Proceedings of the 16th International RCRA workshop (RCRA 2009): Experimental Evaluation of Algorithms for Solving Problems with Combinatorial Explosion Reggio Emilia, Italy, 12 December 2009
Software Testing via Coverage Analysis is the most used technique for software veri cation in industry, but, since manual generation is involved, remains one of the most expensive process of the software development. Many tools have been proposed for the automatic test generation: on one hand they reduce the cost of the testing generation process, on the other hand the quality of the test set so generated is lower than the quality of the test set manually generated by domain experts. In fact, most of the time, the test set automatically generated contains redundant tests, i.e. test that does not contribute to reach the property of 100% of coverage: if they are eliminated by the set, the property still holds. Indeed, these redundant tests are useless from the perspective of the coverage, are not easy to detect and then to eliminate a posteriori, and, if maintained, imply additional costs during the veri cation process.
In this paper we present a methodology for the automatic
generation of test set for Coverage Analysis, containing only non redundant
test. We experimented it on a subset of modules of the ERTMS/ETCS
source code, an industrial system for the control of the tra c railway,
provided by Ansaldo STS, where we were able to verify completely
31 di erent modules of the ERTMS: On 20 modules we were able to
generate a set of minimal test covering the 100% of the code for each
function in each module; on 7 of them we generate a set of tests that
does not cover the 100% of the branches due to unreachable code; the
last 4 modules were not completely veri ed due to CBMC exponential
blow-up explosion. The use of our methodology for test generation
led to a dramatic increase in the productivity of the entire Software
Development process by substantially reducing the number of tests
generated and thus the costs of the testing phase.
Testing [
In this section we rst present some basic notions used through the paper, then the basic algorithm is presented, under the assumption of not having to test program with unfeasible paths and nally we present the advanced algorithm taking into account also the unfeasible paths. 2.1 A
N is a set of nodes ow graph is a directed graph C = (N,E,ns,ne) where
E is a binary relation on N (a subset of N x N ), referred to a set of edges; ns 2 N and ne 2 N are unique entry (start) and unique exit nodes respectively.
A control ow graph is a representation, using graph notation, of all paths
that might be traversed by a program during its execution. Each node in the
graph represents a basic block, i.e. a piece of code without any jump or jump
target; jump targets start a block and jumps end a block. Directed edges are
used to represent jumps in the control ow. In most representations there
are two specially designated blocks: the entry block, through which control
enters into the ow graph, and the exit block, through which all the control
ows leave. Moreover, for each edge, it is also annotated which branch
condition, if any, it represents. We say that a branch predicate guards a basic
block if the true value of the predicate implies the execution of the block.
Given a control ow graph G, a path p in G is a sequence p = fn1; n2; :::nkg of
nodes such that n1 = ns and nk = ne and for all i; 1 i k, (ni; ni+1) 2 E.
Notice that an assignment to the input variables determines a path along
the control ow graph, but the contrary is not always true. We say that a
path is feasible if it exists an assignment to the program's input X for which
the path is traversed during the program execution, otherwise the path is
unfeasible. Given a set of path of a control ow graph, an independent path is
a path such that: there is at least an edge in the path that does not occur in
any other path in the set. A branch is de ned as any decision outcome in the
source code. This is re ected in the unwinded ow graph: for every decision
we have one or more nodes with two or more outgoing edges, representing
the branches. Di erent edges in the unwinded graph may refer to the same
original branch. Covering a branch requires producing at least a test that
contains at least an edge which referes to that branch. CBMC is a Bounded
Model Checker for software veri cation [
Given the property P and a program D both in SSA form, the formula
D ^ :P is rst converted into a bit-vector equation, i.e. each variable is
represented by a bit-vector of xed size, and the operations are converted into
bit-vector operations. Finally, it is converted into a propositional formula
in Conjunctive Normal Form (CNF), by adding intermediate variables. If
applying a SAT solver to the CNF, the equation is satis able, then the
property does not hold, and an assignment to the variables making the formula
true is returned. Starting from this assignment, it is possible to construct
an error trace showing where the property does not hold in the program.
