I)
This model
accommodates all
confimance testing
activities and lets
you
translate data and
behavior into a
common
notation.
lesting
Lommunicat
ion
Protocols
KSHIRASAGAR
NAIK,
Concordia University
,
Montreal
BEHCET SARIKAYA,
Bilkent University, Ankara
tocols are the d e s that govern communi- cation among components in a distributed system. Functions are usually partitioned into a hierarchical structure of protocol layers, as in the standard Open System In- terconnection basic reference model.’
The box on pp. 30-3 1 is an overview of protocol design, implementation, and test concerns. Careful protocol description is important for many reasons. Early in the protocol’s life cycle, descriptions give de- signers, who may be workmg on different protocol parts, a reference for cooperation and help them check the design for logical correctness. Later in the cycle, clear de- scriptions make it easy to check compli- ance across many implementations.
Informal techmques like narrative de- scriptions for protocol design and walk- throughs for protocol test are invaluable, but painful experience shows they are in- adequate when used alone. Formal-speci-
fication methods from general software- engineering practices are also necessary.’ These methods provide not only a more reliable way to verify the specification but also a method for partially automating protocol design, implementation, and conformance testing.
Specification languages like Lotos (Language for Temporal Ordering Sys- tems),’ Estelle, and SDL (Specification Description Language) have been devel- oped for writing OS1 protocols and ser- vices. Formal languages for specifymg test suites include Abstract Syntax Notation- 1, which describes data structures, and Tree and Tabular Combined Notation: which describes test cases.
Unfortunately, these specification and test-suite languages (or notations) are in- compatible. A Lotos specification’s data is described in abstract data types, for exam- ple, while its behavior part is based on pro- cess algebra. TTCN is a tabular notation
specification TProtocol [ci,L]no exit behavior TP-Simplep,L] where
process TP-Simple[U,L]: noexit :=
U?TCONreq;L!CR
(L?CC;L!DR;U!TDISid;L?DC;TP-simple[ts,ns]
11
L?CC;U!TCONconf;Open[ts,m] )[ I
L?CR( L!DR;TP-simple[U,L]11
U!TCONind( Uclose[u,L][ I
U?TCONresp;L ! CC;Open [U&] )
1
endproc
process Open&J,L]: noexit :=
(U?TDATAreq;L!DT;Open[U,L]
[ ] L?DT;U!TDAThd;Open&J&] [1
L?AK;Open[U,LI [1
Uclose&J,Ll [ ] Rclose[U,L] [ ] i;U!TDISind;L!DR,L?DC;Open~,L] [ ] i;L!AK;Open[U,L] ) endprocprocess Uclose[U,L]: noexit := endproc
process Rclose[U,L]: noexit := L?DR,U!TDISind;L!DC endproc
U?TDISreq;L!DR;L?DC;Open[U,L]
endspec
Figuve I . d Lotos sppeclfirntimi for 11 n-iiiispoi-t protocol
aith data and b e h a h - parts that are
sqn-
tactically and semantically different fi-om those in Lotos specifications. Thus you cannot directly compare a test case's be- havior with the protocol specification to veri@ a test case.
Ilie have developed a u n i h g , common intermediate model that lets you translate Lotos specifications and TTCN test suites
Doto h/pe declaration
~ ~ _ _ ~
Field
Options
,
Options-type1
1
Credit1
Credit t w e II
into extended finite-state Inachines, pro- viding a single medium for conformance testing. We chose to work aith Lotos and TTCAT because they are becoming in- creasingly important in the standardlza- tion of specifications. We chose an ex- tended-hte-state-machine model because state machines are a proven technique for protocol modeling.
Calling
Figure 2. (A) Dei.Innition of N protocol datn iiizit (PDU) thrt is a ii"rtioiz 7squest (CR) oilcl (B) n
dei-lilrntio71
uf;l
co7z.in.ni1it U I I t h ~ t regliest.2 8
SPECIFYING A PROTOCOL IN LOTOS
A Lotos specification consists of data and behavioral descriptions. Data is described in terms of abstract data types; behavior is de- scribed using the algebraic theory of pro- cesses, based on Mher's CCS (Calculus of Communicating Systems). Behavioral de- scription is essentially a hierarchy of nested processes that interact using gates.
Figure 1 shows the behavior of a trans- port protocol (layer 4 ofthe OS1 reference model) expressed in Lotos. For simplicity, we have omitted all data-tqpe definitions.
Because Lotos is based on process al- gebra, it uses operators to express inter- process relationships. For example, a choice of the behavior expressions B1 and BZ is expressed as B1 [
1
BZ. A parallel composition with no symchroni7ation of B1 and BZ is expressed as R1 I I I BZ. If B1 andBZ
are two processes that interact through a list of gates G, the parallel coni- position of B1 and BZ is expressed as B1 I [GI IBZ.
