mocks;generatingthemocksisextremelypainfulifthemockingframeworkimposes - PDF document

mocks;generatingthemocksisextremelypainfulifthemockingframeworkimposesarbitraryrestrictionsonwhatwecanwrite.Wewantthefreedomtocombinethefeaturesofthemockingframeworkhoweverwelike.ClearandunambiguousspecicationsInmostmockingframeworks,themeaningofaspecicationcanbequitesubtle,apointweillustrateinSection2.Forexample,theseframeworkshaverulesforresolvingambiguity,andtheusercanexploittheserulesinwritingspecications.Thisisconvenientbutmakesithardtosaywhatagivenspecicationmeans.OurAUTOSARmockingspecicationsare,bynecessity,sometimeslongandcomplex.Theyaretrickytogetright.Thelastthingwewantfromourframe-workisasubtlesemantics!Wewanteachmockingspecicationtohaveasimple,declarativemeaning.Likewise,wewantthemockingframeworktorejectambigu-ousspecications,ratherthanmakearbitrarychoices:thisreducesthenumberofpotentialpitfalls.Onemightexpectthatwecoulduseanambiguousspecicationtomockanondeterministiccomponent,iftheframeworkresolvesambiguityrandomly.Webelievethisisthewrongapproach,becauseitmakestestsunrepeatable.Instead,thetestsuiteitselfshouldchooseaparticulardeterministicinterpretation.Thispaperpresentsanewmockingframeworkwhichisexpressive,isbuiltfromasmallcoreoforthogonalfeatures,hasasimple,compositionalsemanticswhereeveryspecicationhasaclearmeaning,andwhichavoidsmakingarbitrarychoicesduringtestexecutionbyrejectingambiguousspecications.AlthoughourrequirementscamefromtheAUTOSARtestingproject,webelievethesefeaturesarecompellingintheirownright,andareespeciallyimportantwhentestinglargecomponents.Thecontributionsofthepaperareasfollows:{Wepresentanewframeworkformocking(Sections3{4).Theframeworkisgiventwosemantics,asimple,compositionaldenotationalsemanticsandasmall-stepoperationalsemantics.Thetwosemanticshavebeenprovedequivalent(seetheaccompanyingtechnicalreport[13]).{Weavoidmakingarbitrarychoicesduringtestexecutionbyrulingoutam-biguousmockingspecications.Specically,weprovideaproceduretovali-datespecications(Section5)whichrulesoutspecicationswhichaream-biguous.Thevalidationissoundwithrespecttothesemantics.Perhapssur-prisingly,itisalsocomplete,whichmeansthatifwerejectaspecication,itmustbeambiguous,andwecanmoreoverndatracethatdemonstratestheambiguity.Thesoundnessproof,asketchofthecompletenessproof,andalinktothefullformalizationarefoundinthetech.report[13]{Weextendourbasicframeworktomakeitpracticalanddescribehowtoimplementitinamemory-ecientway(Section6).{Wereportonourexperienceusinganearlierversionofthisframeworkinalargeindustrialcasestudywritingspecicationsfor,andthentestingimple-mentationsof,automotivesoftware(Section7). Thistestwillpassforcorrectimplementationsofthedashboard.Next,sup-posewewanttobealittlebitmoreprecise.ItsohappensthattheDashboardshouldconvertthesensorspeed,giveninm/s,tokm/h;i.e.ifreadSpeedreturns10,updateDisplayshouldbecalledwith36asitssecondargument.Wechangetheexpectedcallsto:EXPECT_CALL(mDisplay,updateDisplay(Display::SPEED,36)).Times(1);EXPECT_CALL(mDisplay,updateDisplay(Display::SPEED,_)).Times(2);Surprisingly,thistestfailseveniftheimplementationdoesthecorrectthing.Itturnsoutthatexpectationsareputonastack,soaretestedinthereverseorderthattheyaredened.Thus,thecorrectwaytospecifythiswouldbeEXPECT_CALL(mDisplay,updateDisplay(Display::SPEED,_)).Times(2);EXPECT_CALL(mDisplay,updateDisplay(Display::SPEED,36)).Times(1);eventhoughthecallreturning36happensrst.Andindeed,thistestpasses.NowsupposethatwechangethespecicationsothatthenalcalltoreadSpeedreturns10insteadof12:5:EXPECT_CALL(mSensor,readSpeed()).WillOnce(Return(10)).WillOnce(Return(6.7)).WillOnce(Return(10));EXPECT_CALL(mDisplay,updateDisplay(Display::SPEED,_)).Times(2);EXPECT_CALL(mDisplay,updateDisplay(Display::SPEED,36)).Times(1);Wemightexpectthistesttopass,butitdoesnot!Thereasonisthat(bydefault)expectationsarenotremovedfromthestackoncetheyarefullled.ThusassoonasthefunctionupdateDisplayiscalledwithargument36itremainsonthestackasbeingcalledonce.ThesecondtimeitiscalleditincreasesthecallcountoftheupdateDisplaywithargument36insteadofincreasingthecallcountofupdateDisplaywitharbitraryargument.Theabovemockingspecicationlooksambiguous,sinceasecondcallwithargument36canbehandledintwoways:itcanbeacceptedbytherstclauseorrejectedbythesecond.Themockingframeworkhasarbitrarilychosenthesecondway.ThewaytoxthistestinGoogleMockiseithertoexpect36twice,ortotellthesecondexpectationtoretireonceitisfullledwiththefeatureRetiresOnSaturation().Wechoosethesecondoptionandthetestnowpasses:EXPECT_CALL(mDisplay,updateDisplay(Display::SPEED,_)).Times(2);EXPECT_CALL(mDisplay,updateDisplay(Display::SPEED,36)).Times(1).RetiresOnSaturation();Whileconventionalmockingframeworkshaveaprecisesemantics,itisquitecomplicated.Therearesubtleinteractionsbetweenfeaturesbecausetheseman-ticsisnotcompositionalandambiguousspecicationsaregivenanarbitrary,thoughdocumented,semantics. readthelightsensoreachtimetheyupdateapartofthedisplay,whileothersonlyreaditonceperloop.Butwheneverthedashboardreadsthelightsensor,itmustthenupdatethedisplaybrightness.Thedashboardmayreadthelightsensoranynumberoftimesperloop,whichwecanmodelusingtheoperator:(read light7!6:light display7!())Thethreespecicationsabovecapturethreeaspectsofthedashboard.Tomockthedashboardasawhole,wecombinethethreespecicationswiththeparallelcompositionoperator\jj".Thissaysthatthedashboardmayinterleavetheexecutionofthethreespecications,butmustrespecttheorderofeventswithineachsinglespecication.Forexample,thedashboardmayreadthespeed,thenthelightsensor,thensetthedisplaybrightness,thenupdatethedisplay:(read speed7!5:833:update display(speed;21)7!())jj(read light7!6:light display7!())jj((read battery7!234:update display(battery;70)7!())+")Fromthisspecicationwecanautomaticallygeneratemocks.Ourmockscheckthatthecallsmadebythedashboardpreciselymatchthecallsinthespecication:noextracalls,nomissingcalls,andallcallsintherightorder.4AProcessCalculusforMockingWehavenowseenallofthefeaturesofourmockinglanguage,andbeginaformaltreatmentofitssemantics.Mockingspecicationsresembletermsinaprocesscalculus,andtheirsyntaxissummarisedbelow.Aneventa7!zdenotescallingthefunctionatogetresultz.Fornowwetreataandzabstractly;inSection6wewillbreathelifeintothecalculusbyallowingeventstoberealfunctioncalls.p::="ja7!zjp:qjpjjqjp+qjpWewanttoassignmeaningtomockingspecications.Wethereforedeneadenotationalsemanticsintermsoftraces;atraceisasequenceofevents.ThelanguageL(p)ofaprocessisthesetoftracesthattheprocessaccepts,i.e.thatsatisfythemockingspecication,andisdenedasfollows:L(p:q)=fstjs2L(p)^t2L(q)gL(p+q)=L(p)[L(q)L(pjjq)=fujs2L(p)^t2L(q)^uisaninterleavingofsandtgL(p)=fs1s2


