Professional Documents
Culture Documents
VCS
PSTN
ISDN
Figure 4.1: A typical environment of the VCS 3020S system
VCS 3020 is one of the central products of the company FREQUENTIS and has
been chosen as the target system in the rst project. Voice communication among
air trac controllers and between the controllers and the pilots is crucial to the
safety of commercial aviation. The voice communication system is responsible for
transmitting the commands of the air-trac controllers, concerning starting and
landing clearances, positioning of the air-planes, emergency situations etc.
The work in this domain demonstrates the crucial role that formal specication
techniques play in software engineering. They may serve as a tool for validating
both, the functional requirements as well as existing system-level test-cases. It will
be shown by the data that the validation process of the requirements is essential for
the design of black-box test-cases.
4.1.2 Voice Communication in Air Trac Control
Among other important systems on an airport, like radars, instrument landing sys-
tems, etc., the voice communication system can be seen as the nerve system of
the airport. It serves as the sole communication system between the pilots, the air-
trac control personnel working on the airport (denoted by in Fig. 4.1), the ground
personnel on the runways, other parties external to the airport and even other air-
ports. This typical environment of the FREQUENTIS voice communication system
VCS 3020S is shown in Fig. 4.1.
The system oers all well known services of PABX
3
or PSTN
4
systems, i.e. call
set up and termination, conferencing, call forwarding, call diversion, etc. In contrast
to these systems, it also supports voice communication via radio. The system makes
a clear distinction between line bound duplex voice communication (voice can be
3
PABX . . . Private Automatic Branch Exchange
4
PSTN . . . Public Switched Telephone Network
4.1. THE APPLICATION DOMAIN 45
OP
OP
OP
RIF
LIF
LIF
LIF
VCS 3020S System
PSTN/PABX/
phone set
ISDN
MFC
radio set
SWITCH
Figure 4.2: VCS 3020S system overview
transmitted and received at the same time) and simplex communication via radio
(voice must be either transmitted or received).
Figure 4.2 shows the essential units of the system as well as the interfaces to the
external components. The main voice communication path is established between
the operators working at the operator positions (OP) and line bound parties as well
as radio parties (shown at the left side of the gure). The radio sets, necessary for
communication via radio, are external to the system and are connected to it via
radio interfaces (RIFs). Line bound voice communication is established via the line
interfaces (LIFs), which are highly congurable.
The VCS 3020S system is a switched system intended for real-time transmission
of continuous voice data. This makes it easy to distinguish the VCS 3020S from
both, non-switched broadcast systems and data networks, which are not intended
for real-time transmission of continuous media. The architecture of the system is
distributed and the components are connected by means of bi-directional interfaces.
Furthermore, the safety critical core components of the system are duplicated and
operate in hot stand-by mode.
4.1.3 A Network of Voice Communication Systems
In contrast to the rst project, which covered the already existing voice commu-
nication system VCS 3020S, the second project considered a new communication
system still under development.
The primary goal of the new system is the complete interconnection of air trac
control centers via a fully digital network. The digital network lines will be used for
voice (telephone and radio) and data transmissions. There are several interlinked
air trac control centers, each of them consisting of a network node and a voice
communication system (VCS). See Figure 4.3 for an example of such a network
connecting the main airports in Austria.
One of the advantages of the new system is that lines between the network nodes
46 CHAPTER 4. INDUSTRIAL EXPERIENCES
VCS
VCS
VCS
VCS
VCS VCS
N1
N3
N5
N6
N4 N2
Figure 4.3: A network for air trac control
are allocated dynamically. Therefore, additional lines can be allocated to compen-
sate a broken line or to provide additional bandwidth in times of high network trac.
This dynamic allocation is also valuable from a cost eectiveness point of view.
Another important concept are roles. Roles are simply functionalities: for in-
stance the functionality to control a certain sector of air trac. These roles - or
functionalities - are not bound to specic OPs, but can be distributed within the net-
work, to optimize the work-load on the controllers. Therefore, it should be possible
to control air space, independent of the physical location of the controller.
4.2 Experiment I
The specication work in this project has been carried out by Johannes Horl, a
student of the author. He had a training of a one semester course in VDM, but
no domain knowledge of voice communication in air trac control. In this project,
VDM
++
has been used the rst time in our group for specifying the requirements
of a non-trivial system.
4.2.1 Requirements Validation
In the following, the techniques and results of modeling the system in VDM
++
are
presented. First, the informal UML model of the object-oriented architecture and
its tool-based mapping to VDM
++
classes are outlined. Then the specication of
frequency coupling serves to demonstrate the specication language of VDM
++
.
Finally, the statistics of the errors found in the informal requirement documents is
presented.
4.2. EXPERIMENT I 47
Architecture of the System
In order to structure the specication, an object-oriented architecture reecting
the physical components has been chosen. The states and methods of the four
classes OP, SWITCH, LIF and RIF dene the main functionality of the system.
Additional auxiliary classes have been used to dene system-wide constraints and
conguration details. Figure 4.4 shows the relations between these classes in UML
notation. The UML class diagrams have been automatically generated from the
formal class specication using the IFAD VDM
++
Toolbox link to the Rational
Rose 98 CASE-tool [IFA98].
LIF
id : LIF_ID
s witch : @SWITCH
RIF
id : RIF_ID
s witch : @SWITCH
OP
id : OP_ID
s witch : @SWITCH
SWITCH
ops : s et of @OP
lifs : s et of @LIF
rifs : s et of @RIF
lifs
0..*
switch
0..*
rifs
switch
switch
0..*
ops 0..*
0..*
0..*
Figure 4.4: Main class relations (in UML notation).
The following specication describes the architecture of the VCS 3020S system in
VDM
++
notation. Here, the specications of the classes RIF and LIF are skipped,
since they are similar to the one of the OP class.
class OP
instance variables
id : OP-ID;
switch : @SWITCH
end OP
class SWITCH
instance variables
ops : @OP-set;
inv ops
card ops 24;
lifs : @LIF-set;
inv lifs
card lifs 96;
rifs : @RIF-set;
inv rifs
card rifs 48
end SWITCH
The bidirectional associations between the components are specied as sets of
references to each other. Additional invariants constrain the number (cardinality)
of possible operator positions and interfaces.
48 CHAPTER 4. INDUSTRIAL EXPERIENCES
An Example of the Systems Functionality
Within the scope of this project, specication has been limited to the radio commu-
nication system part, since this is the most safety critical part and thus of particular
interest for analyzing the use of formal methods. In order to keep the demonstration
example small, discussion is primarily focussed on the function Coupling/Radio
Re-transmission in this thesis.
Note, that a physical frequency used for voice transmission is associated with
a single Radio Interface (RIF) of the system. The RIF includes hardware and
software necessary for the voice communication and the associated signaling, like
the PTT signal and the SQUELCH-Break signal. It is not possible to change the
physical frequency on which voice is sent or received from within the VCS 3020S
system. The system represents these frequencies as frequency objects, which have a
number of possible operations. The Coupling/Radio Re-transmission function is
one of them.
With this function the operator can couple two or more frequencies. This means
that voice received on one frequency is automatically (re-)transmitted on the other
coupled frequencies. By means of this feature, two pilots, operating on dierent
frequencies, are enabled to talk to each other using the VCS 3020S system. Coupling
can be switched on/o for each frequency at the operator position and all frequencies
coupled form a so-called coupling group. Consequently, several dierent coupling
groups may exist, one at each operator position.
The instance variable frq-couplings of the class SWITCH stores the coupling
groups as a nite mapping from operator positions to sets of frequencies. The
SWITCH has to guarantee, that a frequency can only be member of a single coupling
group and that not more than 15 frequencies are in one coupling group. This
property is expressed by means of a data-invariant denoted by the keyword inv.
instance variables
frq-couplings : OP-ID
m
(FRQ-ID-set);
inv frq-couplings
(s rng frq-couplings card s 15)
(card rng frq-couplings > 1
rng frq-couplings = );
init objectstate
frq-couplings : = ;
The following two methods are called from the OP if frequency coupling is
switched on or o for a frequency. The purpose of the method O-FrqCouplingStart
is to decide, whether frequency coupling is allowed for the given frequency or not.
If the invariant of frq-couplings would be violated, false is returned, otherwise the
frequency is added to the coupling group associated with the OP.
4.2. EXPERIMENT I 49
methods
O-FrqCouplingStart (op : OP-ID, frq : FRQ-ID) value B
if frq
rng frq-couplings
(op dom frq-couplings card frq-couplings (op) > 14)
then return false
else ( if op dom frq-couplings
then frq-couplings : = frq-couplings
op frq frq-couplings (op)
else frq-couplings : = frq-couplings op frq;
return true
)
pre op frqs (frq).tx
The method O-FrqCouplingEnd is the counterpart of the previous one. It is
used to switch o the coupling of a particular frequency. The frequency is either
removed from the coupling group, or the whole coupling group entry is removed, if
the frequency was the last one in the coupling group.
methods
O-FrqCouplingEnd (op : OP-ID, frq : FRQ-ID)
if card frq-couplings (op) = 1
then frq-couplings : = op frq-couplings
else frq-couplings : = frq-couplings op frq-couplings (op) frq
pre op dom frq-couplings frq frq-couplings (op)
The specication of the OP is not shown here. It mainly deals with details of the
MMI (Man Machine Interface) in order to call methods of the SWITCH. However,
the specication of the OP has been important, to be able to formulate system
test-cases at the appropriate level of abstraction.
Analysis of Identied Issues
During the formal specication of the VCS 3020S system a total number of 64
ambiguous, contradictory, unclear or erroneous issues have been found in the various
documents of the system. Figure 4.5 shows the statistics of them. The issues
categorized as Reading have been detected by active reading the documents, having
a clear vision of the modeling method to be carried out.
After about a month of practical experience with the system parts, the informal
documents have been read again and thereby more issues have been found, which
have been categorized as Reading with system knowledge. Next the conguration, i.e.
the static initial state of the system, and the functionality of the system have been
specied. The issues found thereby have been named Specication of conguration
and Specication of functionality, respectively. The reader should note that there
is an enormous dierence in the type of issues found by reading the documents
50 CHAPTER 4. INDUSTRIAL EXPERIENCES
20
8
5
17
12
0 0
2
0
5
10
15
20
25
Reading Reading with system-
knowledge
Specification of
configuration
Specification of
functionality
I
s
s
u
e
s
Ambiguous, contradictiory or unclear issues
Erroneous issues
Figure 4.5: Statistics of the identied issues
in comparison to those found by writing the formal specication. A typical error
found by reading the documents would be a missing character in a table of valid
characters for a congurable name. Contrary to this, an issue found by specifying
the functionality of the system typically deals with undened behavior of the system
under certain conditions or/and after a specic sequence of user actions. It would
have been very dicult or even impossible to nd such issues only by reading or
reviewing the documents, even if this is carried out by a VCS 3020S system expert.
The identied issues have been resolved and the results have been integrated into
the informal documents, which is certainly helpful to improve the overall quality of
the system.
4.2.2 Test Case Validation
The formalization of the test cases is shown by means of an example. Figure 4.6
is a copy of the informal test case Frequency Coupling out of the Internal Test
Specication of FREQUENTIS.
It can be seen in Fig. 4.6 that a test case is divided into several steps. Each step
requires an action from the test-personnel. The expected reaction of the VCS 3020S
system, which is considered to be correct is specied in the reaction column for each
test-step. The test-personnel has to check, whether the reaction of the system is
identical to the specied behavior or not.
The formal specication of test cases follows the informal specication closely.
The actions required for every step of the informal specication are explicitly speci-
ed as method invocations. These methods have a prex E- to indicate the exter-
nal call mechanism. The informally specied reactions after the actions are formally
dened as calls to observation methods with the prex Test-. The VDM
++
spec-
ication in Figure 4.7 is the formalization of the informal test case presented in
4.2. EXPERIMENT I 51
Step
No.
Actions Reactions OK Remarks
1 Couple frequency 1 with
frequency 2 by pressing the
<CPL> key on both frequency
objects.
The frequencies are coupled
(the coupling symbol
appears for both frequencies).
All audio received on
frequency 1 is transmitted on
frequency 2 and vice versa.
2 Press PTT Voice is routed to frequency 1
and 2
3 Activate TX for frequency 3 Frequency 1 and 2 are still
coupled, so all audio received on
frequency 1 is transmitted on
frequency 2 and vice versa.
Attention: no voice is routed to
frequency 3
4 Press PTT Voice is routed to frequency 1, 2
and 3.
5 Stop the frequency coupling by
pressing the <CPL> key on
both frequency objects again.
The frequency coupling symbol
( ) disappears.
Figure 4.6: Informal test case for the Coupling/Radio Re-transmission feature.
Figure 4.6.
The action part of the rst step of the informal test case is represented by the
rst two calls of the method E-FrqChangeCoupling of the class op1 (which represents
an Operator Position). This call turns the frequencies with the ids 1 and 2 into
transmit mode and couples them. The following two calls to the method Test-
IsFrqCoupled check if it succeeded. This corresponds to the reaction part of the
informal test case. These test methods return a boolean value and the conjunction
of these values is the total result of the test case.
The test steps 24 have been formalized using the same pattern. The steps 2
and 4 require, that the PTT key has to be pushed (formalized with the E-PttPush
method). Note, that the PTT key also needs to be released after the reaction has
been tested (formalized with the E-PttRelease method). This is not mentioned in
the informal test case. Furthermore, the last three method invocations are not part
of the informal test case specication. These method invocations bring the system
back into its initial state. This is very important, since the next test case to be run
assumes that the system is in this initial state. When the real system is tested, it is
assumed that the the test personnel sets the system into an appropriate state before
a test is performed.
The example shows how the specication based test automation leads to a more
precise test case description. The results of a test case are not relevant for the test
coverage analysis, but further condence into the formal specication is gained by
checking them.
52 CHAPTER 4. INDUSTRIAL EXPERIENCES
methods
TestCoupling () value B
( dcl result : B : = true;
op1!E-FrqChangeCoupling (mk-FRQ-ID (1)) ;
op1!E-FrqChangeCoupling (mk-FRQ-ID (2)) ;
result : = result op1!Test-IsFrqCoupled (mk-FRQ-ID (1))
op1!Test-IsFrqCoupled (mk-FRQ-ID (2));
op1!E-PttPush () ;
result : = result rif 1!Test-IsPttActiveBy (mk-OP-ID (1))
rif 2!Test-IsPttActiveBy (mk-OP-ID (1));
op1!E-PttRelease () ;
op1!E-FrqChangeTx (mk-FRQ-ID (3)) ;
op1!E-PttPush () ;
result : = result rif 1!Test-IsPttActiveBy (mk-OP-ID (1))
rif 2!Test-IsPttActiveBy (mk-OP-ID (1))
rif 3!Test-IsPttActiveBy (mk-OP-ID (1));
op1!E-PttRelease () ;
op1!E-FrqChangeCoupling (mk-FRQ-ID (1)) ;
op1!E-FrqChangeCoupling (mk-FRQ-ID (2)) ;
result : = result op1!Test-IsFrqCoupled (mk-FRQ-ID (1))
op1!Test-IsFrqCoupled (mk-FRQ-ID (2));
op1!E-FrqChangeRx (mk-FRQ-ID (1)) ;
op1!E-FrqChangeRx (mk-FRQ-ID (2)) ;
op1!E-FrqChangeRx (mk-FRQ-ID (3)) ;
return result
)
Figure 4.7: Formalized test cases.
Coverage Analysis Results
By means of the IFAD VDM
++
Toolbox all test cases for the specied functionality
have been animated. Thereby, runtime information, i.e. which expressions/statements
have been evaluated, has been collected.
The overall result of this analysis is that approximately 80% of the formal spec-
ication is covered by the test cases, leaving some 20% of the specications func-
tionality untested! The result is of major importance since it points out that an
unacceptable large part of the radio functionality of the VCS 3020S system remains
untested in the system integration test phase. A more detailed summary is shown
in Table 4.1.
