Diversity of graph models and graph generators in mutation testing

The two cases aim at testing different kinds of DSL artifacts: WF constraints and model access policies, respectively. We measured the quality of the generated test suites in the context of mutation testing. First, we specified a fault model for the artifacts of both case studies, and we derived mutant modeling artifacts by injecting errors accordingly: we derived a set of mutant WF constraints for ST, and a set of mutated access control policies (for WT). Then, we applied both the original and mutant artifacts on both single test input models and complete test suites, and evaluated whether the test input is able to detect the fault injected into the mutant. A test input model detects the fault if it differentiates the mutant from the original, i.e., the two artifacts yield different outcomes for the model (respectively, resulting in different well-formedness violations, or different levels of access). The number of detected mutant artifacts is measured by a mutation score, which is considered a proxy for test suite quality.

In this paper, we use EMF as a metamodeling technique which is widely used in the modeling community. Nevertheless, the presented techniques can either be analogously adapted to other metamodeling approaches, or applied directly after creating a representation of the model in EMF (like in case of UML model with Papyrus[55]). Formally [47, 49], an (EMF) metamodel defines a vocabulary \(\langle \Sigma ,\alpha \rangle \) where \(\Sigma = \{ {\texttt {C}}_{1},\ldots ,{\texttt {C}}_{n}, {\texttt {R}}_{1}, \ldots ,{\texttt {R}}_{m},{\texttt {P}}_{1}, \ldots ,{\texttt {P}}_{l}\}\) is a set of type, relation, and predicate symbols where a unary predicate symbol \({\texttt {C}}_{i}\) is defined for each EClass and EDataType (like EString, EInteger, or EEnum), a binary predicate symbol \({\texttt {R}}_{j}\) is derived for each EReference and EAttribute and additional graph predicates \({\texttt {P}}_{1}, \ldots ,{\texttt {P}}_{l}\) are also provided. The additional predicates are a generalization of class and reference symbols where the number of parameters can be arbitrary. The function \(\alpha : \Sigma \rightarrow \mathbb {N}\) assigns arities to predicates, such that \(\alpha ({\texttt {C}}_{i})=1\) and \(\alpha ({\texttt {R}}_{j})=2\) for all i, j.

An instance model can be represented as a logic structure \(M = \langle { Obj _{M}}, {\mathcal {I}_{M}} \rangle \) where \( Obj _{M}\) is the finite set of objects (the size of the model is \(| M | = | Obj _{M} |\)), and \(\mathcal {I}_{M}\) provides interpretation for all predicate symbols in \(\Sigma \) as follows.However, not all such logic structures constitute valid instance models. A metamodel also specifies extra structural constraints that need to be satisfied in each valid instance model [47]. Such structural constraints include the type conformance of nodes and edges as well as type hierarchy (essentially type conformance of the object graph), multiplicities, acyclic containment structure, etc., in addition to custom WF constraints.

Some modeling technologies and metamodeling approaches use slightly different definitions for these concepts, but this makes little difference to the substance of our paper. For instance, in UML, instances of an Association are entities in their own right; they have attribute values and multiple such links can share the same source and target. In our approach, graph edges are represented as binary predicates instead. However, we can make this restriction without loss of generality: Instances of UML Associations can be adequately represented in our framework as objects (graph nodes), with distinguished outgoing edges representing the association ends. Similarly, definitions in the sequel apply to such alternate modeling formalisms as well.

In many industrial modeling tools, WF constraints are captured either by OCL constraints [39] or graph patterns (GP) [58] where the latter captures errors as structural conditions over an instance model as paths in a graph. To have a unified and precise handling of evaluating WF constraints, we use a tool-independent logic representation (which was influenced by [44, 47, 49]) that covers the key features of concrete graph pattern languages and a first-order fragment of OCL (including expressions like and, or, not, collect, select, exists, forall, includes, excludes, but excluding expressions like size, min or max). In our current implementation, we used the graph pattern language of Viatra [58, 60], where error patterns describe malformedness of the model, and derived logic predicates in accordance with [47].

