System Modelling (BMEVIMIAA00), spring semester 2015

5th exercise – Model verification and testing

1. exercise

Check the following process model.

[Figure: process model with activities A, B, C, D, E, F and guard conditions [x], [y], [z], [w], [s], [t]]

a. Under what conditions is the process completely specified?
b. Under what conditions is the process also deterministic?
c. Under what conditions is the process also deadlock-free?
d. Under what further conditions is the process terminating?
e. Is the process well structured? If not, how would you make it so? Does it help with the problems?

2. exercise

Listed below are the requirements on function f().

• R1. Function f() must write something to the output at least once in each execution.
• R2. Function f() must terminate for any sequence of inputs.
• R3. The last output of function f() must be 0.

The following C code is one possible implementation of the function.

    int readInput();               /* reads the next value from the input */
    void writeOutput(int out);     /* writes one value to the output */

    void f() {
        int x = readInput();
        int y = readInput();
        int z = x + y;
        writeOutput(x * y);        /* first output, written before the loop */
        while (x > 0 && y > 0) {
            if (1 == readInput() % 2) {
                /* odd input */
                y--;
                z--;
            } else {
                /* any other input */
                x--;
                y++;
            }
            writeOutput(z + x * y * y - x - y);
        }
    }

Check the operation of the function in the following steps.

a. Represent the function's control flow as a process model.
b. Build a state machine that operates equivalently to f(). Model the readInput() calls as an input channel and the writeOutput() calls as an output channel. Model the termination of function f() such that the automaton gives a special output and transitions to a state without any outgoing transitions.
c. Why is it sure that R1 is fulfilled?
d. Additional exercise: Why is it sure that R2 is fulfilled?
e. Check requirement R3 by testing. Build a test oracle automaton that can decide, from the function's input/output sequence and its termination, whether the requirement has been violated during a particular execution.
f. The first test case for requirement R3 is the input sequence t1 = ⟨1, 2, 4, 1, 2, 4, ...⟩. Does the test oracle detect an error for this test case?
g. Build a data flow network that connects the automaton model under test (SUT), the test oracle and a component generating the above input sequence.
h. Calculate the command-level test coverage, i.e. the percentage of the commands executed during the execution of the test. How does this metric appear in the control flow and in the automaton model?
i. The second test case is the input sequence t2 = ⟨2, 3, 5, 7, 11, 13, ...⟩. Is there any error detected? What is the command coverage of the test set consisting of these two test cases?
j. Is any part of the control flow or the automaton model left out of the coverage? What kind of coverage metrics could reveal this?
k. Homework: add the input sequences t3 = ⟨0, 1, 2, 3, 4, 5, ...⟩ and t4 = ⟨1, 2, 3, 4, 5, 6, ...⟩ as further test cases to the test set. Is any error detected? How do the coverage metrics change?
l. Provide a test case that reveals an error in the program. Based on what principle could you have suspected that the former test set needs to be completed?
m. Additional exercise: describe exactly which input sequences violate R3 and propose a bugfix.
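
The test set-up of steps e to i of the 2. exercise (input generator, SUT, test oracle for R3), written as a C harness; this is an added example, not part of the original exercise sheet. The names run_test, covered, the enums and the branch probes inside f() are assumptions introduced here; t1 and t2 are the sheet's sequences, with t2 given as a finite prefix.

```c
#include <stddef.h>
#include <stdio.h>

enum verdict { PASS, FAIL };
enum oracle_state { NO_OUTPUT, LAST_ZERO, LAST_NONZERO };  /* oracle automaton states */
enum { ODD_BRANCH = 1, EVEN_BRANCH = 2 };                  /* coverage bits (assumed names) */

static const int t1[] = {1, 2, 4};             /* replayed cyclically: 1, 2, 4, 1, 2, 4, ... */
static const int t2[] = {2, 3, 5, 7, 11, 13};  /* finite prefix of the sheet's t2 */

static const int *seq;             /* input sequence of the current test case */
static size_t seq_len, seq_pos;
static enum oracle_state oracle;
static unsigned covered;           /* branches of the if statement hit in this run */

/* Generator -> SUT channel. */
int readInput(void) { int v = seq[seq_pos]; seq_pos = (seq_pos + 1) % seq_len; return v; }

/* SUT -> oracle channel: every output event moves the oracle automaton. */
void writeOutput(int out) { oracle = (out == 0) ? LAST_ZERO : LAST_NONZERO; }

/* System under test: f() as given in the exercise, with coverage probes added. */
void f(void) {
    int x = readInput();
    int y = readInput();
    int z = x + y;
    writeOutput(x * y);
    while (x > 0 && y > 0) {
        if (1 == readInput() % 2) { covered |= ODD_BRANCH;  y--; z--; }
        else                      { covered |= EVEN_BRANCH; x--; y++; }
        writeOutput(z + x * y * y - x - y);
    }
}

/* Runs one test case; at termination the oracle accepts only in LAST_ZERO (R3). */
enum verdict run_test(const int *inputs, size_t n) {
    seq = inputs; seq_len = n; seq_pos = 0;
    oracle = NO_OUTPUT; covered = 0;
    f();                           /* returning from f() is the termination event */
    return oracle == LAST_ZERO ? PASS : FAIL;
}

int main(void) {
    printf("t1: %s", run_test(t1, 3) == PASS ? "pass" : "fail");
    printf(", branches=%u\n", covered);
    printf("t2: %s", run_test(t2, 6) == PASS ? "pass" : "fail");
    printf(", branches=%u\n", covered);
    return 0;
}
```

The branch bitmask printed per test case is the information that command coverage of the whole test set hides: it shows which side of the if statement each individual run exercised.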