specification

223
Specification A broad term that means definition Used at different stages of software development for different purposes Generally, a statement of agreement (contract) between producer and consumer of a service Designer/implementer and user All desirable qualities must be specified What versus how dichotomy

Upload: ulla

Post on 20-Mar-2016

38 views

Category:

Documents


1 download

DESCRIPTION

Specification. A broad term that means definition Used at different stages of software development for different purposes Generally, a statement of agreement ( contract ) between producer and consumer of a service Designer/implementer and user All desirable qualities must be specified - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Specification

Specification

A broad term that means definition Used at different stages of software

development for different purposes Generally, a statement of agreement

(contract) between producer and consumer of a service Designer/implementer and user

All desirable qualities must be specified What versus how dichotomy

Page 2: Specification

Uses of specification

Statement of user requirements major failures occur because of

misunderstandings between the producer and the user

"The hardest single part of building a software system is deciding precisely what to build“ (F. Brooks)

Page 3: Specification

Uses of specification (cont.)

Statement of the interface between the machine and the controlled environment serious undesirable effects can result due to

misunderstandings between software engineers and domain experts about the phenomena affecting the control function to be implemented by software (remember Arianne 5 example)

Page 4: Specification

Uses of specification (cont.)

Statement of requirements for implementation design process is a chain of specification (i.e., definition)–

implementation–verification steps requirements specification refers to definition of external

behavior design specification must be verified against it

design specification refers to definition of the software architecture

code must be verified against it

Page 5: Specification

Uses of specification (cont.)

A reference point during maintenance corrective maintenance only changes

implementation adaptive and perfective maintenance occur

because of requirements changes requirements specification must change accordingly

Page 6: Specification

Specification qualities Precise, clear, unambiguous Consistent Complete

internal completeness external completeness

Incremental Informal specifications, written in a natural

language, are likely to contain subtle ambiguities Please see:

http://www.gray-area.org/Research/Ambig

Page 7: Specification

Clear, unambiguous, understandable Example: specification fragment for a

word-processor (from Word 4.0 manual)

Selecting is the process of designating areas of the document that you want to work on. Most editing and formatting actions require two steps: first you select what you want to work on, such as text or graphics; then you initiate the appropriate action.

can an area be scattered?

Page 8: Specification

Precise, unambiguous, clear Another example (from a real safety-

critical system)

The message must be triplicated. The threecopies must be forwarded through three different physical channels. The receiver accepts the message on the basis of a two-out-of-three voting policy.

can a message be accepted as soon as we receive 2 out of 3 identical copies of message or do we need to wait for receipt of the 3rd?

Page 9: Specification

Consistent Example: specification fragment for a word-

processor

The whole text should be kept in lines of equal length. The length is specified by the user. Unless the user gives an explicit hyphenation command, a carriage return should occur only at the end of a word.

What if the length of a word exceeds the length of the line?

Page 10: Specification

Complete

Internal completeness the specification must define any new concept or

terminology that it uses glossary helpful for this purpose

the specification must document all the needed requirements difficulty: when should one stop?

Page 11: Specification

Classification of specification styles

Informal, semi-formal, formal Operational

Behavior specification in terms of some abstract machine

Descriptive Behavior described in terms of properties

Page 12: Specification

Example 1 - Operational Specification of a geometric figure E:

E can be drawn as follows:

1. Select two points P1 and P2 on a plane2. Get a string of a certain length and fix its ends

to P1 and P23. Position a pencil as shown in next figure4. Move the pen clockwise, keeping the string

tightly stretched, until you reach the point where you started drawing

P P 1 2

Page 13: Specification

A descriptive specification

Geometric figure E is describe by the following equation

ax2 + by2 + c = 0where a, b, and c are suitable constants

Page 14: Specification

Another example

“Let a be an array of n elements. The result of its sorting is an array b of n elements such that the first element of b is the minimum of a (if several elements of a have the same value, any one of them is acceptable); the second element of b is the minimum of the array of n-1 elements obtained from a by removing its minimum element; and so on until all n elements of a have been removed.”

“The result of sorting array a is an array b which is a permutation of a and is sorted.”

Which one is operational? Descriptive?

Page 15: Specification

Case study: Elevator Problem

An n elevator system to be installed in a building with m floors Natural language specs contain several ambiguities Formal specification using PNs removes ambiguities Specification will be provided in a stepwise fashion Will use modules, each encapsulating fragments of PNs which

describe certain system components

Page 16: Specification

Easy question (?)(not on initial slides) How many buttons are on the first and top

floors?

Page 17: Specification

From informal specs…

“The illumination is cancelled when the elevator visits the floor and is either moving in the desired direction, or ...”

