VALIDATION & VERIFICATION

Section A: Validation
Testing Strategies
a. Consider a software program that takes as input integers ranging between the
values of -200 to +200. Provide the equivalent partitions set and the boundary
conditions that could be used to test this program.
Equivalent Partitions Set
We know that the program accepts an integer in the range -200 to +200
Valid Equivalence Class partition: -200 to +200 inclusive.
Non-valid Equivalence Class partitions: less than -200, more than +200, decimal numbers
and alphabets/non-numeric characters.
Invalid Valid Invalid
<-200 -200 +200 >+200
Partition 1 Partition 2 Partition 3

Then we pick only one value from each partition for testing. The hypothesis behind this
technique is that if one condition/value in a partition passes all others will also pass.
Likewise, if one condition in a partition fails, all other conditions in that partition will
fail.
Boundary Conditions
In the above mentioned scenario, we will test the boundary values -201,-200,-
199,+199+200,+201.
Boundary Value = -201 -- System should not accept
Boundary Value = -200 -- System should accept
Boundary Value = -199 -- System should accept
Boundary Value = +199 -- System should accept
 Boundary Value = +200 -- System should accept
Boundary Value = +201 -- System should not accept

b. Table 1 shows a list of simple configurations for testing a website. What is the
number of all possible configurations for the website? Show your calculation.

Figure 1: Possible configurations for the website

The total number of configuration for testing will be: 3*3*2*2 = 36

c. Based on the information shown in Table 1, create a 3-way test suite satisfying the
following constraints:
i. Internet Explorer can only be combined with Windows 8 and vice versa
ii. Mac OS X can only be combined with Safari and vice versa
iii. Ubuntu can only be combined with Firefox and vice versa
iv. Oracle without Flash Player cannot be combined with any operating system
 v. if Firefox is used then only MySQL database can be chosen

d. Suppose you have available two test suites TS1 and TS2 for a same software under
test (SUT). You know that: (i) TS1 satisfies adequacy criterion AC1, (ii) TS2
satisfies adequacy criterion AC2, (ii) C2 subsumes C1. Can you assert that faults
revealed by TS1 will also be certainly revealed by TS2 ? Why?

In this case it is not necessary that fault revealed by TS1 will also be revealed by TS2.
Although C2 subsumes C1 but still it’s totally depends on the Test Cases in the Particular
suite. May be a fault occurred in TS1 is due to the test cases in it that may not satisfying
the AC1 and on the other hand test cases in TS2 may can satisfy that AC1.
e. Imagine you need to test a critical software module and have been asked by your
manager to produce a test suite which obtain 100% statement coverage. Explain in a
few sentences whether you will be able to achieve this goal and, if not, suggest an
alternative.
In complex or critical software module sometimes it becomes difficult to manage the
100% statement coverage. Because, for 100% criteria it’s important to execute all the
executable statement at least once. However, in critical system there may be complexity
of code or may be if else scenarios. So, in complex code, a single path is not sufficient to
cover all the statements. In that case, you need to write multiple test cases to cover all the
statements.
For 100% statement coverage different test cases need to be design for the execution of
all the statements at least once.

Finite State Machine

a. Describe how one can design test cases for a Finite State Machine.
Finite State Machine can easily testing by simple Transition Tour Method, checking the
transition of states for each input and output.
All that is needed, it to compare each output with the specification of the state machine.
So, made an input sequence that will take the tester through all the transitions of the state.
One can define a path that will cover all the edges and the transitions.

Conformance Testing
FSM Transition Testing
Make test case for every transition in spec separately:

