Post

Automated Testing and Verification Structure

Posted Updated
Preview Image
By Aykhan Tanirverdiyev
7 min read
Automated Testing and Verification Structure

Software engineers often treat testing as a chore—a box to check before deployment. However, digging deeper into Automated Software Engineering reveals that testing is less about writing assertions and more about mathematical verification and structural analysis.

In this post, I want to explore the engineering principles behind automated testing. We will move beyond simple unit tests to understand how we can mathematically prove our test suites are effective, and how we can automate the generation of the tests themselves using advanced algorithmic techniques.

Part 1: The “Testing the Tests” Paradigm

Before we discuss generating tests, we must define what makes a test suite “good.” It is not just about passing; it is about the ability to detect faults.

The Fault Hypothesis

The fundamental premise of testing is the fault hypothesis: we assume the system under test is not the “correct” system, but rather a variant containing faults that lead to failures.

Mutation Testing: The Ultimate Litmus Test

How do you measure the quality of a test suite? Most developers look at code coverage. However, a more rigorous method is Mutation Testing.

Imagine we take a working piece of code (System S) and deliberately introduce a single defect (a “mutant”). These defects are generated by mutation operators, such as:

  • Replacing a logical operator (e.g., swapping == with !=).
  • Deleting a statement or edge in the control flow.
  • Altering a constant value.

If your test suite passes against the mutant, the mutant has “survived” (bad). If the test suite fails, the mutant is “killed” (good).

The Mutation Score is the ratio of killed mutants to total mutants. If a test suite has 100% code coverage but a low mutation score, it creates a false sense of security—it executes the code but doesn’t actually verify the logic.

Part 2: Structural Analysis and Coverage Criteria

To automate testing, we first abstract the code into a Control Flow Graph (CFG). In this graph, nodes represent “basic blocks” (sequences of statements with one entry and exit), and edges represent the flow of control (branches).

Let’s analyze the hierarchy of coverage criteria using a hypothetical access control function.

Original Code Example:

1
2
3
4
5
6
7

public void checkAccess(User u, Resource r) {
    if (u.isAdmin() || (r.isPublic() && !u.isBanned())) {
        grantAccess();
    } else {
        denyAccess();
    }
}

1. Statement Coverage

This is the weakest form of coverage. It simply requires every node in the CFG to be visited.

  • Flaw: If we test a case where access is granted, we might execute 100% of the statements inside grantAccess(), but we might completely miss the else block or implicit empty branches where no action is taken.

2. Decision (Branch) Coverage

Here, we must traverse every edge. Every decision (e.g., the if statement) must evaluate to both True and False at least once.

  • Flaw: It treats the complex boolean condition A || (B && !C) as a black box. It doesn’t force us to test the internal logic of B or C independently.

3. Condition Coverage

This requires every individual atomic condition (e.g., u.isAdmin(), r.isPublic()) to evaluate to both True and False.

  • Flaw: You can toggle individual conditions without necessarily affecting the final decision outcome, meaning you might not actually trigger the else branch even if you toggled all inputs.

4. Condition/Decision Coverage (C/DC)

This level is a hybrid approach designed to fix the “missing branch” problem found in pure condition coverage. To satisfy C/DC, your test suite must ensure:

  • Every individual condition toggles between True and False.
  • The overall decision toggles between True and False.

By requiring both, you guarantee that even if you are toggling sub-conditions, you are also forced to trigger the else branch of the code.

  • The Flaw: While it ensures the “main power” (the decision) turns on and off, it doesn’t verify if a specific condition is actually functional. You could achieve 100% C/DC with a set of tests where one condition is always “masked” by another, meaning you wouldn’t notice if that specific piece of logic was completely broken.

4. MC/DC (Modified Condition/Decision Coverage)

This is the gold standard for safety-critical systems (like avionics). It requires:

  1. Every decision takes all possible outcomes.
  2. Every condition takes all possible outcomes.
  3. Crucially: Each condition is shown to independently affect the decision’s outcome.

To satisfy MC/DC for our example, we would need a test pair where u.isBanned() flips from True to False while the other conditions remain fixed such that the entire result flips. This proves that u.isBanned() is not dead code masking a bug.