2 different interpretations (case of up call) switch off as the elevator arrives at the floor from below

(obvious restrictions for 1st and last floor) switch off after the elevators starts moving up

in practice you may observe the two cases!

Page 18: Specification

…more analysis of informal specs

“The algorithm to decide which to service first should minimize the waiting time for both requests.”what does this mean?

in no other way can you satisfy either request in a shorter time

but minimizing for one may require longer for the other the sum of both is minimal

why the sum?

Page 19: Specification

Models Of Computation

A mathematical description that has a syntax and rules for computation of the behavior described by the syntax (semantics). Used to specify the semantics of computation and concurrency.

Characteristics: compact description, fidelity to design style, synthesize and optimize behavior to an implementation.

Language & MOCs: MOC affects expressiveness, trade off.

Page 20: Specification

Diversity of MOCs

There are (far too) many models of computation in the embedded systems domain alone.

Why? Need to handle

different notions of time. different modes of communication different types of functionalities.

Page 21: Specification

Notions of Time

Source: A.Sangiovanni-Vincentelli

Page 22: Specification

Petri Nets: One Example of a MOC Originated in thesis of Carl Adam Petri, 1965 Beneficial in modeling systems that are

asynchronous and concurrent More popularized by Anatol Holt in 1968 For a while, very hot research area

(multiple yearly conferences)

Page 23: Specification

Petri netsA quadruple (P,T,F,W)

P: places T: transitions (P, T are finite) F: flow relation (F {PT} {TP} ) W: weight function (W: F N – {0} )Properties:(1) P T = Ø(2) P T Ø(3)F (P T) (T P)(4) W: F N-{0}Default value of W is 1

State defined by marking: M: P N

Page 24: Specification

places

transitions flows

marking

3 weight

P

P

P

t

t

P

t

1

3

1

3

4

6

5

P

P

P

2

5

7

t

t

t

2

4

6

Graphical representation

Page 25: Specification

Semantics: dynamic evolution Transition t is enabled iff

pt's input places,M(p) W(<p,t>) t fires: produces a new marking M’ in places that

are either t's input or output places or both if p is an input place: M'(p) = M(p) - W(<p,t>) if p is an output place: M'(p) = M(p) + W(<t,p>) if p is both an input and an output place:

M'(p) = M(p) - W(<p,t>) + W(<t,p>)

Page 26: Specification

Non-determinism

Any of the enabled transitions may fire Model does not specify which fires, nor when

it fires

Page 27: Specification

Modeling with Petri nets

Places represent distributed states Transitions represent actions or events that

may occur when system is in a certain state They can occur as certain conditions hold on

the states

Page 28: Specification

P

P

P

t

tP

t

1

3

1

3

4

65

P

P

P

2

5

7

t

t

t

2

4

6

P

P

P

t

tP

t

1

3

1

3

4

65

P

P

P

2

5

7

t

t

t

2

4

6

P

P

P

t

tP

t

1

3

1

3

4

65

P

P

P

2

5

7

t

t

t

2

4

6

P

P

P

t

tP

t

1

3

1

3

4

6

5

P

P

2

5

7

t

t

t

2

4

6

P

(a) (b)

(c) (d)

after (a) either (b) or (c) may occur, and then (d)

Page 29: Specification

Common cases Concurrency

two transitions are enabled to fire in a given state, and the firing of one does nor prevent the other from firing

see t1 and t2 in case (a) Conflict

two transitions are enabled to fire in a given state, but the firing of one prevents the other from firing

see t3 and t4 in case (d) place P3 models a shared resource between two processes

no policy exists to resolve conflicts (known as unfair scheduling)

a process may never get a resource (starvation)

Page 30: Specification

How to avoid starvation

P P

P

P P

t t

t t

P P

t t

1

1 2

3

4

5

6

7

4

2

3

6

5

imposes alternation

Page 31: Specification

Advantages of PNs

Modeling Fairly simple models of elaborate schemas

Analysis Proving properties of model/design

Design 1. Generate the model 2. Use it to prove correctness properties 3. Design system from model

Page 32: Specification

Deadlock

A PN with a given marking is said to be in deadlock if and only if no transition is enabled in that marking.