The IFAD VDM
++
Toolbox can also generate a colored specication, i.e. the
covered and not covered parts of the specication are pretty-printed with dierent
4.2. EXPERIMENT I 53
Class Name Number of Methods Coverage
OP 31 91%
RIF 11 70%
SWITCH 35 79%
average 83%
Table 4.1: Summary of the test coverage results
colors. The colored specication can be used to nd missing test cases. At present,
it is not possible to generate the missing test cases automatically, however, it is
possible to nd the missing test cases systematically. Based on this information
new test cases have been specied and a re-run of the test coverage analysis showed,
that 99% of the formal specication were covered by the combination of the old and
the new test cases, which is an acceptable coverage ratio.
4.2.3 Remarks on Experiment I
Issues
The whole model is about 2400 lines
5
of VDM
++
specication. About 1000 lines
have been used for the test cases and the Workspace, which was necessary to make
the specication executable.
During the development of the formal model, a total number of 64 defects have
been found in the informal system documents. These ambiguous, contradictory,
unclear or erroneous issues have been summarized in a catalogue of questions. All
of them have been resolved, supported by system experts.
A main result of this work was the realization that only 80% of the systems
radio functionality has been covered by the former existing test cases. Consequently,
additional test cases have been derived out of the formal specication. Furthermore,
the specication high-lighted how much more economic test cases could be designed,
in order to cover more system functionality in a single run.
Eorts
During the whole work of this project, the amount of time spent on dierent tasks
has been recorded. The summary in Fig. 4.8 shows the eorts, which have been
necessary for the dierent tasks. This information can be used for estimating the
costs of future projects.
Note, that the time-eorts have been recorded on a per hour basis. This means
that the values have not been estimated after an activity has been performed. The
eort has rather been recorded while the work has been performed.
5
The VDM
++
LOCs have been determined by removing all comments and counting only lines
with more than 2 characters
54 CHAPTER 4. INDUSTRIAL EXPERIENCES
1,2
2,3
3,5
1,2
1,1
3,0
Read FRQ Documents
Read FM Literature
Formal Specification
Test Coverage Analysis
Modification
Meetings, Presentations
Working times are given in
40 hour units (approx. 1 week)
Figure 4.8: Time analysis for the whole work
As can be seen from the gure, the time eorts have been categorized. The time
spent on reading the documents of the VCS 3020S system (Read FRQ Documents)
was rather short because of an additional practical work with the existing VCS 3020S
system. About twice the time has been spent on reading literature about formal
methods (Read FM Literature). For the specication of the architecture and the
functionality of the system 3
1
2
weeks have been used. The amount of time spent
on the test coverage analysis also includes the time spent to nd the additional
test cases. The time used for the coverage analysis and for modications due to
requirement changes seems to be extremely short. About three weeks have been
spent to prepare and make several presentations and for numerous meetings.
Experience with VDM
++
The specication was done using the VDM
++
language denition of the IFAD
VDM
++
Toolbox version 6.0. Besides some minor errors which have been discovered
in the Toolbox, the main drawbacks, that have been discovered, were found on the
VDM
++
language itself, three of them are worth being pointed out:
Type denitions inside a class are not public. Thus, types dened in one class
cannot be used in another. The consequence is that an articial inheritance
hierarchy has to be created in order to make types available to more than one
class.
Method calls are not allowed in expressions.
Member variables are private and can therefore only be accessed via methods.
This property combined with the previous one can be considered as the worst
drawback of VDM
++
, since it is not possible to make implicit specications
without either calling methods from within expressions in order to retrieve
values from other objects member variables, nor is it possible to get access to
these member variables directly.
4.3. EXPERIMENT II 55
The consequence of these limitations is, that it is in most cases impossible to give
implicit specications, and so we felt that the specication became much too explicit.
It is worth mentioning, that IFAD has also identied these drawbacks independently
and a newer version of the Toolbox with a changed language denition is already
available.
The success and acceptance of our method depends mainly on tool support.
Consequently, the development of tools to support the generation of test cases can
be identied as a central issue for future work. One experience is that professional
testers are seriously interested in the presented techniques, since they try to improve
their testing techniques continuously.
Concerning VDM
++
, the new language version has to be evaluated. Future
case studies will show, if the reported weaknesses have been solved. For the next
experiment, the author has taken the decision that conventional VDM-SL is sucient
for our purposes.
However, it should be pointed out that the encouraging results convinced FRE-
QUENTIS to take the second step: A new project in co-operation with our institute
has been carried out. This time, VDM-SL is used in parallel to an ongoing project,
in which a safety-critical system has to be developed from scratch. The results are
reported in the next section.
4.3 Experiment II
The specication work in this project has been carried out by Andreas Gerstinger, a
student of the author. Due to our experiences with VDM
++
in this project VDM-SL
has been used as the specication language. This decision proved to be right since
a higher level of abstraction of the VDM prototype could be observed.
4.3.1 Requirements Validation
The requirements are contained in a regularly updated document of almost 3000 re-
quirements formulated in natural language. The task of the formal methods engineer
was to create an executable model of a part of the systemspecically a network
nodewhich plays a crucial role. There was also a rst version of the architectural
design document available which was helpful for gaining a general overview of the
network node, however, the formal specication is solely based on the requirements.
The formal methods engineer had no domain knowledge in air trac control.
Therefore, he was introduced to the domain and the system to be developed in a
1
1
2
day training session held by a system engineer. It should be mentioned that
the formal methods engineer was not directly involved in the main projectthe
formalization was done in parallel.
The rst step was an intense study of the requirements and architectural design
document. The formal methods engineer was not given a list of requirements to be
56 CHAPTER 4. INDUSTRIAL EXPERIENCES
formalized, he was rather instructed to formalize certain functionalities. Although
the requirements document did contain some structure, one of the most challenging
tasks was the selection of the relevant requirements.
The next step was the actual formalization of the selected requirements. The for-
mal model was constructed in two stages: rst a model of the systems state, using
types constrained by data-invariants, then the functional model containing the op-
erations. This formalization process yielded the most valuable output. Formalizing
requirements requires understanding them rigorously and in an unambiguous way.
Since natural language requirements are doomed to be ambiguous, several questions
have been raised during the formalization process. These questions have been incor-
porated into a catalog of questions which was regularly exchanged between the
formal methods engineer and the requirements manager. During the whole project,
108 questions have been raised, with 33 of them resulting in changes in the require-
ments document. These questions uncovered inconsistencies, ambiguities, errors,
omissions, redundancies and inaccuracies in the requirements documentwhich are
unavoidable in textual requirements documents of this size. This led to an improve-
ment in the quality of the requirements.
Studying the documents and selecting the relevant requirements took 5.5 weeks,
the actual formalization process took another 6.5 weeks for 140 requirements. The
size of the formal specication was 60 pages including comments.
This phase could have been completed in considerably shorter time if it would
have been performed by a domain expert. We believe however, that in this phase,
the lack of domain knowledge is not a disadvantagein contrastit might be advan-
tageous because of the type of unbiased questions which arise. This phase resembles
a validation of the requirements.
4.3.2 Examples of Requirement Issues
The following examples demonstrate the kind of issues being raised during the for-
malization process. Relatively simple examples are chosen to keep the explanations
at a minimum.
Layout of a Touch Panel
The example is about the key layout on the touch panels of the OPs. If an OP
handles the functionality of a specic role, we say the OP has the role assigned.
Roles are grouped into function groups. A function group contains roles which have
similar functionality. A VCS may have a special OP with additional functionality
which is called Test-OP. The original requirements for displaying the correct layout
of a touch panel are summarized in Figure 4.9.
If these requirements in plain text are read quickly, they seem to be quite rea-
sonable. However, if they are read more thoroughly they give rise to questions. If
they are read with the process of formalization in mind, they give rise to even more
4.3. EXPERIMENT II 57
ID Text
#0025 A function group contains all roles which have about the
same function and therefore have the same key layout.
There are up to 9 function groups 1..9. Each role belongs
to exactly one function group. The function group 0
contains the key layout for OPs which own roles from
more than one function group.
#0042 If an OP has roles from more than one function group
assigned, a default layout shall be displayed.
#0062 If all assigned roles belong to the same function group,
the key layout corresponding to the function group shall
be displayed.
#1047 The key layout of the Test-OP must always be the layout
of the function group 0.
Figure 4.9: Requirements for the touch panel layout on OPs
questions. And once the actual formalization takes place, even more issues may be
raised. This was the process by which the whole project was conducted: some issues
were detected just by reading and having the formalization in mind, but some issues
require the actual formalization to be raised. Since the goal of the formalization
was an executable specicationa high level prototypethe focus was also on im-
plementation. Issues were raised which might otherwise have been detected much
later in the project, namely in the implementation phase.
The most obvious inconsistency is the following. Requirement #0025 is inconsis-
tent in itself: First, it is stated that there are 9 function groups which are numbered
from 1 to 9. The same requirement, however, mentions function group 0! This is
an easy-to-detect inconsistency, which probably does not require formalization to be
uncovered.
However, if we read on, it will be seen that requirement #0042 talks about a
certain default layout. If we dont have the formalization in mind, we might just
think about this as a certain layout. However, if we view the default layoutin
connection with the other requirements, the question is raised if the layout of the
function group 0and the default layoutare equivalent. This is in fact true, so
there is an inconsistent terminology in the requirements.
An unambiguous specication can be given using VDM type denitions:
Functiongroup = N
inv f
f 1, . . . , 9;
Layout = Functiongroup [ DEFAULT;
58 CHAPTER 4. INDUSTRIAL EXPERIENCES
A data-invariant and a union type model the fact that there are 9 function groups
numbered 1 to 9, but ten layouts: one for each function group plus an additional
default layout.
During the formal specication of the actual layout calculation another issue was
raised. So far we know:
if an OP has roles from only one function group, the layout of the function
group shall be displayed.
if an OP has roles from more than one function group, the default layout shall
be displayed.
the Test-OP shall always display the default layout.
Below, the formal denition is shown:
CalcLayout : APLID VCSID
o
Layout
CalcLayout (opid, vcsid)
( if is-TestOP (vcss, opid)
then return DEFAULT
else let assigned-roles = get-roles-of -OP (rv, opid),
functiongroups = get-fg (roles, vcsid, rid) [ rid assigned-roles in
cases functiongroups:
return DEFAULT,
f return f ,
others return DEFAULT
end
)
The if-clause is used to display the correct layout on the Test-OP. Then, the set
of assigned function groups is constructed from the set of assigned roles with the
help of a set comprehension expression. In the following cases statement, a layout
is returned depending on the set of function groups. A set can have one, more, or
no elements. The case for one or more function groups (i.e. the second and third
branch of the cases statement) is covered in the requirements. However, what if an
OP has no roles (and therefore no function groups) assigned? This case (i.e. the
rst branch of the cases statement) is not covered in the requirements!
This is not necessarily an error in the requirements, since this case may have
been deliberately omitted, and left to the discretion of the engineers responsible
for the following phases. In this case, it could have been left open in the formal
specication as well. However, it was not meant to be left open. There should be a
requirement saying:
If an OP has no roles assigned, a default layout shall be displayed.
4.3. EXPERIMENT II 59
ID Text
#1735 If several roles come into question, then an InterCOM
connection will be prioritized. If no InterCOM role is
available, the lowest role will be used.
Figure 4.10: Part of the rules to determine the source of a call
Order of Roles
This is an example of an ambiguity in the requirements. A controller can initiate calls
to other controllers by using the devices on his OP. On the receiving controllers OP,
the call is signaled, together with the source information of who initiated the call, i.e.
a caller can be identied before the call is answered. The diculty with this concept
is the following: since OPs can be assigned functionalities (called roles) dynamically,
the source information depends on the assigned roles of the initiating OP. Therefore,
there have to be some rules of how the source information is determined. The
requirement in gure 4.10 is part of these rules.
It is not important to understand the requirement. However, when formalizing
this requirement, there willat some pointbe the need to determine the lowest
role from a set of roles.
In order to formalize this requirement correctly, there must be a total order
dened on the roles. However, this is not the casethe corresponding requirement
is missing. It is interesting to note, that it was not even clear among the system
specialists which order is meant, since roles can be ordered by dierent attributes.
Even test cases were generated, based on a wrong assumption of an engineer. The
requirement has been claried by exactly stating the desired order of the roles.
4.3.3 Test-Case Validation
For parts of the functionality covered by the formal specication, conventionally
designed test-cases already existed. These test-cases were formulated in a very
clearwe call it semi-formalway. Each test case is broken down to atomic actions
and the results of each action are specied in great detail.
The task of the formal methods engineer was to formalize these test-cases and
animate them on the formal specication using the interpreter tool. There were 65
test-cases consisting of approximately 200 single steps of which 60% were formal-
ized. Due to the detailed specication of the test cases, their formalization was a
straightforward task.
By comparing the expected results specied in the original test-cases with the
results returned by the formal specicationwhich acted as a prototypea test-
case validation has taken place. 16 errors within the original test-cases have been
detected and could therefore be corrected. Furthermore, the animation of test cases
60 CHAPTER 4. INDUSTRIAL EXPERIENCES
also led to a validation of the formal model. Seven minor errors were found in the
formal specication and consequently corrected. Another output of this stage was
the calculation of the test coverage of the formalized test cases with the help of the
test coverage metrics built-in in IFADs VDMTools.
It was realized that this coverage metrics, which is basically expression coverage,
is rather weak and that complete coverage was quickly attained. This is also due to
the fact that the conventional test-cases were designed in a very thorough manner:
for each requirement one or more test-cases have been specied. The time eort for
the formalization and animation of the test-cases was 2 weeks.
4.3.4 Remarks on Experiment II
Summing up, the formalization of 140 requirements uncovered 108 open issues lead-
ing to 33 changes in the requirements document, and 16 errors in the acceptance
test-cases have been detected. This was done in 14 man weeks. Considering the
fact that requirements engineering is one of the most dicult parts in a project this
eort seems to be acceptable. Especially, in a safety-critical domain like air trac
control, where voice communication must not fail. The customer Austro-Control
appreciated the increased rate of early questions for clarication. The requirement
engineer Robert Aster said:
In the mentioned project, the application of VDM took place at a rela-
tively late stage. At this time, each member of the project team already
possessed a high level of insider-knowledge. Considering this fact, it was
even more astonishing, that the VDM-engineer quickly became familiar
with the complex subject. Subsequently, the application of VDM quickly
led to qualied questions. Consequently, several inconsistencies in the
requirements were uncovered and corrected prior to the implementation
phase. Apart from this, it was realized that several requirements were
well known to the members of the project team without being actually
written down.
This emphasizes the important catalyst role the formalization plays in validation.
However, the experience indicates that this method could be much more eective if
it would be more tightly integrated into the conventional development process.
4.4 Summary and Discussion
In this chapter the results of two experiments of applying light-weight formal meth-
ods to testing, have been presented. The experiments have been carried out in an
industrial environment in the highly safety-critical domain of voice-communication
for air-trac control. Both experiments followed the method as described in Chap-
ter 3. Examples of parts of the abstract prototype specication served to illustrate
the formalisms and their role in validation.
4.4. SUMMARY AND DISCUSSION 61
Experiment I detected 64 problems in the requirement documentation of the
existing voice communication system. Furthermore, an unacceptable low coverage
rate of 80 % has been analyzed by testing the abstract prototype with the existing
system-level test-cases. As a consequence, additional test-cases have been derived
from the formal specication. The work has been done in less than 13 man-weeks.
Experiment II detected 33 problems in the requirements documentation of the
new voice communication network under development. This time the existing test-
cases covered 100 % of the abstract prototype, but the 65 test-cases with 200 test-
steps contained 16 faults. Since almost all detected faults occurred in dierent test-
cases, this means that approximately 25 % of the test-cases have been erroneous.
The eort took 14 man-weeks.
These results indicate the ecient applicability of our light-weight approach in
practice. The high number of faults in the requirements reect the fact that require-
ments engineering is a dicult task. It has been shown that formal specications
may help to raise the quality of both, the requirements and the system-level test
cases. That supervised students could do this work underpins our opinion that the
method could be adopted by practicing engineers. Furthermore, the author thinks
that the eorts are justiable, especially for such safety-critical applications.