The disabling of Bl by 112 isexpressed as B1 [> BZ, which means thc actixities of B2 can stop the operation of B1 a t any time. A process's hnctions -
the set of values it retums when it tenni- nates - can be passed to another process using the enabling consmict B1 >> BZ. T h i s means that once B1 ternlinates suc- cessfully, its functions are transferred to
BZ,
andBZ
is invoked.Nondeterninaq is an iinpomwt no- tion that distinguishes specification lan- guages froin programming languages. Lotos offers several fiacilities for specifcing nondetenniilate behaxior. T h e main one is the choice ([
1)
operator, which is usedwith thc intemal event i.
I'rotocol desigiers can use i to repre- sent many protocol features abstractly. Examples are the achowledgnient poli- cies in a transport protocol -the reasons for sending it -and the unreliable nature of a protocol's underlying service pro-
\;der. The Open process in Figure 1 con- sists of seven altemative behaviors. T h e behavior i;L!;u< states that the acknowl- edgment policies are represented ab- snactly by an internal event.
Sirnilarly, the behavior i;U!TDISind indicates that the underlying sercice pro-
vider cannot provide the desired service reliably all the time. Hence the transport protocol may issue a disconnect-indica- tion event (TDISind) at any time. You can thus easily model loss, duplication, and message reordering in a specification that uses an unreliable medium.
SPECIFYING TEST SUITES IN TTCN
A T T C N specification consists of an overview, declarations, constraints, and dynamic behavior. The overview, written in English, describes the scope of the test suite. Th e declaration declares test-suite parameters, points ofcontrol and observa- tion, protocol data units, abstract service primitives, and timers. Constraints let you specify values for each field of the protocol data unit and abstract service primitive.
Figure 2a shows a declaration of a pro- tocol data unit that is a connection request. Figure 2b shows a declaration of a con- straint on that request. A constraint table contains a constraint name for the abstract service primitive or protocol data unit and a list of parameter names and their values. The parameter values in a constraint on an abstract service primitive or protocol data unit are sent if the primitive or unit ap- pears in a send event. The parameter Val- ues are the values received if the primitive or unit appears in a receive event.
The connection request in Figure 2a has four fields: Called, Calling, Options, and Credit. T he constraint in Figure 2b defines the values of these four fields. If a connection request with the constraint ap- pears in a send event in a test case’s dy- namic part, the test case sends a connec- t io n request t hat assigns the cor- responding values to the parameters.
A test case’s dynamic behavior specifies combinations of test-event sequences the test-suite specifier will allow. The events are combined as either sequences or sets of alternatives. A sequence of events is repre- sented as one h e after the other. Each new event is indented once from the left to represent the progression of time.
Figure 3a shows four event sequences:
Vl C,
F,
G), (A, ClFl
H), (A, B, Dl 1 andw,
B,4.
However, (A, C, B, D] is not a correct sequence. Also, events C and B con-stitute a set of alternative events; either Cor
B occurs but both do not occur at the same
time. Events F, D, and E do not form a set of altemative events because they do not have the Same p r e d e m r event; the predecessor ofFis C, and the predecessorofDand Eis B.
Figure 3b shows a test-case description structured as a tree. Test events are nodes; verdict assignments are leaves. r h e box on pp. 30-31 describes how verdicts are used in test verification.) Test events with the same indentation belong to the same prede- cessor event These represent the alternative events that could occur at that time. Alterna- tive test events are specified in the order in which the tester will repeatedly attempt them until one OCCUTS. You can trap all the undesired extemal input events by specify- ing an Otherwise event as an altemative to the desired events. In a sequence of altema- tive events, an Otherwise will be the last event or the event just before a Timeout
You can also structure a test case by using test steps, as Figure 3c shows, where Step is a test step. The description of the structured test case in Figure 3c is shown as a structured tree in Figure 3d.
Every test case has an associated pur- pose. Th e correcmess of test-event se- quences, the correcmess of test verdicts, and the purpose of a test case are closely related. In the test-case model based on extended hte-s tate machines, you ex- press the test purpose using a regular ex- pression on the interactions between the test case and the protocol specification.
To illustrate how a test case works, we chose a test case from a real test suite de- veloped at the Naeonal Computing Cen- ter in Manchester.’ The test case, which is shown in Figure 4, is for the basic inter- connection testing of a Class 2 transport protocol. As the figure shows, the test case starts with lower tester L sending a con- nection request to an implementation. Then
L
sends a data protocol data unit if the connection request is accepted. After it receives an acknowledgment protocol data unit from the implementation, it dis- connects the connection. In h s example, the test purpose is denoted by {L!CR.U?TCONind. U!TCONresp. L?CC.