Page 33: Specification

A conflict-free net, but not deadlock free

R

P P

t t

t'

t"

t

t'

t"

t

1

1

3

3

2

2

4

4

56

2 2

this net candeadlock!consider

'42

'31 t,t , t,t

Page 34: Specification

A conflict-free net, but not deadlock free

R

P P

t t

t'

t"

t

t'

t"

t

1

1

3

3

2

2

4

4

5 6

2 2

Page 35: Specification

A deadlock-free net

R

P P

t t

t'

t"

t

t'

t"

t

1

1

3

3

2

2

4

4

56

2 2

2 2

Page 36: Specification

A case of partial starvation

t

t

1

3

t

t

2

4

Page 37: Specification

Is it deadlock-free?

t

t

1

3

t

t

2

4

Page 38: Specification

Producer/ConsumerEmpty buffer

Producer

Full buffer

Consumer

Questions: How about adding 4 buffers? How about 3 producers and 5 consumers?

There is always a token in Producer and Consumer

How would you do the operations above with a FSM?

Page 39: Specification

Limitations and extensions

P

channel1 channel2

Token represents a message.You wish to say that the delivery channel dependson contents.How?Petri nets cannot specify selection policies.

Page 40: Specification

Extension 1: Assigning values to tokens

Transitions have associated predicates and functions

Predicate refers to values of tokens in input places selected for firing

Functions define values of tokens produced in output places

Page 41: Specification

Example

PP

P

PP

34

71 4

t t1 2

45

12

3Predicate P2 > P1 and function P4 := P2 + P1 associated with t1

Predicate P3 = P2 and functions P4 := P3 P2 and P5 := P2 + P3 are associated with t2

The firing of t1 by using <3,7> would produce the value 10 in P4. t2 can then fire using <4, 4>

Page 42: Specification

Extension 2:Specifying priorities A priority function from transitions to natural

numbers: pri: T N When several transitions are enabled, only

the ones with maximum priority are allowed to fire

Among those with the same priority, the one to fire is chosen non-deterministically

Page 43: Specification

Extension 3:Timed Petri nets A pair of constants <tmin, tmax> is

associated with each transition Once a transition is enabled, it must

wait for at least tmin to elapse before it can fire

If enabled, it must fire before tmax has elapsed, unless it is disabled by the firing of another transition before tmax

Page 44: Specification

Example:Combining priorities and time

P P P

t t t tmin = 1 tmax = 4

tmin = 2 tmax = 3

tmin = 0 tmax = 5

priority = priority = priority = 1 3 2

P

1

1 2

2

3

3

4

Page 45: Specification

Precise, unambiguous, clear Another example (from a real safety-

critical system)

The message must be triplicated. The threecopies must be forwarded through three different physical channels. The receiver accepts the message on the basis of a two-out-of-three voting policy.

can a message be accepted as soon as we receive 2 out of 3 identical copies of message or do we need to wait for receipt of the 3rd?

Page 46: Specification

Original message

Message triplication

Message copies

Message copies transmission

tmin = tmax =

tmin = tmax =

tmin = tmax = 0

0

for all three transitions

PC1

PC2PC3

c1 k1

c2k2

Forwarded message

tvoting1 tvoting2 tvoting3

{

{

{Precise specificationof message triplication problemCase (1)

Page 47: Specification

Original message

Message triplication

Message copies

Message copies transmission

tmin = tmax =

tmin = tmax =

tmin = 0 tmax = 0

PC1

PC2

PC3

c1 k1

c2k2

tvoting

Forwarded message

Precise specificationof message triplication problemCase (2)

Page 48: Specification

Elevator Example with PNs

Page 49: Specification

Initial sketch of movement

Elevator at floor j

Elevator at floor j + 1

Pushing internal button for floor j + 1

Button illumination Transfer

from floor j to j+1

Shortcomings:

• External buttons?• Movement can be caused by any button• Button reset?• From 4 to 27, and floor 20 button pushed•Scalability – 100 floors!• Button illumination if button pushed multiple times

Page 50: Specification

Button module

C P P u s h

S e t

O f f

R e s e t

O n

0 . 1 . . 0 . 0 5 . . 0 . 0 5

0 . . 0

Page 51: Specification

Elevator position (sketch)F

F DFUF

UF F DF

UF FDF

F

m

m-1

3

2

1

m-1 m-1

3 3

2 2

Page 52: Specification

Assume j+1hm

Fj+1 UFj+1

Fj"

t Fj'

UPh On

On

DOWNh

ILBh

DOWNj+1

On

On

On

On

ILBj+1

Fj

t1 t2 t3 t4 t5 t6

t7

t8 t9

t10 t11 t12

UPj+1

More precise description of elevator position

Page 53: Specification

Switch internal button off

I L B j

F j

S e t

R e s e t

O f fO n0 . . 0

Page 54: Specification

Switch external button off

Set

x..x Reset

ti'

Fj

Fj'

On Off

UPj

x time needed bya person to enter + pushing button

Page 55: Specification

Example: Vending Machine

The machine dispenses two kinds of snack bars – 20c and 15c.