However, the experiments also showed that more can be achieved. We learned
that executable specications have the disadvantage that non-experienced users tend
to think too operationally. Consequently, the prototypes lack abstraction and in-
corporate too many design details. However, the engineers liked the availability of
test-cases to validate our formal specications.
The solution is a test-case generation method that derives the complex test-
cases from a general non-executable formal specication. These test-cases have to
be correct by denition. A premise for using test-cases for validating a specication
is that they are correct with respect to the specication.
Therefore, a new test-case synthesis method has been developed by the author
and is presented in the following. The general correctness relation for all kinds of
test-cases is abstraction, as is explained in the following chapter.
62 CHAPTER 4. INDUSTRIAL EXPERIENCES
Chapter 5
Test-Cases are Abstractions!
In this chapter, the foundation for the new test-case synthesis approach is presented.
It is shown that test-cases are abstractions of model-based formal specications. The
framework of the renement calculus is used for formally dening and proving this
abstraction relation for simple input-output test cases, non-deterministic test cases,
partition test cases and test scenarios for interactive systems. A short introduction
to the renement calculus is included.
5.1 The New Idea
5.1.1 Motivations
In the concluding discussion of the previous chapter, the motivation for our new
test-synthesis approach has been given: Test-cases must be correct with respect to
the formal specication. Here, by the correctness of a test-case it is meant that
the functionality described by a test-case (for a given input) must be consistent
with the functionality described by the formal specication. The reason is that the
test-cases should serve as a tool for validating an abstract possibly non-executable
formal requirement specication. Test-cases can be easily understood by a customer
or engineer who is not familiar with a formal specication language.
A further motivation for this work is the need of a general formal framework
for certifying test-case generation tools. Simon Burton has a similar motivation in
his work on Z that has been recently published [Bur00]. However, our framework is
more general as will be seen in the following.
5.1.2 Test-Design as a Formal Synthesis Problem
As can be seen in the previous chapter, test-cases are complex algorithms that have
to be executed either by a tester manually, or by test drivers.
The goal of our framework, is the derivation of such test-cases T from a formal
specication S. A test-case T should be correct with respect to S, and a program
63
64 CHAPTER 5. TEST-CASES ARE ABSTRACTIONS!
P that implements S should be tested with T. Thus, the derivation of T from S
constitutes a formal synthesis problem. In order to formalize a certication criteria
for this synthesis process, the relation between T, S and P must be claried.
It is well-known that the relation between a specication S and its correct im-
plementation P is called renement. We write
S _ P
for expressing that P is a correct renement (implementation) of S. The problem
of deriving an unknown P? from a given S is generally known as program synthesis:
S _ P?
In this chapter, it is shown that correct test-cases T are abstractions of the
specications S, or:
T _ S _ P
Consequently, test-case synthesis is a reverse renement problem. The reverse
renement from a given S into an unknown test-case T? is here called abstraction,
and denoted as:
S _ T?
Hence, formal synthesis techniques can be applied for deriving test-cases from
a formal specication. This is the most important idea in this thesis. Its main
contribution is to use the theory of Back and von Wrights renement calculus
[BvW98] for formulating abstraction rules for deriving correct test-cases.
The renement calculus is a theory for reasoning about the correctness and the
renement of programs. In the following it is shown how its program synthesis
techniques can be applied to test-case synthesis.
5.2 The Renement Calculus
5.2.1 Contracts
The prerequisite for testing is some form of contract between the user and the
provider of a system that species what it is supposed to do. In case of system-
level testing usually user and software requirement documents dene the contract.
Formal methods propose mathematics to dene such a contract unambiguously and
soundly. In the following two chapters the formal contract language of Back and von
Wright [BvW98] is used. It is a generalization of the conventional pre- and post-
condition style of formal specications known in VDM, B and Z. The foundation of
this renement calculus is based on lattice-theory and higher-order logic (HOL).
5.2. THE REFINEMENT CALCULUS 65
A system is modeled by a global state space . A single state x in this state
space is denoted by x : . Functionality is either expressed by functional state
transformers f or relational updates R. A state transformer is a function f :
mapping a state space to the same or another state space .
A relational update R : Bool species a state change by relating the
state before with the state after execution. In HOL, relations are modeled by func-
tions mapping the states to Boolean valued predicates. For convenience, a relational
assignment (x: = x
, holds.
The language further distinguishes between the responsibilities of communicating
agents in a contract. Here, the contract models the viewpoint of one agent called
the angel who interacts with the rest of the system called the demon. In our work
following [BvW98, BMvW99], the user is considered the angel and the system under
test the demon. Relational contract statements denoted by R express relational
updates under control of the angel (user). Relational updates of the demon are
denoted by [R] and express updates that are non-deterministic from the angels
point of view. Usually, we take the viewpoint of the angel.
The contract statement f ) denotes a functional update of the state determined
by a state transformer f . There is no choice involved here, neither for the angel nor
the demon agent, since there is only one possible next state for a given state.
Two contracts can be combined by sequential composition C
1
; C
2
or choice op-
erators. The angelic choice C
1
. C
2
and the demonic choice C
1
C
2
dene non-
deterministic choice of the angel or demon between two contracts C
1
and C
2
. Fur-
thermore, predicate assertions p and assumptions [p] dene conditions the an-
gel, respectively the demon, must satisfy. In this language of contract statements
p; f ) denotes partial functions and p; [R] pre-postcondition specications. Fur-
thermore, recursive contracts, using the least x-point operator and the greatest
x-point operator , are possible for expressing several patterns of iteration.
The core contract language used in this work can be summarized by the following
BNF grammar, where p is a predicate and R a relation.
C: = p [ [p] [ R [ [R] [ C; C [ C . C [ C C [ X C
To simplify matters, we will extend this core language by our own contract
statements. However, all new statements will be dened by means of the above
core language. Thus, our language extensions are conservative. This means that no
inconsistencies into the theory of the renement calculus are introduced by our new
denitions.
5.2.2 Example Contracts
A few simple examples should illustrate the contract language. The following con-
tract is a pre- postcondition specication of a square root algorithm:
66 CHAPTER 5. TEST-CASES ARE ABSTRACTIONS!
x 0 e > 0; [x: = x
[ -e x x
2
e]
The precondition is an assertion about an input variable x and a precision e. A
relational assignment expresses the demonic update of the variable x to its new value
x
. Thus, the contract is breached unless x 0 e > 0 holds in the state initially.
If this condition is true, then x is assigned some value x
2
e
holds.
Consider the following version of the square root contract that uses both kinds
of non-determinism:
x, e : = x
, e
[ x
0 e
> 0; [x: = x
[ -e x x
2
e]
In this contract the interaction of two agents is specied explicitly. This contract
requires that our agent, called the angel, rst chooses new values for x and e. Then
the other agent, the demon, is given the task of computing the square-root in the
variable x.
The following example should demonstrate that programming constructs can be
dened by means of the basic contract statements. A conditional statement can be
dened by an angelic choice as follows:
if P then S
1
else S
2
P; S
1
. P; S
2
Thus, the angel agent can choose between two alternatives. The agent will,
however, always choose only one of these, the one for which the assertion is true,
because choosing the alternative where the guard is false would breach the contract.
Hence, the agent does not have a real choice if he wants to satisfy the contract.
Alternatively, we could also dene the conditional in terms of choices made by
the other agent (demon) as follows:
if P then S
1
else S
2
[P]; S
1
[P]; S
2
These two denitions are equivalent. The choice of the demon agent is not
controllable by our agent, so to achieve some desired condition, our agent has to
be prepared for both alternatives. If the demon agent is to carry out the contract
without violating our agents assumptions, it has to choose the rst alternative when
P is true and the second alternative when P is false.
Iteration can be specied by recursive contracts (X C). Here X is a variable
that ranges over contract statements, while (X C) is the contract statement C,
where each occurrence of X in C is interpreted as a recursive invocation of the
contract C. For example, the standard while loop is dened as follows:
while g do S od (X if g then S; X else skip )
We write skip = id) for the action that applies the identity function to the
present state.
5.2. THE REFINEMENT CALCULUS 67
5.2.3 Semantics
The semantics of the contract statements is dened by weakest precondition pred-
icate transformers. A predicate transformer C : ( Bool) ( Bool) is a
function mapping postcondition predicates to precondition predicates. The set of
all predicate transformers from to is denoted by ( Bool)
( Bool).
The dierent roles of the angel and the demon are reected in the following
weakest-precondition semantics. Here q denotes a postcondition predicate and
a particular state, p is an arbitrary predicate, and R a relation. Following the
convention, we identify contract statements with predicate transformers that they
determine. The notation f .x is used for function application instead of the more
common form f (x).
p.q p q (assertion)
[p].q p q (assumption)
R.q. ( R.. q.) (angelic update)
[R].q. ( R.. q.) (demonic update)
(C
1
; C
2
).q C
1
.(C
2
.q) (sequential composition)
(C
1
. C
2
).q C
1
.q C
2
.q (angelic choice)
(C
1
C
2
).q C
1
.q C
2
.q (demonic choice)
In this semantics, the breaching of a contract by our angel agent, means that the
weakest-precondition is false. If a demon agent breaches a contract, the weakest-
precondition is trivially true. The semantics of the specication constructs above
can be interpreted as follows:
The weakest precondition semantics of an assertion contract reects the fact
that, if the nal state of the contract should satisfy the post-condition q,
then in addition the assertion predicate p must hold. It can be seen that the
global state is not changed by an assertion statement. Consequently, the angel
breaches this contract if p q evaluates to false.
The semantics of an assumption shows that the demon is responsible for satis-
fying an assumption predicate p. If the assumption does not hold, the demon
breaches the contract and the angel is released from the contract. In this case,
the weakest-precondition trivially evaluates to true.
The angelic update denition says that a nal state must exist in the rela-
tion R, such that the postcondition q holds. The existential quantier in the
weakest-precondition shows that the angel has control of this update. The an-
gel can satisfy the contract, as long as one update exists that satises the post-
condition. In the set notation this update is dened as R.q. R.q ,= .
68 CHAPTER 5. TEST-CASES ARE ABSTRACTIONS!
This is in contrast to the denition of the demonic update. Here, all possible
nal states have to satisfy the postcondition. The reason is that the demonic
update is out of our control. It is not known, to which of the possible states,
described by the relation R, the state variables will be set. In the set notation
this update is dened as [R].q. R. q.
The weakest-precondition of two sequentially combined contracts is dened by
the composition of the two weakest-preconditions.
The angelic choice denition shows that the weakest-precondition is the union
of the weakest-precondition of the two contracts. Thus, a further choice of the
angel, further weakens the weakest-preconditions.
The demonic choice is dened as the intersection of the weakest-preconditions
of the two contracts. Thus, demonic choice means a strengthening of the
weakest-preconditions.
For further details of the predicate transformer semantics, we refer to [BvW98].
5.2.4 Renement and Abstraction
The notion of contracts includes specication statements as well as programming
statements. More complicated specication statements as well as programming
statements can be dened by the basic contract statements presented above. The
renement calculus provides a synthesis method for rening specication statements
into programming statements that can be executed by the target system. The re-
nement rules of the calculus ensure by construction that a program is correct with
respect to its specication.
Formally, renement of a contract C by C
, written C _ C
, is dened by the
pointwise extension of the subset ordering on predicates: For being the after state
space of the contracts, we have
C _ C
q ( Bool) C.q C
.q
This ordering relation denes a lattice of predicate transformers (contracts) with
the lattice operators meet and join .. The top element is magic.q true, a
statement that is not implementable since it can magically establish every postcon-
dition. The bottom element of the lattice is abort.q false dening the notion
of abortion. The choice operators and negation of contracts are dened by point-
wise extension of the corresponding operations on predicates. A large collection of
renement rules can be found in [BvW98, Mor90].
Abstraction is dual to renement. If C _ C
to express C
is an abstraction of C. Trivially,
abstraction can be dened as
C _ C
_ C
Hence, abstraction is dened as the reverse of renement.
5.3 Test-Cases as Abstractions
In the following we will demonstrate that test-cases common in software engineering
are in fact contracts highly abstract contracts. To keep our discussion simple,
we do not consider parameterized procedures, but only global state manipulations.
In [BvW98] it is shown how procedures can be dened in the contract language.
Consequently, our approach scales up to procedure calls.
5.3.1 Input-Output Tests
The simplest form of test-cases are pairs of input i and output o data. We can
dene such an input-output test-case TC as a contract between the user and the
unit under test:
TC i o x = i ; [y: = y
[ y
= o]
Intuitively, the contract states that if the user provides input i , the state will be
updated such that it equals o. Here, x is the input variable and y the output
variable.
In fact, such a TC is a formal pre-postcondition specication solely dened for a
single input i . This demonstrates that a collection of n input-output test-cases TCs
are indeed pointwise dened formal specications:
TCs TC i
1
o
1
. . . . . TC i
n
o
n
Moreover, such test-cases are abstractions of general specications, if the specica-
tion is deterministic for the input-value of the test-case, as the following theorem
shows.
Theorem 5.1 Let p : Bool be a predicate, Q : Bool a relation on
states, and TC i o a test-case with input i in variable x and output o in variable
y. Then
p; [Q] _ TC i o (x = i ) p ([ x = i [; Q) [ y: = o [
, where
[ p [ denotes the coercion of a predicate p : Bool to a relation (here x = i ).
The relation [ p [ : Bool is dened as follows:
[ p [ .. = andp.
70 CHAPTER 5. TEST-CASES ARE ABSTRACTIONS!
[ f [ denotes the coercion of a state transformer f : to a relation (here
y: = o). The relation [ f [ : Bool is dened as follows:
[ f [ .. f . =
the composition operator ; is overloaded for relations. The relation composition
P; Q is dened as follows:
(P; Q).. ( P.. Q..)
Proof.
p; [Q] _ TC i o
by denitions
r p. Q. r (x = i ). [y: = y
[ y
= o].r
by denition of demonic relational assignment
r p. Q. r (x = i ). ( y
(y
= o) r[y: = y
])
by simplication of update
r p. Q. r (x = i ). r[y: = o]
by denition of substitution r: = (y: = y
[ y
= o).
p. Q. (y: = y
[ y
= o). (x = i ).
distributivity, subset denition
( (x = i ). p.)
(
(x = i ). Q..
(y: = y
[ y
= o)..
)
denitions
(x = i ) p [ x = i [; Q [ y: = o [
The fact that test-cases are indeed formal specications and as Theorem 1 shows
abstractions of more general contracts explains why test-cases are so popular. They
are abstract, and thus easy to understand. Furthermore, they are formal and thus
unambiguous.
Furthermore, the selection of certain test-cases out of a collection of test-cases
can be considered as abstraction:
5.3. TEST-CASES AS ABSTRACTIONS 71
Corollary 5.2
TC i
1
o
1
. . . . . TC i
n
o
n
_ TC i
k
o
k
for all k, 1 k n.
Proof. The theorem is valid by denition of the join operator a .b _ a or a .b _ b,
respectively.
[ ]
For being a correct test-case with respect to a contract this type of test-case
should be an abstraction of the contract.
Theorem 5.2 Let p : Bool be a predicate, Q : Bool a relation on
states, and TC2 i o a test-case with input i in variable x and output in variable y
such that the output predicate holds . Then we have:
p; [Q] _ TCp i (x = i ) p ([ x = i [; Q) [ [
The theorem shows that a test-case for non-deterministic results can be calcu-
lated by strengthening the precondition to a single input value and weakening the
postcondition to the outputs of interest. The fact that the output predicate might
be weaker than Q represents the case that not all properties of an output might be
observed. This can be useful if not all variables or only selected properties of the
output should be checked.
5.3.3 Partition Tests
Partition analysis of a system is a powerful testing technique for reducing the pos-
sible test-cases: Here, a contract is analyzed and the input domains are split into
partitions. A partition is an equivalence class of test-inputs for which the tester
assumes that the system will behave the same. These assumptions can be based
on a case analysis of a contract, or on the experience that certain input values are
fault-prone.
