multiparty”, namely tests areobtained by composing many CFSMs. It might be that the results in [5], which extend to asynchronouscommunications the classical theory of testing, can be combined with the work in [21] to give a suitabletheoretical setting to our framework.According to [27], the generation of test cases is one of the ways model-based testing can supportsoftware verification. For example, a component-based testing framework to support online testing ofchoreographed services is proposed in [1] for BPMN2 models. Among other components, this worksketches a test generation procedure which is however not supported by a formal semantics as we dohere. Our model explicitly features a mechanism for test generation paired with the notion of an oraclescheme (cf. Definition 7) as a precise mechanism to identify the expected outcome of test cases. In fact,unlike in most cases, choreographic models contain enough information about the expected behaviourof the system under test in order to make accurate predictions. We believe that this is a highlight of ourapproach. References [1] Midhat Ali, Francesco De Angelis, Daniele Fan`ı, Antonia Bertolino, Guglielmo De Angelis & Andrea Polini(2014):
An Extensible Framework for Online Testing of Choreographed Services . IEEE Computer
The Oracle Problem inSoftware Testing: A Survey . TOSEM
Amending Contracts for Choreographies . In:
ICE , pp.111–129, doi:10.4204/EPTCS.59.10. . Coto, R. Guanciale, E. Tuosto [4] Laura Bocchi, Julien Lange & Emilio Tuosto (2012): Three Algorithms and a Methodology for AmendingContracts for Choreographies . Sci. Ann. Comp. Sci.
Trace and testing equivalence on asynchron-ous processes . Information and Computation
On Communicating Finite-State Machines . JACM
Contract Compliance and Choreography Conformance in thePresence of Message Queues . In:
Web Services and Formal Methods , 5387, Springer, Berlin, Heidelberg,pp. 37–54, doi:10.1007/978-3-642-01364-5˙3.[8] Manfred Broy, Bengt Jonsson, Joost-Pieter Katoen, Martin Leucker & Alexander Pretschner, editors (2005):
Model-Based Testing of Reactive Systems, Advanced Lectures . LNCS
Verification of programs with half-duplex communication . I&C
Global progress for dynamically interleaved multiparty sessions . MSCS
DynamicChoreographies - Safe Runtime Updates of Distributed Applications . In:
COORDINATION , pp. 67–82,doi:10.1007/978-3-319-19282-6 5.[12] Rocco De Nicola & Matthew C. B. Hennessy (1984):
Testing equivalences for processes . TCS
34, pp.83–133, doi:10.1016/0304-3975(84)90113-0.[13] Pierre-Malo Deni´elou & Nobuko Yoshida (2012):
Multiparty Session Types Meet Communicating Automata .In:
ESOP , LNCS, Springer, pp. 194–213, doi:10.1007/978-3-642-28869-2˙10.[14] Roberto Guanciale & Emilio Tuosto (2016):
An Abstract Semantics of the Global View of Choreographies .In:
Interaction and Concurrency Experience , pp. 67–82, doi:10.4204/EPTCS.223.5.[15] Roberto Guanciale & Emilio Tuosto (2018):
Semantics of Global Views of Choreographies . Journal of Logicand Algebraic Methods in Programming
95, pp. 17–40, doi:10.1016/j.jlamp.2017.11.002.[16] Roberto Guanciale & Emilio Tuosto (2019):
Realisability of pomsets . JLAMP
Multiparty Asynchronous Session Types . JACM . Working Draft 17 December 2004.[19] Ivan Lanese, Fabrizio Montesi & Gianluigi Zavattaro (2013):
Amending Choreographies . In:
Proceedings 9thInternational Workshop on Automated Specification and Verification of Web Systems, WWV 2013, Florence,Italy, 6th June 2013. , pp. 34–48, doi:10.4204/EPTCS.123.5.[20] Julien Lange, Emilio Tuosto & Nobuko Yoshida (2015):
From Communicating Machines to GraphicalChoreographies . In:
Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Prin-ciples of Programming Languages, POPL 2015, Mumbai, India, January 15-17, 2015 , ACM, pp. 221–232,doi:10.1145/2676726.2676964.[21] Rocco De Nicola & Hern´an C. Melgratti (2015):
Multiparty Testing Preorders . In:
Trustworthy GlobalComputing , pp. 16–31, doi:10.1007/978-3-319-28766-9 2.[22] William L. Oberkampf & Christopher J. Roy (2010):
Verification and Validation in Scientific Computing .Cambridge University Press, doi:10.1017/cbo9780511760396.[23] Alexander Pretschner & Jan Philipps (2005):
Methodological Issues in Model-Based Testing . In:
Model-Based Testing of Reactive Systems , 3472, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 281–291,doi:10.1007/11498490˙13. An Abstract Framework for Choreographic Testing [24] Muhammad Jaffar-ur Rehman, Fakhra Jabeen, Antonia Bertolino & Andrea Polini (2007):
Testing softwarecomponents for integration: a survey of issues and techniques . Software Testing, Verification and Reliability
Testing Concurrent Systems: A Formal Approach . In:
CONCUR ’99: ConcurrencyTheory, 10th International Conference, Eindhoven, The Netherlands, August 24-27, 1999, Proceedings , Lec-ture Notes in Computer Science
Semantics of global view of choreographies . Journal of Logicaland Algebraic Methods in Programming
95, pp. 17–40, doi:10.1016/j.jlamp.2017.11.002.[27] Mark Utting & Bruno Legeard (2007):
Practical Model-Based Testing - A Tools Approach . MorganKaufmann. Available at