Black Box Software Testing

Fall 2005

Study Guide for CSE 3411

Copyright (c) Cem Kaner

Here is your 2005 study guide. All questions on my tests and exams come from this study guide.

I invite you to submit candidate questions for the study guide.

The typical midterm includes questions that total between 90 and 110 points, where

Notes on Studying & Answering Test Questions

Because you have plenty of time to work with these questions, I can expect well-organized, well-focused, thoughtful answers. For additional guidance, I suggest my paper on assessment in the testing course http://www.testingeducation.org/articles/assessment_in_the_software_testing_course_wtst_2003_paper.pdf, or these shorter discussions on answering essay questions:

Here are some additional suggestions:


Definitions

  1. Charter (of a testing session)
  2. Combination testing
  3. Complete testing
  4. Configuration-dependent failure
  5. Corner case
  6. Cost of quality
  7. Diverse half-measures
  8. Exploratory testing
  9. Failure mode and effects analysis
  10. Fault vs. failure vs. defect
  11. Function testing
  12. Functional testing
  13. Heuristic
  14. Implicit specifications
  15. Inattentional blindness
  16. Opportunity cost of a test
  17. Oracle
  18. Output domain
  19. Parafunctional attributes of a program
  20. Postcondition data
  21. Precondition state
  22. Project inertia
  23. Reference program
  24. Side effect of a measurement
  25. Smoke testing

Short Answers

S.1. What is the primary difference between black box and glass box testing? What kinds of bugs are you more likely to find with black box testing? With glass box?

S.2. Discuss the assertion that a programmer shouldn't test her own code. Replace this with a more reasonable assertion and explain why it is more reasonable.

S.3. In lecture, I asserted that all oracles are heuristic. What is the basis for that assertion? What do you think of that assertion? Why? Bonus points: describe a counter-example to this assertion.

S.4. What kinds of bugs might you be likely to miss if you use a reference program as an oracle?

S.5. How is it that you can achieve very high coverage from your tests but still miss lots of bugs?

S.6. Why is it usually impossible to achieve complete path coverage? Use examples to clarify your answer.

S.7. Consider a program with two loops, controlled by index variables. The first variable increments (by 1 each iteration) from -3 to 20. The second variable increments (by 2 each iteration) from 10 to 20. The program can exit from either loop normally at any value of the loop index. (Ignore the possibility of invalid values of the loop index.)

S.8. A program asks you to enter a password, and then asks you to enter it again. The program compares the two entries and either accepts the password (if they match) or rejects it (if they don’t). An entry is "valid" if it contains only letters and/or digits and is neither too short nor too long.

How many valid entries could you test? (Please show and/or explain your calculations.)

S.9. A program is structured as follows:

Ignore the possibility of invalid values of the index variable or X. How many paths are there through this program? Please show and/or explain your calculations.

Note: a test question might use different constants but would be identical to this question in all other respects.

S.10. Consider the program described by Myers to illustrate calculating number of paths through the program. Change the program as follows: (a) from E, the program can go to H or I or J, not just H or I and (b) at H, the program can return to A at most 10 times.

Note: a test question might use different constants but would be identical to this question in all other respects.

S.11. Distinguish between using code coverage to highlight what has not been tested from using code coverage to measure what has been tested. Use an example to make your contrast clearer.

S.12. Use Weinberg's definition of quality. Suppose that the software behaves in a way that you don't consider appropriate. Does it matter whether the behavior conflicts with the specification? Why? Why not?

S.13. Why are late changes to a product often more expensive than early changes?

S.14. One of the reasons often given for fully scripting test cases is that the tester who follows a script will know what she was doing when the program failed, and so she will be able to reproduce the bug. What do you think of this assertion? Why?

S.15. Compare, contrast, and give some examples of internal failure costs and external failure costs. What is the most important difference between these two types of failure cost?

S.16. In the Printer Options dialog in Open Office Impress, you can mark (Yes/No) for inclusion on a document:

(a) Would you do a domain analysis on these (Yes/No) variables? Why or why not?