L!DT. U?TDATAind.
L?AK.
L!DR.U?TDISind. L?DC}.
igure 3. (A) A test case, (B) a tert caJe 112 wee Itation, (C) a .wuctwed tert case u d a test step,
id (D) a structured test case in wee rlotatioiz Solid
its denote ezwtr, open dots dmote zwdirts
L!CR Start(timer A) WTCONind I U!TCONresp I L’CC I I Cancel(timerA) I I L!DT I I U?TDATAind I I IL?AK I I I I L!DR I I I I WTDISind I I I I IL?DC I I I I I L?OTHERWISE Fail I I I I U?OTHERWISE Fail I I IL?OTHERWISE Fail I I U?OTHERWISE Fail I ?Timeout(timerA) Fail I L?OTHERWISE Fail L?DR Inconclusive UOTHERWISE Fail
igure 4. A sample test case.
2 9
TRANSLATING SPECIFICATIONS TO CIM
Our common intermediate model
maps Lotos and TTCN specifications to extended finite-state machnes and ac- commodates all conformance-testing ac- tivities. Protocol and test-entity behavior is described as a set of transitions, each triggered by an input, an output, or an internal event. Data is described in ab- stract data types.
CIM's extended hte-state machme is
a six-tuple: M = 4,
V,jo,
Jr; R, E>, where Jis a set of states, Vis a set of data declara- tions (variables),jo is the initial state, +is a
set of final states, R is a set of transitions, and E is a set of initial value assignments to some variables in K
A transition of an extended hte-state machine is also a six-tuple: r = <j ,j', a,
p , f ;
pr>,
wherej is the From state of r,j' is the To state ofr, a is an action (the event clause of r),p
is the provided clause of r,fis the assignment clause of r, a n d p is the prior- ity number of the transition.Figure 5 illustrates the execution se- mantics of a transition. T h e Begin
...
End block in a CIM transition contains only assignment statements, no predicate or output events.PROTOCOL DESIGN, IMPLEMENTATION, AND TEST
Because protocol systems are not the same as traditional s o b a r e systems, they have spe- cial design and implementation concerns. Traditional systems consist of functions that go from an initial state to a final
state. Systems accept all input
at the beginning of their opera- tions and yield their output at
termination.
These systems are called
transfarmational because they
transform an initial state to a
hal state. Typical examples are batch, off-line data processing, and numerical packages.
But some systems,
like
oper-ring only to their initial and 6nal states. Instead you must refer to their continued behav- ior, which may be an infinite se- quene of states and YO events. Communication-protocol systems are reactive systems with several unique characteris- tics: Each protoml input may not have a corresponding out- put, and one input may have many outputs.
The correctness of a protocol's output depends on the values of its preceding out- put Therefore, a protocol sys- tem may be nondeterminate. ating systems and process-con- Proto<oldesigGirJRmentpti#l
trol systems, may never termi-
nate. These are called redctive
syst-.
The purpose of running re- adve systems is not to get a
hal output, but rather to main- tain some interaction with the system's environment. A reac- tive system is not restricted to accepting input on initiation and generating output on ter- mination. Some of its input de- pends on intermediate output.
Thus, you cannot adequately
speafy reactive systems by refer-
Protocol specification is based on the communication senice to be provided and the commu- nication service that the proto- col will use. For the most part, protocol design is intuitive. De-
signers must also check the pro- tocol specification to ensure that it is correct and consistent, provides the desired communi- cation service, and offers ser- vices with acceptable efficiency.
The protocol must satisfy the rules in its specification as well as any constraints in its en-
Translating a Lotos specification and i
TTCN test suite involves
1. Translating the behavior part of :
Lotos specification into an extended fi- nite-state machme.
2 . Translating the TTCN declara- tions and constraints to abstract data types
3 . Translating TTCN dynamic b e havior to an extended hte-state machme T h e data part of a Lotos specification i! already described in abstract data types, sc it does not require translation.
Translaling Lotos into an EFSM. Translating
a Lotos specification into an extended
6.
vironment Implementation, which can be in hardware, soft- ware, or a combination, con- sists of generating a concrete, executable representation from an abstract, formal description.
The process is largely man- ual and involves design deci-
sions like how to support man-
datory, optional, and negotiable features, including the choice of addressing mode and timer values.
on performance requirements and the protocol's runtime en-
vironment
The decisions made depend
conforn#ne test& When a protocol implementation con- forms with its specification, it behaves according to the specification's rules. The most feasible way to determine con- formance is to test the imple- mentation with a set of test Cases.