Syntax A graph predicate is a first-order logic predicate \(\varphi (v_1, \ldots , v_n)\) over (object) variables which can be inductively constructed by using class and relation predicates \({\texttt {C}}(v)\) and \({\texttt {R}}(v_1,v_2)\), equality check \(=\), standard first order logic connectives \(\lnot \), \(\vee \), \(\wedge \), and quantifiers \(\exists \) and \(\forall \).

Semantics A graph predicate \(\varphi (v_1,\ldots ,v_n)\) can be evaluated on model M along a variable binding \(Z:\{v_1,\ldots ,v_n\} \rightarrow Obj _{M}\) from variables to objects in M. The truth value of \(\varphi \) can be evaluated over model M along the mapping Z (denoted by \({\llbracket \varphi (v_1,\ldots ,v_n) \rrbracket }^{M}_Z\)) in accordance with the semantic rules defined in Fig. 4.

If there is a variable binding Z where the predicate \(\varphi \) is evaluated to \(1\) over M (i.e., \({\llbracket \varphi \rrbracket }^{M}_{Z} = 1\)) is often called a \(pattern match \). Otherwise, if there are no bindings Z to satisfy a predicate, i.e., \({\llbracket \varphi \rrbracket }^{M}_{Z} = 0\) for all Z, then the predicate \(\varphi \) is evaluated to \(0\) over M. Graph query engines like [58] can retrieve (one or all) matches of a graph predicate over a model. When using graph patterns for validating WF constraints, a match of a pattern denotes a violation, thus the corresponding graph formula needs to capture the erroneous case. In order to ensure validity, some of the predicates \({\texttt {P}}_{k} \in \Sigma \) can be marked as WF constraints.

A code generator would normally assume that the input models are well formed, i.e., all WF constraints are validated prior to calling the code generator. However, there is no guarantee that the WF constraints actually checked by the DSL tool are exactly the same as the ones required by the code generator. For instance, if the validation forgets to check a subclause of a WF constraint, then runtime errors may occur during code generation. Moreover, the preconditions of the transformation rule may also contain errors. For that purpose, WF constraints and model transformations of DSL tools can be systematically tested.

A popular approach for designing test suites for software artifacts, also applicable to testing DSL tools, is mutation testing [37, 52]. Mutation testing aims to quantify the quality of test suites by (1) deriving a set of mutant artifacts (e.g., WF constraint sets in our case) by applying a set of mutation operators. Then, (2) the test suite is executed for the evaluation of both the original and the mutant artifacts (WF checkers), and (3) their outputs are compared. (4) A mutant is killed by a test if different output is produced for the two cases (i.e., different match sets); in other words if the test input is evidence for the different behaviors of the mutant and the original artifacts. (5) The mutation score of a test suite is calculated either as the number of mutants killed by at least one test (from a fixed collection of mutants), or the ratio of mutants killed wrt. the total number of mutants. A test suite with better mutation score is preferred [32].

Fault model and detection As a fault model, we consider omission faults in WF constraints of DSL tools where some subconstraints are not actually checked. In our fault model, a WF constraint is given in a conjunctive normal form \(\varphi _e = \varphi _1 \wedge \dots \wedge \varphi _k \), all unbound variables are quantified existentially (\(\exists \)), and may refer to other predicates specified in the same form. Note that this format is equivalent to first-order logic, and does not reduce the range of supported graph predicates. We assume that in a faulty predicate (a mutant) the developer may forget to check one of the predicates \(\varphi _i\) (Constraint Omission, CO), i.e., \(\varphi _e = [\varphi _1\wedge \ldots \wedge \varphi _i\wedge \ldots \wedge \varphi _k]\) is rewritten to \(\varphi _f = [\varphi _1 \wedge \dots \wedge \varphi _{i-1} \wedge \varphi _{i+1} \wedge \dots \wedge \varphi _k]\), or may forget a negation (Negation Omission), i.e., \(\varphi _e = [\varphi _1\wedge \ldots \wedge (\lnot \varphi _i)\wedge \ldots \wedge \varphi _k]\) is rewritten to \(\varphi _f = [\varphi _1\wedge \ldots \wedge \varphi _i\wedge \ldots \wedge \varphi _k]\). Given an instance model M, we assume that both \({\llbracket \varphi _e \rrbracket }^{M}_{}\) and the faulty \({\llbracket \varphi _f \rrbracket }^{M}_{}\) can be evaluated separately by the DSL tool. Now a test model M detects a fault if there is a variable binding Z, where the two evaluations differ, i.e., \({\llbracket \varphi _e \rrbracket }^{M}_{Z} \ne {\llbracket \varphi _f \rrbracket }^{M}_{Z}\).

