10.4.1 Sensitizing Faults

Let E be a Boolean expression in a program; we assume that E has one of the faults classified above, and we let E be the Boolean expression obtained from E by correct- ing the fault in question. For example, let E be the Boolean expression x y ¬x and let there be a variable reference fault in E with respect to variable y (which should have been z, say), then E is x z ¬x . We are interested to determine under what condition (on program variables x, y, and z) can this fault be sensitized. In order for expression E to be different from expression E , the following condition has to hold:

EE,

where represents the operator of exclusive or: E E = E ¬E ¬E E . This expression is true if and only if the Boolean values of expressions E and E are distinct

222 STRUCTURAL CRITERIA

(one is True, the other is False). To understand the meaning of this condition, consider the following simple example:

• E=xy. • E=xz.

We find,

EE = {Substitution, expansion}

xy xz xy

xz

= {DeMorgan} xy

xz xy

xz

= {Distributivity, simplification} xyz yxz = {Factoring, Definition of } x yz

Indeed, if expression E is faulty and expression E is the correct expression, then the only way to sensitize this fault is to let x be true and let y be different from z. As long as y and z take the same values, we will never know that we are referring to the wrong variable (y rather than z); also, as long as x is false, the value of the expres- sion is false regardless of whether the second term is y or z. Hence the condition x y z is indeed the condition under which the fault can be sensitized and produce an error.

We review in turn all the classes of faults catalogued above and discuss what form the condition of fault sensitization has for them.

• Variable Reference Fault. If expression E(x) depends on variable x and it should

be referring to y instead of x, then the condition of sensitization is:

Ex Ey

An example of such a situation is given above. • Variable Negation Fault. If expression E(x) depends on variable x and it should

be referring to x instead of x, then the condition of sensitization is:

Ex Ex

10.4 FAULT-BASED TEST GENERATION 223

As an illustrative example, we consider expression E(x) defined as: E x = x y and we assume that the reference to x should have been negated, hence

E x = E x = x y , then the condition of sensitization is: xy

xy We analyze this expression, as follows: xy xy = {Expanding}

xy xy xy

xy

= {De Morgan} xy

xy xy

xy

= {Distribution, cancellation} xy xy = {Simplification}

y Clearly, the only way to sensitize this fault is to let y be true, since if y were

false then the expression would be false regardless of the value of x. Whereas with y at true, the expression would be equal to x and hence reflects whether we have the right value or its negation.

• Expression Negation Fault. If the faulty expression is the negation of the fault- free expression, then any evaluation of the expression sensitizes the fault. Indeed, we have, by definition

E Ε = True

for all expression E. • Associative Shift Fault. This fault arises when a Boolean expression is parenthe-

sized wrong. As an illustrative example, we consider the following expression

E = x y z and we assume that the fault free expression is E = x y z . We analyze the expression E E to determine under what condition this fault may be sensitized; rather than doing this algebraically (using logic identities), we use truth tables to compute the two expressions and then characterize the rows for which the two expressions are distinct:

224 STRUCTURAL CRITERIA

Hence this condition can be simplified into z x . Indeed, if z is True and x is False, then E = True regardless of the value of y and E = False regardless of the value of y.

• Operator Reference Fault. We let E be the original expression and E be the cor- rected expression, and we compute/analyze the expression E E . For example,

if we let E be the expression x y and E be the expression x y, then we find:

EE = {substitution, expansion}

xy xy xy

xy

= {De Morgan} xy

xy xy

xy

= {Distributing, simplifying} xyxy = {Definition} xy

In other words, in order to sensitize this fault, we must submit distinct values for x and y ((true, false) or (false, true)); indeed, if x and y are identical, then their conjunction ( ) and their disjunction ( ) are identical.

• Relational Operator Fault. If a relational operator is faulty, then we need to proceed in two steps: first, we choose data that yields different Boolean values

for the relational expression; then we treat the relational expression as a variable

10.4 FAULT-BASED TEST GENERATION 225

reference fault. For example, let i and j be integer variables and let x be a Boolean variable (or another Boolean valued expression). We let expressions E and E’ be defined as follows:

○ E=x i≤j, ○ E=x i<j.

Because i < j logically implies i ≤ j , the only way to make these conditions distinct is to let the first condition be false while the second is true. To this effect,

we let i and j be equal. From then on, the question is how to make an expression (x y) distinct from (x z) given that y is different from z. We have seen in the study of the first class of fault that this requires the condition x y z . Since

y z is true by construction, the remaining condition for us is x. All the sensitization conditions we have generated so far are local conditions, that

is. conditions that refer to the value of program variables at the state where the Boolean expressions are evaluated; but generating test data requires that we compute conditions that input data must satisfy. In the following section, we consider how to generate test data that triggers sensitization conditions at chosen locations in the program, where the targeted Boolean conditions are evaluated.