Test Template Framework

The Test Template Framework (TTF) is a model-based testing (MBT) framework proposed by Phil Stocks and David Carrington in for the purpose of software testing. Although the TTF was meant to be notation-independent, the original presentation was made using the Z formal notation. It is one of the few MBT frameworks approaching unit testing.

Introduction
The TTF is a specific proposal of model-based testing (MBT). It considers models to be Z specifications. Each operation within the specification is analyzed to derive or generate abstract test cases. This analysis consists of the following steps:


 * 1) Define the input space (IS) of each operation.
 * 2) Derive the valid input space (VIS) from the IS of each operation.
 * 3) Apply one or more testing tactics, starting from each VIS, to build a testing tree for each operation. Testing trees are populated with nodes called test classes.
 * 4) Prune each of the resulting testing trees.
 * 5) Find one or more abstract test cases from each leaf in each testing tree.

One of the main advantages of the TTF is that all of these concepts are expressed in the same notation of the specification, i.e. the Z notation. Hence, the engineer has to know only one notation to perform the analysis down to the generation of abstract test cases.

Important concepts
In this section the main concepts defined by the TTF are described.

Input space
Let $$Op$$ be a Z operation. Let $$x_{1} \dots x_{n}$$ be all the input and (non-primed) state variables referenced in $$Op$$, and $$T_{1} \dots T_{n}$$ their corresponding types. The Input Space (IS) of $$Op$$, written $$IS_{Op}$$, is the Z schema box defined by $$[x_{1}:T_{1} \dots x_{n}:T_{n}]$$.

Valid input space
Let $$Op$$ be a Z operation. Let $$\text{pre } Op$$ be the precondition of $$Op$$. The Valid Input Space (VIS) of $$Op$$, written $$VIS_{Op}$$, is the Z schema box defined by $$[IS_{Op} | \text{pre } Op]$$.

Test class
Let $$Op$$ be a Z operation and let $$P$$ be any predicate depending on one or more of the variables defined in $$VIS_{Op}$$. Then, the Z schema box $$[VIS_{Op} | P]$$ is a test class of $$Op$$. Note that this schema is equivalent to $$[IS_{Op} | \text{pre } Op \land P]$$. This observation can be generalized by saying that if $$C_{Op}$$ is a test class of $$Op$$, then the Z schema box defined by $$[C_{Op} | P]$$ is also a test class of $$Op$$. According to this definition the VIS is also a test class.

If $$C_{Op}$$ is a test class of $$Op$$, then the predicate $$P$$ in $$C'_{Op} == [C_{Op} | P]$$ is said to be the characteristic predicate of $$C'_{Op}$$ or $$C'_{Op}$$ is characterized by $$P$$.

Test classes are also called test objectives, test templates and test specifications.

Testing tactic
In the context of the TTF a testing tactic is a means to partition any test class of any operation. However, some of the testing tactics used in practice actually do not always generate a partition of some test classes.

Some testing tactics originally proposed for the TTF are the following:

\begin{array}{l|l} S = \emptyset, T = \emptyset & S \neq \emptyset, T \neq \emptyset, S \subset T \\ \hline S = \emptyset, T \neq \emptyset & S \neq \emptyset, T \neq \emptyset, T \subset S \\ \hline S \neq \emptyset, T = \emptyset & S \neq \emptyset, T \neq \emptyset, T = S \\ \hline S \neq \emptyset, T \neq \emptyset, S \cap T = \emptyset & S \neq \emptyset, T \neq \emptyset, S \cap T \neq \emptyset, \lnot (S \subseteq T), \lnot (T \subseteq S), S \neq T \end{array} $$
 * Disjunctive Normal Form (DNF). By applying this tactic the operation is written in Disjunctive Normal Form and the test class is divided in as many test classes as terms are in the resulting operation's predicate. The predicate added to each new test class is the precondition of one of the terms in the operation's predicate.
 * Standard Partitions (SP). This tactic uses a predefined partition of some mathematical operator . For example, the following is a good partition for expressions of the form $$S \spadesuit T$$ where $$\spadesuit$$ is one of $$\cup$$, $$\cap$$ and $$\setminus$$ (see Set theory).
 * As can be noticed, standard partitions might change according to how much testing the engineer wants to perform.
 * Sub-domain Propagation (SDP). This tactic is applied to expressions containing:
 * Two or more mathematical operators for which there are already defined standard partitions, or
 * Mathematical operators which are defined in terms of other mathematical operators.
 * In any of these cases, the standard partitions of the operators appearing in the expression or in the definition of a complex one, are combined to produce a partition for the expression. If the tactic is applied to the second case, then the resulting partition can be considered as the standard partition for that operator. Stocks and Carrington in illustrate this situation with $$R \oplus G = (\text{dom } G \ntriangleleft R)\cup G$$, where $$\ntriangleleft$$ means domain anti-restriction, by giving standard partitions for $$\ntriangleleft$$ and $$\cup$$ and propagating them to calculate a partition for $$\oplus$$.
 * Specification Mutation (SM). The first step of this tactic consists in generating a mutant of the Z operation. A mutant of a Z operation is similar in concept to a mutant of a program, i.e. it is a modified version of the operation. The modification is introduced by the engineer with the intention of uncovering an error in the implementation. The mutant should be the specification that the engineer guesses the programmer has implemented. Then, the engineer has to calculate the subset of the VIS that yields different results in both specifications. The predicate of this set is used to derive a new test class.