A second motivating case study is the testing of rule-based, model-level access control policies for collaborative modeling. In our setting, the design model of a complex system, hosted by a system integrator, must be partially accessible (for reading, and in some cases for writing) to multiple subcontractors, downstream supply chain actors, remote offices, certification authorities, etc., according to an access control policy set up by a policy engineer. Erroneous access control settings can have a critical impact [27], due to export control regulations, the high business value of intellectual property (IP) contained in the models, and the importance of adherence to change request procedures. However, in practice, it may be difficult to properly implement access control policies based on informal security requirements (see examples in [8, 18, 23]) and the interactions or conflicts between different access rules or requirements may not be well thought-out.

An example access rule may grant certain specialists full access to subsystems they own, as well as the contents of such subsystems. The specialists must also be able to read or write signals directly provided as outputs of control units transitively contained in these subsystems; this requires further access rules in the policy. As this example shows, the complexity of such rules may be quite high, and therefore properly formalizing them may be prone to errors.

Following earlier work including [9, 27, 35], we propose test generation for access control policies. In our case, this means the generation of instance models, on which access control policies can be evaluated and the results inspected, so that the policy engineer can verify that the policy indeed works as intended. As manual inspection (human-in-the-loop testing) is time consuming, test prioritization (the order in which the generated test cases are evaluated) is of great importance: The goal is for the test suite to reveal as many bugs of the policy as possible, using as few test models as possible. This motivates the need for ordering heuristics for tests to support test selection / prioritization.

In our experiments, we rely on the policy language of the MONDO Collaboration Framework [18], which is (i) fine-grained in the sense that each model element is assigned its own set of permissions; and (ii) rule-based with single rules granting or denying permissions for many elements in a model (selected according to an expressive graph query / predicate, see Sect. 2.3). A MONDO Access Control Policy combines individual rules with various priority classes, and ensures referential integrity [8] of the filtered view model throughout the interactions of rules.

The case study applies access control to models of the wind turbine domain, according to security requirements from the literature and evaluates generated (consistent and diverse) test models with respect to their ability to distinguish the original access control policy from its mutant policies. A detailed description of the security requirements, the baseline policy, the fault model, and the obtained mutants, is relegated to the online appendix ².

Challenge Unlike (non-model-based) standard rule-based policy languages such as XACML [21], MONDO Access Control applies to graph-structured models, and uses expressive model queries (graph formulae) to identify the elements to which the rules of the policy are applicable. This presents the main challenge of this case study: Automated testing of model-based access control requires the generation of consistent and diverse (graph) models that demonstrate the behavior of the access rules.

This is in contrast with existing test generation and mutation testing approaches (e.g., [9, 10, 27, 35]) for policy languages such as XACML, where test inputs usually feature a finite set of parameters for combinatorical or other test generation approaches to consider. Therefore, the novelty of our investigation is tied to the rich and expressive nature of graph models and is specifically focusing on the ability of graph model generators and measures of model diversity to efficiently test model-based access control policies.

An effective test suite needs models with diverse graph structures. This paper proposes various metrics to measure the diversity of graph structures by adapting the formal concepts of graph shapes. The proposed distance metrics measure the diversity of a test suite based on the number of structural differences between models: If two models are the same, then the related distance metric equals to zero. Models are “far from each other” if the number of different structures is high, and they are close if the distance metric is low. Our intuition is that a more diverse model set wrt. our metrics will serve as a better test suite as it checks a larger number of different graph structures.