snjn2Nandforalli,si2L(p)gL(a7!z)=fa7!zgL(")=f"gThissemanticsiscompactandeasytounderstand,andidealforunderstandingthebehaviourofamockingspecication.However,itisoflittleuseforimple-mentingthemockingframework.Itacceptsorrejectswholeexecutiontraces, 5AmbiguitydetectionAsarguedintheIntroductionandSection2,wewanttoforbidambiguousspecications,becausetheyleadtocomplexsemantics,ortounrepeatabletestsifresolvedatrandom.Anexampleofanambiguousspecicationinourlanguageisa7!z1+a7!z2:iftheprogramcallsa,wedonotknowwhethertoreturnz1orz2.WewillseeinSection6.1thattheuserdoesnotdecidewhatvalueaneventwillreturnuntilthateventiscalled,sowemustalsorejecta7!z+a7!z|wehavenowayofknowingthatbotheventswillalwaysreturnthesamevalue.Thissuggeststhefollowingdenitionofambiguity:pisambiguousifforsomecalla,therearetwoapplicablereductionrulesforp!a.Aprocessisalsoambiguousifitreducestoanambiguousprocess.Ourprocessa7!z+a7!zisambiguousbecause,forthecalla,therules+Land+Rbothapply.Herearesomeexamplesofambiguousprocesses:{a7!z1+a7!z2isambiguous,asabove.Ingeneral,ifp!aandq!a,thenp+qisambiguous.{(a7!z1:b7!z2)jjb7!z3isambiguous:afteracalltoa,itreducestob7!z2jjb7!z3,inwhichtherearetwob-reductions.Ingeneral,ifpandqhaveoverlappingalphabets,thenpjjqisambiguous.{(a7!z1+"):a7!z2isambiguous:callinga,wecouldreturneitherz1orz2.{Alongthesamelines,a7!z1:(a7!z2+"):a7!z3isambiguous:afteracalltoa,weareleftwith(a7!z2+"):a7!z3,essentiallythepreviousexample.Theexamplesabovetellushowtodetectambiguity.Wewillstartwith+andjj.Notethatthetwoconstructsneeddierentrules:thesecondexampleisambiguous,butreplacingjjby+itbecomesunambiguous.With+,therstcallneedstotelluswhichalternativetochoose,butwithjjeverycallneedstohavethisproperty.{Ifp!aandq!a,thenp+qisambiguousbecauserules+Land+Rbothapply.{Ifa2alphabet(p)\alphabet(q)thenpjjqisambiguousbecausewecanreachaprocessp0jjq0wherep0!aandq0!a;rulesjjLandjjRthenbothapply.(Thealphabetofaprocessissimplythesetofeventsthatappearsyntacticallyinit.)WewilldeneafunctionpXthatchecksthatpisunambiguous.Fornowweonlydenetheeasycases:p+qX=pX^qX^:9a(p!a^q!a)pjjqX=pX^qX^alphabet(p)\alphabet(q)=;a7!zX=true"X=trueSequentialcompositionistrickier.Lookingat(a7!z1+"):a7!z2,weseethatthereductionrulesThenLandThenRbothapply,therstbecause 6FromProcessCalculustoMockingFrameworkThegoalofthissectionistoturntheprocesscalculusintoafully- edgedmockingframework.Abasicimplementationissimple.Werstcheckthatthemockingspecicationpisunambiguous.Toexecutep,wewaitforthesystemundertesttomakeacalla.Wecheckifp!a;zqforsomeq;ifnot,thecalliserroneous.Otherwise,wereturntheresultztothecaller,andcontinuebyexecutingq.Finally,whenthetestnishes,wecheckthatthenalprocessisaccepting.6.1MatchingInourexamplessofar,aneventspeciesasingleconcretecallsuchasupdate display(speed;21)andaconcreteresultlike5:833.Inreality,wedonotalwaysknowthefunctionargumentssoprecisely,andneedarichereventlan-guage.Inourframework,aneventspeciesapatternoffunctioncalls.Forex-ample,wemaywriteupdate