Professional Documents
Culture Documents
81
0-8186-8002-4/97 $10.00 0 1997 IEEE
structure of the partitioning are fulfilled. This would not and complete classifications are formed. Classes resulting
justify the overhead of partitioning and of keeping track of from these classifications may be further classified itera-
which subdomains have been tested or not. However, fur- tively. The stepwise partition of the input domain by means
ther analyses of the relationship between partition and ran- of classifications is represented graphically in the form of
dom testing have shown that partition testing can be much a tree. Subsequently, test cases are formed by combining
better than random testing, again according to the quanti- classes of different classifications. This is done by using
tative model mentioned above, if the subdomain definitions the tree as the head of a combination table in which test
are fault-based [20, 21. This means that the effectiveness of cases are selected appropriately.
a particular partition testing strategy depends on how well The use of the classification-tree method will be ex-
that strategy groups together the failure-causing inputs. We plained by giving an example. The test object is a simpli-
believe that regardless of any quantitative model for confi- fied part of the discrete control logic of a speed and distance
dence in the software, a solid basis for such a confidence can control system (SpeDi) for individual vehicles. SpeDi is an
only be provided if all the requirements have been checked adaptive cruise control system which supports the driver of
systematically. This cannot be achieved by random testing the controlled car by maintaining the desired speed of the
or a pure fault-based partitioning. Furthermore, a test strat- controlled car and a safe distance between the controlled
egy based on random testing only could be catastrophic for and a preceding car [ 141.
safety-critical systems because there is no guarantee that the
input data relevant for safety-critical aspects are actually se-
lected. This point is also true for a test which is only based
on failure-causing inputs.
Concerning the above considerations, we took partition
testing as the basis of our approach to the systematic de-
termination and description of test cases for a test object
based on its formal specification written in Z. Any imple-
mented operation, whose specification is given by a Z op-
eration schema, can be considered to be a test object. The
approach uses the classification-tree method (CTM) [6] and Figure 1. Speed and distance control system
the idea of partitioning the input domain by using a trans- (SpeDi): Fanning the road (left) and cruise
formation into a disjunctive normal form (DNF) [5,4]. control switch.(right)
The following section describes the original approaches,
the classification-tree method, and the disjunctive normal
The road in front of the vehicle is fanned by infrared
form approach, and motivates their combination. In sec-
beams in search of vehicles ahead as shown in Figure 1. As
tion 3, the chosen concept for test case design is explained
long as no vehicle is detected, SpeDi provides an ordinary
and applied to this example on the basis of its Z specifi-
speed control function, i.e. driving at the speed set by the
cation. The main steps of this concept are summarized in
driver. If a vehicle is detected in front, the system automat-
section 3.1. Section 4 characterizes the envisaged tool sup-
ically switches to the distance control mode. It forces the
port based on the existing classification-tree editor (CTE).
controlled vehicle to drive at the same speed as the preced-
Finally, section 5 summarizes the report and gives an out-
ing vehicle at a safe distance. As long as the distance be-
look to future work.
tween the two vehicles is uncritical, the behaviour of SpeDi
in the distance control mode is the same as in the speed con-
2. Combining the Classification-Tree Method trol mode. SpeDi is controlled by the cruise control switch
with the DNF Approach (Figure 1) located near the steering wheel. The driver can
define the current speed as the desired speed either through
2.1. The Classification-Tree Method the Set+ or Ser- command. With each subsequent use of
Set+ or Set-, the desired speed is incremented or decre-
The classification-tree method [6] is a special approach mented, respectively, by a fixed amount. Off switches the
to (black-box) partition testing partly by using and improv- system off, and Resume retrieves the last desired speed.
ing ideas from the category-partition method [15]. It has A possible classification tree for generating test cases on
been used successfully in various application fields of the the basis of this informal specification is shown in Figure 2.