However, the number of potential structures can be huge even for small graphs. To systematically count the occurrences of all graph structures with a specific size in a graph model, this paper uses neighborhood shapes [43], which categorizes all nodes of a graph based on their neighborhood for a given range, thus collecting all potential structures. The number of structural differences is calculated on the level of shapes (which are in between traditional metamodels and instance models), and such shapes are then used to quantify the distance between models.

A neighborhood describes the local properties of an object in a graph model for a range of size \(i\in \mathbb {N}\). According to [43], the neighborhood describes the class and edge relations of an object. Intuitively, neighborhood shapes start splitting the classes and associations of a metamodel by introducing subtypes if the neighborhood of certain elements can be structurally different. For example, in case of statecharts, shaping may split the general State class into subclasses such as InitialState, IntermediateState, TrapState, etc. based on the existence or nonexistence of incoming and outgoing source and target edges.

Here, we propose an extension of the shape concept [43] to support hypergraphs (in other words, predicates/base relations of higher arity). Besides regular edge relationships (with objects at the source and target end of a given edge type), we also consider generalized hyperneighbor relationships (where such a hyperedge is defined by a match of a predicate with arbitrary arity leading between objects). Since classes and references can be regarded as special predicates (with arity 1 and 2), the proposed concept handles relations specified by any predicate \({\texttt {P}} \in \Sigma \) uniformly.

Concretely, a neighborhood of range i for an object \(o \in Obj _{M}\) contains descriptors of objects that can be reached from o by a path of at most i hyperedges. Technically, \({ nbh }_{i}(o)\) (range i neighborhood of o) contains range \(i-1\) neighborhoods of objects with a common hyperedge, which by recursion contain range \(i-2\) neighborhoods of their neighbors (which are objects reachable from o in at most \(i-2\) steps), and so on.

The shaping function \({ nbh }_{i} : Obj _{M} \rightarrow { Nbh }_{i}\) maps each object in a model M to a neighborhood with range i: (1) if \(i=0\), then \({ nbh }_{0}(o) = \emptyset \); (2) if \(i>0\), then \({ nbh }_{i}(o) = \langle { nbh }_{i-1}(o), rel \rangle \), whereA (graph) shape of a model M for range i (denoted as \(S_{i}(M)\)) is a multiset of neighborhood descriptors of the model: \(S_{i}(M) =({ Nbh }_{i} ,m_M)\) where \(m_M:{ Nbh }_{i} \rightarrow \mathbb {N}\) assigns multiplicities to the neighborhoods: \(m_M(n)=| \{o \in Obj _{M} \mid { nbh }_{i}(o)=n\} |\). We will use the size of a shape \(| S_{i}(M) |\) as the number of shapes used in M, i.e., \(| S_{i}(M) |=| \{n \in { Nbh }_{i} | m_M(n)>0\} |\).

Properties of graph shapes The theoretical foundations of graph shapes [43, 44] prove several key semantic properties which are exploited in this paper:

We define two types of metrics for model diversity based upon neighborhood shapes. Internal diversity captures the diversity of a single model (or model set), i.e., it can be evaluated individually for each and every generated model. This model diversity metric measures the number of neighborhood types (object categories) used in the model (or model set) with respect to the size of the model(s). External diversity captures the distance between a pair of models, or the overall degree of variation in a larger set of models.

Internal model diversity for one model Internal model diversity measures the number of different neighborhood with respect to the number of nodes. The range of this internal diversity metric \(d_{i}^\mathrm{int}(M)\) is normalized to [0..1], and for a model M with \(d_{1}^\mathrm{int}(M) = 1\) ensures each object has some different property (i.e., there is a predicate that can differentiate between each node).

This metric helps to minimize test inputs with respect to model size by punishing the unnecessary copying of the same model fragments (which is typical output for a logic solver). Models with higher internal diversity is frequently preferred in numerous machine learning or testing scenarios where a certain approach is more sensitive to the number of examples, but not insensitive to their size.