Only two types of coins can be used – 10c coins and 5c coins.

The machine does not return any change.

Page 56: Specification

Example: Vending Machine (A Petri net)

5c

Take 15c bar

Deposit 5c

0c

Deposit 10c

Deposit 5c

10c

Deposit 10c

Deposit5c

Deposit 10c20c

Deposit5c

15c

Take 20c bar

Page 57: Specification

Example: Vending Machine (3 Scenarios) Scenario 1:

Deposit 5c, deposit 5c, deposit 5c, deposit 5c, take 20c snack bar.

Scenario 2: Deposit 10c, deposit 5c, take 15c snack bar.

Scenario 3: Deposit 5c, deposit 10c, deposit 5c, take 20c

snack bar.

Page 58: Specification

Example: Vending Machine (Token Games)

5c

Take 15c bar

Deposit 5c

0c

Deposit 10c

Deposit 5c

10c

Deposit 10c

Deposit5c

Deposit 10c20c

Deposit5c

15c

Take 20c bar

Page 59: Specification

Behavioral properties (1) Properties that depend on the initial marking Reachability

Mn is reachable from M0 if exists a sequence of firings that transform M0 into Mn

Boundedness a PN is bounded if the number of tokens in each place

doesn’t exceed a finite number k for any marking reachable from M0

a PN is safe if it is 1-bounded

Page 60: Specification

Behavioral properties (2)

Liveness a PN is live if, no matter what marking has been reached, it

is possible to fire any transition with an appropriate firing sequence

Liveness=> deadlock free (but not vice versa) strong property, different levels of liveness are defined

(L0=dead, L1, L2, L3 and L4=live) Reversibility

a PN is reversible if, for each marking M reachable from M0, M0 is reachable from M

relaxed condition: a marking M’ is a home state if, for each marking M reachable from M0, M’ is reachable from M

Page 61: Specification

Analysis methods (1)

Coverability tree tree representation of all possible markings

root = M0 nodes = markings reachable from M0 arcs = transition firings

if net is unbounded, then tree is kept finite by introducing the symbol

Properties a PN is bounded iff doesn’t appear in any node a PN is safe iff only 0’s and 1’s appear in nodes a transition is dead iff it doesn’t appear in any arc if M is reachable form M0, then exists a node M’ that covers

M

Page 62: Specification

Coverability tree example

t3

p2

t2

p1

t1

p3

t0

M0=(100)

Page 63: Specification

Coverability tree example

t3

p2

t2

p1

t1

p3

t0

M0=(100)

M1=(001)“dead end”

t1

Page 64: Specification

Coverability tree example

t3

p2

t2

p1

t1

p3

t0

M0=(100)

M1=(001)“dead end”

t1 t3

M3=(10)

Page 65: Specification

Coverability tree example

t3

p2

t2

p1

t1

p3

t0

M0=(100)

M1=(001)“dead end”

t1 t3

M3=(10)t1

M4=(01)

Page 66: Specification

Coverability tree example

t3

p2

t2

p1

t1

p3

t0

M0=(100)

M1=(001)“dead end”

t1 t3

M3=(10)t1

M4=(01)

t3

M3=(10) “old”

Page 67: Specification

Coverability tree example

t3

p2

t2

p1

t1

p3

t0

M0=(100)

M1=(001)“dead end”

t1 t3

M3=(10)t1

M4=(01)

t3

M6=(10) “old”t2

M5=(01) “old”

Page 68: Specification

Coverability tree example

100 M0=(100)

M1=(001)“dead end”

t1 t3

M3=(10)t1

M4=(01)

t3

M6=(10) “old”t2

M5=(01) “old”

t1 t3

t110001

01t3

t2

coverability graph coverability tree

Page 69: Specification

Need for verification(in some safety-critical domains) Designers are fallible even if they are skilled

and follow sound principles Everything must be verified, every required

quality, process and products even verification itself…

Page 70: Specification

Approaches to verification

Experiment with behavior of product sample behaviors via testing goal is to find "counterexamples" dynamic technique

Analyze product to deduce its adequacy analytic study of properties static technique

Page 71: Specification

Testing and lack of "continuity"

Testing samples behaviors by examining "test cases"

Impossible to extrapolate behavior of software from a finite set of test cases

No continuity of behavior it can exhibit correct behavior in a seemingly

infinite number of cases, but may still be incorrect in some cases

Page 72: Specification

Dijkstra Said

“Program testing can be used to show the presence of bugs, but never to show their absence!”