Some other testing tactics that may also be used are the following:


 * In Set Extension (ISE). It applies to predicates of the form $$expr \in \{expr_{1}, \dots, expr_{n}\}$$. In this case, it generates $n$ test classes such that a predicate of the form $$expr = expr_{i}$$ is added to each of them.
 * Mandatory Test Set (MTS). This tactic associates a set of constant values to a VIS' variable and generates as many test classes as elements are in the set. Each test class is characterized by a predicate of the form $$var = val$$ where $var$ is the name of the variable and $val$ is one of the values of the set.
 * Numeric Ranges (NR). This tactic applies only to VIS' variables of type $$\mathbb{Z}$$ (or its "subtype" $$\mathbb{N}$$). It consists in associating a range to a variable and deriving test classes by comparing the variable with the limits of the range in some ways. More formally, let $n$ be a variable of type $$\mathbb{Z}$$ and let $$[i,j]$$ be the associated range. Then, the tactic generates the test classes characterized by the following predicates: $$nj$$.
 * Free Type (FT). This tactic generates as many test classes as elements a free (enumerated) type has. In other words, if a model defines type $COLOUR ::= red | blue | green$ and some operation uses $c$ of type $COLOUR$, then by applying this tactic each test class will by divided into three new test classes: one in which $c$ equals $red$, the other in which $c$ equals $blue$, and the third where $c$ equals $green$.
 * Proper Subset of Set Extension (PSSE). This tactic uses the same concept of ISE but applied to set inclusions. PSSE helps to test operations including predicates like $$expr \subset \{expr_{1}, \dots, expr_{n}\}$$. When PSSE is applied it generates $$2^{n} - 1$$ test classes where a predicate of the form $$expr = A_{i}$$ with $$i \in [1, 2^{n} -1]$$ and $$A_{i} \in \mathbb{P} \{expr_{1}, \dots, expr_{n}\} \setminus \{\{expr_{1}, \dots, expr_{n}\}\}$$, is added to each class. $$\{expr_{1}, \dots, expr_{n}\}$$ is excluded from $$\mathbb{P} \{expr_{1}, \dots, expr_{n}\}$$ because $expr$ is a proper subset of $$\{expr_{1}, \dots, expr_{n}\}$$.
 * Subset of Set Extension (SSE). It is identical to PSSE but it applies to predicates of the form $$expr \subseteq \{expr_{1}, \dots, expr_{n}\}$$ in which case it generates $$2^{n}$$ by considering also $$\{expr_{1}, \dots, expr_{n}\}$$.

Testing tree&
The application of a testing tactic to the VIS generates some test classes. If some of these test classes are further partitioned by applying one or more testing tactics, a new set of test classes is obtained. This process can continue by applying testing tactics to the test classes generated so far. Evidently, the result of this process can be drawn as a tree with the VIS as the root node, the test classes generated by the first testing tactic as its children, and so on. Furthermore, Stocks and Carrington in propose to use the Z notation to build the tree, as follows.

$$ \begin{align} VIS & == [IS | P]\\ TCL_{T_{1}}^{1} & == [VIS | P_{T_{1}}^{1}]\\ &\dots\\ TCL_{T_{1}}^{n} & == [VIS | P_{T_{1}}^{n}]\\ TCL_{T_{2}}^{1} & == [TCL_{T_{1}}^{i} | P_{T_{2}}^{1}]\\ &\dots\\ TCL_{T_{2}}^{m} & == [TCL_{T_{1}}^{i} | P_{T_{2}}^{m}]\\ &\dots\\ TCL_{T_{3}}^{1} & == [TCL_{T_{2}}^{j} | P_{T_{3}}^{1}]\\ &\dots\\ TCL_{T_{3}}^{k} & == [TCL_{T_{2}}^{j} | P_{T_{3}}^{k}]\\ &\dots\\ &\dots\\ &\dots \end{align} $$

Pruning testing trees
In general a test class' predicate is a conjunction of two or more predicates. It is likely, then, that some test classes are empty because their predicates are contradictions. These test classes must be pruned from the testing tree because they represent impossible combinations of input values, i.e. no abstract test case can be derived out of them.

Abstract test case
An abstract test case is an element belonging to a test class. The TTF prescribes that abstract test cases should be derived only from the leaves of the testing tree. Abstract test cases can also be written as Z schema boxes. Let $$Op$$ be some operation, let $$VIS_{Op}$$ be the VIS of $$Op$$, let $$x_{1}:T_{1} \dots x_{n}:T_{n}$$ be all the variables declared in $$VIS_{Op}$$, let $$C_{Op}$$ be a (leaf) test class of the testing tree associated to $$Op$$, let $$P_{1} \dots P_{m}$$ be the characteristic predicates of each test class from $$C_{Op}$$ up to $$VIS_{Op}$$ (by following the edges from child to parent), and let $$v_{1}:T_{1} \dots v_{n}:T_{n}$$ be $$n$$ constant values satisfying $$P_{1} \land \dots \land P_{m}$$. Then, an abstract test case of $$C_{Op}$$ is the Z schema box defined by $$[C_{Op} | x_{1} = v_{1} \land \dots \land x_{n} = v_{n}]$$.