Otherwise, if the resulting CNF is false the property holds. However, we
can not conclude by saying that the program is veri ed, but we can say that
it is veri ed for a given k. Choosing another k0 > k does not ensure that
the property holds. In order to use CBMC as a test generator we need to
modify the code in input as rstly presented in [
T = ft1; t2; t3; t4g generated covers the 100% of the branches for construction, and for example set of paths pathGenerator(C) 0 P = fg; 1 Au = update(P,C); 2 while jAuj 6= 0 do 3 P = P [ genApath(ns,Au); 4 return P; path genApath(n,Au) 5 if n ne then return fng 6 maxn = succ(n).first(); 7 foreach si 2 succ(n) do 8 if jAu(maxs)j < jAu(si)j then 9 maxs = si 10 else if jAu(maxs)j == jAu(si)j then 11 if E(n; maxs) 2= Au then 12 maxs = si 13 Au = update(P,C); 14 return fng [
genApath(maxs,Au) they could be:
t1: (a = 10), t2: (a = 6), t3: (a = 5), t4: (a = 4) However it may be the case that eliminating one or two test from the set the 100% of branch are still covered, for example also the test set T 0 = ft1; t3g covers the 100% of the branches. In the naive algorithm we always generate more test of the ones needed to grant the 100% of branch coverage. This may increase the costs associated to the testing phase, in particular during the regression phase. In order to reduce the size of the test set we rst construct a set of independent paths covering the 100% of the branches of the control ow graph. Then, given a path in the set, it is possible to instrument CBMC in order to generate a test following the path. The testing process is presented in gure 1. It assumes that all the paths are feasible. This is a big restriction that is made only for a better comprehension of the algorithm. In the next subsections the algorithm that takes s0 b1 b3 s4 s4 int Test1(int[ ] a, int size) b1 s0 int b = 0; int c = 0; b3 b1; b2, s1 for ( ; (c < size); c++) s4 b3; b4 if (a[c] < 0) b1 s2 b++; s3 return b; int Test1(int[ ] a, int size) int b = 0; int c = 0; assume(c < size); assume(a[c] < 0); b++; c++; assume(c < size); assume(!(a[c] < 0));
c++; assume(!(c < size)); assert(); s13 return b; into account unfeasible paths is presented.
The process in gure 1 rstly analyzes the code under test and it
constructs a set of independent paths covering the 100% of the branches in the
control ow graph associated to the program under test (pathGenerator),
i.e. each path covers at least a branch not covered by any other path. Then,
from each path, the module ATG via CBMC will generate a test in a way
similar to the one presented in [
ATGviaCBMC is a function that takes as input a set of paths and it will
return (if exists) a test for the program under test representing each path.
T is the set of tests generated, initially empty (line 15). Then for each
path the program D is modi ed, i.e. opportunely instrumented,(line 17)
and a new program, D0 is created. D0 is then passed to the tool CBMC(line
18) that returns as assignment to the input variables exploring the path
in input. D0 has to be carefully instrumented in order to generate a test.