For simplicity, our definition for internal model diversity (as well as other metrics presented in this paper) takes the designated shape range as a parameter. However, it is possible to derive a generalized metric for internal model diversity that includes shapes of all ranges. For instance, the generalized metric for internal diversity can be defined as \(d_{}^\mathrm{int}(M)=\sum _{i \in \mathbb {N}} \frac{d_{i}^\mathrm{int}(M)}{2^{i+1}}\). In this formula, internal diversities of smaller ranges have larger coefficients because the differences in smaller neighborhoods are more significant. Other aggregation methods are also possible to use.

For a specific range i, the number of potential neighborhood shapes within that range is finite, but it grows superexponentially. As such, the coverage of a model set is not normalized, but its value grows monotonously for any range i by adding new models. This way, this is not yet an appropriate diversity metric for a set of models.

On the positive side, the proposed coverage concept \(cov_{i}\langle MS \rangle \) generalizes metamodel coverage [20, 62], which is a frequently used coverage metric. Metamodel coverage requires test input for each attribute (feature coverage), each subtype of a type (inheritance coverage) and references (potentially with multiple representative multiplicities, association coverage) of a metamodel. Compared to metamodel coverage, shape coverage requires test case for each possible combination of those features (for a specific range).

For a small range i of neighborhood shapes, one can derive a model \(M_j\) with \(d_{i}^\mathrm{int}(M_j) = 1\), but for larger models \(M_k\) (with \(| M_k | > | M_j |\)) we will likely have \(d_{i}^\mathrm{int}(M_j) \ge d_{i}^\mathrm{int}(M_k)\). However, due to the rapid growth of the number of shapes for increasing range i, for most practical cases, \(d_{i}^\mathrm{int}(M_j)\) will converge to 1 if \(M_j\) is sufficiently diverse.

External model diversity Finally, we also wish to measure the structural diversity between two models, which is captured by the concept of external diversity which combines shaping with existing pseudo-distance metrics. To increase the generality of our definition, we make the actual pseudo-distance functional d to be a parameter, and we adapt concrete metrics to calculate distances in the context of shapes.

Distance metrics characterize the difference between two models. For usability, it is required that a metric is a pseudo-distance over models in the mathematical sense [4], and thus, it can serve as a diversity metric for a model generator in accordance with [61].

Figure 9 illustrates the calculation of distances between \(M_1,\ldots ,M_5\) by mapping them to a pseudo-metric space. First, as in classic geometry, all distances are positive, and symmetric. For pseudo-distances, we assume triangle inequality, which means that direct distance (e.g., between models \(M_1\) and \(M_3\)) is less or equal than the sum of indirect paths (like from \(M_1\) to \(M_2\) and from \(M_2\) to \(M_3\)). Additionally, the mapping have to be functional, which means that if two models are isomorphic (like \(M_3\) and \(M_4\)) it has to mapped to the same point. Moreover, even non-isomorphic models can be mapped to the same point (like \(M_4\) and \(M_5\)). Therefore, \(d(M_i,M_j)=0\) is not implies that \(M_i\) and \(M_j\) isomorphic (just they are similar with respect to d). On the other hand, if \(d(M_i,M_j)>0\) implies that \(M_i\) and \(M_j\) are non-isomorphic.

The first metric considers the number of different shapes contained in the models:

The second distance metric is derived from the cosine of the angle between shape count vectors, where the dimensions are the local neighborhoods and the coordinates of the shapes are the corresponding multiplicities:

Technically, the presented definition does not fit Definition 5, because it does not satisfy the triangle inequality property of Definition 6. However, since the exceptions are rather extreme cases, this formula is widely used as a semi-metric.

During model generation, we will exclude a model \(M_k\) if \(d_{i}^\mathrm{sym}(M_j, M_k) = 0\) for a previously defined model \(M_j\), but it does not imply that they are isomorphic. Thus, our definition allows to avoid graph isomorphism checks between \(M_j\) and \(M_k\) which have high computation complexity. Note that distance metrics can be considered a dual of symmetry-breaking predicates [56] used in the Alloy Analyzer where \(d(M_j,M_k) = 0\) implies that \(M_j\) and \(M_k\) are isomorphic (and not vice versa).