In case of formal specications, the transformation into a disjunctive normal
form (DNF) is a popular partition technique as already mentioned in the discussion
of the related work in Section 1. This technique is based on rewriting according the
rule A B (A B) (A B) (A B).
72 CHAPTER 5. TEST-CASES ARE ABSTRACTIONS!
A partitioning of a contract statement p; [R] is a collection of n disjoint par-
titions p
i
; [R
i
], such that
p; [R] = p
1
; [R
1
] . . . . . p
n
; [R
n
]
and
i , j 1, . . . , n i ,= j p
i
p
j
=
These partitions describe classes of test-cases, here called partition test-cases.
Often in the literature, if the context is clear, a partition test-case is simply called
a test-case.
Partition test-cases are abstractions of specications, too:
Theorem 5.3 Let p
i
; [R
i
] be a partition of a specication p; [R]. Then
p; [R] _ p
i
; [R
i
]
Proof. The result follows directly from the denition of partitioning above, and the
denition of ..
Above, only the commonly used pre-postcondition contracts have been consid-
ered. They are a normal form for all contracts not involving angelic actions. This
means that arbitrary contracts excluding . and R can be formulated in a pre-
postcondition style. (see Theorem 26.4 in [BvW98]). However, our result that
test-cases are abstractions holds for general contract statements involving user inter-
action. In order to justify this, user-interaction has to be discussed with respect to
testing. The next section will introduce the necessary concepts.
5.4 Testing Interactive Systems
The synthesis of black-box tests for an interactive system has to consider the pos-
sible user actions. Furthermore, simple input-output test-cases are insucient for
practical systems. Moreover, sequences of interactions, called scenarios, are nec-
essary for setting the system under test into the interesting states. Consequently,
scenarios of the systems use have to be developed for testing.
Scenarios are gaining more and more popularity in software engineering. The
reasons are the same as for other test-cases: Scenarios are abstractions of an inter-
active system. For a comprehensive introduction into the dierent roles of scenarios
in software engineering see [JKS98]. In this work, the focus is on validation and
verication.
5.4. TESTING INTERACTIVE SYSTEMS 73
5.4.1 User Interaction
Testing interactive systems, typically involves the selection of a series of parameters.
Some of these parameters can be entered directly, some have to be set up, by initiat-
ing a sequence of preceding actions. Adequate test-cases should distinguish between
these two possibilities of parameter setup. Therefore, simple pre-postcondition con-
tracts are not sucient to specify test-cases. Moreover, the testers interaction with
the system has to be modeled.
We dene an atomic interaction IA of a tester, as a composition of the testers
system update T and the following systems response Q.
IA T; [Q]
The fact that we dene an atomic interaction by means of angelic and demonic
updates does not exclude other contract statements for modeling interaction. Theo-
rem 13.10 in [BvW98] states that T;[Q] is a normal form, thus arbitrary contract
statements can be dened by means of interactions.
In this context a simple input-output test-case TCI i o includes the actual setting
of the input variable to i .
TCI i o x: = x
[ x
= i ; [y: = y
[ y
= o]
Again the abstraction relation holds for this kind of test-cases.
Theorem 5.4 Let T : Bool and Q : Bool relations on states,
and TCI i o a test-case with input i in variable x and output o in variable y. Then
T; [Q] _ TCI i o [ x: = i [ T Q [ y: = o [
Proof.
The theorem holds by homomorphism and monotonicity properties. For ab-
stracting an interaction, demonic updates may be weakened and angelic updates
strengthened.
(X S; X . skip)
Therefore, we have
do
n
i
g
i
: : S
i
od = (g
1
; S
1
. . . . . g
n
; S
n
)
Iterative choice should not be mixed with guarded command iterations used by
Dijkstra [Dij76]. Guarded command iterations are strong iterations dened by S
This abstraction rule denes the calculation of valid test scenarios. The goal
predicate is a condition that denes the states that should be reached by a sequence
of interactions. Trivially, it can be chosen to be true. For developing a scenario for
setting a system to a certain state, this goal predicate represents the corresponding
state description.
The theorem above shows that the question if a scenario terminates, can be
reduced to the question if two following interactions are composeable. From this
observation a new testing strategy will be derived in the next section.
5.5 Summary and Discussion
In this chapter, the theory of the renement calculus have been used for showing
that test-cases are abstractions of formal specications (contracts). The abstraction
relation have been proved for dierent kinds of test-cases. Simple input-output test-
cases, non-deterministic test-cases, test partitions, and test-sequences, here called
76 CHAPTER 5. TEST-CASES ARE ABSTRACTIONS!
test scenarios, have been covered. The presented theorems clarify the role that
test-cases play in a development process, formally we have:
test-cases _ specication _ implementation
The fact that many dierent types of test-cases can be handled, demonstrates
the generality of our approach of choosing abstraction as the correctness criterion for
test-cases. In contrast to previous work on testing, one criterion covers the simplest
form of input-output test-cases as well as the most complex sequences of test-cases.
Susan Stepney did use an abstraction relation, as well [Ste95]. However, in her
work abstraction is mainly used for nding and structuring partition test-cases for
object-oriented Z specications. She covered neither input-output test-cases, nor
test-sequences.
The important conclusion that can be drawn from this chapter is: Test-cases are
abstract formal contracts that partially dene a systems functionality.
The fact that test-cases are more abstract than formal specications that cover
the whole input-output domain, like pre- postconditions, does not imply that test-
cases are better suited for specication purposes.
Test-cases are indeed too abstract for replacing specications using a formal spec-
ication language. However, the reasons why test-cases are so popular in software-
engineering can be given in the presented context:
Test-cases are formal contracts. Therefore, they are more precise than natural
language specications.
Test-cases are abstract. The fact that test-cases include less detail than pro-
grams or pre- postcondition specications is the reason why they are easily
and quickly understood by engineers as well as by customers.
The theorems that have been presented in this chapter, are the prerequisite for
developing formal synthesis rules for testing. In the following chapter, such formal
abstraction rules are presented. The rules dene how test-cases can be calculated
from a formal specication. The dierent kinds of rules represent the dierent test
strategies how useful test cases are to be selected.
Chapter 6
Testing Strategies
A strategy for selecting test-cases is based on a hypothesis about faults in a pro-
gram. This chapter shows that such strategies can be formulated as formal synthesis
rules for deriving test-cases. This is a consequence of our observation that correct
test-cases are abstractions of contracts, as has been explained in Chapter 5. The ab-
straction rules of the prominent strategies of partition testing and mutation testing
are presented. In addition, it is shown that structural testing strategies are covered
by this approach.
Furthermore, a new technique for calculating sequences of test-cases, here called
scenarios, is presented. In contrast to previous work on test sequencing, our ap-
proach does not need to compute a nite state machine. This is in contrast to
previous work on testing from state-based specications. A well-known example
from the testing literature serves to demonstrate this unusual application of the
renement calculus in order to synthesize tests rather than implementations.
6.1 Partition Testing
Partition testing techniques are based on a uniformity hypothesis. This strategy
assumes that a system shows the same behavior for a certain partition of input
values. Therefore, once the equivalence partitions are selected, it is sucient to test
one case for every partition.
For partitioning model-based specications, [DF93] proposed the rewriting of
specications into their disjunctive normal form (DNF). This popular technique is
based on rewriting disjunctions with:
a b (a b) (a b) (a b)
The proof of the following abstraction rule for this well-known strategy high-
lighted a problem with this technique. In general, DNF-rewriting results in disjoint
partitions. Applied to a relational specication it gives disjoint input-output rela-
tions, but the input partitions (the domain of the relation) may overlap.
77
78 CHAPTER 6. TESTING STRATEGIES
In such pathological cases, selecting a test-case for each partition is not cor-
rect. If test-cases are derived for overlapping domains and the specication is non-
deterministic then two test-cases with the same input may dene two dierent de-
terministic outputs.
Therefore, the disjointness of the resulting input partitions dom.Q
i
is assumed
in the following synthesis rule.
Theorem 6.1 Let a and b be arbitrary Boolean expressions and Q
1
, Q
2
, Q
3
be
relations. The following rule for deriving partition test-cases from pre-postcondition
contracts is then generally valid:
[x: = x
[ a b] _ [Q
1
],
[x: = x
[ a b] _ [Q
2
],
[x: = x
[ a b] _ [Q
3
],
i , j 1, 2, 3 i ,= j dom.Q
i
dom.Q
j
=
[x: = x
[ a b] _ dom.Q
1
; [Q
1
] .
dom.Q
2
; [Q
2
] .
dom.Q
3
; [Q
3
]
Proof.
[x: = x
[ a b]
= by the DNF-partitioning rule
[x: = x
[ (a b) (a b) (a b)]
= by denition of demonic choice
[x: = x
[ (a b)] [x: = x
[ a b] [x: = x
[ a b]
_ by _-assumptions and monotonicity of
[Q
1
] [Q
2
] [Q
3
]
= by explicitly stating the domains as assumption
[dom.Q
1
]; [Q
1
] [dom.Q
2
]; [Q
2
] [dom.Q
3
]; [Q
3
]
= by the fact that the choice is deterministic, since:
(1) the domains are disjoint by assumption,
(2) the whole input domain is covered,
since abstraction cannot reduce the domain of a relational update.
dom.Q
1
; [Q
1
] . dom.Q
2
; [Q
2
] . dom.Q
3
; [Q
3
]
The derivation rule of Theorem 6.1 yields three disjoint partitions, although a
derived partition might be empty, thus dom.Q
i
= false. It follows from Theorem 5.3
that each of these partitions is an abstraction of the original contract. It is obvious
that the rule has to be applied recursively to the resulting partitions if further sub-
partitions are needed.
The proof of Theorem 6.1 shows that the derivation rule yields partition test-
cases that cover the full input domain. Furthermore, it follows from the assumptions
that for one partition more non-determinism can be introduced due to abstraction.
This reects the possibility of weakening certain tests.
6.1. PARTITION TESTING 79
Weakening of Tests: The rule shows that test-cases can be further abstracted
by weakening a demonic update. In the rule above, for example the premise [x: =
x
[ a b] _ [Q
1
] indicates such a possible weakening of a test-case. This form of
weakening a test-case is a further strategy for test-case design. The reason for this
further abstraction of a partition might be that
a tester does not wish to observe the (demonic) changes of the whole state
space, or
not the whole state and thus its updates are observable.
Therefore, parts of the demonic updates of the system are skipped in the test-case
specications. Formally this is an abstraction process carried out by weakening a
post-condition.
Example 6.1 The rule is illustrated by deriving the test-cases from a specication
of the computation of the minimum of two numbers.
[z : = z
[ (z
= x x y) (z
= y x y)]
= by the partitioning rule
x < y; [z : = z
[ (z
= x x y) (z
,= y x < y)] .
x > y; [z : = z
[ (z
,= x x > y) (z
= y x y)] .
x = y; [z : = z
[ (z
= x x y) (z
= y x y)]
= by simplication
x < y; [z : = z
[ z
= x] .
x > y; [z : = z
[ z
= y] .
x = y; [z : = z
[ z
= x z
= y]
In the third test partition x = y a further abstraction by weakening the rela-
tional update might be applied. For testing the correct computation for input x = y,
a tester might-choose to compare the new value z
[ z
= x] .
x > y; [z : = z
[ z
= y] .
x = y; [z : = z
[ z
= x]
[ z
= 0 z
= 1]
_ by a wrong application of the partitioning rule
true; [z : = z
[ z
= 0 z
,= 1] .
true; [z : = z
[ z
,= 0 z
= 1] .
false; [z : = z
[ z
= 0 z
= 1]
= by simplication
true; [z : = z
[ z
= 0] . true; [z : = z
[ z
= 1]
_ by selecting input-output test-cases
(TC 1 0) . (TC 1 1)
The result of this wrong application of the rule is the derivation of two deter-
ministic test-cases for a non-deterministic result. If applied in testing an implemen-
tation of this specication, these test-cases indicate an error in the implementation
that does not exist. The correct solution, for non-disjoint domains is to merge the
partitions. Then, only non-deterministic test-cases would have been possible, like
TCp 1 (z
= 0 z
= 1).
1
,
C
2
_ C
2
if P then C
1
else C
2
_ P; C
1
. P; C
2
Proof.
The rule is valid by the denition of the if-statement and the monotonicity of the
_ relation.
Synthesis rules, like the one for if-statements, can be given for arbitrary speci-
cation statements. Each such syntax oriented synthesis rule reects a test-selection
strategy, known from white-box testing. For example, the rule above represents
branch testing, a strategy, where every branch in the control-ow should be tested
once.
The following example demonstrates that a structural strategy might help to
reduce the set of test-cases.
Example 6.3 The rule is illustrated by deriving the test-cases from an alternative
specication of the computation of the minimum of two numbers.
if x y then [z : = z
[ z
= x] else [z : = z
[ z
= y]
= by the partitioning rule for if-statements
x y; [z : = z
[ z
= x] . x > y; [z : = z
[ z
= y]
In contrast to the three test-cases of Example 6.1, here only two test-cases are
derived for the same problem.
[ z
= x] else [z : = z
[ z
= y]
In mutation testing, the assumption is made that programmers produce small
errors. A common fault made by programmers is that operators are mixed. In this
example a possible fault would be to implement the < operator instead of the .
Hence, a mutation operator
m(... ...) = ... ...
is dened that changes all occurrences of in a contract to . Applying this
mutant operator m.C = C
m
computes the following mutant:
if x y then [z : = z
[ z
= x] else [z : = z
[ z
= y]
6.4. CALCULATING SCENARIOS FOR TESTING 83
The synthesis rule says that a successful test-case for this mutation must not be
an abstraction. Since
if x y then [z : = z
[ z
= x] else [z : = z
[ z
= y] ,_ x < y; [z : = z
[ z
= x]
but
if x y then [z : = z
[ z
= x] else [z : = z
[ z
= y] _ x < y; [z : = z
[ z
= x]
a test-case x < y; [z : = z
[ z
[ z
p p
1
g
1
S
j
.(p
2
g
2
)
do
n
i
g
i
: : S
i
od _
T
g
i
; S
i
; g
j
; S
j
; g
k
; S
k
In order to generate valid scenarios, a tester can e.g. start by an initial interaction
with a guard equal to true and then he further searches for compositions leading to
his test-goal. Which scenarios and how many scenarios are tested, depends on the
testing strategy.
6.4.4 Scenario Based Testing Strategies
The new test approach can be divided into three phases:
1. calculation of interesting partitions for each interaction.
6.5. EXAMPLE: PROCESS SCHEDULER 85
2. calculation of compositions.
3. combination of compositions to validate or to generate test-scenarios.
Dierent test-coverage strategies can be derived, determined by the strategy for
combining the compositions. Interesting scenario analysis strategies are:
Derive scenarios that include for each partition
one composition consisting of the partition: for each partition one scenario.
all possible compositions consisting of the partition: for each partition, one
scenario for each interaction reaching the partition.
all possible combinations of compositions between two interactions of interest:
all scenarios leading from one interaction of interest to another.
all possible combinations of compositions: all possible scenarios.
The strategies are similar to the testing strategies used in data-ow testing
[Bei90]. The dierence is that here atomic scenarios, called compositions, are con-
sidered, and in data-ow testing data-objects. An example will serve to demonstrate
the approach at work.
6.5 Example: Process Scheduler
In this section, the application of our test synthesis method is demonstrated by
an example, well known in the formal methods testing literature. It is the process
scheduler introduced in [DF93] and translated to Back and von Wrights contract
notation. We have chosen this example, although it is not new, because it allows a
comparison to the traditional FSM approach most easily. Test-cases for industrial
examples from our projects have been calculated, too. These more complex examples
will be published in future publications.
6.5.1 Interactive Process Scheduler
The system consists of processes either ready to be scheduled or waiting to become
ready and, optionally, a single active process. These processes are identied by a
unique Pid Nat. A process cannot be both ready and waiting, and the active
process is neither ready nor waiting. In addition, there must be an active process
whenever there are processes ready to be scheduled. The scheduling algorithm is
not further specied.