Conformance tesdng is im-
portant, because it ensures that independently generated imple- mentations of the same proto- col can work with each other. Figure A shows the confor- mance testing activities.
Conformance testing starts with test design, in which you develop an abstract test suite. A test suite is a collection of test
cases, each ofwhich is used to
test one protocol feature. Test- suite development is either manual or semiautomatic. Man& design is the con- ventional way to design a test suite. The designer usually has
expertise in the protocol stan-
dard and is familiar with the fi-amework and methodology of conformance testing. But manual design is complicated and error-prone.
ktgmh. Most test gener- ators for ~ o r m a t i o n a l sys-
tem use symbolic d u a t i o n to derive test data. But beclause a protocol system is reactive, it re- gulres Werent
techtllques.
Thetechnique
used
depends on the protocol-specification model.Id+, test peration should be Illy automatic, andmuch re- d is bemg done on automatic techmques However, sofiswe-
testingingenemlandprotoad d e d a state that lets you a m -
maticallygaterate a set of@
testingin
partiallar have not yetnite-state machine' consists of
+
Normalizing the Lotos specifica- tion by transforming an enable operator to a semantically equivalent parallel opera- tor. (An interleaving parallel operator is transformed into a generalized parallel operator.) In this step, all process refer- ences are expanded by their definitions in a top-down manner until a process refer- ence appears in its expanded form in in- stances of indirect recursions. All variables are uniquely renamed.+
Translating the normalized specifi- cation to an extended finite-state machine by applying a transformation rule to eachFrom j To. j' Priority pr Event a(parameters) Provided p
P pr is the priority of the transition. */
P a is an event p i b l y with a set of parameters. */
P p is a predicate. */ P Sequence of assignments. */ Begin { f
I
EndFigure li. Structure oja wansition in a CIM extendedfinite-state machine.
usable test cases &om a s p e d - cation. Instead, semiautomatic test generation is used.
ki
dKahm. A communica-tion protocol is made up ofevent sequences, which appear at its service-access points. Events con- sist of input events to the protc- col and output events that are the protml's responses.
whether the implementation satisfies the protocol specifica- tions and the test purpose. It does this by applying sequences of input events that the proto- col specification allows.
If the implementation be- havior is allowable and the test purpose is satisfied, the test case assigns a Pass verdict. If the im- plementation behavior is not al- lowable, it assigns a Fail verdict. If the implementation behavior is allowable but the test pur- pose is not satisfied, it assigns an Inconclusive verdict.
Therefore, a test case's ver- dict of correct or incorrect con- formance depends on the cor- rectness of the input-event sequences and the expected protocol events.
The test case checks
To verify a test case, you compare its behavior with the protocol's behavior and deter- mine any design e m r s in the test ease.
h
s$eaicn andpommeteniorian.The protocol may not support
all the functions or features stated in the specifcation, so only a subset of the entire pro- tocol test suite may apply. Ex- tracting that subset is called test selection. Test parameteriza- tion is assigning values to the test-suite parameters.
hi
e x e i u h To test an imple- mentation, you generate exe- cutable test cases from selected and parameterized test cases. The test-execution system must let a test case and an im- plementation communicate, provide a way to monitor testexecution, and provide a mech- anism to record a test case's exe- cution history for tiIrther analy-
sis. In this way, you can trace test cases in which the imple- mentation fails against a formal protocol specification and more effectively diagnose the
reason for failure. Figwe A. Using fmlapproaches m m-r$nnrmce ming.
Figure 6. The extendedfinite-state machine fw the rransport-protocolspecification in Ficgi?-e I ; State 1 is bot,
the initial and final state.
type CR-PDU is T-~fJh-type,options-type,~edit-~e,pdu sortsCR PDU
opns CR-PDU T-sufJh-sort,T-sufJh-sort,options-sort,credit-sort -> pdu TSAP-id-called : pdu -> T-suffix-sort
TSAP-id-calling : pdu -> T-sufi-sort credit : pdu -> credit-sort options-ind : pdu -> options-sort eqns forall called: T-sufik-sort, calling:T-su&x-sort,
options:options-sort, creditcredit-sort ofsort T-suEix~sort TSAP-id-called(CR-PDU(calied,calling,options,credit)) = called;
TSAP-id-calling(CR-PDU(called,&-g,options,c~dit))
= calling; options-ind(CR-PDU(called,calling,options,credit)) = options; credit(CR-PDU(called,allhg,options,credit)) = credit;IsCR-PDU(CR-PDU(called,&g,options,credit))
= true; ofsort options-sort ofsort credit-sort endtypeFigure 7. An abstract-data-type representatian of the connection r e p s t in Fiqire 20 Lotos operator. Conceptually, each trans-
formation rule derives all possible sequen- tial behavior from two operand behaviors related by the operator. You need transfor- mation rules only for the operators not eliminated during normalization.