Based on the introduced diversity metrics, we propose several model orderings \((M_1,M_2,\ldots )\) of a given set of models that focus on maximizing the diversity of prefix sequences \((M_1,\ldots , M_i)\) in order (informally, the models are sorted based on most diverse first).

The first ordering is based on the internal diversity of models and therefore can be calculated efficiently.

The following orderings are based on external diversity. In the following definition, \({ dist }(M,M')\) can be replaced by any distance metric.

Calculating distance order is less efficient as it requires all distances to be known from the beginning and therefore has both time and space complexity of \(\mathcal {O}(| MS |^2)\). The space complexity can be reduced to \(\mathcal {O}(| MS |)\) by omitting condition (i) and chosing the first element randomly or similarly to coverage order. This way the distances can be calculated on the fly.

Section 3.2 defines how shapes are computed from a set of relations over the graph nodes; then, Sect. 3.4 introduces diversity and distance metrics, while Sect. 3.5 proposes orderings of test cases, all derived from the shaping. However, so far we have not specified how a given instance model is to be interpreted as a set of relations for the purposes of computing the shapes.

The straightforward solution is to take a unary relation for each class / node type, and a binary relation for each edge / reference type (ignoring attributes for conciseness). This results in classic neighborhood-based graph shaping [43].

However, this is not the only possibility. Instead of actual classes and edges, we may take an arbitrary set of relations (each identified by a predicate symbol \({\texttt {P}} \in \Sigma \)) over the graph nodes that characterize the graph model according to some properties of interest. The definitions given in Sect. 3.2 are general enough so that they can be applied to these relations instead of the graph directly, resulting in a different set of node shapes. We call this predicate-based (or TVLA-style [44]) shaping. The two approaches can even be combined; it is possible to take both the basic graph structure and additional predicates to jointly determine shapes.

To motivate predicate-based shaping, let us discuss an intended use case. The literature on testing distinguishes black-box testing, where the artifact under test is not known at the time of test development (only its specification), from white-box testing, where the actual realization of the AUT can be taken into account to better focus the effort. Adapting this general terminology to testing a tool that processes models in certain modeling language, we find that a black-box test has to be developed with knowledge of the input DSL only; whereas a white-box approach is aware of how the tool processes its input models, e.g., which model queries (graph predicates / patterns) are used internally.

For example, consider the case of testing access control policies, as introduced in Sect. 2.5. For compiling a test suite or measuring its efficiency, a black-box testing approach would only consult the modeling language (the Wind Turbine domain) and aim for a diverse selection of model elements, whereas a white-box approach would additionally inspect the access control policy under consideration. Such a white-box technique may measure some notion of coverage of the policy provided by a given test suite, for example the proportion of access rules that applied (without being overruled) to at least one test case. Gaps in coverage would signal that more tests have to be developed or selected, as arbitrarily severe bugs may lurk in the untested parts of the policy; this is clearly useful for test selection/prioritization. Additionally, a white-box test input generator may aim to specifically generate such test cases that increase coverage. For example, the generator may take the graph patterns (predicates) used as access rule preconditions, and try to satisfy various combinations of these predicates. A similar white-box test generation approach was used for access control policies, e.g., in [35].

The above proposed generalized neighborhood-based shaping procedure can easily incorporate such additional white-box knowledge in the form of extra predicates (similarly to the classifying terms proposed in [22, 26]). The additional predicates discussed in Sect. 2.2 allow the definition of domain-specific graph predicates. Specifying such additional graph predicates for each graph pattern used in the AUT drives the graph generator to find models that are diverse in the described domain-specific aspect, as well as the local neighborhhod aspects. This way the proposed diversity metrics also guarantee model diversity from the point of view of the AUT, and may reward test cases and test suites that specifically satisfy or violate relevant graph predicates in several combinations.

In order to answer those questions, we executed model generation campaigns in our two case studies.