Daimler-Benz Group. In the classification-tree method, the The root of this tree is the complete input domain of the
input domain of a test object is analysed on the basis of its control software corresponding to the above specification.
functional specification with respect to various aspects con- The possible inputs for this software are data regarding a
sidered to be relevant for the test. For each aspect, disjoint vehicle in front and the control switch. Appropriate classi-
82
fication aspects in this case are, for example, the position of Si may look like this:
SI = [Signarure I Pil A Pi2 A . . . A Pi,].
h
83
which is well suited for visualization in a modem graphical problem, the disjointedness of the generated test cases
user interface. It can, however, happen that the test cases must be achieved. This is done by extending the rewri-
obtained with the classification-tree method are not detailed ting system for a DNF to generate a canonical disjunc-
enough for the uniformity hypothesis [3] to be applicable'. tive normal form. The idea [4] is based on the natural
This can happen if some classification aspects are hidden partitioning of the union of two arbitrary sets:
at the first sight of the specification. It is especially im- A U B = (A f l B ) U ( A f l B )U ( A f l B ) ,
portant to unfold all classification aspects of fault-causing whose syntactical counterpart in propositional logic is
inputs. Such aspects become apparent when one test case at the following rule:
the classification tree level results in multiple test cases af- PV Q b ( P A Q) V (7 P A Q) V ( P A 7 Q),
ter transformation in a disjunctive normal form. Therefore, The or connector (V) on the right side of this rule is, in
some aspects or parts of the software can remain untested fact, an exclusive or operator. It can be seen easily that
with test cases from the classification-tree method. More- if a schema is a disjunction of m conjunctions, then
over, these test cases do not necessarily contain information the application of the above rule results in a canonical
for evaluating the test results. DNF with '2" - 1 conjunctions. Therefore, to reduce
A significant advantage of the DNF approach is that it a combinational explosion, all possibilities for reduc-
is purely syntax based and, therefore, can be automated in ing m (e.g., through simplification of terms, through
a straightforward way for formal specifications. The test recognition and discarding of inconsistent predicates)
cases obtained cover all the specified aspects of the software should be exploited before the application of this rule.
explicitly. Furthermore, these test cases contain all the in-
formation available from the formal specification about the Unstructured test cases: The test cases in the DNF (as
input as well as the output of the test object. On the other well as in the canonical DNF) approach are completely
hand, this approach as such has important shortcomings. In unstructured [ 171 as they all are generated at the same
the following, we discuss these shortcomings and suggest level. There is no schematic graphical representation
means to overcome them. to guide the user with respect to the relation between
the test cases and the corresponding input domain. We
e Inconsistent test cases: A test case is inconsistent if propose to overcome this shortcoming by combining
at least two of its predicates have a common variable the canonical DNF approach with the classification-
and the set containing the solution elements for these tree method (see section 2.4).
predicates is empty. Many inconsistent test cases are
generated during the process of generating a disjunc- In the following, the canonical disjunctive normal form ap-
tive normal form - even if the original schema is free proach will be used, i.e., hereafter DNF stands for canoni-
from any inconsistencies. Therefore, the generated test cal disjunctive normal form. Dick and Faivre [4] have sug-
cases must be analysed to identify inconsistent ones gested a rewriting system for transforming VDM predicates
which are then discarded. In order to identify incon- in disjunctive normal form and for simplifying them. We
sistent test cases on the basis of an empty solution set, plan to adapt their system for Z specifications and to im-
all possible inputs must be tried. As this problem is prove it by introducing relevant rules for making it more
not decidable, some simple heuristics and rules can be powerful in recognizing inconsistent test cases.
used to obtain a solution [13]. A family of rules in
this connection are rules expressing special syntactical 2.4. Combination
and semantic knowledge leading to the simplification
of the generated formulas. Such simplification can re- The major shortcoming of the disjunctive normal form
sult in recognizing the inconsistent test cases automati- approach lies in its completely unstructured test cases. This
cally. A rule of this category is, e.g.: P A ( P V Q)t- P . is shown schematically on the left side of Figure 3 where the
outermost rectangle represents the semantics of the whole
e Semantically indisjoint test cases: The test cases gen- schema under consideration, and each small square within
erated by using the rewriting system described in sec- this rectangle represents a different test case in the DNF ap-
tion 2.2 are in general not semantically disjoint. This proach. These test cases are all at the same (the lowest) level
can lead to the fact that the test data derived from dif- of complexity and cannot be refined further. Moreover, the
ferent test cases only test a common portion of the in- number of generated test cases quickly becomes very large
put domain for these test cases and that the remain- so that the whole process gets complicated for a user. Es-
ing input domain remains untested. To overcome this pecially, there is no guidance to find the relevant test cases
'According to the uniformity hypothesis, if a test object passes the test
for a particular input domain, the input domains not tested
for one value of the sub-domain, it passes the test for all the values of the so far, and whether or not a particular (for instance safety-
sub-domain. critical) input domain has been thoroughly tested.