(b) What benefit(s) (if any) would you gain from such an analysis?

S.17. What is a quick test? Why do we use them? Give two examples of quick tests.

S.18. Why would you use scenario testing instead of domain testing? Why would you use domain testing instead of scenario testing?

S.19. Compare and contrast scenario testing and specification-based testing.

S.20. Advocates of GUI-level regression test automation often recommend creating a large set of function tests. What are they actually advocating and why? What are some benefits and risks of this?

S.21. What is a function list and how would you build one for Open Office Impress?

S.22. List and describe four different dimensions (different "goodnesses") of "goodness of tests."

S.23 What is the power of a test? Credibility of a test? Contrast them with an example of a good test that has high power/low credibility and another that has low power/high credibility.

S.24. What is opportunity cost and why is it such an important issue in testing?

S.25. What is strong combination testing? What is the primary strength of this type of testing? What are two of the main problems with doing this type of testing? What would you do to improve it?

S.26. What is weak combination testing? What is the primary strength of this type of testing? What are two of the main problems with doing this type of testing? What would you do to improve it?

S.27. What kinds of errors are you likely to miss with specification-based testing?

S.28. Describe two benefits and two risks associated with using test matrices to drive your more repetitive tests.

S.29. What risks are we trying to mitigate with black box regression testing?

S.30. What risks are we trying to mitigate with unit-level regression testing?

S.31. What are the differences between risk-oriented and procedural regression testing?

S.32. Describe three risks of exploratory testing.

S.33. What is a configuration test matrix? Draw one and explain its elements.

S.34. What factors drive up the cost of maintenance of test documentation?

S.35. Does detailed test documentation discourage exploratory testing? If so, how? Why?

S.36. What does it mean to do maintenance on test documentation? What types of things are needed and why?

S.37. How can it be that you don't increase coverage when using extended random regression testing but you still find bugs?


Long Answer

L.1. State, describe, compare and contrast three different definitions of software testing. Which do you prefer? Why?

L.2. Suppose that a test group's mission is to achieve its primary information objective. Consider (and list) three different objectives. For each one, how would you focus your testing? How would your testing differ from objective to objective?

L.3. SoftCo makes a word processing program. The program exhibits an interesting behavior. When you save a document that has exactly 32 footnotes, and the total number of characters across all footnotes is 1024, the program deletes the last character in the 32nd footnote.

L.4. The oracle problem is the problem of finding a method that lets you determine whether a program passed or failed a test.

Suppose that you were doing automated testing of page layout (how the document will look like when printed) of an OpenOffice presentation document. Describe three different oracles that you could use or create to determine whether layout-related features were working. For each of these oracles,

L.5. Consider testing a presentation program, such as Open Office Impress. Describe 5 types of coverage that you could measure, and explain a benefit and a potential problem with each. Which one(s) would you actually use and why?

L.6. Some theorists model the defect arrival rate using a Weibull probability distribution. Suppose that a company measures its project progress using such a curve. Describe and explain the impact of two of the pressures testers are likely to face early in the testing of the product and two of the pressures they are likely to face near the end of the project.

L.7. Vendor sells custom software with a development contract that promises the applications will be "completely tested." In fact, the testing done by Vendor includes complete statement and branch coverage. Vendor delivers a product to Customer, the product corrupts its data without indicating any problem, and Customer loses $2 million. Customer sues, arguing that no product that has a serious bug (you should assume in your answer that this is, in fact, a serious bug) could have been completely tested.

Vendor responds with two arguments: First, that complete statement and branch coverage is complete testing. Second, that no reasonable customer could believe that a software contract would promise such extensive testing that they could guarantee bug-free software.

Your tasks:

L.8. SoftCo publishes software. Their president hates Easter Eggs and has instructed the test group to find every one (if there are any) in the product it is testing. As lead tester, it is your to figure out how to test for Easter Eggs and when to declare the job done. How will you decide when you have finished this task? Present your ideas, their strengths and weaknesses.