For both case studies, the campaigns involved generating a large set of test input models (conforming to the modeling language used in the case study), using multiple different model generation mechanisms. The generated models were evaluated both “statically” with respect to diversity metrics defined earlier, and also “dynamically” with regards to their quality as test inputs to detect faults in the AUTs specific to the case study. The latter involved applying an appropriate fault model and injecting corresponding faults into the AUT to obtain a large number of mutant artifacts, and then evaluating whether the test input models are able to differentiate the mutants from the original AUT. Beside the total number of mutants killed by a test suite, we also investigated how this mutation score increases with each additional test (according to a given ordering of graphs), in order to find test selection approaches that reach high test suite quality using a small number of tests.

An overview of case study-specific details follows in the next paragraphs, with the most important differences highlighted in Table 1.

Yakindu Statecharts (ST) First, we used a DSL extracted from Yakindu Statecharts as proposed in [51]. We used the partial metamodel describing the state hierarchy and transitions of statecharts (illustrated in Fig. 2, containing 12 classes and 6 references). Additionally, we formalized 10 WF constraints regulating the transitions as graph predicates, based on the built-in validation of Yakindu. These WF constraints serve as AUTs (not “extra predicates” for white-box testing); i.e., we measured the ability of model generators to reveal bugs in WF constraints.

For mutation testing of WF constraints, we used a constraint or negation omission operator (CO and NO) to inject a fault to the original WF constraint in every possible way, which yielded 51 mutants from the original 10 constraints (but some mutants may never have matches). We evaluated both the original and mutated versions of the constraints for each instance model. A model kills a mutant if there is a difference in the match set of the two constraints. The mutation score for a test suite (i.e., a set of models) is the total number of mutant WF constraints killed that way.

Wind Turbine control system models (WT) As a second case study (which is novel compared to [50], and described in more detail in the online appendix ³), we used WT system models conforming to the metamodel illustrated in Fig. 3, containing 15 classes, 18 references, two relevant attributes, which is extended by two classes and an enum type to encode access control metadata. For this case study, we also formalized 10 WF constraints. Additionally, we formalized 25 access control rules using a further 18 graph patterns to define a complex access control policy motivated by the literature. This access control policy serves as the AUT; i.e., we measured the ability of model generators to reveal bugs in the policy.

For mutation testing of access control rules (WT), we derived 174 mutant policies by applying mutation operators on the access control rules. However, in WT mutations did not applied on the WF constraints. Moreover, mutations were allowed to change neither the 18 graph patterns underlying the policy, nor the way they are used in the access rules (“bindings”). This choice was deliberately made to reduce the overlap with the first case study; in ST, mutation affected graph patterns / model queries exclusively, while in WT, mutation affected all parts of the access policy except the model queries. This way our experiments can attest that the test generation methods can be used to verify both graph patterns and other kinds of DSL artifacts.

For evaluation, we applied both the original and the mutant access control policies on a model, and checked all read and write permission for all users and all model elements. A test input model kills a mutant policy, if there is a difference for any user in any read or write permission in any part of the model, compared to the effective permissions assigned by the baseline policy. The mutation score for a test suite is the total number of mutant policies killed that way.

Since the WF constraints are assumed to be correct in this case study, the model generators (where supported) were instructed to obey them (consistent model generation), to reveal real problems with the policy.

As explained in Sect. 3.6, in case of white-box testing, the queries underlying the access rules can be used to enhance the shaping function. Such extra predicates may potentially result in diversity metrics and orderings that reward diversity in triggering access rules (over diversity in graph structure).

Our test input models were taken from multiple sources.

To address RQ1, we generated two sets of models for each case study:After generating the model set, we compared the efficiency of different ordering (test case prioritization) techniques on the model set, and measured the mutation score of the first n elements in the sequence.

To answer RQ2 and RQ3, we introduced the following measurement setup. First, a sequence of instance models is generated with all VS, A and REMF configurations. Each tool in each configuration generated a sequence of 30 instance models produced by subsequent solver calls, and each sequence is repeated 20 times (so 6000 models are generated for all configuration of VS , Aand REMF, for both case studies). The target model size is uniformly set to 30 objects (as Alloy did not scale with increasing size). The size of Human models ranges from 50 to 200 objects. Next, we evaluate the mutation scores for all the models individually, for each prefix of the entire model sequence as test suites.