Undergraduate “programming” classes at UT-Austin

Page 73: Specification

History Program verification is almost as old as programming (e.g.,

“Checking a Large Routine”, Turing 1949) Naur66, Floyd67:

used assertions to specify/verify flowchart programs Hoare69:

developed the proof system for Hoare triples Boehm and Jacopini, 1966

Proved that control logic of any flowchartable program could be expressed without gotos, using only sequence, selection, iteration.

Edsger Dijkstra, 1970 His argument that gotos are harmful was motivated by a desire

to shorten formal proofs of correctness Reynolds00, Ishtiaq&O’Hearn01

extended Hoare’s proof system using separating connectives to handle pointers

Page 74: Specification

Formal Methods Advantages

Change program from a private, puzzle-solving activity to a public, verifiable activity of translating specifications into programs

Based on formal mathematical techniques Only way to provide guaranteed correctness Supported by formal languages (Z, VDM-SL, REFINE), proof-

checkers, and translation systems Disadvantages

Notations are often baroque, confusing Formal techniques do not scale up very well

In Practice Formal techniques have been used successfully, and are

especially recommended for safety-critical systems Formal approaches and tools may be mandated, e.g., British

Ministry of Defense. But, not even considered by most programmers…

Page 75: Specification

Hoare Said

“Thus the practice of proving programs would seem to lead to solution of three of the most pressing problems in software and programming, namely, reliability, documentation, and compatibility. However, program proving, certainly at present, will be difficult even for programmers of high caliber; and may be applicable only to quite simple program designs.”

Page 76: Specification

“Things like even software verification, this has been the Holy Grail of computer science for many decades but now in some very key areas, for example, driver verification we’re building tools that can do actual proof about the software and how it works in order to guarantee the reliability.” Bill Gates, April 18, 2002.

Gates Said

Page 77: Specification

Basic Programming Constructs Form programs only from basic 1-in, 1-out

control constructs: Sequence: begin S1 S2 end Selection: if E then S1 else S2 end Iteration: while E loop S1 end Above statements are enough , but 1-in, 1-out

statements include: if/elseif, case statements, for loops, etc.

Page 78: Specification

Correctness ProofsTo prove a program is correct:

We need to prove the post-condition is true after executing the program fragment

(assuming the pre-condition was true beforehand)E.g.

Step 1: for z>0 to be true after the assignment, x*y>0 must have been true before it

Step 2: for x*y>0 to be true before the assignment, the precondition must imply it.

Step 3: show that (x>0 and y>0) implies x*y>0

{ x>0 and y>0 }z := x*y;{ z>0 }

Page 79: Specification

Weakest Precondition

Starting with a post-assertion, what is the weakest pre-condition that makes the assertion true?

In other words, what must be true before to make the assertion true after?

[WP ^ [test&action] ] -> Assertion

Page 80: Specification

What do we mean by “weakest”? If A => B but not (B => A), then B is “weaker”

than A, and A is “stronger” than B. The weakest possible predicate is the one

that is identically true, because A => true no matter what A is.

Similarly, the strongest possible predicate is false

Page 81: Specification

Weakest Precondition

Dijkstra’s definition: The condition that characterizes the set of all

initial states, such that activation will certainly result in a properly terminating happening leaving the system in a final state satisfying a given post-condition, is called "the weakest pre-condition corresponding to that post-condition". (We call it "weakest", because the weaker a condition, the more states satisfy it and we aim here at characterizing all possible starting states that are certain to lead to a desired final state.)

Page 82: Specification

The general strategy is:1) start with the post-condition2) work backwards through the program line-by-line3) find the weakest pre-condition (WP) that guarantees the post-condition4) prove that the actual pre-condition implies WP

i.e. the actual pre-condition is weaker than the “weakest pre-condition”, WP

For example

1) for Post to be true after S2, then x<1 must be true before S2

2) for x<1 to be true after S1, then 0<1 must be true before S1

3) (0<1) is the weakest precondition for this program4) So is (true implies 0<1) true?

Using Weakest Pre-conditions

PreS1S2

Post

{ true } x := 0; y := 1{ x<y }

Page 83: Specification

Proof rulesProof rules

tell us how to find weakest preconditions for different programswe need a proof rule for each programming language construct

Proof rule for assignmente.g. for

the weakest precondition is Post with all free occurrences of x replaced by e

Proof rule for sequencee.g. for

if WP2 is the weakest precondition for S2, then the weakest precondition for the whole program is the same as the weakest precondition for { Pre } S1 { WP2 }

{ Pre } x := e; { Post }

{ Pre } S1; S2{ Post }

Page 84: Specification

Hoare Notation

We can express proof rules more conciselye.g. using Hoare notation:

this means “if claim1 and claim2 have both been proved, then conclusion must be true”

claim1, claim2, ...conclusion

Page 85: Specification

Hoare NotationE.g. for sequence:

E.g. for if statements:

find the weakest precondition for S1 and the weakest precondition for S2.