We can model the interactions with this process scheduler as shown in Figure 6.1.
In this specication a : Pid [ nil is a global variable representing an optional active
process, the global variable r : set of Pid and w : set of Pid represent the sets of ready
86 CHAPTER 6. TESTING STRATEGIES
Init [a, r, w: = a
, r
, w
[ a
= nil r
= ]
New p: = p
[ p
,= a p
, (r w); [w: = w
[ w
= w p
set
]
Ready p: = p
[ p
w; [a, r, w: = a
, r
, w
[w
= w-p
set
a = nil (r
= r a
= p)
a ,= nil (r
= r p
set
a
= a)]
Swap a ,= nil; [a, r, w: = a
, r
, w
[r = (a
= nil r
= )
r ,= (a
r r
= r-a
set
)
w
= w a
set
]
Figure 6.1: Contracts of the process schedulers initialization and interactions.
and waiting processes. Furthermore, p : Pid is a global input variable solely used for
setting a parameter.
New introduces another process, Ready puts a process into the ready state, and
Swap changes the active process. In order to prevent a confusion with assertions,
p
set
and a
set
are used for denoting the sets p, a containing the single element
p and a. Swap is an example of an operation with a precondition a ,= nil that
cannot be directly satised by choosing a parameter. This is in contrast to Ready,
where the precondition w ,= follows from the angelic update p: = p
[ p
w
and thus must not be explicitly stated.
The interactive process scheduler can be dened by iterative choice of these
interactions. The initialization statement should be executed once prior to user
interaction. In Figure 6.2 this model is shown. Note that the precondition of Swap
has become a guard. Furthermore, necessary conditions such that a parameter
selection is possible are documented in the guards. Here w ,= is such a precondition
of Ready.
Scheduler Init; do true : :New
w ,= : :Ready
a ,= nil : :Swap
od
Figure 6.2: Contract of the interactive process scheduler.
6.5. EXAMPLE: PROCESS SCHEDULER 87
Ready
1
a = nil; p: = p
[ p
w; [a, r, w: = a
, r
, w
[w
= w-p
set
r
= r a
= p ]
Ready
2
a ,= nil; p: = p
[ p
w; [a, r, w: = a
, r
, w
[w
= w-p
set
r
= r p
set
a
= a]
Swap
1
a ,= nil r = ; [a, r, w: = a
, r
, w
[(a
= nil r
= )
w
= w a
set
]
Swap
2
a ,= nil r ,= ; [a, r, w: = a
, r
, w
[(a
ready r
= r-a
set
)
w
= w a
set
]
Figure 6.3: Partitioned process scheduler.
6.5.2 Interaction Partitioning
For test-case synthesis, we rst partition the basic interactions. Here, our parti-
tion strategy will be based solely on the case distinctions in the contract. As a
consequence, the interaction New is not partitioned. Figure 6.3 presents the new
partitions after some simplication.
Further partitioning based on interesting states would be possible. Here, for
example, New may be further partitioned into cases where w = nil and w ,= nil .
Any partition is possible and can be formulated as a rewriting rule, such that the
resulting partitions are correct abstractions as stated in Theorem 2.
As a consequence of this partitioning, a new interactive system contract can be
given. In this new description shown in Figure 6.4, the partition preconditions are
incorporated into the guards. This is necessary such that our scenario synthesis
approach works.
Scheduler
, r
[ 1 o
opmax 1 r
rmax;
#ops[o][roles] < 16;
ops[o][enabled];
roles[r][fg] ops[o][fgs];
[ops: = ops
[ op (r ops
[op][roles] op = o)
(r , ops
[op][roles] op ,= o)]
Releasing a role, RelRole, is specied by rst selecting an appropriate operator
position o and a role r, and then removing the role from the operator position. The
users (angelic) selection is restricted to operator positions that have the role to be
released.
RelRole o, r: = o
, r
[ 1 o
opmax 1 r
rmax;
ops[o][enabled];
r ops[o][roles];
[ops: = ops
[ op r , ops
[op][roles] ]
A Call to another operator position via the phone number of a role, involves the
selection of the calling operator position o1 and the role number n. A selection is
valid if there exists both, a role with this number, and an enabled and not calling
target operator position with this role associated. Furthermore, the calling operator
position must not take part in a call already. For valid input, the system successfully
selects the target operator position o2 and establishes a call to o2.
102 CHAPTER 8. CASE STUDY
Call o1, n: = o1
, n
[ 1 o1
opmax;
ops[o1][enabled];
,c calls c[src] = o1 c[trg] = o1;
r, op roles[r][num] = n
r ops[op][roles]
ops[op][enabled]
c calls c[trg] ,= op c[src] ,= op;
[o2: = o2
[ r roles[r][num] = n r ops[o2
][roles]];
[calls: = calls
[ calls
[ 1 o
opmax;
c calls c[src] = o c[trg] = o;
[calls: = calls
[ c calls
[ 1 o
opmax;
ops[o][enabled];
ops[o][enabled]: = T
DisableOp disables an enabled operator position. As a consequence, all roles of
the operator position are released.
DisableOp o: = o
[ 1 o
opmax;
ops[o][enabled];
ops[o][enabled]: = F;
ops[o][roles]: = ;
With these denitions our abstract view on the functionality of the voice commu-
nication system is precisely dened. However, in the next section it will be seen that
for testing purposes the possible user interactions of the system should be explicitly
specied.
8.2 Tester-System Interactions
In the previous section, the operations of the system have been formally specied.
Most of the formal methods, like VDM and Z, stop the specication process at this
point. However, in Back and von Wrights contract language the behavior of the
user, her interactions, can be dened more precisely.
8.2. TESTER-SYSTEM INTERACTIONS 103
One possibility would be to include the operations in an iterative choice state-
ment as has been done in the process scheduler example of Chapter 6. However, from
a testers perspective this would not be the most elegant choice for this example.
The dierence to the process scheduler is that the communication system has a
distributed interface the operator positions. Consequently, a single tester has to
move locally when operations from a dierent operator position are to be initiated.
Therefore, it makes sense to
separate the selection of operator positions from the other user interactions;
design test scenarios such that operations initiated at one operator position
are grouped together.
The result of this considerations is the specication of the voice communication
system below. In this contract, the selection of the operator position is separated
from the other selections and is included in an enclosing iterative choice statement.
Furthermore, the operations have been divided into their angelic contract part
and their demonic contract part. The angelic part of an Operation is denoted by
Operation
a
and represents the users inputs (angelic updates) and his constraints
(assertions). The demonic part is denoted by Operation
d
and represents the reactions
of the system (demonic updates). This separation makes the contract more readable,
but has its advantages for deriving the test scenarios, too, as will be seen later.
VCS ops, roles, calls: = ops
, roles
, calls
[ ops
[roles] = calls
= ;
do true : :o: = o
[ 1 o opmax;
do ops[o][enabled] #ops[o][roles] < 16 : : ReqRole
a
; ReqRole
d
ops[o][enabled] ops[o][roles] ,= : : RelRole
a
; RelRole
d
ops[o][enabled]
(c calls c[src] = o c[trg] = o) : : Call
a
; Call
d
ops[o][enabled]
(c calls c[src] = o c[trg] = o) : : HangUp
d
ops[o][enabled] : : Enable
d
ops[o][enabled] : : Disable
d
od
od
The contract of the VCS can be interpreted from a testers point of view as
follows:
1. In advance of the actual testing, the testing environment has to be set up. This
involves the installation of function groups at operator positions, the entering
of role data (function group and number). Furthermore, certain operator
positions may be disabled in advance. These data can be t into the system
104 CHAPTER 8. CASE STUDY
over a special working place for parameterizing the VCS. This initialization
is modeled by an angelic update with the constraints that no calls can be
established in advance, and no roles can be previously associated.
2. The tester selects an operator position and initiates one of the following oper-
ations:
(a) If an enabled operator position has less than 16 roles associated, then a
new role may be requested:
ReqRole
a
r: = r
[ 1 r
rmax roles[r
][fg] ops[o][fgs]
ReqRole
d
[ops: = ops
[ op (r ops
[op][roles] op = o)
(r , ops
[op][roles] op ,= o)]
(b) If an enabled operator position has at least one role associated, then a
role can be released:
RelRole
a
r: = r
[ 1 r
rmax r
ops[o][roles]
RelRole
d
[ops: = ops
[ op r , ops
[op][roles]]
(c) If an enabled operator position is not already involved in a call, then a
call can be initiated:
Call
a
n: = n
[ r, op roles[r][num] = n
r ops[op][roles]
ops[op][enabled] c calls c[trg] ,= op c[src] ,= op
Call
d
[o2: = o2
[ r roles[r][num] = n r ops[o2
][roles]];
[calls: = calls
[ calls
[ c calls
, roles
, calls
[ ops
[roles] = calls
= ;
do true : :o: = o
[ 1 o opmax;
do ops[o][enabled] #ops[o][roles] < 16 : : ReqRole
a
; ReqRole
d
ops[o][enabled] ops[o][roles] ,= : : RelRole
a
; RelRole
d
ops[o][enabled]
(c calls c[src] = o c[trg] = o) : : Call
a
; Call
d
ops[o][enabled] (c calls c[src] = o) : : HangUp
d
ops[o][enabled] (c calls c[trg] = o) : : HangUp
d
ops[o][enabled] : : Enable
d
ops[o][enabled] : : Disable
d
od
od
The contract VCS is an example of a class of systems where domain partitioning
is trivial and thus not sucient. The complex guards indicate that, here, the chal-
lenging task is the sequencing of the tests the test scenario synthesis. As explained
in the previous chapter, our strategy starts with the search for valid compositions.
8.4 Scenario Synthesis
8.4.1 Interaction Compositions
Our test synthesis method for test scenarios is based on compositions (see Chap-
ter 6). These compositions are pairwise sequential compositions of interactions.
Their construction plays three dierent roles:
1. compositions are atomic elements for nding possible scenarios;
2. the compositions highlight which interactions are more interesting than others
with respect to testing;
3. by searching valid compositions, the preconditions and guards of the interac-
tions of a contract are validated.
In the following, a set of compositions for each of the interactions in the VCS
, roles
, calls
[ calls
= ops
[roles] =
ops
[1][enabled] roles
[1][fg] ops
[1][fgs];
o: = o
[ o
= 1;
(C5) Enable
d
;
ReqRole
a
; ReqRole
d
(T2) ops, roles, calls: = ops
, roles
, calls
[ calls
= ops
[roles] =
ops
[1][enabled] roles
[1][fg] ops
[1][fgs];
o: = o
[ o
= 1;
(C5) Enable
d
;
(C6) ReqRole
a
; ReqRole
d
;
RelRole
a
; RelRole
d
(T3) ops, roles, calls: = ops
, roles
, calls
[ calls
= ops
[roles] =
ops
[1][enabled] ops
[2][enabled]
roles
[1][fg] ops
[1][fgs];
o: = o
[ o
= 1;
(C5) Enable
d
;
ReqRole
a
; ReqRole
d
;
o: = o
[ o
= 2;
Enable
d
;
Call
a
; Call
d
(T4) ops, roles, calls: = ops
, roles
, calls
[ calls
= ops
[roles] =
ops
[1][enabled] ops
[2][enabled] roles
[1][fg] ops
[1][fgs];
o: = o
[ o
= 1;
(C5) Enable
d
;
ReqRole
a
; ReqRole
d
;
o: = o
[ o
= 2;
Enable
d
;
(C11) Call
a
; Call
d
;
HangUp
d
8.4. SCENARIO SYNTHESIS 113
(T5) ops, roles, calls: = ops
, roles
, calls
[ calls
= ops
[roles] =
ops
[1][enabled] ops
[2][enabled]
roles
[1][fg] ops
[1][fgs];
o: = o
[ o
= 1;
(C5) Enable
d
;
ReqRole
a
; ReqRole
d
;
o: = o
[ o
= 2;
Enable
d
;
(C11) Call
a
; Call
d
;
o: = o
[ o
= 1;
HangUp
d
(T6) ops, roles, calls: = ops
, roles
, calls
[ calls
= ops
[roles] =
ops
[1][enabled];
o: = o
[ o
= 1;
Enable
d
;
Disable
d
It should be noted that the test-case (T1) is included in (T2), and (T3) is included
in (T4). Therefore, the two test-cases (T1) and (T3) can be skipped for testing all
operations once. They are redundant.
It should be obvious that all these tests have to be carried out on all operator
position in the voice communication system.
Strategy 2
Next, the scenarios for covering all of the 12 compositions are presented. Here, we
will skip those scenarios that are detected to be redundant during the development
of the test-cases, i.e. scenarios that would test compositions that are already covered
by other test scenarios.
Scenarios for Testing Each Composition
(T1) ops, roles, calls: = ops
, roles
, calls
[ calls
= ops
[roles] =
ops
[1][enabled] roles
[1][fg] ops
[1][fgs]
roles
[2][fg] ops
[1][fgs];
o: = o
[ o
= 1;
(C5) Enable
d
;
(C1) ReqRole
a
; r = 1; ReqRole
d
;
ReqRole
a
; r = 2; ReqRole
d
114 CHAPTER 8. CASE STUDY
(T2) ops, roles, calls: = ops
, roles
, calls
[ calls
= ops
[roles] =
ops
[1][enabled] roles
[1][fg] ops
[1][fgs];
o: = o
[ o
= 1;
(C5) Enable
d
;
(C2) ReqRole
a
; r = 1; ReqRole
d
;
ReqRole
a
; r = 1; ReqRole
d
(T3) ops, roles, calls: = ops
, roles
, calls
[ calls
= ops
[roles] =
ops
[1][enabled] roles
[1][fg] ops
[1][fgs];
o: = o
[ o
= 1;
(C5) Enable
d
;
(C6) ReqRole
a
; r = 1; ReqRole
d
;
(C3) RelRole
a
; r = 1; RelRole
d
;
ReqRole
a
; r = 1; ReqRole
d
(T4) ops, roles, calls: = ops
, roles
, calls
[ calls
= ops
[roles] =
ops
[1][enabled] ops
[2][enabled]
roles
[1][fg] ops
[1][fgs] roles
[1][fg] ops
[2][fgs];
o: = o
[ o
= 1;
(C5) Enable
d
;
ReqRole
a
; r = 1; ReqRole
d
;
o: = o
[ o
= 2;
Enable
d
;
(C4) Call
a
; roles[1][num] = n; Call
d
;
ReqRole
a
; r = 1; ReqRole
d
(T5) ops, roles, calls: = ops
, roles
, calls
[ calls
= ops
[roles] =
ops
[1][enabled] roles
[1][fg] ops
[1][fgs]
roles
[2][fg] ops
[1][fgs];
o: = o
[ o
= 1;
(C5) Enable
d
;
(C1) ReqRole
a
; r = 1; ReqRole
d
;
ReqRole
a
; r = 2; ReqRole
d
;
(C7) RelRole
a
; r = 1; RelRole
d
;
RelRole
a
; r = 2; RelRole
d
8.4. SCENARIO SYNTHESIS 115
(T6) ops, roles, calls: = ops
, roles
, calls
[ calls
= ops
[roles] =
ops
[1][enabled] ops
[1][enabled]
roles
[1][fg] ops
[1][fgs] roles
[2][fg] ops
[2][fgs];
o: = o
[ o
= 1;
(C5) Enable
d
;
ReqRole
a
; r = 1; ReqRole
d
;
o: = o
[ o
= 2;
(C5) Enable
d
;
ReqRole
a
; r = 2; ReqRole
d
;
(C8) Call
a
; roles[1][num] = n; Call
d
;
RelRole
a
; roles[r][num] = n; RelRole
d
(T7) ops, roles, calls: = ops
, roles
, calls
[ calls
= ops
[roles] =
ops
[1][enabled] ops
[2][enabled]
roles
[1][fg] ops
[1][fgs];
o: = o
[ o
= 1;
(C5) Enable
d
;
ReqRole
a
; r = 1; ReqRole
d
;
o: = o
[ o
= 2;
Enable
d
;
(C11) Call
a
; roles[1][num] = n; Call
d
;
(C9) HangUp
d
;
Call
a
; roles[1][num] = n; Call
d
(T8) ops, roles, calls: = ops
, roles
, calls
[ calls
= ops
[roles] =
ops
[1][enabled] ops
[2][enabled]
roles
[1][fg] ops
[1][fgs] roles
[2][fg] ops
[2][fgs];
o: = o
[ o
= 1;
(C5) Enable
d
;
ReqRole
a
; r = 1; ReqRole
d
;
o: = o
[ o
= 2;
(C5) Enable
d
;
ReqRole
a
; r = 2; ReqRole
d
;
(C11) Call
a
; roles[1][num] = nCall
d
;
o: = o
[ o
= 1;
(C10) HangUp
d
;
Call
a
; roles[2][num] = n; Call
d
116 CHAPTER 8. CASE STUDY
(T9) ops, roles, calls: = ops
, roles
, calls
[ calls
= ops
[roles] =
ops
[1][enabled];
o: = o
[ o
= 1;
(C12) Enable
d
;
Disable
d
These nine test scenarios include all twelve compositions that have been identied
to be of interest for testing. Test-case (T5) includes composition (C1) and thus test-
case (T1) might be skipped. However, a tester may want to check the results of the
compositions at the end of a test-case. Then, test-case (T5) should be included and
the other skipped test-cases for composition (C5), (C6), and (C11) may be added.
