Gregor von Bochmann

Test selection based on finite state models

A method for the selection of appropriate test case, an important issue for conformance testing of protocol implementations as well as software engineering, is presented. Called the partial W-method, it is shown to have general applicability, full fault-detection power, and yields shorter test suites than the W-method. Various other issues that have an impact on the selection of a suitable test suite including the consideration of interaction parameters, various test architectures for protocol testing and the fact that many specifications do not satisfy the assumptions made by most test selection methods (such as complete definition, a correctly implemented reset function, a limited number of states in the implementation, and determinism), are discussed. >

Formal Methods in Communication Protocol Design

While early protocol design efforts had to rely largely on seat-of-the-pants methods, a variety of more rigorous techniques have been developed recently. This paper surveys the formal methods being applied to the problems of protocol specification, verification, and implementation. In the specification area, both the service that a protocol layer provides to its users and the internal operations of the entities that compose the layer must be defined. Verification then consists of a demonstration that the layer will meet its service specification and that each of the components is correctly implemented. Formal methods for accomplishing these tasks are discussed, including state transition models, program verification, symbolic execution, and design rules.

Protocol testing: review of methods and relevance for software testing

Communication protocols are the rules that govern the communication between the different components within a distributed computer system. Since protocols are implemented in software and/or hardware, the question arises whether the existing hardware and software testing methods would be adequate for the testing of communication protocols. The purpose of this paper is to explain in which way the problem of testing protocol implementations is different from the usual problem of software testing. We review the major results in the area of protocol testing and discuss in which way these methods may also be relevant in the more general context of software testing.

Semantic evaluation from left to right

This paper describes attribute grammars and their use for the definition of programming languages and compilers; a formal definition of attribute grammars and a discussion of some of its important aspects are included. The paper concentrates on the evaluation of semantic attributes in a few passes from left to right over the derivation tree of a program. A condition for an attribute grammar is given which assures that the semantics of any program can be evaluated in a single pass over the derivation tree, and an algorithm is discussed which decides how many passes from left to right are in general necessary, given the attribute grammar. These notions are explained in terms of an example grammar which describes the scope rules of Algol 60. Practical questions, such as the relative efficiency of different evaluation schemes, and the ease of adapting the attribute grammar of a given programming language to the left-to-right evaluation scheme are discussed.

Formal description techniques

Early in the development of OSI, it was recognized that formal description techniques (FDTs) would be required to accomplish the goals of OSI. This paper is a brief history and a report on the status of the work of ISO/TC97/SC16/WG1 ad hoc Group on Formal Description Techniques. The group comprises three subgroups: the first working on architectural concepts; the second, on an FDT based on extended finite-state machines; and the third, on an FDT based on temporal ordering of interaction primitives. An overview of the techniques developed by each of these groups, as of December, 1982, is presented.

On the Construction of Submodule Specifications and Communication Protocols

The problem of elaborating the specification for the submodules of a system is considered. A new method for the construction of submodule specifications is described. If the system is to consist of n submodules and the system as well as (n 1) submodules are specified, then the method described determines the specification of the additional n t h submodule. A formula is given which defines the specification of the additional submodule in the general case where module specifications are given in terms of sets of possible execution sequences, and interaction occurs when several modules participate in the execution of an atomic interaction. For the restricted context of finite-state machines, a constructive algorithm for the evaluation of the formula is given. The use of this design method is demonstrated by examples, including a simple communication protocol involving error detection and retransmission. Possible applications in other areas, as well as remaining problems, are indicated.

A Test Design Methodology for Protocol Testing

Communication protocol testing can be done with a test architecture consisting of remote Lower Tester and local Upper Tester processes. For real protocols, tests can be designed based on the formal specification of the protocol which uses an extended finite state machine model. The specification is transformed into a simpler form consisting of normal form transitions. It can then be modeled by a control and a data flow graph. The graphs are decomposed into subtours and data flow functions, respectively. Tests are designed by considering parameter variations of the input primitives of each data flow function and determining the expected outputs. The methodology gives complete test coverage of all data flow functions and control paths in the specification. Functional fault models are proposed for functions that are not formally specified.

Synchronization and Specification Issues in Protocol Testing

Protocol testing for the purpose of certifying the implementations adherence to the protocol specification can be done with a test architecture consisting of remote tester and local responder processes generating specific input stimuli, called test sequences, and observing the output produced by the implementation under test. It is possible to adapt test sequence generation techniques for finite state machines, such as transition tour, characterization, and checking sequence methods, to generate test sequences for protocols specified as incomplete finite state machines. For certain test sequences, the tester or responder processes are forced to consider the timing of an interaction in which they have not taken part; these test sequences are called nonsynchronizable. The three test sequence generation algorithms are modified to obtain synchronizable test sequences. The checking of a given protocol for intrinsic synchronization problems is also discussed. Complexities of synchronizable test sequence generation algorithms are given and complete testing of a protocol is shown to be infeasible. To extend the applicability of the characterization and checking sequences, different methods are proposed to enhance the protocol specifications: special test input interactions are defined and a methodology is developed to complete the protocol specifications.

Testing deterministic implementations from nondeterministic FSM specifications

In this paper, conformance testing of protocols specified as nondeterministic finite state machines is considered. Protocol implementations are assumed to be deterministic. In this testing scenario, the conformance relation becomes a preorder, so-called reduction relation between FSMs. The reduction relation requires that an implementation machine produces a (sub)set of output sequences that can be produced by its specification machine in response to every input sequence. A method for deriving tests with respect to the reduction relation with full fault coverage for deterministic implementations is proposed based on certain properties of the product of specification and implementation machines.

On fault coverage of tests for finite state specifications

Testing is a trade-off between increased confidence in the correctness of the implementation under test and constraints on the amount of time and effort that can be spent in testing. Therefore, the coverage, or adequacy of the test suite, becomes a very important issue. In this paper, we analyze basic ideas underlying the techniques for fault coverage analysis and assurance mainly developed in the context of protocol conformance testing based on finite state models. Special attention is paid to parameters which determine the testability of a given specification and influence the length of a test suite which guarantees complete fault coverage. We also point out certain issues which need further study.