Then show ((Pre and c) implies WP S1) and ((Pre and not(c)) implies WP S2)

{Pre}S1{Q}, {Q}S2{Post}{Pre}S1; S2{Post}

{Pre and c}S1{Post}, {Pre and not(c)}S2{Post}{Pre}if (c) then S1 else S2{Post}

Page 86: Specification

1) the first branch:

to find the weakest precondition, substitute x for max:

WP1 = {(x=x or x=y) and (x>=x) and (x>=y)}= {(true or x=y) and true and (x>=y)}= {(true) and (x>=y)}= {x>=y}

{ true } if (x>y) then max := x;else max := y; { (max=x or max=y) and max>=x and

max>=y) }{ true and x>y }max := x;{ Post }

Proving an If statement

which is okay because(Pre and c) implies WP1,{true and x>y} implies {x>=y}

Page 87: Specification

{ true } if (x>y) then max := x;else max := y; { (max=x or max=y) and max>=x and

max>=y) }

2) the second branch:

to find the weakest precondition, substitute y for max:WP2 = {(y=x or y=y) and

(y>=x) and (y>=y)}= {(y=x or true) and

(y>=x) and true}= {(true) and (y>=x)}= {y>=x}

{ true and not(x>y) }max := y;{ Post }

Proving an If statement

which is okay because(Pre and not(c)) implies WP2,{true and not(x>y)} implies {y>=x}

Page 88: Specification

Proof rules for a language

{F1}S1{F2}, {F2}S2{F3}

{F1}S1;S2{F3}sequence

{Pre and cond} S1 {Post},{Pre and not cond} S2 {Post}{Pre} if cond then S1 ; else S 2 ; end if; {Post}

if-then-else

while-do{I and cond} S {I}

{I} while cond loop S; end loop; {I and not cond}

I loop invariant

Page 89: Specification

Program proofs are not (currently) widely used:

they can be tedious to construct they tend to be longer than the programs

they refer to they could contain mistakes too! they require mathematical expertise they do not ensure against hardware

errors, compiler errors, etc. they only prove functional correctness (i.e.

not termination, efficiency,…)

Practicalities

Page 90: Specification

Practical formal methods:Just use for small parts of the program

e.g. isolate the safety-critical partUse to reason about changes to a

programe.g. prove that changing a statement preserves

correctnessAutomate some of the proof

use proof checkers and theorem proversUse formal reasoning for other things

test properties of the specification to see if we got the spec right

ie. use for validation, rather than verification

Practicalities

Page 91: Specification

Implication review

P Q P => Q

T T T

T F F

F T T

F F T

If it rains tomorrow, then I will sleep-in late.

It rained – I slept in late.

It rained – I did NOT sleep in late.

It did NOT rain – I slept in late.

It did NOT rain – I did NOT sleep in late.

Page 92: Specification

Review from last week

Which is true: {true and x>y} implies {x>=y} {true and x>=y} implies {x>y}

Does {X=1} => {X=1 or X=0} ?

Page 93: Specification

Fibonacci Numbers

n’th Fibonacci number fib(n): fib(0) = 0, fib(1) = 1 fib(n+2) = fib(n+1) + fib(n)

Page 94: Specification

Implementation in C

if (n==0) { a=0; }else {

i=1; p=0; a=1;while (i != n) {

t=p; p=a; a=p+t; i=i+1;}

} Does this program calculate “fib(n)” and store

the result in “a”?

Page 95: Specification

Specification

Spec: {true}FIB{a==fib(n)}

Page 96: Specification

Specification

Spec: {true}FIB{a==fib(n)} FIB does not satisfy the spec: when n<0,

fib(n) is not even defined!!

Page 97: Specification

Specification

Spec: {true}FIB{a==fib(n)} FIB does not satisfy the spec: when n<0,

fib(n) is not even defined!! New spec: {n>=0}FIB{a==fib(n)} But, how can we be sure that the new spec

holds?

Page 98: Specification

Hoare Logic

Hoare logic consists of inference rules for proving valid Hoare triples Assignment, Conditional, Composition, while Loop What about others:

Switch, for loop, procedure call, inheritance? So, we can use these rules to show that

{n>=0}FIB{a==fib(n)} holds.

Page 99: Specification

Rule for Conditional

So, {n>=0}FIB{a==fib(n)} holds if FIB satisfies:

if (n==0) { {n>=0&&n==0}C1{a==fib(n)} }

else { {n>=0&&!(n==0)}C2{a==fib(n)}}

Page 100: Specification

Rule for Assignment

So, {n==0}a=0;{a==fib(n)} because n==0 implies 0==fib(n).