Depending on the need and on the test hypothesis made, more tests can be
designed. The following possibilities for extending the set of test-cases can be con-
sidered:
More scenarios may be developed following the other scenario strategies.
The scenarios should be tested on all operator positions in the voice commu-
nication system.
Dierent roles than the rst two might be chosen.
Additionally, extreme values might be chosen. Examples are maximum and
minimum numbers of roles and function groups at an operator position.
Additional mutation tests might be invented from the specication. Then, it
can be checked if the test scenarios would detect the specication mutations,
by showing that the derived scenarios are not abstractions of the specication
mutants.
8.5 Summary and Discussion
In this chapter, an important functionality of a real voice communication system
has served as a case study for illustrating our new test approach based on formal
contracts. An abstract model of the operations for role management has been con-
structed. Next, a contract that denes the possible tester-system interactions has
been presented, and then test-scenarios have been derived (abstracted) from this
formal contract. Therefore, the contract had been rst partitioned and then inter-
action compositions have been developed. From these compositions, a set of test
scenarios has been constructed.
8.5. SUMMARY AND DISCUSSION 117
The example demonstrates that a rather complex functionality, as the manage-
ment of roles in a voice communication system, can be specied in a rather coarse
contract. The key to this simplicity of the contract is abstraction abstraction to
a level needed for system testing, not for testing the specication.
The roles management functionality has been part of our second experiment
on light-weight approaches as described in Chapter 4. The executable VDM-SL
specication turned out to be much more complex (30 pages). One reason is the
large set of auxiliary functions that has to be dened for manipulating the state
space. In our contract, these state updates are specied implicitly by relations
expressed by quantiers that are not executable but more compact.
The second reason, why the implicit model of this chapter is less complex, is more
trivial: Requirements concerning exceptional behavior and architectural details have
been skipped. Mathematically, this means that data-abstraction has been applied
for modeling the central behavior rst. And the test scenarios of the example show
that this central behavior is complex enough. It is our strong opinion that, rst,
the most important parts of a system have to be understood, validated and tested.
Then, the view on a system (its model) may be rened further and more details
can be considered. The renement calculus provides the theory for this step-wise
top-down approach.
Renement is an important aspect in our new test approach. In our method
the use of the renement calculus supports the data-renement of a specication
together with its test-cases, since both are contracts. This is in contrast to test-
approaches that use nite state machines (FSM), where renement is rather dicult.
Derrick and Boiten showed that states and transitions in the FSM might disappear
or are to be added under data-renement [DB99]. In our approach the interaction
compositions and thus the scenarios can be data-rened quite straight-forwardly.
See [BMvW99] for an example of data-renement of an interactive system in the
renement calculus.
Finally, the validation aspect of constructing the compositions should be pointed
out. Several missing preconditions have been detected, due to this scenario synthesis
method. Further questions have been raised by considering, if a possible composi-
tion of interactions does indeed reect the intended behavior. This questions are
easily communicated to a customer, since they are caused by concrete examples of
behavior.
118 CHAPTER 8. CASE STUDY
Chapter 9
Concluding Remarks
In this thesis three formal development techniques have been examined regarding
their support in the testing of computer-based systems: Light-weight approaches to
formal methods, the renement calculus, and data-reication techniques. As a re-
sult, novel testing techniques have been developed. In this chapter some concluding
remarks regarding this work are provided. This is done by rst reviewing the results
of this research. This is followed by a presentation of areas of future work.
9.1 Research Results
The research of this thesis resulted in three new approaches to testing:
1. a light-weight approach to specication based testing that has been suc-
cessfully applied in industry,
2. an abstraction-based test synthesis method that uses the mathematical
framework of the renement calculus,
3. a method for using abstract formal specications as automated test-oracles.
In the following the contributions of these test methods are discussed in more detail.
9.1.1 Light-Weight Approach
The presented light-weight approach uses abstract VDM prototypes for assessing
and designing test-cases. It is light-weight in the sense that no proofs are carried
out in this method. Two industrial experiments in the domain of air-trac control
demonstrated the relevance of our method.
This part of the work is an application of an existing light-weight formal method
to testing. However, the strong emphasis of the approach on the validation of
both, the requirements as well as the test-design is new. Especially, to our present
knowledge, it is the rst time that this light-weight method has been applied in two
119
120 CHAPTER 9. CONCLUDING REMARKS
industrial experiments and that detailed empirical data have been collected data
about the eorts and eciency of the method. The results of these experiments
demonstrated the main advantages of our method:
the formal specication of the requirements is a catalyst in validation in the
sense that many questions are raised during the modeling process: Exper-
iment I detected 64 problems in the given requirement documentation and
Experiment II found 33 problems;
previously designed test-cases can be improved: Experiment I uncovered an
unacceptable low coverage of appr. 80 % in the existing test-cases. Experiment
II found that appr. 25 % of the existing test-cases were erroneous;
engineers like the availability of test-cases to validate our formal specications.
Having an abstract prototype, an engineer or customer is not forced to under-
stand the formal specication. The test-cases demonstrate the consequences
of the model by examples;
the eorts are acceptable low.
However, the experiments also showed that more can be achieved. We learned that
executable specications have the disadvantage that non-experienced users tend to,
and sometimes are forced to, think too operationally. Consequently, the specica-
tions lack abstraction and incorporate too many design details.
9.1.2 Abstraction-Based Test Synthesis
This part of the work resulted in the most important contributions of this thesis.
It has been observed that test-cases are abstractions of formal specications. This
lead to a new test synthesis approach based on program synthesis. In this thesis
it is the rst time that the renement calculus is applied to the problem of test
synthesis. The result is an abstraction calculus for testing in order to calculate test-
cases according to a testing strategy. New formal synthesis rules for several test
strategies have been dened. This research has identied and proved the following
facts:
test-cases can be viewed as formal contracts,
test-cases are abstractions of formal specications,
program synthesis techniques can be applied to the test-case synthesis problem,
the renement calculus of Back and von Wright provides a powerful mathe-
matical framework for dening an abstraction calculus for testing,
simple input-output test-cases as well as complex test scenarios can be treated
by an abstraction approach to testing,
9.2. FUTURE WORK 121
rather dierent testing strategies can be formulated as formal abstraction rules:
partition testing, structural testing, mutation testing, and scenario testing
(test sequencing).
It is the authors opinion that an abstraction calculus for testing, provides deeper
insight into the methods of test-case derivation. Especially, the understanding of
new black-box testing strategies is supported by reasoning about the synthesis pro-
cess. The examined testing strategies showed that even existing techniques reveal
interesting properties. New test-case generation techniques may be the result.
For example, the presented synthesis rules for scenario calculation dene an
alternative method for nding sequences of interactions. In contrast to nite state
machine (FSM) based approaches, the focus is on nding possible compositions
of interactions. Which compositions are possible is determined by the abstraction
rules.
9.1.3 Formal Specications as Oracles
In this part of the research, the possibilities to automate the test-result verication
through formal requirement specications have been explored. More precisely, the
formal method VDM (Vienna Development Method) serves to demonstrate that
abstract requirement models can be used as test oracles for concrete software. It
is shown that techniques of VDMs invent and verify development method can be
adapted to set up a test environment.
Our ideas dier to most of the previous work on test-result verication in two
aspects:
a possibly non-executable specication may serve as a rather general oracle
for checking the test results. Non-deterministic test results can be handled as
well.
the abstraction problem is solved by using VDMs data-reication techniques
to relate the test-data for the implementation to the abstract specication
oracle.
9.2 Future Work
Naturally, further extensions to our new abstraction calculus for test-synthesis must
be included in the list of future work. More synthesis rules can be found that
represent other test strategies that are not considered in this thesis. This includes,
strategies for testing several forms of iterations, procedure calls and data-types.
One could think of a calculus for design-patterns that provides a testing strat-
egy for each pattern. Integration tests could be designed for certain software ar-
chitectures, like for pipe-and-lters, object-oriented architectures and black-board
systems.
122 CHAPTER 9. CONCLUDING REMARKS
Furthermore, the test calculus could be extended to handle concurrency. The
framework of action systems [BS94], an extension of the renement calculus for
describing reactive systems, could be used for dening new rules.
The synthesis rules could be rened such that they dene a structural operational
semantics of the test-selection strategy. Like for programming languages it should
be possible to derive test-case generators out of this operation semantics denition.
Furthermore, program transformation tools could be applied to derive the test-cases
semi-automatically.
The development of future tools that support our test-synthesis process is one
of our central interests. We envisage the use of a theorem prover to calculate the
scenarios. The author has already started rst experiments with constructive proofs
in Isabelle [Pau94]. Alternatively, model-checkers may be used for checking the
abstraction relations. However, for the application in industry new interfaces are
needed that hide the complex interior of a theorem prover. The advantage of our
method is that a test-case generator based on our approach can be certied by
proving that the correct abstractions are calculated.
We hope that the presented work stimulates further research on test-synthesis
based on other program-synthesis approaches. Especially, the application of program
synthesis and transformation tools for testing could be a promising topic of future
research.
9.3 Epilogue
The introduction started with the sentence Software testing is a challenging task.
If testing is taken seriously, it could be as challenging as the development of the pro-
gram itself. Therefore, the test design deserves the same level of rigor than software
design. In this thesis, we have provided new methods that facilitate this aim. The
view that test-cases are abstractions of specications should help to further unify
eorts in the testing and formal methods community. We conclude by expressing
the hope that in future more people will be aware of the central property:
test-cases _ specication _ implementation
Bibliography
[Abr96] Jean-Raymond Abrial. The B-Book: Assigning Programs to Mean-
ings. Cambridge University Press, Trumpington Street, Cambridge
CB2 1RP, Great Britain, 1996.
[Aer98] Lionel Van Aertryck. Une methode et un outil pour laide `a la
generation de jeux de tests de logiciels. PhD thesis, Universite de
Rennes, January 1998.
[AGA00] Bernhard K. Aichernig, Andreas Gerstinger, and Robert Aster. Formal
specication techniques as a catalyst in validation. In Proceedings of
the 5th Conference on High-Assurance Software Engineering, 15th17th
November 2000, Albuquerque, New Mexico, USA. IEEE, 2000.
[AH00] S. Antoy and D. Hamlet. Automatically checking an implementation
against its formal specication. IEEE Transactions on Software Engi-
neering, 26(1):5669, 2000.
[Aic98] Bernhard K. Aichernig. Automated requirements testing with abstract
oracles. In ISSRE98: The Ninth International Symposium on Soft-
ware Reliability Engineering, Paderborn, Germany, pages 2122, IBM
Thomas J.Watson Research Center, P.O.Box 218, Route 134, York-
town Heights, NY, USA, November 1998. Ram Chillarege. ISBN 3-00-
003410-2.
[Aic99a] Bernhard K. Aichernig. Automated black-box testing with abstract
VDM oracles. In John Fitzgerald and Peter Gorm Larsen, editors,
Workshop Materials: VDM in Practice!, Part of the FM99 World
Congress on Formal Methods, Toulouse. Springer, 1999.
[Aic99b] Bernhard K. Aichernig. Automated black-box testing with abstract
VDM oracles. In M. Felici, K. Kanoun, and A. Pasquini, editors, Com-
puter Safety, Reliability and Security: proceedings of the 18th Interna-
tional Conference, SAFECOMP99, Toulouse, France, September 1999,
volume 1698 of Lecture Notes in Computer Science, pages 250259.
Springer, 1999.
123
124 BIBLIOGRAPHY
[Aic99c] Bernhard K. Aichernig. Executable specications in software reliability
engineering. In 2nd Workshop on Formal Descriptions and Software
Reliability (FDSR), Boca Raton, Florida, 31st of October 1999.
[Aic01] Bernhard K. Aichernig. Test-case calculation through abstraction. In
Proceedings of Formal Methods Europe 2001, FME 2001, March 1216
2001, Berlin, Germany, Lecture Notes in Computer Science. Springer
Verlag, 2001. To be published.
[AK00] Bernhard K. Aichernig and Reinhold Kainhofer. Modeling and validat-
ing hybrid systems using VDM and Mathematica. In C.Michael Hol-
loway, editor, Lfm2000, Fifth NASA Langley Formal Methods Work-
shop, Williamsburg, Virginia, June 2000, number CP-2000-210100 in
Conference Publication, pages 3546. NASA, June 2000.
[ALR98] Sten Agerholm, Pierre-Jean Lecoeur, and Etienne Reichert. Formal
specication and validation at work: A case study using VDM-SL.
In Proceedings of Second Workshop on Formal Methods in Software
Practice, Florida, Marts. ACM, 1998.
[BCGM00] Simon Burton, John Clark, Andy Galloway, and John McDermid. Au-
tomated V & V for high integrity systems, a targeted formal methods
approach. In C.Michael Holloway, editor, Lfm2000, Fifth NASA Lan-
gley Formal Methods Workshop, Williamsburg, Virginia, June 2000,
number CP-2000-210100 in Conference Publication. NASA, June 2000.
[Be80] D. Bjrner and O. Oest (eds.). Towards a Formal Description of Ada,
volume 98 of Lecture Notes in Computer Science. Springer-Verlag,
1980.
[Bec99] Kent Beck. Extreme Programming Explained: Embrace Change.
Addison-Wesley, 1999.
[Bee86] D. Beech, editor. Concepts in User Interfaces: A (VDM) Reference
Model for Command and Response Languages, volume 234 of Lecture
Notes in Computer Science. Springer-Verlag, 1986.
[Bei90] Boris Beizer. Software Testing Techniques. Van Nostrand Reinhold,
New York, 2nd edition, 1990.
[Bei95] Boris Beizer. Black-Box Testing: Techniques for Functional Testing of
Software and Systems. John Wiley & Sons, Inc., 1995.
[BF86] R.E. Bloomeld and P.K.D. Froome. The application of formal methods
to the assessment of high integrity software. IEEE Transactions on
Software Engineering, SE-12(9):988993, September 1986.
BIBLIOGRAPHY 125
[BFL
+
94] Juan C. Bicarregui, John S. Fitzgerald, Peter A. Lindsay, Richard
Moore, and Brian Ritchie. Proof in VDM: A Practitioners Guide.
FACIT. Springer-Verlag, 1994.
[BFL96] T.M. Brookes, J.S. Fitzgerald, and P.G. Larsen. Formal and informal
specications of a secure system component: Final results in a com-
parative study. In Marie-Claude Gaudel and Jim Woodcock, editors,
FME96: Industrial Benet and Advances in Formal Methods, pages
214227. Springer-Verlag, March 1996.
[BG81] Timothy A. Budd and Ajei S. Gopal. Program testing by specication
mutation. Computer Program Testing, pages 129148, 1981.