L.9. Ostrand & Balcer described the category-partition method for designing tests. Their first three steps are:

    1. Analyze
    2. Partition, and
    3. Determine constraints

Apply their method to this function:

I, J, and K are unsigned integers. The program calculates K = I *J. For this question, consider only cases in which you enter integer values into I and J.

Do an equivalence class analysis on the variable K from the point of view of the effects of I and J (jointly) on K. Identify the boundary tests that you would run (the values you would enter into I and J) in your tests of K.

Note: In the exam, I might use K = I / J or K = I + J or
K = IntegerPartOf (SquareRoot (I*J))

L.10. In EndNote, you can create a database of bibliographic references, which is very useful for writing essays. Here are some notes from the manual:

List the variables of interest and do a domain analysis on them.

L.11. Suppose that you found a reproducible failure, reported it, and the bug was deferred. Other than further testing, what types of evidence could you use to support an argument that this bug should be fixed, and where would you look for each of those types of evidence?

L.12. Imagine that you report something wrong with the program and the project manager responds that you have written an enhancement request, not a bug report. Assume that the project manager is making a rational statement that she believes is correct. How would she justify her statement (a) in a company that creates thorough specifications or (b) in a company that does not create trusted specifications? In both cases, describe her strongest arguments. Then evaluate the arguments.

L.13. Describe a bug that you reported about a product that you are testing. Provide a cost-of-quality argument to justify fixing it, and a cost-of-quality argument to justify not fixing it. In both cases, provide the best argument you can think of. In the specific case of this bug, which argument is more persuasive, and why?

L.14. Imagine testing a file name field. For example, go to a File Open dialog, you can enter something into the field.

Do a domain testing analysis: List a risk, equivalence classes appropriate to that risk, and best representatives of the equivalence classes.

For each test case (use a best representative), briefly explain why this is a best representative. Keep doing this until you have listed 10 best-representative test cases.

L.15. Imagine testing a file name field. For example, go to a File Open dialog, you can enter something into the File Name field.

Describe four examples of each of the following types of attacks that you could make on this feature (File Name in this dialog), and for each one, explain why your example is a good attack of that kind.

(Refer specifically to Whittaker, How to Break Software and use the types of attacks defined in that book. Don’t give me two examples of what is essentially the same attack. In the exam, I will not ask for all 16 examples, but I might ask for 4 examples of one type or two examples of two types, etc.)

L.16. Imagine testing the creation and use of templates in Open Office Impress.

Describe four examples of each of the following types of attacks that you could make on this feature, and for each one, explain why your example is a good attack of that kind.

(Refer specifically to Whittaker, How to Break Software and use the types of attacks defined in that book. Don’t give me two examples of what is essentially the same attack. In the exam, I will not ask for all 16 examples, but I might ask for 4 examples of one type or two examples of two types, etc.)

L.17. In the Windows version of OpenOffice, you can create a spreadsheet in Calc, then insert it into Impress so that when you edit the spreadsheet file, the changes automatically appear in the spreadsheet object when you reopen the Impress document.

L.18. You are testing the group of functions that let you create and format a table in Open Office Impress.

List 5 ways that these functions could fail. For each potential type of failure, describe a good test for it, and explain why that is a good test for that type of failure. (NOTE: When you explain why a test is a good test, make reference to some attribute(s) of good tests, and explain why you think it has those attributes. For example, if you think the test is powerful, say so. But don't stop there, explain what about the test justifies your assertion that the test is powerful.)

L.19. You are testing the group of functions that let you create and format a table in Open Office Impress.

Think in terms of compatibility with external software. What compatibility features or issues are (or could be) associated with tables? List three types. For each type, list 2 types of failures that could involve compatibility. For each type of failure, describe a good test for it and explain why that is a good test for that type of failure. (There are 6 failures, and 6 tests, in total). (NOTE: When you explain why a test is a good test, make reference to some attribute(s) of good tests, and explain why you think it has those attributes. For example, if you think the test is powerful, say so. But don't stop there, explain what about the test justifies your assertion that the test is powerful.)

L.20. You are testing the group of functions that let you create and format a table in Open Office Impress.