In [
An example of the algorithm behavior is presented below. Let's assume as a function under test the function presented in gure 4 which counts negatives in an array. The algorithm presented above takes as input C, i.e. the control ow graph representation of the function in gure 4, left already unwinded. The set of paths, line 0, is initially empty and the Au is updated (line 1) with all the branches of the Control Flow graph, Au = fb1; b2; b3; b4g. For each node n it is also updated Au(n). Notice that the function genApath will work on the control ow graph unwinded, which is shown in gure 5, right, assuming an unwind value of 3. Each function has a minimum unwind value k, necessary to reach full coverage, which depends on the cycles structure. Best way to set k would be to know such minimum a priori but that's not feasible in an automatic way so, a good alternative solution is to start testing with low k and increase it until coverage is reached. Lower k are faster to test but have less chances to reach full coverage while bigger k requires more time and e ort for both CBMC and our algorithm and also increase the chances that CBMC will fail to nd an answer in the given time. At the rst node there is only one branch (without any label) and then the recursive call to genApath(s1,Au) is executed. At this point since s1 is not the end node, its successor nodes (s2 and s13) would be explored. maxs = s2, since jAu(s13)j = 0 and jAu(s2)j = 4 (fb1; b2; b3; b4g). The current coverage status is then updated by deleting b1, which is the incoming edge used to reach s2, from both Au and from each Au(n) where n is a node in C. A new recursive call, genApath(s2,Au) is executed. Then the algorithm chooses between s3 and s4, having jAu(s3)j = jAu(s4)j = 3, (fb2; b3; b4g) and being both edges b3 and b4 uncovered, the algorithm breaks the ties by lexicographic order choosing s3. Au is updated deleting b4 and it is also updated for each node. From node s3 to node s5 there is a single path to be followed. On node s5 maxs = s6 with jAu(s6)j = 2 (fb2; b3g) against jAu(s13)j = 0. From s6, s8 will be chosen because even if jAu(s7)j = jAu(s8)j = 2, b3 is not yet covered. Finally the algorithm will go from s9 to s13, covering b2. As soon as the algorithm reaches the s13 node it will stop and backtrack until the root constructing the path, i.e. p1 = fs0; s1; s2; s3; s4; s5; s6; s8; s9; s13g. This path can cover all the branches, so no more calls will be necessary. The pathGenerator function will return a set of paths, P = fp1g and then the function ATGviaCBMC is called. The function instrument the code in order to force CBMC to follow the path. In gure 4, right, the modi ed code (C0) for the generated path is presented. Notice that: the instrumented code is already unwinded, unnecessary code is removed in order to help CBMC to nd a solution. Since we are exploring a path only the code explored by the path is necessary.
CBMC, taking as input the modi ed code, will generate a test, i.e. with the
following inputs, size = 2, a[0] = 1 and a[
In case of unfeasible paths the algorithm presented above will generate a set of tests that does not cover the 100% of the branches. In order to overcome the problem whenever a path is generated, a checker is used to analyze the path and return if the path is feasible or not. In case of unfeasible path a new path has to be generated. As feasibility checker we use CBMC: if a test is returned from CBMC then the path is feasible otherwise is not. The new algorithm is composed by a function CreateTestSet that uses the function generatePath, that it is similar to the one presented above: this function also takes as input a set of branches that have not to be covered from the path returned. In case that this set is empty the function is equivalent to the one presented above.
CreateTestSet is a function presented in gure 6 that given a set of branches(Au) and a program P returns a set of tests covering the 100% of the branches in Au. Given a nite set of paths of a program P (P k), generate a path covering as much branches in Au as possible CreateTestSet generates a path covering as much branches as possible of Au (line 2) starting from the basic path (bp) and avoiding the Forbidden branches (F). If such path exists, then CBMC is invoked (line 4) and if the path is feasible CBMC returns a vector of values for the input variables; then the test is added to the set of Tests T (line 8) and the branches traversed by P are eliminated from Au. If the path is unfeasible the function analisePath returns (if any) the subset of arch which make it feasible (bp) and the arches set of Tests createTestSet(Au; P; kmax) 0 k = 4; T = fg; bp = fnsg; F = fg 1 while jAuj > 0 & k < kmax do 2 p = generateP ath(Au; bp; F; P k) 3 if jpj > 0 then 4 t = generateT est(p; P k) 5 if t == t0 then 6 hbp; F i = analiseP ath(bp; p; F; P k) 7 else if t == tstop then 8 return T 9 else 10 T = T S ftg 11 bp = fnsg 12 Au = update(Au,p) 13 else 14 if bp 6= fnsg then 15 F = fbpg 16 bp = bp n tail(bp) 17 else 18 k=k*2; F =fg; bp = fnsg 19 return T making the path unfeasible are stored in F (line 6) so that the next path will be generated starting from bp and avoiding the forbidden path. If the path generated in line 2 is empty, i.e. does not exists any path starting from bp and covering at least a branch in Au such that the branch is forbidden, then a new basic path is computed, i.e. the tail of the basic path is removed and it became a forbidden arch. If bp was the root, jAuj is not equal to zero, then there are some branches not covered with the xed k: at this point (line 16) k is incremented and the search restarts again. The function returns the set of tests so computed.