[BGL
+
00] S. Bensalem, V. Ganesh, Y. Lakhnech, C. Munoz, S. Owre, H. Ruesz,
J. Rushby, V. Rusu, N. Shankar, E. Singerman, and A. Tiwari. An
overview of SAL. In C.Michael Holloway, editor, Lfm2000, Fifth
NASA Langley Formal Methods Workshop, Williamsburg, Virginia,
June 2000, number CP-2000-210100 in Conference Publication, pages
187196. NASA, June 2000.
[BGM91] G. Bernot, M.-C. Gaudel, and B. Marre. Software testing based on for-
mal specications: A theory and a tool. Software Engineering Journal,
6(6):387405, November 1991.
[BGM92] G. Bernot, M.-C. Gaudel, and B. Marre. A formal approach to soft-
ware testing. In Maurice Nivat, Charles Rattray, and Teodor Rus,
editors, Proceedings of the Second International Conference on Alge-
braic Methodology and Software Technology, Workshops in Computing,
pages 243253, London, May 2225 1992. Springer-Verlag.
[Bj89] Dines Bjrner. Specication and transformation, towards a meaning
of M in VDM. Lecture notes to IFIP TC2/WG2.2 South America
Tutorial: Formal Description of Programming Concepts, April 1989,
February 1989. A revised and expanded version of a TAPSOFT article.
[BMvW99] Ralph Back, Anna Mikhajlova, and Joakim von Wright. Reasoning
about interactive systems. In Jeannette M. Wing, Jim Woodcock, and
Jim Davies, editors, FM99 Formal Methods, World Congress on
Formal Methods in the Development of Computing Systems, Toulouse,
France, September 1999, Proceedings, Volume II, volume 1709 of Lec-
ture Notes in Computer Science. Springer, 1999.
[Bod88] Grahan Boddy. The use of VDM within the Alvey Flagship Project. In
R. Bloomeld, L. Marshall, and R. Jones, editors, VDM 88: VDM
The Way Ahead, pages 153166. VDM-Europe, Springer-Verlag,
September 1988.
126 BIBLIOGRAPHY
[Boe75] B.W. Boehm. The high cost of software. In E. Horowitz, editor, Practi-
cal Strategies for Developing Large Software Systems. Addison-Wesley,
Reading MA, 1975.
[Boe81] Barry W. Boehm. Software Engineering Economics. Prentice-Hall,
Englewood Clis, NJ, 1981.
[Boe86] Barry W. Boehm. A spiral model of software development and en-
hancements. ACM Software Engineering Notes, 11(4):2242, 1986.
[Bri89] E. Brinksma. A theory for the derivation of tests. In Peter H.J. van Eijk,
Chris A. Vissers, and Michel Diaz, editors, The Formal Description
Technique LOTOS: Results of the ESPRIT/SEDOS Project, pages 235
247. Elsevier Science Publishers North-Holland, 1989.
[Bro75] Frederick P. Brooks. The Mythical Man-Month, Essays on Software
Engineering. Addison Wesley, 1975.
[Bry86] Randal E. Bryant. Graph-based algorithms for Boolean function ma-
nipulation. IEEE Transactions on Computers, 35(8):677691, August
1986.
[BS94] R.J.R. Back and K. Sere. From modular systems to action systems. In
Proceedings of Formal Methods Europe94, Spain, October 1994, Lec-
ture Notes in Computer Science. Springer-Verlag, 1994.
[Bur00] Simon Burton. Automated testing from Z specications. Technical re-
port, Department of Computer Science, University of York, November
2000.
[BvW98] Ralph-Johan Back and Joakim von Wright. Renement Calculus,
a Systematic Introduction. Graduate Texts in Computer Science.
Springer, 1998.
[BW99] Salimeh Behnia and Hel`ene Waeselynck. Test criteria denition for B
models. In Jeannette M. Wing, Jim Woodcock, and Jim Davies, editors,
FM99 Formal Methods, World Congress on Formal Methods in
the Development of Computing Systems, Toulouse, France, September
1999, Proceedings, Volume I, volume 1709 of Lecture Notes in Computer
Science, pages 509529. Springer, 1999.
[Cho78] T.S. Chow. Testing software design modeled by nite-state machine.
IEEE Transactions on Software Engineering, 4(3), 1978.
[Chu40] Alonzo Church. A formulation of the simple theory of types. Journal
of Symbolic Logic, 5:5668, 1940.
BIBLIOGRAPHY 127
[Coe92] Martin David Coen. Interactive Program Derivation. PhD thesis,
St. Johns College, University of Cambridge, 1992.
[Coh78] E.I. Cohen. A Finite Domain-Testing Strategy for Computer Program
Testing. PhD thesis, Ohio State University, June 1978.
[Cot84] I.D. Cottam. The rigorous development of a system version control
program. IEEE Transactions of Software Engineering, 10(2):143154,
March 1984.
[CS94] D. Carrington and P. Stocks. A tale of two paradigms: Formal meth-
ods and software testing. In Proceedings of the 8th Z User Meeting.
Springer-Verlag, 1994.
[Daw91] John Dawes. The VDM-SL Reference Guide. Pitman, 1991. ISBN
0-273-03151-1.
[DB99] John Derrick and Eerke Boiten. Testing renements of state-based
formal specications. Software Testing, Verication and Reliability,
9:2750, July 1999.
[DDH72] O.-J. Dahl, E.W. Dijkstra, and C.A.R. Hoare. Structured Programming,
chapter I. Notes on Structured Programming, page 6. A.P.I.C. Studies
in Data Processing. Academic Press, London and New York, 1972.
[DF93] Jeremy Dick and Alain Faivre. Automating the generation and sequenc-
ing of test cases from model-based specications. In J.C.P. Woodcock
and P.G. Larsen, editors, FME93: Industrial-Strength Formal Meth-
ods. Springer-Verlag, April 1993.
[DG95] Eug`ene D urr and Stephen Goldsack. The development of concurrent
and real-time systems using VDM
++
, June 1995.
[DGP95] Eugene D urr, Stephen J. Goldsack, and Nico Plat. Object reication in
VDM
++
. In M. Wirsing, editor, ICSE-17 Workshop on Formal Methods
Application in Software Engineering Practice, pages 194201, 2425
April 1995.
[Dij76] E.W. Dijkstra. A Discipline of Programming. Series in Automatic
Computation. Prentice-Hall International, 1976.
[DKLM98] Martin Dunstan, Tom Kelsey, Steve Linton, and Ursula Martin.
Lightweight formal methods for computer algebra systems. In IS-
SAC 98: International Symposium on Symbolic and Algebraic Com-
putation, University of Rostock, Germany, August 1998.
128 BIBLIOGRAPHY
[DLS78] R. DeMillo, R. Lipton, and F. Sayward. Hints on test data selection:
Help for the practicing programmer. IEEE Computer, 11(4):3441,
April 1978.
[DM91] P. Dauchy and B. Marre. Test data selection from algebraic spec-
ications: Application to an automatic subway module. In A. van
Lamsweerde and A. Fugetta, editors, 3rd European Software Engineer-
ing Conference, ESEC91, volume 550 of Lecture Notes in Computer
Science, 1991.
[dNH84] R. de Nicola and M. Hennessy. Testing equivalences for processes.
Theoretical Computer Science, 34, 1984.
[Don97] Michael R. Donat. Automating formal specication-based testing. In
Michel Bidoit and Max Dauchet, editors, TAPSOFT 97:Theory and
Practice of Software Development, 7th International Joint Conference
CAAP/FASE, volume 1214 of Lecture Notes in Computer Science,
pages 833847. Springer-Verlag, April 1997.
[Don98] Michael R. Donat. A Discipline of Specication-Based Test Derivation.
PhD thesis, Department of Computer Science, The University of British
Columbia, September 1998.
[Dro00] Georg Droschl. Formal Specication and Analysis of Requirements in
Software Development. PhD thesis, Institute for Software Technology,
TU-Graz, Austria, April 2000. Supervisor: Peter Lucas.
[ELC
+
98] S. M. Easterbrook, R. Lutz, R. Covington, J. Kelly, Y. Ampo, and
D. Hamilton. Experiences using lightweight formal methods for re-
quirements modeling. IEEE Transactions on Software Engineering,
24(1), January 1998.
[Fen00] Pascal Christian Fenkam. Dynamic user management system for web
sites. Masters thesis, Institute for Software Technology, TU-Graz, Aus-
tria, September 2000. Supervisor: Harald Gall and Peter Lucas.
[FGJM95] K. Futatsugi, J.A. Goguen, J.P. Jouannaud, and J. Meseguer. Princi-
ples of OBJ2. In Proceedings of the 12th ACM Symposium on Principles
of Programming Languages, New Orleans, pages 5266, 1995.
[FH88] P.A. Freeman and H.S. Hunt. Software quality improvement through
automated testing. In Fifth International Conference on Testing Com-
puter Software, Washington, DC, June 1316, 1988, 1988.
[FL96] Brigitte Frohlich and Peter Gorm Larsen. Combining VDM-SL speci-
cations with C++ code. In Marie-Claude Gaudel and Jim Woodcock,
BIBLIOGRAPHY 129
editors, FME96: Industrial Benet and Advances in Formal Methods,
pages 179194. Springer-Verlag, March 1996.
[FL98] John Fitzgerald and Peter Gorm Larsen. Modelling Sytems, Practical
Tools and Techniques. Cambridge University Press, 1998.
[fSSaCB91] ESA Board for Software Standardisation and Control (BSSC). ESA
Software Engineering Standards. European Space Agency Publications
Division, ESTEC, Noordwijk, The Netherlands, February 1991. Doc.
Id.: ESA PSS-05-0 Issue 2.
[FvBKG91] G. Fujiwara, S. von Bochmann, F. Khendek, and A. Ghedamsi. Test
selection based on nite-state models. IEEE Transactions on Software
Engineering, 17(6), 1991.
[Gau95] Marie-Claude Gaudel. Testing can be formal too. In TAPSOFT95:
Theory and Practice of Software Development, 6th International Joint
Conference CAAP/FASE, volume 915 of Lecture Notes in Computer
Science, pages 8296. Springer-Verlag, May 1995.
[GG93] M. Grochtmann and K. Grimm. Classication trees for partition test-
ing. Software Testing, Verication and Reliability, 3:6382, 1993.
[GH93] John V. Guttag and James J. Horning. Larch: Languages and Tools
for Formal Specication. Texts and Monographs in Computer Science.
Springer Verlag, 1993.
[GHW85] J.V. Guttag, J.J. Horning, and J.M. Wing. The Larch family of speci-
cation languages. IEEE Software, 2(5):2436, 1985.
[Gib94] W. Wayt Gibbs. Softwares chronic crisis. Scientic American, Septem-
ber 1994.
[GJ98] Marie-Claude Gaudel and Perry R. James. Testing algebraic data types
and processes: A unifying theory. Formal Aspects of Computing, 10(5
& 6):436451, 1998.
[Gri81] David Gries. The Science of Programming. Texts and Monographs in
Computer Science. Springer Verlag, 1981.
[Gro92] The RAISE Language Group. The RAISE Specication Language. The
BCS Practitioners Series. Prentice-Hall, 1992.
[Gro95] The RAISE Method Group. The RAISE Development Method. The
BCS Practitioners Series. Prentice-Hall, 1995.
130 BIBLIOGRAPHY
[GSPC99] Neil Gross, Marcia Stepanek, Otis Port, and John Carey. Software hell.
Business Week, pages 3844, December 1999.
[Gut77] J. Guttag. Abstract data types and the development of data structures.
Communications of the ACM, 20(6):369405, 1977.
[GWG95] M. Grochtmann, J. Wegner, and K. Grimm. Test case design using
classication trees and the classication-tree editor. In Proceedings of
the 8th International Quality Week, San Francisco, 1995.
[HA99] Johann Horl and Bernhard K. Aichernig. Formal specication of a voice
communication system used in air trac control, an industrial appli-
cation of light-weight formal methods using VDM++ (abstract). In
J.M. Wing, J. Woodcock, and J. Davies, editors, Proceedings of FM99
Formal Methods, World Congress on Formal Methods in the Devel-
opment of Computing Systems, Toulouse, France, September 1999, vol-
ume 1709 of Lecture Notes in Computer Science, page 1868. Springer,
1999.
[HA00a] Johann Horl and Bernhard K. Aichernig. Requirements validation of
a voice communication system used in air trac control, an industrial
application of light-weight formal methods (abstract). In Proceedings
of the Fourth International Conference on Requirements Engineering
(ICRE2000), June 1923, 2000, Schaumburg, Illinois, page 190. IEEE,
2000. Selected as one of three best papers.
[HA00b] Johann Horl and Bernhard K. Aichernig. Validating voice communi-
cation requirements using lightweight formal methods. IEEE Software,
pages 2127, May/June 2000.
[Ham77] Richard G. Hamlet. Testing programs with the aid of a compiler. IEEE
Transactions on Software Engineering, 3(4):279290, July 1977.
[Han94] Kirsten Mark Hansen. Formalising railway interlocking systems. In
Nordic Seminar on Dependable Computing Systems, pages 8394, Tech-
nical University of Denmark, August 1994. Department of Computer
Science.
[Har92] Andrew Harry. The value of reference implementations and proto-
typing in a formal design and testing methodology. Report 208/92,
National Physical Laboratory, Queens Road, Teddington, Middelsex
TW11 0LW, UK, October 1992.
[Hay86] I.J. Hayes. Specication directed module testing. IEEE Transactions
on Software Engineering, 12(1):124133, 1986.
BIBLIOGRAPHY 131
[Hen88] M. Hennessy. An algebraic theory of processes. MIT Press, 1988.
[Hen89] B.M. Henderson. Big brother automated test controller. In Sixth
International Conference on Testing Computer Software, Washington,
DC, May 2225, 1989, 1989.
[Hie97] R.M. Hierons. Testing from a Z specication. Software Testing, Veri-
cation and Reliability, 7:1933, 1997.
[HL93] Ivo Van Horebeek and Johan Lewi. Algebraic Specications in Software
Engineering, an Introduction. Springer Verlag, 1993.
[HM96] E.M. Horcher and E. Mikk. Test automation using Z specications. In
Tools for System Development and Verication, Workshop, Bremen,
Germany, BISS Monographs. Shaker Verlag, 1996.
[HNS97] Steen Helke, Thomas Neustupny, and Thomas Santen. Automating
test case generation from Z specications with Isabelle. In ZUM97,
1997.
[Hoa85] C.A.R. Hoare. Communicating Sequential Processes. International Se-
ries in Computer Science. Prentice Hall, 1985. ISBN 0-13-153271-5
(0-13-153289-8 PBK).
[HP94] Hans-Martin Horcher and Jan Peleska. The role of formal specications
in software testing. In Tutorial Notes for the FME94 Symposium.
Formal Methods Europe, October 1994.
[HP95] Hans-Martin Horcher and Jan Peleska. Using formal specications to
support software testing. Software Quality Journal, 4(4):309327, De-
cember 1995.
[HS96] Merlin Hughes and David Stotts. Daistish: Systematic algebraic testing
for OO programs in the presence of side-eects. In ISSTA96, 1996.
[HT88] R. Hamlet and R. Taylor. Partition testing does not inspire condence.
In Second Workshop on Software Testing, Verication and Analysis,
Ban, Canada, July 1921, 1988, 1988.
[IFA98] IFAD. INFORMA project EP23163: User manual for the Rose-VDM
++
link, January 1998. Doc.Id.: INFORMA-IFAD-40-V1.3.
[IFA00] The VDM Tool Group, IFAD. VDMTools: The IFAD VDM
++
Lan-
guage. The Institute of Applied Computer Science, Forskerparken 10,
5230 Odense M, Denmark/Europe, 6.6 edition, 2000.
132 BIBLIOGRAPHY
[Ins00] The Institute of Applied Computer Science, Forskerparken 10,
5230 Odense M, Denmark/Europe. VDMTools: VDM
++
Toolbox User
Manual, 6.6 edition, 2000.