We have implemented t h ~ s translation algorithm in Prolog. T h e algorithm ap- plied to the transport protocol in Figure 1 generates the extended finite-state ma- chme in Figure 6.
Translating l I C N data into abstract data types. T C N uses a number of predefined data types, like integer, Boolean, bit string, hex string, octet string, and character
Figure 7 is an example of how to translate the tabular declaration of the connectior request (protocol data unit) in Figure 2a tc
an abstract data type.
Given a protocol data unit’s individua fields, you should be able to construct it Conversely, given the protocol data unit you should be able to identify its type anc extract its individual fields. Therefore, tc
translate a protocol data unit into an ab- stract data type, you define one construc- tor operator to construct the protocol dat; unit, one operator to identify the unit type from a constructed protocol data unit, anc one selector operator to select each field ir the protocol data unit.
Translating l l C N behavior to an E M . Yo1 can algorithmically derive an extended fi- nite-state machine from the dynamic par of a TTCN test case.7 Translation consist: of expanding default behaviors, deriving an extended finite-state rnachine from thc main tree and each subtree, and resolving subtree attachments by combining corre- sponding extended finite-state machines Each event line in a test case is modeled a a transition in extended-finite-state-ma, chine notation.
For example, let L!CK_PL)U [initiate == true]
(called = “him”, calling = “ m e ” ,
options = “nil”, credit = 10)
be the first event line in a set of alternative in a TTCN test case. Initiate is a test-suitc parameter such that if its value is true, thc
string. Test cases have two frequently used classes of structured data types: the ab- stract service primitive and the protocol data unit. In any test architecture, the tes- ters and the protocol entity communicate among themselves by exchanging abstract service primitives, some of which may contain protocol data units. In 7TChT, abstract service primitives and protocol data units are in tabular form. To be able to compare the data values generated by a test case with those accepted by a protocol specification, you must translate the ?TCN test case’s tabular descriptions of the abstract service primitives and proto- col data units to abstract data types.
/* Let the transition occur from From M
To N
Event L!CR-PDU(called, calling, Provided [initiate == true]
state M to N. */ Priority 1 options, credit) Begin { called = “him”, calling = “me”, options = nil, credit = 10
1
Figure 8. Tramtion of an event line t o CILW
e~te~zded-fiiiite-st~te-lnnchr7ze notation.
I
I
@’ F @)P
Figure 9. The extendedfinite-state machine for the test case in Figure 4 Cgenevatedfj-on1 TTCY; OTH =
Othenuise, P = Pass, F = Fail, I =Inconclusive.
test case establishes a connection with the implementation by sending a connection request (protocol data unit). Figure 8 shows the transition of& event h e to an extended-finite-state-machine notation.
Figure 9 shows the test case in Figure 4 represented in extended-finite-state-ma- chine notation.
TEST GENERATION
After you map a Lotos specification to an extended finite-state machine, you must derive test cases from it. T h e first step is to algorithrmcally generate the test- case control structures needed to test a de- sired protocol behavior. These structures are called test-case skeletons. T h e second step is to manually transform test-case skeletons into complete 7TCN test cases. T h e number of test-case skeletons derived depends on the number of transitions e and the nu m b er of states n i n th e protocol’s extended ht e- s tate machine. Th e upper bound is given by the well- known cyclomatic complexity e - n
+
2.I E E E S O F T W A R E
Generating test-tase skeletons. If a protocol model is determinate, then each test case consists of a test-event sequence derived by some well-established test-generation techques.’ If a protocol model is non-
determinate, however, you cannot repre- sent a test case with a pure event sequence. To correctly judge the behavior of such a protocol, a test case must also account for the expected altemative behavior.
Thus, the test-generation algorithm consists of the following steps. Input is the extended finite-state machme generated from the Lotos specification, and output is the test-case skeletons in the form of ex- tended iinite-state machines.
1. In the given extended finite-state machme, generate a new sequence of tran- sitionsstartingand endmgintheinitialstate. We call h . s sequence a partial test case.
2. In the extended finite-state ma- chine, if there is a transition Y having an
internal event that is an altemative to a transition in the partial test case, then up- date the partial test case by adding a tran- sition sequence such that the sequence
Figure 10. A test-case skeleton generatedfvom the pl-otocol specification
starts with Y and ends in a state belonging
to the partial test a s e . Then repeat thls step or go to step 3.
3. The partial test case is a test-case skeleton. If all test-case skeletons are gen- erated, then stop. Otherwise go to step 1.