Part 3: Automated Test Generation Techniques

Writing these tests manually is tedious. This is where Automated Test Generation (ATG) comes in. The goal is to build a “Robot Tester” that selects inputs, executes the code, and observes the output.

The industry categorizes these techniques into three main buckets:

1. Random Testing & Fuzzing

The simplest approach is to throw random data at the system.

  • Mechanism: Sample the input domain randomly (e.g., random integers, random strings).
  • Pros: Extremely fast, cheap to implement, and surprisingly effective at finding crash-inducing bugs (robustness).
  • Cons: It struggles to find “deep” bugs hidden behind specific checks (e.g., if (x == 6502)). The probability of hitting exactly 6502 randomly is near zero.

  • Tools: Randoop (for Java) uses feedback-driven random testing, keeping sequences that create valid object states and discarding those that throw checked exceptions.

    Code Coverage & Randoop

2. Search-Based Software Engineering (SBSE)

This approach treats test generation as an optimization problem.

  • Mechanism: It uses meta-heuristic algorithms (like Genetic Algorithms). The “fitness function” is usually code coverage. The algorithm “evolves” a population of test cases, mutating input values and combining the best performing tests to reach uncovered branches.
  • Tools: EvoSuite generates entire test suites optimized for high coverage.

3. Symbolic Execution (The “Heavy Math” Approach)

Instead of running the code with concrete values (like x = 5), we run it with symbolic values (like x = α).

How it works:

  1. The engine tracks a Path Constraint (PC), a boolean formula representing the conditions needed to reach the current line of code.
  2. When it hits an if (x > 10), the execution forks.
    • Path A updates PC: PC && (α > 10)
    • Path B updates PC: PC && (α <= 10)
  3. We use a constraint solver (SMT solver) to find concrete values for α that satisfy these constraints, effectively generating a test case for each path.

Dynamic Symbolic Execution (Concolic Testing):

Pure symbolic execution struggles with loops and complex libraries. Modern tools (like SAGE or Pex) use Concolic testing (Concrete + Symbolic) .

  1. Run with random concrete input (e.g., x=0).
  2. Collect constraints along the execution path.
  3. Negate the last constraint (e.g., change x <= 0 to x > 0).
  4. Solve for a new input that forces the execution down the new path.

Part 4: The Oracle Problem

If a tool generates inputs, how does it know if the output is correct? This is the Oracle Problem.

Without a human specification, automated tools can usually only detect:

  1. Implicit Oracles: Crashes, uncaught exceptions, segregation faults.
  2. Regression: Differences in output compared to a previous version.

Parameterized Unit Testing (PUT) solves this by allowing developers to write tests as specifications. Instead of checking assert(result == 5), we check invariant properties:

1
2
3
4
5
6
7

// Concept adapted from PUT examples
void assertImageResizeProperty(Image img, int newW, int newH) {
    assume(img != null && newW > 0 && newH > 0); // Assumptions
    Image result = resize(img, newW, newH);
    assert(result.width == newW); // General Assertion
    assert(result.totalPixels == newW * newH);
}

Tools like Pex or QuickCheck can then automatically generate inputs that violate these assertions.

Part 5: Reality Check & Effectiveness

Are these tools a silver bullet? Empirical studies suggest a nuanced reality.

  • Coverage vs. Faults: High code coverage does not guarantee high fault detection. In studies (e.g., the Defect4J benchmark), tools like EvoSuite and Randoop found only about 55% of real faults.
  • Complexity: Tools struggle with “polluted” code—code dependent on databases, networks, or complex string formats.
  • Human Factor: Generated tests can be hard for humans to read and maintain. If a tool generates a 500-line setup to test one edge case, debugging a failure becomes a nightmare.

Conclusion

Automated testing is transitioning from simple assertion checking to sophisticated structural exploration. While we cannot yet fully replace manual testing, techniques like Mutation Testing provide a rigorous quality check for our suites, and Concolic Execution helps us uncover corner cases that human intuition often misses.

Acknowledgment: Based on my interpretation of the lecture materials on Automated Software Engineering and Testing by the Critical Systems Research Group BME.

softeng, Automated Software Engineering
AppSec coverage MC/DC Engineering DevSecOps
This post is licensed under CC BY 4.0 by the author.