display(speed; ),wherethe\ "isawildcard;thismatchesanycalltoupdate displaywheretherstargumentisspeed.Apatternsimplystandsforanyoftheconcretecallswhichitmatches.Wealsoallowtheevent'sreturnvaluetodependonthecallarguments.Theusercanassociateanevaluationfunctionwitheachevent,whichisgiventhecall'sconcreteargumentsandcomputesthereturnvalue.4Notethateachoc-currenceofaneventinthemockingspecicationcanhaveadierentevaluationfunction:thesamecallneednotalwaysreturnthesameresult.Aneventthatre-turnsaconstantresultisadegeneratecasewheretheevaluationfunctionignoresitsarguments.Weneedtobecarefulthatwecanstillexecutemockingspecicationsthatusepatternmatching,andcheckthemforambiguity.Executingthespecicationisnotaproblem:weonlyneedtobeabletocheckifaconcretecallmatchesaparticularevent.Givenaprocesspandacallc,wecheckifthereisaneventthatpcanconsumeandwhichmatchesc.Finally,weusetheevaluationfunctionassociatedwiththeeventtocalculatethereturnvalue,andreducep.Wecanalsocheckthespecicationforambiguity,aslongaswecantellwhetheranytwoeventsintersect.(Twoeventsintersectifthereisasinglecon-cretecallthatmatchesbothofthem.)Itwillhelptowriteouttheexistingrules,usingequalityexplicitlywheneverwecomparetheeventsoftwoprocesses:p+qX=pX^qX^:9a9b(p!a^q!b^a=b)pjjqX=pX^qX^:9a9b(a2alphabet(p)^b2alphabet(q)^a=b)a7!zX=true"X=truep:qX=pX^qX^:9a9b(p?a^q!b^a=b)pX=pX^:9a9b9c9q(p!aq^q?b^p!c^b=c) 4ThisiswhywecouldnottelliftwoeventshavethesamereturnvalueinSection5. {Wedonotneedtoaugmentpjjq,thoughpandqthemselvesareaugmented.Thereductionrulesarethesameasbefore.{Weaugmentasingleevent,a7!z,witha agthatindicateswhetherwehaveperformedtheevent.Ifthe agshowsthatwehavealreadyperformedtheevent,wemaynolongerperformit.Replicationisthetrickiestcase,becauseinexecutingpwemayexecutepanunlimitednumberoftimes.Tohandlethisweneedtobeabletoresetaterm,whichsetsits agsbacktotheirinitialstate.Wheneverpinpdoesnotacceptaneventa7!z,butdoesaccepttheemptytrace,weresetpandfeeda7!ztoit;thiscorrespondstounrollingpintheoriginalsemantics.Wealsoaugmentpwitha agthatrecordswhetherwehaveperformedanyreductionsonit;this agissetaftertheveryrstreduction,andallowsustomodelthefactthatpalwaysacceptstheemptytrace.6.3ExtensionsThemockinglanguagewehavepresentedsofarisquiteminimal.Whenwritingmockingspecicationsinpracticeweusealargerrepertoireofconstructs.Con-structswe'vefoundusefulincludepermutations,optionalbehavioursandniterepetition.Thepermutationconstructoperatesonalistofbehavioursandissimilartoparallelcompositionbutdoesn'tallowinterleavingofbehaviours:thebehavioursmustexecuteoneafteranother,butinanarbitraryorder.Constructslikethesearedenableinthelanguagewe'vealreadypresented.Forexample,anoptionalpissimplyp+".However,inourimplementationwe'veaddedthemasprimitivesforreasonsofeciency.Itisparticularlyimpor-tanttohavepermutationsbeaprimitiveintheimplementationsinceitsencodingintoourcalculuscausesanexponentialblow-upinthesizeoftheprocess.AsanexampleofusingpermutationsconsidertheexamplewithparallelcompositionfromSection3:(read speed7!5:833:update display(speed;21)7!())jj(read light7!6:light display7!