Tmnsforming test-case skeletons into TTCN test
cas=.
To derive a meaningful test case from a skeleton test case, you have to modify the skeleton test case’s behavior to meet a test purpose and add two other behaviors, Timeout and Otherwise. In real-time systems, the notion of a timeout is well-known. But you cannot automati- cally derive timer information from a pro- tocol specification. A test case must have an Otherwise event as an altemative to any receive event to trap unexpected events from an incorrect implementation.When a test case is transformed into TTCN, all the input and output transi- tions in the test case’s extended h te - s t at e machme are transformed into output and input transitions in TTCN. An event se- quence in the test ase’s extended finite-
: :
.
U!TDSind : : : U?OTHERWISE : : L?OTHERWISE : : U!TDSind : : :L?DR : : : L!DC : : :L?OTHERWISE : : U?OTHERWISE : L?OTHERWISE : ?TIMEOUT(Timer A) U?OTHERWISE Cons. Verdict Pars Fail Fail Fail Intonc Fail Fail Fail Inconc Fail L-..-
Figure 1 I . A test case in TTCN.
-
Figure 12. (A) The test-verification Tstem fw the localsingle-layer test architenure and (B) the repesenta- tion of the global state, z h c h IS asix-tuple
state machme is transformed into a se- quence of left-indented, with each indent events, representing the progression of time. A set of alternative transitions is rep- resented as a set of altemative event h e s . Loops in the extended finite-state ma- chine are suitably represented by goto loops in T T C N . A Pass verdict is assigned to the final event in the intended path, and Inconclusive verdicts are assigned to the other paths derived from the protocol's
extended finite-state machme. Fail ver- dicts are assigned to Otherwise events.
A test-wse derivation To illustrate
how to derive a test case, we apply the algorithm for test generation to the ex- tended finite-state machine in Figure 6. As the figure shows, state 1 is the initial and final state. Applying step I, you select the sequence { L ? C R , U ! T C O N i n d , U ? T C O N r e s p , L!CC, L ? D T , U ! T
DATAind, L?DR, U!TDISind, L!DC}
traversingthestatesequence{1,5,6,7,10,
17, 10, 14, 15, l} as a partial test case. Be- cause the transitions from state 10 to l l and from state 10 to state 18 contain in- ternal events, you must then add the path {i,U!TDISind, L!DR, L?DC) and {it
L!AK}
to the p a l test case as step 2. Figure 10 shows the skeleton test case after its behavior is genemted from the protocol's extended linite-state m a b e . Figure 11 shows the complete test case in TTCN.
TEST
VERIFICATION
You do not have to verify a test case generated from a formal protocol specifi- cation; verification is required only for manually written test cases. To verify these test cases, you analyze the global states arising from the event sequences. T he global states represent all possible interac- tions between a test case and the protocol specification. The goal is to show that the global system's state space has no errors like unspecified receptions, blocking re- ceptions, deadlocks, Iivelocks, channel- overflow errors, and synchronization er- rors. Also you have to establish that the verdicts attached to the final global states
are correct.
You can easily generate the global state space that contains the interaction se- quences between the test and protocol specifications by using traditional reachability analysis. But you cannot use this method to verify test cases. You need some way to verify the test case's dynamic properties that arise from timers, special test behavior due to Otherwise events, and information about test verdicts. To gener- ate global behavior, we have extended the traditional reachability algorithm by add- ing a verdict-verification phase.
In the extended algorithm, verification consists of two distinct phases. First, the algorithm generates a global state space using extended reachability analysis. Sec- ond, it analyzes the global state space to verify test-event correctness and verifies the verdicts attached to the
final
global states.T he time complexity of generating the reachability graph of an extended h t e -
3 4
~ ~
'
I
' I state machine generated from a Lotos specification, called P-EFSM, with np states and an extended finite-state ma- chine generated kom T T C N , called T- EFSM, with n, states is
where cis all the channel capacities, Evq is the maximum number of executable tran- sitions in each P-EFSM's state, and is the maximum number of executable man- sitions in each T-EFSM's state.
Thus, the test-verification algorithm has as its input T-EFSM, P-EFSM, and the first-in, first-out channels and their ca- pacities.
mi,
x 77t x c x CEmp + Em3)Generating a g b l state space. To illus-
trate how to generate the global state space, we chose test cases written for the local single-layer test architecture. Figure 12a shows a test-verification system, in which a test case is modeled as aT-EFSM, the protocol specification as a P-EFSM, and the upper points of control and obser- vation (PCO (U)) by two FIFO channels, LJI and UO, and the lower points of con- trol and observation (PCO &)) by two
FIFO channels, LI and LO.