It suffices to show the correctness of C2:if (n==0) { {n>=0&&n==0}a=0;{a==fib(n)} }

else { {n>=0&&!(n==0)}C2{a==fib(n)} }

Page 101: Specification

Rule for Sequencing

So, it suffices to show:if (n==0) { {n>=0&&n==0}a=0;{a==fib(n)} }else { {n>=0&&!(n==0)}

i=1;p=0;a=1;{a==fib(i)&&p==fib(i-1)&&i<=n}while (I!=n) { t=p;p=a; a=p+t;i=i+1; }{a==fib(n)}

}

We focus on this step

Page 102: Specification

Rule for Loop

So, we have:{a==fib(i)&&p==fib(i-1)&&i<=n}while(i!=n) {

{a==fib(i)&&p==fib(i-1)&&i<=n&&i!=n} t=p; p=a; a=p+t; i=i+1;{a==fib(i)&&p==fib(i-1)&&i<=n}

}{a==fib(i)&&p==fib(i-1)&&i<=n&&!(i!=n)}

We prove this in the next slide

Page 103: Specification

Application of loop rule

{a==fib(i)&&p==fib(i-1)&&i<=n&&i!=n}{(a+p)==fib(i+1)&&a==fib(i+1-1)&&(i+1)<=n}

t=p; {(a+t)==fib(i+1)&&a==fib(i+1-1)&&(i+1)<=n}

p=a; {(p+t)==fib(i+1)&&p==fib(i+1-1)&&(i+1)<=n}

a=p+t;{a==fib(i+1)&&p==fib(i+1-1)&&(i+1)<=n}

i=i+1;{a==fib(i)&&p==fib(i-1)&&i<=n}

Page 104: Specification

Consequence

Since a==fib(i)&&!(i!=n) implies a==fib(n), we have:

{a==fib(i)&&p==fib(i-1)&&i<=n}while(i!=n) { t=p; p=a; a=p+t; i=i+1; }{a==fib(i)&&p==fib(i-1)&&i<=n&&!(i!=n)} {a==fib(n)}

Page 105: Specification

In-class examples

Prove:

{x=0 & y<0}x := x-1;x:= x-y;

{x >=0 }

Page 106: Specification

In-class examples

Prove:

{x>=0 & x=a & y=0}while x>0 loop

x := x-1;y := y+1;

end loop;{y=a}

What is the invariant?

Page 107: Specification

Another Risk

Windows daylight saving and file time-stamp"Chris Jakeman (Bigfoot)" Sun, 3 Nov 2002 21:48:22 -0000Discovered today that a misbehaving program wasdue to a strange behaviour in Windows. When thecomputer clock changes due to Daylight SavingTime (we gained an hour a week ago in the UK),Windows also changes the time stamp of all itsfiles by an hour. This came to light whensynchronising files between a Unix webserver anda Windows copy of the website, usingDreamweaver.

Page 108: Specification

Program Testing

Can reveal the presence of errors NOT their absence Only exhaustive testing can show a program is free from

defects. However, exhaustive testing for any but trivial programs is impossible

A successful test is a test which discovers one or more errors

Should be used in conjunction with static verification Run all tests after modifying a system

Regression testing

Page 109: Specification

Test Cases, Specs, and Programmed Behaviors

S = Specified behaviorsP = Programmed behaviorsT = Tested behaviorU = All possible behaviors

S P

[Adapted from Software Testing A Craftman’s Approach, by Jorgensen, CRC Press, 1995]

T

U

1

2

34

5 6

7

We want to makeregion 1 as largeas possible.

Page 110: Specification

Test Cases

Test case: An input on which the program under test is executed during

testing Test set:

Set of test cases for executing a program Test cases are valuable – just as valuable as the source

code. Test cases need to be developed, reviewed, used, managed,

and saved. Information to include: Test case ID, purpose, pre-conditions,

inputs, expected outputs, post-conditions, and execution history (date, result, version, run by)

[Adapted from Software Testing A Craftman’s Approach, by Jorgensen, CRC Press, 1995]

Page 111: Specification

The V-model of testing

Page 112: Specification

Testing Stages

Unit testing Testing of individual components

Integration testing Testing to expose problems arising from the

combination of components System testing

Testing the complete system prior to delivery Acceptance testing

Testing by users to check that the system satisfies requirements. Sometimes called alpha testing

Page 113: Specification

Terminology Failure

A failure is said to occur whenever the external behavior does not conform to system spec.

Error An error is a state of the

system which, in the absence of any corrective action, could lead to a failure.

Fault The actual cause of an

error.