Suppose that a critical requirement for this release is scalability of the product. What scalability issues might be present in the table? List three. For each issue, list 2 types of failures that could involve scalability. For each type of failure, describe a good test for it and explain why that is a good test for that type of failure. (There are 6 failures, and 6 tests, in total). (NOTE: When you explain why a test is a good test, make reference to some attribute(s) of good tests, and explain why you think it has those attributes. For example, if you think the test is powerful, say so. But don't stop there, explain what about the test justifies your assertion that the test is powerful.)

L.21. Define a scenario test and describe the characteristics of a good scenario test.

Imagine developing a set of scenario tests for AutoCorrect in OpenOffice Impress.

L.22. Imagine that you were testing how OpenOffice Impress does outline numbering.

L.23. Suppose that scenario testing is your primary approach to testing. What controls would you put into place to ensure good coverage? Describe at least three and explain why each is useful.

L.24. We are going to do some configuration testing on the Open Office Word Processor. We want to test it on

L.25. Compare and contrast all-pairs testing and scenario testing. Why would you use one over the other?

L.26. You are testing the group of functions that let you create and format a table in Impress. Think about the different types of users of presentation programs. Why would they want to create tables? Describe three different types of users, and two types of tables that each one would want to create. (In total, there are 3 users, 6 tables). Describe a scenario test for one of these tables and explain why it is a good scenario test.

L.27. Consider domain testing and specification-based testing. What kinds of bugs are you more likely to find with domain testing than with specification-based testing? What kinds of bugs are you more likely to find with specification-based testing than with domain testing?

L.28. Consider scenario testing and function testing. What kinds of bugs are you more likely to find with scenario testing than with function testing? What kinds of bugs are you more likely to find with function testing than with scenario testing?

L.29. Compare and contrast the mechanical, risk-based, and scenario-based approaches to developing combination tests. Discuss their strengths and weaknesses relative to each other. Use examples to clarify your points.

L.30. Describe a traceability matrix.

L.31. What is regression testing? What are some benefits and some risks associated with regression testing? Under what circumstances would you use regression tests?

L.32. Compare exploratory and scripted testing. What advantages (name three) does exploration have over creating and following scripts? What advantages (name three) does creating and following scripts have over exploration?

L.33. Your company decides to outsource test execution. Your senior engineers will write detailed test scripts and the outside test lab's staff will follow the instructions. How well do you expect this to work? Why?

L.34. Imagine that you are an external test lab, and Sun came to you to discuss testing of Open Office Calc. They are considering paying for some testing, but before making a commitment, they need to know what they'll get and how much it will cost.

How will you decide what test documentation to give them?

(Suppose that when you ask them what test documentation they want, they say that they want something appropriate but they are relying on your expertise.)

To decide what to give them, what questions would you ask (up to 7 questions) and for each answer, how would the answer to that question guide you?

L.35. Suppose that Boeing developed a type of fighter jet and a simulator to train pilots to fly it. Suppose that Electronic Arts is developing a simulator game that lets players "fly" this jet. Compare and contrast the test documentation requirements you would consider appropriate for developers of the two different simulators.

L.36. Why is it important to design maintainability into automated regression tests? Describe some design (of the test code) choices that will usually make automated regression tests more maintainable.

L.37. A client retains you as a consultant to help them use a new GUI-level test automation tool that they have bought. They have no programmers in the test group and don't want to hire any. They want to know from you what are the most effective ways that they can use the tool. Make and justify three recommendations (other than "hire programmers to write your automation code" and "don't use this tool"). In your justification, list some of the questions you would have asked to develop those recommendations and the type of answers that would have led you to those recommendations.

L.38. Contrast developing a GUI-level regression strategy for a computer game that will ship in one release (there won't be a 2.0 version) versus an in-house financial application that is expected to be enhanced many times over a ten-year period.


Copyright (c) Cem Kaner 2004

This work is licensed under the Creative Commons Attribution-ShareAlike License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

These notes are partially based on research that was supported by NSF Grant EIA-0113539 ITR/SY+PE: "Improving the Education of Software Testers." Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.