Figure 12b shows the structure of a global state, which is a six-tuple. If the T- EFSM's state has a verdict tag, the global state also gets a verdict tag. T h e contents ofa FIFO channel represent its state.
The following algorithm generates a global state space using state perturbation. A global state is perturbed when a new global state has been generated. A new global state is generated when one transi- tion is executed in any of the test-verifica- tion system's extended finite-state ma- chines.
1. Define a set of global states G that has only the initial state gl, whch consists of the initial states of the T-EFSM and the P-EFSM and all empty channels.
2. Find g
,
a member of G that has not been 1narke8;'pertmbed.~' If no such state exists, then stop.3. Compute Gp, the set of global states that can be reached by perturbingg using all the executable transitions in
de
twomachmes in their respective present states. If Gp is an empty set, then gp is a final state.
4.
Mark all the states in Gp, denoting32 3111 E
I""'
PI 20 E I E 1 E ] (Final state) E 12 E E 22 E Contel(A1 ~ DR IO 'TDISind ; E 22 E L!OT 191 OR 11 TOlSindl (final state) I E E E S O F T W A R E 3 5~~
Figure 14. Steps to derive an executable test suite.
Figure 1 F. A test-execution syctem.
channel-overflow error as “perturbed,” and add to G the remaining states of Gp not already in G.
5. Gotostep2.
Verify‘ng test VerdictS. Each final global state must have either a Pass
(P),
Fail(F),
or Inconclusive (I) verdict. T h e box on pp. 30-3 I defines the conditions for P, F, and
I. Because an erroneous final state means there is a test-event error, the verdict asso- ciated with that state is not necessarily valid. However, assume that a protocol specification has only valid behavior if a P
is attached to an error-free state. T h e ver- dict assignment is then correct if the event sequence leading to that state satisfies the test purpose. Conversely, if an I is attached to the error-free state, it is correct if the
3 6
event sequence leading to that state does not satisfy the test purpose. N o F can be attached to ‘any error-free global state.
To illustrate verification, we verified the simplified state machme in Figure 9
against that in Figure 6. For these ex- tended finite-state machines, we do not consider the parameters and the predi- cates. We assume that the capacity of all FIFO channels is two.
Figure 13 shows part of the global state space. Its analysis indicates that the test case has a few design errors. For example, state 16 represents an unspecified recep- tion error, and state 20 represents a block- ing-reception error. These errors arise be- cause the test case does not provide a way to receive a nondeterminate disconnection-in- dication event TDISind. The state space
also contains a few channel-overflow er- rors, which are due to the nondeterminate acknowledgment (protocol data unit), but they are not shown in the figure.
Because state 20, the h a l state, is erro- neous, we do not have to verify the F at- tached to it. T h e two error-kee h a l states in the state space are 6 and 34. Because the event sequence from the start state to the error-free state 34 satisfies the test purpose of {L!CR. U?TCONind. U!TCONresp. L ? C C . L!DT. U?TDATAind. L?AK.
L!DR.
U?TDISind. L?DC), the P at-tached to state 34 is correct Moreover, be- came the event sequence leadmg to the error- free state 6 does not satisfy the test purpose, the I attached to state 6 is also correct
TEST SELECTION
Figure 14 shows the possible temporal relationships among test selection, test pa- rameterization, and derivation of execut- able test cases within the OS1 confor- mance-testing framework.
In reality, a protocol specification pro- vides several communication functions with many mandatory and negotiable op- tional and alternative features in t e r m of protocol behavior, protocol parameters, and quality of service. However, a protocol implementation need not support all the communication function types stated in the specification. T he implementer pro- vides a statement to the test laboratory, called the Protocol Implementation Con- formance Statement, which identifies the features the implementation does or does not support. T h e test designer then uses PICS pro forma to select the test cases to be applied to the implementation under test.
TEST PARAMETERIZATION
Many protocol features are not explic- itly stated in the specification, but are de- termined during protocol implementa- tion. Examples of such features are addressing information, timeout intervals, and number of connections supported by
a connection-oriented protocol. T h e im- plementer provides another statement, called Pixit (short for Protocol Implemen-
tation Extra Information for Testing), that tells the values of the implementation-de- pendent parameters. This information is then used to assign values to test-suite pa- rameters.
TEST EXECUTION
An important step in test execution is translating abstract test cases to an execut- able form, an activity referred to as deriva-
tion in the conformance-testing standard.
