Frédéric Dadeau

Symbolic animation of JML specifications

This paper presents a model-based framework for the symbolic animation of object-oriented specifications. A customized set-theoretic solver is used to simulate the execution of the system and handle constraints on state variables. We define a framework for animating object-oriented specifications with dynamic object creations, interactions and inheritance. We show how this technique can be applied to Java Modeling Language (JML) specifications, making it possible to animate Java programs that only contain method interfaces and no code!

JML-Testing-Tools: A Symbolic Animator for JML Specifications Using CLP

This paper describes a tool for symbolically animating JML specifications using Constraint Logic Programming. A customized solver handles constraints that represent the value of instance fields. We have extended a model-based approach to be able to handle object-oriented specifications. Our tool is also able to check properties during the simulation and exhibit counter-examples for false properties. Therefore, it can be used both for semi-automated verification and for validation purposes.

Automated boundary test generation from JML specifications

We present an original approach for the automated computation of model-based test cases from specifications written in Java Modeling Language (JML). We aim at activating all the behaviors from the JML method specifications. Therefore, we extract each behavior and we compute the pertinent test data for the input parameters; we select the boundary values of the ordered domains, and we consider specific features for the objects, involving inheritance and aliasing. Finally, a preamble for each test case is computed by symbolic animation of the JML specification using constraint logic programming techniques. Thus, we are able to automatically generate executable Java test sequences to be run on the system under test. Moreover, this process requires the less possible intervention from a validation engineer.

Checking JML specifications with b machines

This paper presents a solution to the lack of tool-support for the JML models verification. We propose an approach for expressing JML specifications within the B abstract machines notation. The B machines generated from the JML can then be checked to ensure their correctness. Thus, we deduce the correctness of the original JML specification, ensured by rewriting rules which give the semantical equivalence of the two models. More generally, this translation can be applied to object-oriented specification languages using before-after predicates.

Combining Scenario- and Model-Based Testing to Ensure POSIX Compliance

We present in this paper a way to produce test suites for the POSIX mini-challenge, based on a formal model of a file system manager, written using a B machine. By this case study, we illustrate the limitations of a fully-automated testing process, which justifies the use of scenarios that complements the classical functional testing approach. Scenarios are expressed through schemas, focusing only on operation chaining. They are played on the model using a symbolic animation engine in order to automatically compute pertinent operation parameter values, based on model coverage criteria such as behavioral or data coverage. We concretize our experimentation by testing the POSIX conformance of two different file systems: a recent Linux distribution, and a customized Java implementation of POSIX used to evaluate the relevance of our approach.

Safety property driven test generation from JML specifications

This paper describes the automated generation of test sequences derived from a JML specification and a safety property written in an ad hoc language, named JTPL. The functional JML model is animated to build the test sequences w.r.t. the safety properties, which represent the test targets. From these properties, we derive strategies that are used to guide the symbolic animation. Moreover, additional JML annotations reinforce the oracle in order to guarantee that the safety properties are not violated during the execution of the test suite. Finally, we illustrate this approach on an industrial JavaCard case study.

Scenario-based testing from UML/OCL behavioral models: Application to POSIX compliance

We present in this article a way to produce test suites applied to the POSIX mini-challenge based on a behavioral model of a file system manager written in UML/OCL. We illustrate the limitations of a fully automated test generation approach, which justifies the use of test scenarios as a complement to a functional testing approach. Scenarios are expressed through regular expressions describing sequences of operations, possibly punctuated by intermediate states that have to be reached by the execution of the model. Scenarios are unfolded into extended sequences of operations that are played on the model using symbolic animation techniques. We experimented our approach by testing the conformance of two different file systems w.r.t. the POSIX standard: a recent Linux distribution and a customized Java implementation of POSIX used to evaluate the relevance of our approach and its complementarity with a structural test generation approach.

Instantiation of parameterized data structures for model-based testing

Model-based testing is bound, by essence, to use the enumerated data structures of the system under test (SUT). On the other hand, formal modeling often involves the use of parameterized data structures in order to be more general (such a model should be sufficient to test many implementation variants) and to abstract irrelevant details. Consequently, the validation engineer is sooner or later required to instantiate these parameters. At the current time, this instantiation activity is a matter of experience and knowledge of the SUT. This work investigates how to rationalize the instantiation of the model parameters. n nIt is obvious that a poor instantiation may badly influence the quality of the resulting tests. However, recent results in instantiation-based theorem proving and their application to software verification show that it is often possible to guess the smallest most general data enumeration. We first provide a formal characterization of what a most general instantiation is, in the framework of functional testing. Then, we propose an approach to automate the instantiation of the model parameters, which leaves the specifier and the validation engineer free to use the desired level of abstraction, during the model design process, without having to satisfy any finiteness requirement. n nWe investigate cases where delaying the instantiation is not a problem. This work is illustrated by a realistic running example. It is presented in the framework of the BZ-Testing-Tools methodology, which uses a B abstract machine for model-based testing and targets many implementation languages.

Grammar-Based Testing Using Realistic Domains in PHP

This paper presents an integration of grammar-based testing in a framework for contract-based testing in PHP. It relies on the notion of gtypes, that make it possible to assign domains to data, by means of contract assertions written inside the source code of a PHP application. Then a test generation tool uses the contracts to generate relevant test data for unit testing. Finally a runtime assertion checker validates the assertions inside the contracts (among others membership of data to gtypes) to establish the conformance verdict. We introduce here the possibility to generate and validate complex textual data specified by a grammar written in a dedicated grammar description language. This approach is tool-supported and experimented on the validation of web applications.

JML2B: checking JML specifications with b machines

This paper introduces a tool, named JML2B, destined to check the consistency of JML specifications. JML2B is a solution to the lack of tool-support for the JML models verification. Our tool translates JML specifications into the B abstract machines notation. The generated B machines can then be checked to ensure their correctness. When the proof fails, it is possible to retrieve the mistakes in the original JML specification.