The TTF is a specific proposal of model-based testing. It considers models to be Z specifications. Each operation within the specification is analyzed to derive or generate [|abstract test cases]. This analysis consists of the following steps:
Define the input space of each operation.
Derive the valid input space from the [|IS] of each operation.
Apply one or more testing tactics, starting from each [|VIS], to build a [|testing tree] for each operation. Testing trees are populated with nodes called test classes.
Prune each of the resulting [|testing trees].
Find one or more abstract test cases from each leaf in each testing tree.
One of the main advantages of the TTF is that all of these concepts are expressed in the same notation of the specification, i.e. the Z notation. Hence, the engineer has to know only one notation to perform the analysis down to the generation of abstract test cases.
Important concepts
In this section the main concepts defined by the TTF are described.
Input space
Let be a Z operation. Let be all the input and state variables referenced in, and their corresponding types. The Input Space of, written, is the Z schema box defined by.
Valid input space
Let be a Z operation. Let be the precondition of. The Valid Input Space of, written, is the Z schema box defined by.
Test class
Let be a Z operation and let be any predicate depending on one or more of the variables defined in. Then, the Z schema box is a [|test class] of. Note that this schema is equivalent to. This observation can be generalized by saying that if is a test class of, then the Z schema box defined by is also a test class of. According to this definition the VIS is also a test class. If is a test class of, then the predicate in is said to be the characteristic predicate of or is characterized by. Test classes are also called test objectives, test templates and test specifications.
Testing tactic
In the context of the TTF a testing tactic is a means to partition any test class of any operation. However, some of the testing tactics used in practice actually do not always generate a partition of some test classes. Some testing tactics originally proposed for the TTF are the following:
Disjunctive Normal Form. By applying this tactic the operation is written in Disjunctive Normal Form and the test class is divided in as many test classes as terms are in the resulting operation's predicate. The predicate added to each new test class is the precondition of one of the terms in the operation's predicate.
Standard Partitions. This tactic uses a predefined partition of some mathematical operator. For example, the following is a good partition for expressions of the form where is one of, and .
:
:As can be noticed, standard partitions might change according to how much testing the engineer wants to perform.
Sub-domain Propagation. This tactic is applied to expressions containing:
# Two or more mathematical operators for which there are already defined standard partitions, or
:In any of these cases, the standard partitions of the operators appearing in the expression or in the definition of a complex one, are combined to produce a partition for the expression. If the tactic is applied to the second case, then the resulting partition can be considered as the standard partition for that operator. Stocks and Carrington in illustrate this situation with, where means domain anti-restriction, by giving standard partitions for and and propagating them to calculate a partition for.
Specification Mutation. The first step of this tactic consists in generating a mutant of the Z operation. A mutant of a Z operation is similar in concept to a mutant of a program, i.e. it is a modified version of the operation. The modification is introduced by the engineer with the intention of uncovering an error in the implementation. The mutant should be the specification that the engineer guesses the programmer has implemented. Then, the engineer has to calculate the subset of the VIS that yields different results in both specifications. The predicate of this set is used to derive a new test class.
Some other testing tactics that may also be used are the following:
In Set Extension. It applies to predicates of the form. In this case, it generates test classes such that a predicate of the form is added to each of them.
Mandatory Test Set. This tactic associates a set of constant values to a VIS' variable and generates as many test classes as elements are in the set. Each test class is characterized by a predicate of the form where is the name of the variable and is one of the values of the set.
Numeric Ranges. This tactic applies only to VIS' variables of type . It consists in associating a range to a variable and deriving test classes by comparing the variable with the limits of the range in some ways. More formally, let be a variable of type and let be the associated range. Then, the tactic generates the test classes characterized by the following predicates:,,,,.
Free Type. This tactic generates as many test classes as elements a free type has. In other words, if a model defines type and some operation uses of type, then by applying this tactic each test class will by divided into three new test classes: one in which equals, the other in which equals, and the third where equals.
Proper Subset of Set Extension. This tactic uses the same concept of ISE but applied to set inclusions. PSSE helps to test operations including predicates like. When PSSE is applied it generates test classes where a predicate of the form with and, is added to each class. is excluded from because is a proper subset of.
Subset of Set Extension. It is identical to PSSE but it applies to predicates of the form in which case it generates by considering also.
Testing tree&
The application of a testing tactic to the VIS generates some test classes. If some of these test classes are further partitioned by applying one or more testing tactics, a new set of test classes is obtained. This process can continue by applying testing tactics to the test classes generated so far. Evidently, the result of this process can be drawn as a tree with the VIS as the root node, the test classes generated by the first testing tactic as its children, and so on. Furthermore, Stocks and Carrington in propose to use the Z notation to build the tree, as follows.
Pruning testing trees
In general a test class' predicate is a conjunction of two or more predicates. It is likely, then, that some test classes are empty because their predicates are contradictions. These test classes must be pruned from the testing tree because they represent impossible combinations of input values, i.e. no [|abstract test case] can be derived out of them.
An abstract test case is an element belonging to a test class. The TTF prescribes that abstract test cases should be derived only from the leaves of the testing tree. Abstract test cases can also be written as Z schema boxes. Let be some operation, let be the VIS of, let be all the variables declared in, let be a test class of the testing tree associated to, let be the [|characteristic predicates] of each test class from up to , and let be constant values satisfying. Then, an abstract test case of is the Z schema box defined by.