())jj((read battery7!234:update display(battery;70)7!())+")Thisspecicationallowsallvaluestobereadbeforeanyupdatesareperformed.Thismightbeexactlythefreedomonewishestoexpress.However,supposethatwewishtoensurethatthecallstoread speedandupdate displayshouldhappeninimmediatesequencewithoutbeinginterruptedbyanyoftheothercalls,andlikewisewiththecallstoread batteryandupdate display.Wecanachievethisbyusingpermutationsinsteadofparallelcomposition,writingthepermutationofp,qandrasperm[p;q;r],asfollows:perm[read speed7!5:833:update display(speed;21)7!();(read light7!6:light display7!());(read battery7!234:update display(battery;70)7!())+"] SinceChasnoobjects,wewillsimplycomparetheexpressivenessofthetwoapproaches.ThemaindierenceisthatGoogleMockprovideslotsofdefaultbehaviour:expectationsareputinparallelbydefault,therearedefaultreturnvalues,etc.Thelanguagewedenehasnodefaultbehaviour|everythingisexplicit.Bothapproacheshavetheirmerits,buthiddendefaultsrequireawell-educateduser.Intermsofexpressiveness,wehaveobservedthreekeydierences:{GoogleMockhasstate,i.e.oneactionmaysetavariablethatcanbereadbyalateraction.Thisisnotincludedinourlanguagesincewehavenothadtheneedforit.Itwouldbepossibletoextendourlanguagewithstate,butthemoreinterestingquestioniswhywehaven'thadtheneedforit.Webelievethereasonisthecompositionalityandexpressivenessofourmock-inglanguage.Comparetowritingaregularexpressionandimplementinganequivalentstatemachine.Regularexpressionsprovideadeclarativeandcompositionalinterfacewithouttheneedforstatewhichismuchsimplertousethanhavingtomaintainthestateofthestatemachineexplicitly.{GoogleMockonlydoesreplicationofsingleevents;itisnotpossibletorepeat,forexample,asequenceofcalls.Inourparticularusecase,Lisacentralingredient,thusnothavingitwouldhavepresentedaproblemtous.{Finally,theredoesnotseemtobeawaytoexpressp+qinGoogleMock.OnecouldsayatMost(1)forbothpandq,butthatwouldnotcatchthecasewhenneitherorbotharecalled.Againthisiscentraltoourusecase,butperhapsoneoftenmanageswithoutitinordinaryunittesting.Anareacloselyrelatedtomockingisruntimemonitoring.Inparticular,Jass[4]allowsmonitoringof"traceassertions"expressedinaCSP-likelanguage;ifthemonitoredcodeperformsaneventinthealphabetoftheprocessthatisnotpartofanytrace,thenanexceptionisraised.Thetraceassertionlanguageisdescribedbyexampleandformalpropertiesarenotstatedorproven.Ingen-eral,run-timemonitorscanallownon-determinisminthemonitor,becausethiscannotleadtonon-determinisminthetestoutcome.Becausemockingsuppliesreturnvaluestothecodeundertest,thennon-deterministicmockingwillleadtonon-deterministictestoutcomes.Similarly,modelcheckerscanallownon-deterministicenvironmentssincetheycanexplorebranchingexecutions,collectconstraints,andusesolverstondinterestingcases:sinceeachtestexecutioncanfollowonlyonebranchthenwedonotenjoythesamefreedom.OurmockinglanguagesharesmanysimilaritieswiththelanguagePSL[1],usedbythehardwarecommunityforspecifyingandverifyingcircuits.PSLisdividedintoseverallayersandoneoftheselayersisamodellinglayer,usedforspecifyingpartsofthedesignwhicharenotyetimplemented.Althoughsimilarinspirittoourlanguage,PSL'smockinglanguagenaturallydiersonmanydetailsasittargetshardware,notsoftware.