In order to answer RQ1, we checked the efficiency of all proposed orderings on test selection, both case studies (WT and ST) are executed on a complete set of instance models (created by VS/All) and a randomly generated set (generated by REMF). Figure 10 illustrates the efficiency of the various test case orderings for each tool and case study: WT and ST are illustrated top and bottom, VS/All and REMF are illustrated left to right. On a diagram, the horizontal axis shows the number of tests selected in a test suite (in log scale), in other words the length of the prefix of the complete model sequence. The vertical axis shows the achieved joint mutation score (a number of mutant killed by the test suite as a whole). Each chart line represents the mutation score achieved by a specific test case prioritization / ordering scheme, in context of the given tool and given case study.In both case studies, random order produced logarithmic characteristic in mutation score before killing all mutants. VS discovered mutants in multiple steps, stagnating for a large amount of models before increasing the mutation score again. Table 2 highlights when each ordering reached 95% and 100% of the maximal number of mutants it kills. For each case study ST and WT executed on either a complete set or a randomly sampled set of models, almost all proposed orderings performed significantly better than random ordering.

Findings We can summarize our important findings of concerning reordering of models (RQ1):

However, there were no external diversity metrics that always produced better orderings than others; thus, we cannot propose a single best heuristic.

Figure 11 shows the number of killed mutants (vertical axis) by an increasingly longer sequence of models (horizontal axis) generated by the different approaches. The diagram shows the average of 20 generation runs.

For case study ST, both VS+i and VS-i found a large amount of mutants in the first model, and the number of killed mutants (45+) which increased to 51. For A, the result highly depends on the symmetry value: for s = 0 it found a large amount of mutants, but the value saturated early. The default configuration (s=20) found the least number of mutants.

For case study WT, VS+i and both A solvers started from relatively high mutation score at the beginning, but not a single run was unable to discover more than 75 bugs. At first VS+i showed better results, but at the end they showed similar efficiency. On the other hand REMF showed poor mutation score values at the beginning, but it was able to improve the score with each additional model, outpacing both VS+i and A after 7 models. Finally, VS-i showed the benefit of both VS+i and REMF: it produced relatively high mutation score at the beginning, and it was able to increase the mutation score in every step.Findings Our important findings about the efficiency of existing model generators are the following (RQ2):

Figure 12 illustrates the correlation between mutation score (horizontal axis) and internal diversity (vertical axis) for all generated models with 30 elements (1200 A, 1200 VS, 600 REMF for both case studies), and 1250 human models for ST.

Table 3 shows the correlation between mutation score and internal diversity for a group of models. We detected a high correlation on the set of well-formed models:Findings We highlight the following findings regarding the correlation between internal diversity and mutation score (RQ3):

However, there are certain model groups that showed no correlation. In particular, REMF was able to produce models with very high diversity, but with low mutation score. This can be partially considered to the fact that REMF models were mostly malformed.

Additionally, based on our measurement conducted on a large number of instance models created by humans, we conclude as follows:

We evaluated more than 23,439 test inputs in our measurement, and all models were taken from two open-source industrial tools and for two different testing scenarios. Those case studies used wide range of metamodel and constraint features; thus, we did not specialized the generators to those case studies. Thus, we believe that similar results would be obtained for other domains.

For mutation operations, we checked only omission of predicates for WF, as extra constraints could easily yield infeasible predicates due to inconsistency with the metamodel, thus further reducing the number of mutants that can be killed. For mutation testing of WT, we used mutation operators similar to [10, 35]. In this paper, we focused on testing of structural constraints that can be captured as logic predicates (as detailed in Sect. 2.3).

Finally, although we detected a strong correlation between diversity and mutation score with our well-formed test cases, this result cannot be generalized to statistical causality, because the generated models were not random samples taken from the universe of models. Thus, additional investigations are needed to justify this correlation, and we only state that if a model is generated by either VS or A, a higher diversity means a higher mutation score with high probability.