84
I rU 6mt IewI At m d 1-
cannot be further refined).
whereby the basis of the classifications are the predicates in classifications can be carried out iteratively. Therefore,
Z, as shown in Figure 3 on the right. The original schema different classification aspects and their classes can be
together with the constraining predicates of a selected test determined automatically by using syntactical and semantic
case can be finally transformed into a disjunctive normal information about the schema variables. The syntactical
form as discussed in the two technical possibilities below. information is fully contained in the formal specification.
The correspondance between the test case S A ( Q A 42) For the semantic information, for instance, on standard data
and its DNF test cases is indicated by an arrow in the mid- types, an appropriate knowledge base can be used.
dle of Figure 3. In contrast to the test cases in the original A formal specification can lead to classification trees
classification-tree method, the test cases obtained here are with different structures depending on
refined and contain information, i.e. predicates over state 0 the order in which different classification aspects are
and output variables, for evaluating the test results. In the considered, and
following, the test cases generated with the classification-
tree method alone are called high level test cases; test cases 0 the nodes, the resulting classifications are attached to.
generated by using the DNF approach are, accordingly, This determines, for example, if the generated tree
called rejned test cases (or atomic test cases because they grows more in width or in depth.
85
The structure of a classification tree has a decisive effect through a systematic combination of leaf classes by using
on the quality and the number of the generated test cases. a graphical combination table. The test cases can be
Moreover, the number of inconsistent test cases may be specified either by the user or automatically. The aim is
much larger in a classification tree with one structure as to have maximum coverage of the functionality of the test
compared to the other. Consequently, well-considered de- object with a minimum possible number of test cases. An
cisions must be taken with respect to both the points listed automatic selection can be based on different strategies
above. For that, first of all, all the test-relevant semantic such as selecting each class at least once or selecting all
knowledge about the specification is required. Furthermore, logically possible combinations of classes of different
some general heuristics xv and strategies are needed for us- classifications. The first strategy, for example, can be
ing this knowledge to generate an appropriate classification supplemented through an intensive selection of those
tree for the given specification. Until such a knowledge base classes which are related to safety-critical aspects in the
and heuristics/strategies are developed, this role can be per- software. An automatic selection of the test cases should
formed by the user, who is generally well informed about be regarded as a proposal for the user who can change the
the specification. selected test cases according to his choice.
The classification tree obtained on the basis of a for-
mal specification is entirely formal since the individual
classes are characterized by formal predicates. Therefore,
the formal descriptions of the selected test cases can
be automatically generated in a straightforward way by
conjugating the predicates of the selected classes (see
section 3.2). During this process, it should be possible to
recognize most of the inconsistent test cases automatically
through an appropriate simplification mechanism.
86
0 Conjugate the specification schema of the test object cases. These test cases also contain information for
with the predicates characterizing the selected high the evaluation of the test results.
level test case and simplify the resulting schema to get
As a Z specification contains most of the information re-
the complete schema for the selected test case.
quired for the above activities in a formal way, all these ac-
0 Transform the test case schema into (canonical) dis- tivities can be automated to a large extent.
junctive normal form to get refined test cases which
also contain information for the evaluation of test re- 3.2. Application to an Adaptive Cruise
sults. Control System
To carry out these steps efficiently, powerful strategies and To illustrate our concept for designing test cases on the
rewriting rules are required (as discussed in section 2.2 basis of Z specifications, relevant parts of the adaptive
and 2.3). Otherwise, the number of refined test cases soon cruise control system SpeDi are formalized first in Z.
becomes very large. At each step, full potential for the Then a classification tree is constructed (steps 1 to 4 in
section 3.1) on the basis of this specification and a high
simplification of the resulting schemata, especially with level test case is selected (step 6). Finally, refined test cases
respect to recognizing the inconsistent test cases, should be are generated (steps 7 and 8) for this test case.
used.
Formal specification of SpeDi in Z. The behaviour
of the SpeDi controller depends on the value of the control
Main steps for test case design. Summarizing our switch, the speed of the controlled car, whether or not a
concept for test case design for a test object on the basis of vehicle is detected in front of the controlled car, and the
an operation schema in Z, as described above, leads to the internal state of SpeDi. To concentrate on the illustration
of our concept of test case design, only a part of the control
following main steps: logic is formalized, and the internal state of SpeDi is
neglected. The four positions of the control switch are
1. Identify the test-relevant variables for the test object on modelled by a free type [ 161
the basis of the signature of its specification schema. Switch ::= Set+ 1 Set- 1 Resume I Of.