Suppose, for example, that the function in gure 4 did not have the size of the array as an input, but instead it is hard coded in the cycle and it is greater than 2, i.e. 3. Also necessarily consider a greater unwind value, i.e. 4 instead of 3. In this case the previous algorithm would generate the exact same path but that would be unfeasible because it tries to exit from the cycle after two iterations, which cannot be done. The new algorithm will then exclude that possibility by removing and forbidding the last step from the path and compute another path with the same initial subpath which will stay in the cycle one more iteration and exit afterwards. This will be found feasible and reported as a test. manual 127 57 17 43 18 39 27 200 144 35 312 34 181 157 322 69 36 101 62 119 2100
Nowadays trains are equipped with up to six di erent navigational systems
which are extremely costly and take space on-board. A train crossing from
one European country to another must switch the operating standards as
it crosses the border. The European Rail Tra c Management System [
Ansaldo STS as part of the European Project produces the European Vital Computer (EVC) software, a fail-safe system which supervises and controls the speed pro les using the information received from the in-track balises transmitted to the train. Following the CENELEC standards Ansaldo STS needs to provide a certi cate of the integrity level required, i.e. it has to provide a set of tests covering the 100% of the branches. In order to simplify the readability, the Ansaldo STS implementation of the EVC is developed into di erent modules of xed size. In our experimental analysis we took a subset of the interconnected modules of the EVC and we applied the automatic test generation strategy seen in the section above. We get more than 130 di erent modules, containing more than 100.000 lines of code distributed in more than 1700 functions. As a comparison we only took 31 di erent modules, the modules on which we get informations about the tests manually generated by Ansaldo STS. As unwind, after a brief analysis, we start from k = 5 till k = 100, with step 2. We also set a 20 minutes timeout for both our algorithm and CBMC.
In gure 7 are reported the results on the module on which we reach
the 100% of branch coverage. The columns from left to right represent:
the name of the module (for copyright reasons they are coded), the number
of functions contained in the module, the number of tests needed to reach
the 100% of branch coverage using the naive method presented in [
In gure 8 are also reported the modules on which we were not able to obtain full coverage: the rst column reports the name, the second column the number of functions in the module, third the number of functions not covered due to unreachable code and the last column reports the number of functions not fully covered due to CBMC time-out. The functions that are not reported in the last two columns, have been fully covered, with less test than manual generation. As shown in the table, few functions have been reported as uncoverable, in particular the functions presenting unreachable codes have been manually checked. Also Ansaldo STS has reported that these functions can not be fully covered. The results, as shown in the tables, are that only 4 modules out of 31 can not be completely covered (13% of the modules) and the number of functions that can not be covered are 11 (resp. 13) for timeout (resp. unreachable code) out of 415. 4
In this paper we have presented a methodology for the automatic generation of test set for Coverage Analysis, containing only non redundant test. The generation goes through the construction of a set of feasible (if exist) independent paths. We have experimented our methodology on a subset of modules of the ERTMS/ETCS source code, an industrial system for the control of the tra c railway, provided by Ansaldo STS. With our methodology we were able to verify completely 20 out of 31 di erent modules of the ERTMS. On the remaining we were able to conclude that 7 out of 31 could not be covered due to unreachable code while for the last 4 out of 31 has been impossible to reach complete coverage since CBMC could not nish. This paper has shown that the use of our methodology for test generation led to a dramatic increase in the productivity of the entire Software Development process by substantially reducing the number of tests generated and thus the costs of the testing phase.