Using Model Checking to Generate Tests From Specifications
P E. Ammann, Paul E. Black, William J. Majurski
We apply a model checker to the problem of test generation using a new application of mutation analysis. We define syntactic operators, each of which produces a slight variation on a given model. The operators define a form of mutation analysis at the level of the model checker specification. A model checker generates counterexamples which distinguish the variations from the original specification. The counterexamples can easily be turned into complete test cases, that is, with inputs and expected output. We define two classes of operators: those that produce test cases from which a correct implementation must differ, and those that produce test cases with which it must agree. There are substantial advantages to combining a model checker with mutation analysis. First, the generation of test cases is automatic; each counterexample serves as a complete test case. Second, in sharp contrast to program-based mutation analysis, the identification of equivalent mutants is also automatic; the model checker simply reports that the mutant satisfies the constraints, and hence no counterexample is produced. We apply our method to an example specification and evaluate the resulting test sets with coverage metrics on a corresponding implementation in Java.
December 1, 1998
Brisbane, 1, AS
IEEE International Conference on Formal Engineering Methods
formal specification, Java, model checking, test generation
, Black, P.
and Majurski, W.
Using Model Checking to Generate Tests From Specifications, IEEE International Conference on Formal Engineering Methods, Brisbane, 1, AS
(Accessed November 28, 2023)