Every Line of Code is Guilty Until Proven Innocent

During one of the discussion with James Bach, I asked him why the whitebox testing is not pursued seriously by the testing community and he had brought out a very good point that there is nothing called as pure whitebox testing and what I am talking was actually about code based testing. He said that nothing can be a complete white box as at some level there will be an abstraction. For example if the devlopers are using some third party APIs then even a whitebox tester will not be looking the code of that API and assumes that it behaves as what is mentioned in the documentation. There may also be some errors in the compiler optimizations which may cause the program written by devloper to behave in some unexpected way. In such cases, the APIs and the compiler are the blackboxes for the tester.

The whitebox tester at some point of time has to do the black box testing of API's (also calle API Testing) for which the code might not be available. Even here the tester has to test that API works properly in all cases rather than just going by the documentation.This problem mostly is found in opensource code which is not properly tested.The tester should never believe in what the devloper says or what is mentioned in the book. He should always be looking at the things practically and then only confirm. Tester should always believe that every line of code can be guilty until proven innocent, for example the simple line of code like:

i=i+1; //i is an integer

looks innocent, but if we look at it carefully even this line can have problem over the boundaries, wherein the integer value may overflow.


  1. Excellent Article Mallik. Keep posting such thought provoking articles.

  2. Nice post mallik.

    What you are trying to describe is that the WhiteBox is not actually whitebox. All this is based on the context and as per context we may not acually see eveything.

    Incase of your Java Apps, we are using the Java API and building the apps. The bais here is that the Java API is good and try to find out the issues in your code.

    If we can dig more into the context, nothing is purely white and you can find many black holes

  3. Ya, What I meant is nothing can be foolproof, the error can be their anywhere API, compilers etc since even thats the code :). This happens more so in opensource code which is rarely tested.