As
Figure 14 shows, you can do derivation in several ways.Automatic translation of ‘MCN test cases to an executable form is amactive -
to implementers for debugging and devel- opment and to test laboratories for con- formance testing - and several widely varylng techniques are in use.8
CIM also provides a way to automati- cally translate TTCN test cases to an exe- cutable form because you can use it as a test-execution language. Abstract data types can be stated using Backus-Naur Formnotations, so tools to manipulate ab- stract data types are already in use, and the operational semantics of an extended fi- nite-state machine contains only a few very simple programming constructs. Thus, you can express a test case’s ex- tended finite-state machne using a simple B N F grammar and implement a tool for translating an extended finite-state ina-
chme to C to generate an executable ver- sion of a test case.
A conformance test system contains modules for encoding or decoding proto- col data units, logging all test events, and interfacing with the implementation, pos- sibly through the underlying service. These modules are independent ofthe test cases. Executable test cases, on the other hand, are the test system’s core.
Figure 15 shows a prototype test-exe- cution system for the coordinated single- layer test archtecture running in the Unix environment.
ecause formal specification languages
B
are used in protocol and test specifi-rithout ambiguities. Although we consid- red Lotos as the protocol specification mguage and TTCN as the test specifica- ion language, the method outlined will rork for other languages, like Estelle and ,DL, because the algorithnis to translate lrotocol specifications in those languages
3 the extended finite-state machine nota-
ion are straightfoward.
More research must be done in mod- eling test purposes using temporal logic and parameterizing and selecting test cases using formal definitions of PICS and Pixit. To realize the potential of a conformance log in implementation de- bugging, we need a more precise and structured definition of the logging
mechanism.
+
. _ _
~- -
ACKNOWLEDGEMENT
This research has heen pamally supported by the Natural Science5 and Engineering Research Council of
Canada. Xaik‘c work is financially s u p p r t e d hy the < h a d I a n Commonwealth Fellowship Agency.
REFERENCES
1 , I S 0 O p n i Syrtm I ~ i t ~ i m i i n r r t i o i i ~ Rtim Refwenir Modd, ISCUIEC IS 7498, h i e i i c m h’at’l Standards Inst.,
2. IEEE ~S&xrr, special issoe o n formal methods, Sept. 1990, pp. 7-67.
3 . ’1; Kolognesi and E. Brinksma, “Introduction to I S 0 Specification Language LOTOS,” Cmputn- >Vet-
-I. OS1 <:onforinancc Xsting Afcthodology and Framework: ISO/LEC DIS9646 parts 1 to 6, I.
5 . . h t m ~ E.rt S t a t e f i i - 7imrpmt Pmtcml C h s 2, Nat’l Computing Center Ltd., Manchester, 1988.
6. f! Xipathy md B. Sarikip, “Test Generation from LOTOS Specificanonr,” IEEE 3 m s . Cmnpwtm, Apr.
i . IC Naik and B. Sarikayi, “-\n Estended Finite State Machine Model for ll-CiV,” N-oc. S.p’ Communica-
X. S. Fswara, et al., “ X ~ ~ a r d s Execution o f ? T C N T e s t C I n P m IFIP WG 6.1 Syntp. PmtocolSpenfiation,
S e w York, 1984.
m ~ k r a i d ISD.VSirtnn.r, Jan. 1987, pp. 2 5-59. 1991.
t i o x r , IWO, pp. 296-290.
~ ~ . s t t l / y , m d 1 ??7fiCl?tl0l/, 1990, pp. 99-1 12.
Kshirasagar Naik IS d PhD candidate at Concordla University, Montreal, where hs re- search interests include protocol verificanon and teshng based on formal specificanons
Nak received d bdchelor’s &Fee from Samhalpur Umversity, India, and a inasters
d e g x c from the Indian Insntute of Technology, Kharagpur ~ both m electrical com-
municanon e n p c e n n g He also received a maFters degree in computer science from the Univerut). of M’aterloo
Behcet Sarikaya is a n assmiate professor in the computer engineenng and mformation sciences department at Rilkent Uiuvcrsity in Ankara, Turkey. His research interests are all aspects of confoniiance testing and high-speed networks.
Sarikaya received a BSEE with honors from the Middle EastTechnical University in
h l r a , Turkey; an M S c in computer science kern M E T U ; and a PhD in computcr sci-
ence from ATcGill University, Montreal.
H e is an E E E senior member and an . K \ I member. He has published more than
U) papers, inost on coiiimunicanon protocols.
Address auestions ah( )ut this article to Sarikava, Dent. of <i)niuutcr Enlrincering and Infomiation Sciences, . 1 L Y
cations, You can a1!8nthmica11y Bilkcnt Cni\;rsity, Rilkent, Ankara 06533 Turke); Internet s a r i ~ a y a % t r b i l u n . b i t n ~ t ~ cunpm.cuny. edu or many aspects of conformance testing , Bimet sarika).a~trhilun.himt.l.