[ISO89] ISO. Lotos: A formal description technique based on the temporal or-
dering of observational behaviour. Technical Report 8807, International
Standards Organisation, 1989.
[JKS98] Mathias Jarke and Reino Kurki-Suoni. Special issue on scenario man-
agement. IEEE Transactions on Software Engineering, 24(12), 1998.
[Jon90] Cli B. Jones. Systematic Software Development Using VDM. Series
in Computer Science. Prentice-Hall, second edition, 1990.
[Jon96] Cli B. Jones. Formal methods light: A rigorous approach to formal
methods. IEEE Computer, 29(4):2021, April 1996.
[Jon98] Cli B. Jones. Some mistakes I have made and what I have learned from
them. In Egidio Astesiano, editor, FASE98, volume 1382 of LNCS,
pages 720. Springer, 1998.
[JS93] P.S. Jackson and P.A. Stokes. Formal Specication and Animation of a
Water Level Monitoring System. Technical Report INFO-0428, Atomic
Energy Control Board, Ottawa, Canada, March 1993.
[JW94] B.C. Jeng and E.J. Weyuker. A simplied domain-testing strategy.
ACM Transactions on Software Engineering and Methodology, 3:254
270, July 1994.
[JW96] Daniel Jackson and Jeannette Wing. Formal methods light:
Lightweight formal methods. IEEE Computer, 29(4):2122, April 1996.
[KK97] John C. Kelly and Kathryn Kemp. Formal methods, specication and
verication guidebook for software and computer systems, volume ii: A
practitioners companion, planning and technology insertion. Technical
Report NASA-GB-001-97, NASA, Washington, DC 20546, May 1997.
[KL96] Stuart Kent and Kevin Lano. Axiomatic semantics for VDM
++
,
August 1996. ESPRIT project 6500: AFRODITE, Doc.ID.:
AFRO/IC/SKKL/SEM/V1,
ftp://theory.doc.ic.ac.uk/papers/Lano/VPP/skkl.ps.
[Kra50] Victor Kraft. Der Wiener Kreis. Der Ursprung des Neopositivismus.
Springer-Verlag, Vienna, Austria, 1950.
BIBLIOGRAPHY 133
[Kuh99] D. Richard Kuhn. Fault classes and error detection capability of
specication-based testing. ACM Transactions on Software Engineer-
ing and Methodology, 8(4):411424, October 1999.
[Lam91] Richard Lampard. Specication of the Two-way Handshake in VDM.
Report 188/91, National Physical Laboratory, Queens Road, Tedding-
ton, Middelsex TW11 0LW, UK, September 1991.
[Lan95] Kevin Lano. Formal Object-Oriented Development. FACIT. Springer-
Verlag, London, 1995.
[Lar95] Peter Gorm Larsen. Towards Proof Rules for VDM-SL. PhD thesis,
Technical University of Denmark, Department of Computer Science,
March 1995. ID-TR:1995-160.
[Lar00] Peter Gorm Larsen. The VDM bibliography. Technical report, The
Institute of Applied Computer Science, Forskerparken 10, DK-5230
Odense M, Denmark, 2000.
[Las90] Janusz Laski. Data ow testing in STAD. The Journal of Systems and
Software, 12(1):314, 1990.
[LHB
+
96] P. G. Larsen, B. S. Hansen, H. Bruun, N. Plat, H. Toetenel, D. J. An-
drews, J. Dawes, G. Parkin, et al. Information technology program-
ming languages, their environments and system software interfaces
Vienna Development Method specication language part 1: Base
language, December 1996. International Standard ISO/IEC 13817-1.
[Luc87] Peter Lucas. VDM: Origins, hopes, and achievements. In Bjrner,
Jones, Airchinnigh, and Neuhold, editors, VDM 87 VDM A Formal
Method at Work, pages 118. VDM-Europe, Springer-Verlag LNCS 252,
1987.
[LW69] P. Lucas and K. Walk. On the formal description of PL/I. Annual
Review Automatic Programming Part 3, 6(3), 1969.
[LY94] D. Lee and M. Yannakakis. Testing nite-state machines: state iden-
tication and verication. IEEE Transactions on Computers, 43(3),
1994.
[Lyu95] Michael R. Lyu, editor. Handbook of Software Reliability Engineering.
McGraw-Hill, 1995.
[Mar95] B. Marre. LOFT: A tool for assisting selection of test data sets from
algebraic specications. In TAPSOFT95: Theory and Practice of Soft-
ware Development, 6th International Joint Conference CAAP/FASE,
134 BIBLIOGRAPHY
volume 915 of Lecture Notes in Computer Science, pages 799800.
Springer-Verlag, May 1995.
[MC99] Ian MacColl and David Carrington. A model of specication-based
testing of interactive systems (abstract). In J.M. Wing, J. Woodcock,
and J. Davies, editors, Proceedings of FM99 Formal Methods, World
Congress on Formal Methods in the Development of Computing Sys-
tems, Toulouse, France, September 1999, volume 1709 of Lecture Notes
in Computer Science, page 1862. Springer, 1999.
[Mil86] E.F. Miller. Mechanizing software testing. In TOCG Meeting, Westlake
Village, CA, April 15, 1986, San Francisco, 1986. Software Research
Associates.
[Mil99] Robin Milner. Communicating and Mobile Systems: the Pi-Calculus.
Cambridge University Press, 1999.
[MIO90] John D. Musa, Anthony Iannino, and Kazuhira Okumoto. Software
Reliability: Professional Edition. McGraw-Hill, New York, 1990.
[ML85] P. Martin-Lof. Mathematical Logic and Programming Languages, chap-
ter Constructive mathematics and computer programming, pages 167
184. International Series in Computer Science. Prentice-Hall, 1985.
[Mor90] Carrol C. Morgan. Programming from Specications. Series in Com-
puter Science. Prentice-Hall International, 1990.
[Mos99] Peter D. Mosses. CASL: A guided tour of its design. In Proceedings of
WADT98, volume 1589 of Lecture Notes in Computer Science, pages
216240. Springer-Verlag, 1999.
[MS93] Paul Mukherjee and Victoria Stavridou. The formal specication of
safety requirements for storing explosives. Formal Aspects of Comput-
ing, 5(4):299336, 1993.
[MW92] Zohar Manna and Richard Waldinger. Fundamentals of deductive
program synthesis. IEEE Transactions on Software Engineering,
18(8):674704, August 1992.
[Mye79] G.J. Myers. The Art of Software Testing. John Wiley & Sons, New
York, 1979.
[MZ94] Peter Mataga and Pamela Zave. Formal specication of telephone fea-
tures. In J. P. Bowen and J. A. Hall, editors, Z User Workshop, Cam-
bridge 1994, Workshops in Computing, pages 2950. Springer-Verlag,
1994.
BIBLIOGRAPHY 135
[NAS95] NASA. Formal methods specication and verication guidebook for
software and computer systems, volume I: Planning and technology
insertion. Technical Report NASA-GB-002-95, NASA, Washington,
DC 20546, USA, July 1995.
[Nom87] T. Nomura. Use of software engineering tools in Japan. In Ninth Inter-
national Conference on Software Engineering, Monterey, CA, March
30April 2, 1987., 1987.
[NR69] Peter Naur and Brian Randell. SOFTWARE ENGINEERING. NATO
Science Committee, January 1969.
[OB88] T.J. Ostrand and M.J. Balcer. The category-partition method for spec-
ifying and generating functional tests. Communications of the ACM,
31(6):676686, 1988.
[oD89] The UK Ministry of Defence. Defence standard for military safety-
critical software 00-59. draft, 1989.
[OH95] Takahiko Ogino and Yuji Hirao. Formal methods and their applications
to safety-critical systems of railways. QR of RTRI, 36(4):198203, De-
cember 1995.
[OMG96] OMG. The common object request broker architecture and specica-
tion, revision 2.0. Technical report, OMG, July 1996.
[Par94] Graeme I. Parkin. Vienna development method specication language
(VDM-SL). Computer Standard & Interfaces, 16:527530, 1994. Special
issue with the general title: The Programming Language Standards
Scene, Ten Years On.
[Pau94] L.C. Paulson. Isabelle A Generic Theorem Prover, volume 828 of
Lecture Notes in Computer Science. Springer Verlag, 1994.
[Ped98] Jesper Pedersen. Automatic test case generation and instantiation for
VDM-SL specications. Masters thesis, Department of Mathematics
and Computer Science, Odense University, September 1998.
[Pel96] Jan Peleska. Test automation for safety-critical systems: Industrial
application and future developments. In Marie-Claude Gaudel and
Jim Woodcock, editors, FME96: Industrial Benet and Advances in
Formal Methods, pages 3959. Springer-Verlag, March 1996.
[Per86] I.M. Perelmuter. Directions of automation in software testing. In Third
Conference on Testing Computer Software, Washington, DC, Septem-
ber 29 October 1, 1986, 1986.
136 BIBLIOGRAPHY
[Per95] William Perry. Eective methods for software testing. John Wiley &
Sons, 1995.
[Pet77] J. Peterson. Petri nets. ACM Computer Surveys, 9(3):223252, 1977.
[Pet81] J.L. Peterson. Petri Net Theory and the Modelling of Systems.
McGraw-Hill, New York, 1981.
[PF90] D.H. Pitt and D. Freestone. The derivation of conformance tests from
LOTOS. IEEE Transactions on Software Engineering, 16(12), 1990.
[PF98] Andrej Pietschker and John S. Fitzgerald. Techniques for automated
test generation from system specications. In 28th International Sym-
posium on Fault-Tolerant Computing, Munich, June 23-25, 1998. IEEE
Computer Society, 1998.
[Pop35] Karl R. Popper. Logik der Forschung. Wien, 1935.
[Pop63] Karl R. Popper. Conjectures and Refutations. The Growth of Scientic
Knowledge. London, 1963.
[Pos96] Robert M. Poston. Automating Specication-Based Software Testing.
IEEE Computer Society Press, Los Alamitos, California, 1996.
[PS96] Jan Peleska and Michael Siegel. From testing theory to test driver
implementation. In Marie-Claude Gaudel and Jim Woodcock, editors,
FME96: Industrial Benet and Advances in Formal Methods, pages
538556. Springer-Verlag, March 1996.
[PS97] J. Peleska and M. Siegel. Test automation of safety-critical reactive
systems. South African Computer Jounal, 19:5377, 1997.
[PT89] Nico Plat and Hans Toetenel. Tool support for VDM. Technical Report
89-81, Delft University of Technology, November 1989.
[PT92] Nico Plat and Hans Toetenel. A formal transformation from the
BSI/VDM-SL concrete syntax to the core abstract syntax. Technical
Report 92-07, Delft University, March 1992.
[PvKT91] Nico Plat, Jan van Katwijk, and Hans Toetenel. Applications and
benets of formal methods in software development. Technical Report
91-33, Delft University of Technology, Faculty of Technical Mathemat-
ics and Informatics, April 1991.
[RC81] D.J. Richardson and L.A. Clarke. A partition analysis method to in-
crease program reliability. In Fifth International Conference on Soft-
ware Engineering, San Diego, CA, March 912, 1981, 1981.
BIBLIOGRAPHY 137
[Roy70] W.W. Royce. Managing the development of large software systems. In
IEEE WESCON, pages 19, August 1970.
[Rus00] John Rushby. Disappearing formal methods. In Proceedings of the
5th Conference on High-Assurance Software Engineering, 15th17th
November 2000, Albuquerque, New Mexico, USA, pages 9596. IEEE,
2000. Invited talk.
[Sad88] S.J. Sadler. Nuclear reactor protection software, an application of
VDM. Appendix to: VDM 88. VDM - The Way Ahead. Springer-
Verlag, 1988. From: Rolls-Royce and Associates Limited.
[SC93a] P.A. Stocks and D.A. Carrington. Test templates: A specication-
based testing framework. In Proceedings of the 15th International Con-
ference on Software Engineering, pages 405414, August 1993.
[SC93b] Phil Stocks and David Carrington. Test template framework: A
specication-based testing case study. In Proceedings of the Interna-
tional Symposium on Software Testing and Analysis, pages 1118, 1993.
[SCS97] Harbhajan Singh, Mirko Conrad, and Sadegh Sadeghipour. Test case
design based on Z and the classication-tree method. In Proceedings
of the 1st International Conference on Formal Engineering Methods
(ICFEM 97), 1997.
[Scu88] G.T. Scullard. Test case selection using VDM. In R. Bloomeld,
L. Marshall, and R. Jones, editors, VDM88, VDM The Way Ahead,
2nd VDM-Europe Symposium, Dublin, Ireland, September 1988, Pro-
ceedings, volume 328 of Lecture Notes in Computer Science, pages 178
186. Springer Verlag, 1988.
[Sen87] Dev Sen. Objectives of the British standardization of a language to
support the VDM. In Airchinnigh Bjrner, Jones and Neuhold, editors,
VDM 87 VDM A Formal Method at Work, pages 321323. VDM-
Europe, Springer-Verlag LNCS 252, 1987.
[Som92] Ian Sommerville. Software Engineering. International Computer Sci-
ence Series. Addison-Wesley, 4th edition, 1992.
[Spi88] J.M. Spivey. Understanding Z, a Specication Language and its formal
semantics. Cambridge University Press, 1988.
[Spi92] J. Michael Spivey. The Z Notation: A Reference Manual. Prentice-Hall
International Series in Computer Science. Prentice-Hall, New York,
N.Y., second edition, 1992.
138 BIBLIOGRAPHY
[SS98] S. Sadeghipour and H. Singh. Test strategies on the basis of extended
nite state machines. Technical report, Daimler-Benz AG, Research
and Technology, 1998.
[Sta89] M.E. Staknis. The use of software prototypes in software testing. In
Sixth International Conference on Testing Computer Software, Wash-
ington, DC, May 2225, 1989, 1989.
[Ste95] Susan Stepney. Testing as abstraction. In J. P. Bowen and M. G.
Hinchey, editors, ZUM 95: 9th International Conference of Z Users,
Limerick 1995, volume 967 of Lecture Notes in Computer Science.
Springer, 1995.
[Sto93] Philip Alan Stocks. Applying formal methods to software testing. PhD
thesis, The Department of computer science, The University of Queens-
land, 1993.
[Sto98] Ole Storm. The VDM Toolbox API users guide. Technical report,
IFAD, 1998.
[TaA88] G.S. Teo and M. Mac an Airchinnigh. The use of VDM in the spec-
ication of chinese characters. In VDM 88 VDM The Way Ahead,
pages 476499, September 1988.
[TDS98] H. Treharne, J. Draper, and S. Schneider. Test case preparation using
a prototype. In Didier Bert, editor, B98, volume 1393 of LNCS, pages
293311. Springer, 1998.
[Tre92] J. Tretmans. A Formal Approach to Conformance Testing. PhD thesis,
Universiteit Twente, the Netherlands, December 1992.
[Tur93] Kenneth J. Turner, editor. Using Formal Description Techniques
Estelle, LOTOS, SDL. John Wiley and Sons Ltd., 1993.
[vdBVW99] Manuel van den Berg, Marcel Verhoef, and Mark Wigmans. Formal
specication and development of a mission critical data handling sub-
system, an industrial usage report. In John Fitzgerald and Peter Gorm
Larsen, editors, Workshop Materials: VDM in Practice!, Part of the
FM99 World Congress on Formal Methods, Toulouse. Springer, 1999.
[VGvM80] U. Voges, L. Gmeiner, and A.A. von Mayerhauser. Sadat an
automated test tool. IEEE Transactions on Software Engineering,
16(3):286290, 1980.
[vW94] J. von Wright. Program renement by theorem prover. Technical re-
port, Abo Akademi University, Dept. of Computer Science, 1994.
BIBLIOGRAPHY 139
[WD96] Jim Woodcock and Jim Davies. Using Z Specication, Renement,
and Proof. International Series in Computer Science. Prentice Hall,
1996.
[Wit21] Ludwig Wittgenstein. Tractatus logico-philosophicus. Annalen der
Naturphilosophie, 1921.