For safety reasons the SpeDi controller is not allowed to be
2 . Design classification aspects for these variables on the active if the speed of the controlled car is less than 40
basis of their signatures and characterizing predicates
in the schema.
or higher than 160 9.
This is described by defining the
admissible speed for the SpeDi controller as:
3. Generate classes for each classification aspect as con-
AdmissibleSpeed == { v : Speed I 40 p 5 v 5 160 }.
The speed and distance controllers are considered to be
crete instances of the predicate used for designing the black boxes and are represented only by the signatures of
corresponding classification aspect. their respective transfer functions SC and DC:
SC : Speed x opt Speed + Acceleration
4. As a class can be partitioned further with respect to a DC : Speed x opt Speed x apt BeamData +Acceleration
new classification aspect, repeat steps 2 to 3 iteratively
The speed controller can be viewed as a function which cal-
until the classifications of the important and relevant
culates the required acceleration from the actual speed of
variables are treated to the desired level of refinement.
the controlled car and the speed desired by its driver. Since
5. If necessary, supplement the classification tree ob- the desired speed is not always defined, it is modelled by
tained with classification aspects and classes, whose an optional data type optSpeed2. The distance controller
predicates are not contained in the specification becomes active when a vehicle is detected in front of the
schema of the test object. controlled car (expressed by the schema VehicleInFront in
schema SpeDiControl below) by the infrared beams. The
6. Select appropriate (high level) test cases in the combi- corresponding function calculates the required acceleration
nation table of the classification tree by selecting at the by giving additional consideration to the optional data (de-
most one class out of each classification. scribed by the schema BeamData in schema SpeDiControl
below) about the detected vehicle. No further information
7. Conjugate the specification schema with the predicates
about VehicleInFront and BeamData is required. Based on
characterizing the selected high level test case and sim-
these definitions, the main behaviour of the SpeDi control
plify the resulting schema to get the complete schema
logic can be modelled by using three simple rules:
for the selected test case. Discard the test case if it is
found to be inconsistent (section 2.3).
0 If the speed of the controlled car is not admissible, nei-
8. Transform the consistent test case schema into the ther the speed nor the distance controller provide any
canonical disjunctive normal form to get refined test * A variable of this optional type can have a defined value (any possible
cases and analyse them to remove inconsistent test speed) or can be undefined.
a7
value for the required acceleration, i.e., the optional the formal specification, this classification tree can be gen-
output areq!is not defined. erated semi-automatically. However, the user can modify
this tree, for example, by defining validation-relevant clas-
If the speed of the controlled car is admissible, if no sification aspects which are not explicitly contained in the
vehicle is detected in front, and if the speed is set by formal specification, e.g. the weather situation in the speci-
the driver through the control switch, SpeDi is in the fication of SpeDi. Such classification aspects and the corre-
speed control mode, i.e., aR4!is defined and its actual sponding formal classes could be inserted manually at any
value is determined by SC (def areq!as SC(v,,,: vdex)). desired position in the classification tree of Figure 5 and
would automatically be taken into account for further con-
If the speed of the controlled car is admissible, if a siderations.
preceding vehicle is detected, and if the speed is set,
SpeDi calculates the required acceleration by switch- The high level test cases in the classification-tree method
can be selected by using different strategies (see sec-
ing into the distance control mode, i.e., areq!is defined tion 3.1). The formal description of the selected test cases
and its actual value is determined by DC. can be automatically generated in a straightforward way
by conjugating the predicates of the selected classes. For
example, Testcase4 in Figure 5 is characterized by the
These rules can be formally described by the following predicate v,,, E AdmissibleSpeed A -- VehiclelnFront.
Z schema where the three predicates formally specify the This test case neither contains information about the input
three rules for the SpeDi control logic described above: variable ControlSwitch? nor about the output variable areq!.
SpeDiControl Furthermore, it is possible to partition this test case into
vcor : Speed more detailed test cases as shown in the next section.
vder : opt Speed
Vehicle : opt BeamData Refined test cases for TestCase4. In this section, it
ControlSwitch'? : Switch is shown how to automatically generate refined test cases
amy! : opt Acceleration corresponding to the high level test case TestCase4 (see
Figure 5).The complete specification schema for TestCuse4
is obtained by conjugating its characterizing predicate with
(wcor E AdmissibleSpeed A 7 VehiclelnFront A the original schema of the test object, i.e.,
(ControlSwitch? = Set+ V ControlSwitch'?= Set-) + Testcase4 SpeDiControl A [Signature
defarey!as SC(vcnr,v~/e.v)) I v,,, E AdmissibleSpeed A 7 VehiclelnFront].
