10.4.2 Selecting Input Data for Fault Sensitization
For the sake of this discussion, we introduce a program label that indicates the first executable statement of the program, and we refer to it as the begin label. Also, we consider a Boolean expression E and designate the program label where this expression is evaluated by L. We consider a possible fault in expression E (among the classes of faults catalogued in Section 10.4.1) and we let $E'$ be the expression obtained from E when the fault is removed; also, we let C be the sensitization condition of the targeted fault at E, that is, $C = (E \neq E')$. We have the following criterion:
We say that initial state s sensitizes the targeted fault in the Boolean expression E if and only if:
• There exists a path p from label begin to label L; let P be the function of p (computed as shown in Section 10.1).
• The post-restriction of P to sensitization condition C is not empty.
• State s is in the domain of the post-restriction of P to sensitization condition C.
As an illustrative example, we consider an array a of size 2 × N for some natural number N greater than 1 and an element x of the same data type as the contents of the array; we assume that we are interested in checking whether x is in the first half of the array. Hence we write the following program:
    void main () {
      itemtype a[2*N];
      itemtype x;
      indextype i;
      bool found;
      i=0;
      L: while ((a[i]!=x) && (i<=N)) {i=i+1;}
      found = (a[i-1]==x);
    }
We have a relational operator fault in this program, as the loop condition should read ((a[i]!=x) && (i<N)) rather than ((a[i]!=x) && (i<=N)). As discussed in the previous section, this fault can be sensitized locally by ensuring that (i<=N) holds while (i<N) does not, and ensuring that (a[i]!=x) is true. To this effect, we let i be equal to N while ensuring that the condition (a[N]!=x) is true. We write the local sensitization condition as:
$$C \equiv (i = N) \wedge (a[N] \neq x)$$
All these are local conditions; we must now determine what input data will create these local conditions at label L. To this effect, we compute a path from the start of the program to label L, take its post-restriction to the sensitization condition, check that it is nonempty, then compute its domain. We find:
Path: i=0; ((((a[i]!=x) && (i<=N))? True) ; {i=i+1})*;
where the * is used to refer to an arbitrary number of instances of a path. The function of this path is given by the following formula (where the star represents reflexive transitive closure):
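$$
\begin{aligned}
P &= \quad \{\text{Substitution}\} \\
  &\{(s,s') \mid i' = 0 \wedge \bar{s}' = \bar{s}\} \bullet \{(s,s') \mid a[i] \neq x \wedge i \le N \wedge i' = i + 1 \wedge \bar{s}' = \bar{s}\}^{*} \\
  &= \quad \{\text{Transitive Closure}\} \\
  &\{(s,s') \mid i' = 0 \wedge \bar{s}' = \bar{s}\} \bullet \{(s,s') \mid (\forall j: 0 \le j < i' : a[j] \neq x \wedge j \le N) \wedge i' \ge i \wedge \bar{s}' = \bar{s}\} \\
  &= \quad \{\text{Relational Product}\} \\
  &\{(s,s') \mid (\forall j: 0 \le j < i' : a[j] \neq x \wedge j \le N) \wedge i' \ge 0 \wedge \bar{s}' = \bar{s}\} \\
  &= \quad \{\text{Simplification}\} \\
  &\{(s,s') \mid i' \ge 0 \wedge \bar{s}' = \bar{s} \wedge i' \le N + 1 \wedge (\forall j: 0 \le j < i' : a[j] \neq x)\}
\end{aligned}
$$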
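Taking the post-restriction of this function to the sensitization condition, we find:

$$
\begin{aligned}
P \bullet I(C) &= \quad \{\text{Substitution}\} \\
  &\{(s,s') \mid i' \ge 0 \wedge \bar{s}' = \bar{s} \wedge i' \le N + 1 \wedge i' = N \wedge a[N] \neq x \wedge (\forall j: 0 \le j < i' : a[j] \neq x)\} \\
  &= \quad \{\text{Simplification}\} \\
  &\{(s,s') \mid \bar{s}' = \bar{s} \wedge i' = N \wedge (\forall j: 0 \le j \le N : a[j] \neq x)\}
\end{aligned}
$$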
The domain of this function is:
$$\mathrm{dom}(P \bullet I(C)) = \{ s \mid \forall j: 0 \le j \le N : a[j] \neq x \}$$
Any initial state in this domain will sensitize the fault: Indeed, since the condition $a[j] \neq x$ holds for all indices between 0 and N inclusive, the second conjunct of the while condition determines the value of this condition: For i=N, the condition (i<=N) returns True, whereas the condition (i<N) returns False.
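The derived domain can be checked by exhaustive enumeration. The following is an added example, not code from the original text: it runs the faulty loop on every initial state and confirms that the states reaching label L with C true are exactly those where a[j] differs from x for all 0 ≤ j ≤ N. The values N = 3, the three-value alphabet K, and all function names are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed parameters (assumptions): small N, item values 0..K-1. */
enum { N = 3, SIZE = 2 * N, K = 3 };

/* Run the faulty loop; report whether some evaluation at label L
   satisfies C, i.e. the faulty and corrected conditions disagree. */
static bool sensitizes(const int a[SIZE], int x) {
    int i = 0;
    for (;;) {
        bool faulty  = (a[i] != x) && (i <= N);  /* E, as in the program */
        bool correct = (a[i] != x) && (i <  N);  /* E', fault removed    */
        if (faulty != correct) return true;      /* C holds at L         */
        if (!faulty) return false;               /* loop exits, C never held */
        i = i + 1;
    }
}

/* Membership in the derived domain: a[j] != x for all 0 <= j <= N. */
static bool in_domain(const int a[SIZE], int x) {
    for (int j = 0; j <= N; j++)
        if (a[j] == x) return false;
    return true;
}

/* Enumerate every initial state (a, x); return how many sensitize the
   fault and record how often simulation and derived domain disagree. */
static int count_sensitizing(int *mismatches) {
    int total = 1, hits = 0;
    *mismatches = 0;
    for (int k = 0; k < SIZE; k++) total *= K;
    for (int code = 0; code < total; code++) {
        int a[SIZE], c = code;
        for (int k = 0; k < SIZE; k++) { a[k] = c % K; c /= K; }
        for (int x = 0; x < K; x++) {
            bool s = sensitizes(a, x);
            if (s != in_domain(a, x)) (*mismatches)++;
            if (s) hits++;
        }
    }
    return hits;
}

int main(void) {
    int bad, hits = count_sensitizing(&bad);
    printf("sensitizing states: %d, mismatches: %d\n", hits, bad);
    return 0;
}
```

Zero mismatches means the simulated sensitizing set and the computed domain coincide for this N and alphabet; the second half of the array never affects the outcome.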