Test Transition:
 1. Go to state S1
2. Apply input a?
3. Check output x!
4. Verify state S2 (optionally)
Checks every output fault and transfer fault (to existing state)
If we assume that the number of states of the implementation machine MI is less than or
equal to the number of states of the specification machine to MS. then testing all
transitions in this way leads to equivalence of reduced machines, i.e., complete
conformance. If not: exponential growth in test length in number of extra states.
Coverage Based Test Generation
Location Coverage: Test sequence traversing all locations
Edge Coverage: Test sequence traversing all edges
b. Which method requires less effort between Distinguishing Sequence and Unique
Input/Output Sequence, when testing a Finite State Machine? Provide the
reason why.
When testing a Finite State Machine, a state identification can be solved by
distinguish sequences DS. But for some FSMs where we do not have DS, in such
cases Unique Input Output will be more useful because it can use difference input
sequences for different outputs.
In terms of strength UIO is more powerful as it can be used when DS can’t do its job.
Similarly, in terms of effort, DS requires to check all the state for a particular
sequence of input and identify the state of a finite state machine. In contrast, UIO
requires a set of input output to check the state of the finite state machine. If specific
output will be produced with an input, the state can be determined.
c. Given the following test coverage criteria for a Finite State Machine (FSM):
State coverage: For each state in the FSM model, there is a test case that visits that state.
Transition coverage: For each transition in the FSM model, there is a test case that
traverses that transition.
Path coverage: For all finite-length sub paths from a distinguished start state in the FSM
model, there is at least one test case that includes a corresponding sub path.

Explain which of the above coverage criteria subsume which others and why.
The Path coverage subsume the state coverage and the transition coverage both. The
reason is that in path coverage we have to look at all the paths in a FSM. Therefore it
subsumes the transition all well as the state coverage.
A transition coverage subsumes the state coverage because in that we have to look at the
all possible transition in the FSM. It checks all the valid transitions from one states to
another as well as invalid states.
d. Consider Figure 1: FSM 1.b is a faulty implementation of the original FSM 1.a.
Describe the fault contained in FSM 1.b. Describe the steps needed to reveal this
fault. Provide a test input sequence to reveal this fault.

The figure above, a FSM contained the State transfer fault. As it is highlighted, when
the input b is given it should produce an output y and should remain in the same state
S4 as shown in original FSM. But in the faulty version it is producing the output but
changing the state from S4 to S1, which is known as a state transfer fault.
In order to check or find this fault, we need to
a. Get to the start state of the transition
b. Execute the transition
c. Check if the end state is the right one
Test sequence for reveling this fault will be {bbb}. If at S4 we run the transition with
the specified sequence the end end state of the original FSM will be S4 whoever if we
do similar with the faulty version then the state will be S1.

e. Can the number of basic blocks in a Control Flow Graph of a program ever be
greater than the number of program statements? If so, explain how and give an
example. If not, explain why.

In CFG, the nodes are typically represents the basic block and a basic block is a
collection of one or more than one statements. Therefore, basic blocks can never be
more than the program statements.
A fact about basic block is that it’s a sequence of statement with a single entry point,
a single exit point, and no internal branches , that means these statements execute
sequentially, if one will be executed all other statement in a basic block must be
execute. Therefore, keeping in view these facts, it can be concluded that basic blocks
can never be greater than the total number of statements in a program.
Structural Testing
For the structure testing the sequence of node is highlighted in the figure below, according to
which the rest of the part is solved.
  A is defined at 1,9 node.
 Uses at 4,5,6,8,9
 DU pairs of A:
(1,4), (1,5), (1,6), (1,8), (1,9),( 1,(5,6)), ( 1,(5,7)), (9,4), (9,5), (9,6), (9,8), (9,9),( 9,(5,6)), ( 9,
(5,7))
 DU path of A:
With respect to Sequence of node numbers the path is as follows:
i. 1->2->3->4

