14.4 ERROR MASKABILITY

Maskability is the ability of a program to mask an error that arises during its execution. In the testing phase, maskability may be seen as an obstacle to fault diagnosis, since (by definition) it masks errors and hence prevents the observer from exposing the impact of faults, while in the operating phase, maskability may be seen as a blessing, since it helps the program avoid failure. Either way, this metric is relevant from the standpoint of testing.

If we consider deterministic programs, tha is, programs that map initial states into uniquely determined final states, then each program defines an equivalence class on its domain that places in the same class all the initial states that map to the same final state. See Figure 14.2.

A program is all the more non-injective that the equivalence class of each final state is larger. To quantify this attribute, we let X be the random variable that represents the initial states of the program and we let Y be the random variable that represents the final states of the program. Then one way to quantify the size of a (typical) equivalence class is to compute the conditional entropy of X with respect to Y; in other words, we quantify the non-injectivity of a program by the uncertainty we have about the initial state of the program if we know its final state; the more initial states map to the same final state (the essence of non-injectivity), the larger this conditional entropy. Whence the definition:

Definition: Non-injectivity Let g be a program on space S, let X be a random var- iable that takes its values in the domain of G and Y a random variable that takes its values in the range of G. The non-injectivity of g is defined as the following conditional entropy:

μ g=HXY Because Y is a function of X, this conditional entropy can simply be written as: μ g = H X −H Y

Figure 14.2 Measuring non-injectivity.

324 METRICS FOR SOFTWARE TESTING

As illustrative examples, we consider the following: • Let g be the following program on space S defined by a single integer variable i:

g = {i=i+1;}. Then μ g = 0, since H X = w, and H Y = w, where w is the width of an integer variable. Ignoring the possibility of overflow, this program is injective; if variable i has an erroneous value prior to this statement, then it has an erroneous value after this statement.

• Let g be the following program on space S defined by three integer variables i, j, and k: g = {i=j+k;} Then μ g = w, since H X = 3w, and H Y = 2w, where w is the width of an integer variable. Indeed, this program has the potential to mask an error of size w: if variable i had a wrong value prior to this statement, then that error will be masked by this statement since the wrong value is overridden.

• Let g be the following program on space S defined by three integer variables i, j, and k: g = {i=0; j=1; k=2;}. Then μ g = 3w, since H X = 3w, and

H Y = 0, where w is the width of an integer variable. Indeed, this program has the potential to mask an error of size 3×w: if variables i, j, and k had wrong values prior to this statement, then that error will be masked by this statement since all the wrong values are overridden.

We submit the following interpretation: The non-injectivity of a program measures the size of damage to its state (error) that the

program can mask by its execution.

The more non-injective a program, the more damage it can mask; in fact non- injectivity aims to measure in bits the amount of erroneous information that can be masked by the program.