(vCnrE AdmissibleSpeed A VehiclelnFront A where Signature is the signature of SpeDiControl. This
(ControlSwitch'? = Set+ V ControlSwitch? = Set-),+ schema can be simplified to the schema:
def arey!as DC(v,,,; v , / ~ ,Vehicle))
~: -TestCase4
Signature
VI., e
Admiisiblespeed
- VI.. E
V
(vcorE AdmissibleSpeed A VehiclelnFront A
7
88
test case. The first three of these test cases corres-
pond to the three test cases which could be selected in
the extended combination table of the classification tree
3f Figure 5 by marking the appropriate classes, such
that the predicates 1 VehiclelnFront, ControlSwitch? =
Set+ and 7 VehiclelnFront, ControlSwitch? = Set- and
-,VehicleInFront, ControlSwitch? = Resume are valid, re-
spectively. In this way, the combination of the DNF ap-
proach with the classification-tree method takes into ac-
count the classification aspects which are not explicitly con-
sidered in the classification tree. Furthermore, the refined
test cases contain explicit information about the output vari-
able areq!which can be used for the test evaluation. The
last two refined test cases lead to different output situations
for the same input situation. This is because the behaviour
of SpeDi in schema SpediControl is not specified for the (vex E AdmissibleSpeed A -.I VehkklnFrmt A
bntrdswitcb? =Set- A def a,q!ssSC(v,. v&))
case ControlSwitch? # Set+ A ControlSwitch? # Set- A
ControlSwitch? # Resume. In this way, the analysis of re-
fined test cases can help in recognizing specification flaws
like incompleteness.
Figure 6. The main window of the envisaged
extended classification-tree editor
4. Tool Support
user should be able to define new rules for the mathematical
As described above, the classification-tree method em- objects used in the specification.
ploys a graphical representation of the classification tree
The development of CTE will proceed in two directions.
and the corresponding combination table. In order to sup-
The first direction concerns the implementation of program
port this method, a syntax-directed graphical editor, named
and user interfaces as well as other facilities to handle Z
classification-tree editor CTE 171, has been developed at
specifications [ 181, e.g.:
the Systems Technology Research Center of Daimler-Benz.
This tool enables the tester to work interactively on the tree
and the combination table. The main window in the back- 0 Interface for reading Z specifications.
ground of Figure 6 shows a typical screen image of CTE. 0 User interface for specifying Z predicates as classifica-
The upper part of the window is the area in which a classifi- tions and classes including syntax and type checking of
cation tree can be drawn interactively. The lower part of the the given formulas.
window contains a table corresponding to the tree, in which
test cases can be selected. Additional textual annotations 0 A mechanism for describing test cases in Z through
can be added to classifications, classes and test cases. The conjunction of selected classes with the Z schema of
test case design can be documented by printing out the trees the test object.
and tables.
0 Interface with the tool for transforming Z predicates
It is planned to integrate the concept of test case design into DNF.
based on Z, as described in section 3, into CTE. A sepa-
rate tool will be implemented for transforming Z schemata 0 User interface to represent refined test cases.
into a DNF and for recognizing inconsistent test cases. This
tool will accept Z schemata as input and will transform them Figure 6 shows the main window of the extended envis-
into an abstract syntax as an internal representation. It will aged classification-tree editor where the combination table
contain a rewriting system to transform Z schemata into a is overlapped by a seperate window which contains the Z
DNF and a simplifier for recognizing inconsistent test cases specifications of the refined test cases for the high level test
[lo]. The simplifier will have an interface for defining new case TestCase4 of SpeDi (see section 3.2). With the aid of
rules because the power of the simplification strongly de- this window the tester can observe, scroll and analyse the
pends on the properties of sets, functions, and other pre- refined test cases. For example, the inconsistent test cases
defined data types used in the specification. Therefore, the which have not been recognized by the simplifier could be
89
discarded. Only valid and important test cases (for example, [3] P. Dauchy, M. C. Gaudel, and B. Marre. Using algebraic
according to the safety-critical aspects) could be included in specifications in software testing: A case study on the soft-
the list of the selected test cases. ware of an automatic subway. Journal of Systems and Sofr-
ware (USA),21(3):229-244, 1993.
