Lustre is a formal synchronous declarative language widely used for modeling and specifying safety-critical applications in the fields of avionics, transportation, and energy production. In such applications, the testing activity to ensure correctness of the system plays a crucial role in the development process. To enable adequacy measurement of test cases over applications specified in Lustre (or SCADE), a hierarchy of structural coverage criteria for Lustre programs has recently been defined. A drawback of the current definition of the criteria is that they can only be applied to unit testing, i.e., to single modules without calls to other modules. The criteria experience scalability issues when used over large systems with several modules and calls between modules. We propose an extension to the criteria definition to address this scalability issue. We formally define the extension by introducing an operator to abstract calls to other modules. This extension allows coverage metrics to be applied to industrial-sized software without an exponential blowup in the number of activation conditions. We conduct a preliminary evaluation of the extended criteria using an Alarm Management System.
| Title of host publication | Formal Methods for Industrial Critical Systems |
| Editors | Gwen Salaün, Bernhard Schätz |
| Number of pages | 17 |
| Publication status | Published - 2011 |
| Name | Lecture Notes in Computer Science |
| Publisher | Springer Berlin / Heidelberg |