ii. 1->2->3->4->5

iii. 1->2->3->4->5->6

iv. 1->2->3->4->5->7->8

v. 1->2->3->4->5->7->8->9

vi. 1->2->3->4->5->6->9
 vii. 1->2->3->4->5->7->9

viii. 9->4

ix. 9->4->5

x. 9->4->5->6

xi. 9->4->5->7->8

xii. 9->4->5->7->8->9

xiii. 9->4->5->6->9

Section B Verification
Hoare Logic
a. 1) If the <P> C <Q> is valid, that means that C is executed when P condition is satisfied
then the condition <P ^ R> in <P ^ R> C <Q> will not be valid since the truth value of
<P ^ R> is True only when the both of P and Q will be satisfied. For this condition we
are dependent on the value of R as well that might can false in situation where P will be
true. So if former one is valid it does not mean that lateral one will also be valid like
when P is True then the first one is valid but with True value of P doesn’t determine the
validity of second statement R must also be T with the P then this will be valid.
2) Its True, with the help of while and implied rules, its proved to be correct. The hoare
tripe stated in question is true first of all pre-condition of x equals o is satisfied, when after
checking the condition of while loop the code is executed and generates random number. It
will keep on generating until generates 1. After that it will come out of the loop and here the
value of x is 1. Then post condition will be match which is also x=1. So the hoare triple is
correct.
c. Hoare logic assertions
 i. Define each calling convention discussed in Section 6
In the section 6 of this paper, different calling conventions have been summarized.
a.Call-by-Name
b. Call-by-Value
c.Call-by-Variable
These are the calling methods that are explained with their certain conditions. In the
first one, in Non-recursive Procedures the call by value will be declared as:

In the expression above x́ and v́ 5 are disjoint lists of distinct variables, and v́ cannot
occur to the left of any assignment statement in So. Further, So does not contain procedure
calls; so it can be said that P is not recursive.
The procedure, call by value and call by variable are used in programming languages, in
this calling local and subscripted variables are allowed. Below is the description of a non-
recursive procedure P where S0 is the body of the procedure and the x is the formal value
and y is the variables parameter.

ii. Restrictions by Rule no 20

 These restriction in variables are needed otherwise they can give the wrong results.
Consider the declaration of a procedure that P ⇐ ⟨ name ( x : )∨x ≔0 ⟩ and {u=1} P(x: )
{u=1} however, {u=1} P(u: ) {u=1} is not true. This fact can clearly shows us that there
must be a restriction on the substitution of the parameter. Otherwise, there will be an
invalid substitution leads to the faulty outputs. We know that the condition holds for the {
u=1} P(x: ) {u=1} only so { x=1} P(x: ) {x=1} will also be false. So, the restriction in the
variable substitution rule is necessary as well. Because there are certain pre and post
conditions on a variable we can simply replace that with another. This rule is basically to
rename free occurrences of the formal parameters in the assertions of the correctness
formula to be proved. In the proof, the writer rename the formal parameter x and
subsequently uses these rules step by step and at the end again substitute the value that is
initially renamed.
How is Rule 20 altered for the recursive case?
In the case of recursive procedure, the substitution rule take the form:

If parameters are passed by value and variable (reference):

1. What program transformation is applied to make the program amenable
to Hoare Logic + rules introduced in Section 4?
2. What is the resultant proof rule?

3. How is the non-recursive proof rule adapted to the recursive case?

In the recursive Procedures, recursion rule is in the following form; where we can
say that the formula can be proved through the assumptions.

For the case of proof, author have used H+Axoim 18+ Rule 16 for the extension.
In not only includes the above stated recursion rule but also the versions of
invariance axioms, conjunction rule, substitutions rule II and parameter
{ p } S' {q }
substitution rule as well. The only one rule which is newly used is:
{ p } S {q }
4. Imagine you are in industry working as a developer on a large code base.
Explain what kinds of problems that could be occurring in your code base
that applying Hoare logic might solve. Detail the steps you would have to
take to use Hoare logic on this code base.
Hoare logic is based on the idea of a specification as a contract between the
implementation of a function and its clients. The specification is a combination of
post and preconditions.

In a large code, it verify the correctness of the problems like, strength of the loops
in the code or if a client calls a function without fulfilling its precondition but still
behaving correct. But there can be certain erroneous input that can result into bad
output which is unexpected.

Hoare logic uses Hoare Triples to reason about program correctness. For applying
Hoare logic, one must start from preconditions and the post conditions, then I will
find the invariant by weakest precondition. Further different rules must be find
out to base on the scenario in the code. Through the Hoare triple the
computational state of the code will be analyzed.

Based in the issue or structure of the code, different axioms and inference are
applied, which are provided by the Hoare logic. There are different axioms and
rule available, map the code scenario and process in this way. After execution of
all the statements, check the post conditions, in this way we can apply Hoare logic
on our code to find out the correctness of the code.