The second direction of the extension of CTE concems the [4] J. Dick and A. Faivre. Automating the generation and se-
semi-automatic classification-tree generation described in quencing of test cases from model-based specifications. In
section 3.1. The upper part of the window in Figure 6 J. Woodcock and P. Larsen, editors, Proceedings of Formal
contains the classification tree of SpeDi derived from its Z Methods Europe '93, volume 670 of LNCS, pages 268-284,
specification described in section 3.2. The additional menu 1993.
[SI J. S . Gourlay. A mathematical framework for the investiga-
point TreeGeneration with its sub-menus is meant to
tion of testing. IEEE Transactions on Software Engineering,
support the user by generating classifications and classes. SE-9(6):686-709, November 1983.
[6] M. Grochtmann and K. Grimm. Classification trees for par-
tition testing. Software Testing, Verificationand Reliability,
5. Summary and Outlook 3:63-82, 1993.
[7] M. Grochtmann, J. Wegner, and K. Grimm. Test case de-
sign using classification trees and the classification-tree ed-
Test case design is the most crucial activity for a trustwor- itor. In Proceedings of 8th International Quality Week, San
thy software test. As formal specifications contain most of Francisco, Paper 4-AA, 1995.
the information needed for black-box testing, we presented [8] P. A. V. Hall. Towards testing with respectto formal specifi-
a concept of automating test case design on the basis of Z cation. In 2nd IEE/BCS Con$ on Software Engineering '88,
specifications. This concept results in a method which is a 1988.
[9] D. Hamlet and R. Taylor. Partition testing does not inspire
combination of the classification-tree method and the dis- confidence. IEEE Transactions on Software Engineering,
junctive normal form approach. These two approaches are 16(12):1402-141 I , December 1990.
combined in such a way that the resulting method contains [lo] S. Helke, T. Neustupny, and T. Santen. Automating test case
the advantages of both of them and also overcomes most of generation from Z specifications with Isabelle. In Procced-
their limitations. Furthermore, some ideas for automating ings of Z Users Meeting '97, 1997.
different steps of the presented concept were outlined. [ I l l H. M. Horcher and J. Peleska. Using formal specifica-
tions to support software testing. Software Quality Journal,
The presented test case design method is based on an input- 4(4):309-328, 1995. ,
based partitioningstrategy, enabling the user to test all func- [ 121 G. Laycock. Formal specificationand testing. Software Test-
tional and safety requirements. However, at different levels ing, Verificationand Reliability, 2:7-23, 1992.
of test case design and test data generation, failure-based [ 131 K. Moritz. Automatische Testklassenerzeugung von Z-
partitioning [20,2] can and should be realized as well. The Spezifikationen (in german). Master's thesis, Christian-
user has the freedom to choose such a partitioning during Albrecht-Universitaetzu Kiel, 1994.
[ 141 G. Nocker. Abstandsregelung (in german). VDI-Berichte,
the design of high level test cases. For example, the part-
8171327-337,1990.
tioning of the domain of an integer variable into 0 and > 0 [IS] T. J . Ostrand and M. J. Balcer. The category-partitions
i s directed by the intuition of the tester that 0 might be a method for specifying and generating functional tests. Com-
failure-causing input. munications of the ACM, 31(6):676-686, June 1988.
(161 J. Spivey. The Z Notation. A Reference Manual. Prentice
The realization of the presented concept will semi-
Hall, New York, 2nd edition, 1992.
automatically lead to refined test cases in the form of small [I71 S . Stepeny. Testing as abstraction. In ProceedingsofZ Users
Z schemata for a given Z specification of the test object. Meeting '95, pages 137-151. Springer-Verlag,1995.
Based on such test cases, methods and tools for increasing [18] T. WeiB. Testfallgenerierung anf der Basis von Z-
the automation potential for test data selection and test re- Spezifikationen mit Hilfe der Kiassifikationsbaum-Methode
sults evaluation shall be developed. (in german). Master's thesis, Technische Univenitat Berlin,
Institut fur angewandte Informatik, 1997.
[ 191 E. Weyuker,T. Goradia, and A. Singh. Automatically gener-
References ating test data from a boolean specification. IEEE Transac-
tions on Software Engineering, 20(5):353-363, May 1994.
[20] E. Weyuker and B. Jeng. Analyzing partition testing
[ I ] N. Amla and P. Ammann. Using Z specifications in category strategies. IEEE Transactions on Software Engineering,
partition testing. Technical report, George Mason Univer- 17(7):703 -711, July 1991.
sity, 1992.
[2] T. Y. Chen and Y.T. Yu. On the relationship between par-
tition and random testing. IEEE Transactions on Software
Engineering, 20(12):977-980, December 1994.
90