Page 114: Specification

Distinction between Debugging and Testing Defect testing and debugging are distinct

processes Defect testing is concerned with confirming

the presence of errors Debugging is concerned with locating and

repairing these errors Debugging involves formulating a hypothesis

about program behavior then testing these hypotheses to find the system error

Page 115: Specification

Historical Views: Thinking About Testing Phase 0: Testing = Debugging Phase 1: Testing is an act whose purpose is to show that the

software works. Phase 2: Testing is an act whose purpose is to show that the

software does not work. Phase 3: Testing is an act whose purpose is not to prove

anything, but to reduce the perceived risk of failure to an acceptable level.

Phase 4: Testing is not an act; rather, it is a mindset that involves development and coding practices along with a systematic approach to exercising the software.

[Adapted from Software Testing Techniques, 2nd Edition, by Boris Beizer, Van Nostrand Reinhold, 1990]

Page 116: Specification

What Testing Showserrors

requirements conformance

performance

an indicationof quality

[Adapted from Software Engineering A Practitioner’s Approach 5th Edition, by Pressman, McGraw-Hill, 2000]

Page 117: Specification

Test Coverage and Adequacy

How much testing is enough? When to stop testing? Various test coverage criteria developed Goodenough and Gerhart [1975]:

What is software test adequacy criterion? A predicate that defines “what properties of a program

must be exercised to constitute a thorough test. i.e., one whose successful execution implies no errors in the program”

Page 118: Specification

Gerhart and Goodenough

Reliability requirement “Test criterion always produces consistent test results” If a program tested successfully on one test set that

satisfies the criterion, then the program also tested successfully on all test sets that satisfy the criterion

Validity requirement “Test always produces a meaningful result” For every error in a program, there exists a test set that

satisfies the criterion and is capable of revealing the error

Page 119: Specification

Two uses of test adequacy

Serves as a stopping rule Determines whether sufficient testing has been

done according to the criterion such that testing can be stopped

E.g., when using statement coverage, testing can stop when all program statements have been exercised

Provide measurements of test quality Percentage of coverage used as a metric to guide

whether further tests are needed

Page 120: Specification

Testing Methods Functional (Black Box) Testing

Knowing the specified functions that a product has been designed to perform, tests can be conducted to demonstrate that each function is fully operational.

Test cases are based on external behavior as well as internal structure.

Aka: specification-based, data-driven, or input/output driven testing Structural (White Box) Testing

Knowing the internal workings of a program, tests can be conducted to assure that the internal operation performs according to specification, and all internal components have been exercised.

Test cases are based on internal structure of the program and a specific level of coverage.

Aka: code-based, glass-box, logic-driven, or path-oriented testing Mutation testing; perturbation testing

Purposefully inserting errors into the code to help in determining the degree to which the program is being tested

Page 121: Specification

Feasibility of Testing to Specifications Suppose specs include 20 factors, each

taking on 4 values 420 or 1.1 1012 test cases If each takes 30 seconds to run, running all test

cases takes > 1 million years Combinatorial explosion makes exhaustive

testing to specifications impossible

Page 122: Specification

Feasibility of Testing to Code

Can exercise every path without detecting every fault (what if x=2, y=1, z=3?)

Page 123: Specification

Coping with the Combinatorial Explosion Neither testing to specifications nor testing to

code is feasible The art of testing:

Select a small, manageable set of test cases to Maximize chances of detecting fault, while Minimizing chances of wasting test case

Every test case must detect a previously undetected fault

Page 124: Specification

Coping with the Combinatorial Explosion We need a method that will highlight as many faults as

possible First black-box test cases (testing to specifications) Then glass-box methods (testing to code)

Page 125: Specification

Functional (Black Box) Testing

Knowing the specified function (requirements), design test cases to ensure that those requirements are met. Example : Sort (list);

Structural Testing - How well is the code exercised? Functional Testing - How well does Sort perform its intended function?

In general, complete functional testing is not feasible Attempting to test every possible input to the function

A randomly selected set of test cases is statistically insignificant “Not all test cases are created equally”

Test case selection Based on characteristics of input and output sets relative to

specified functionality.

Page 126: Specification

Functional Testing

Types of errors looked for during functional testing Incorrect function or missing function Interface errors External database errors Performance errors (including stress testing) Initialization/termination errors

Tests are designed to answer the following questions How is functional validity tested? What classes of input will make good test cases? Is the system particularly sensitive to certain input values? How are the boundaries of a data class isolated? What data rates and data volume can the system tolerate? What effect will specific combinations of data have on system

operations?

[Adapted from Software Engineering 4th Ed, by Pressman, McGraw-Hill, 1997]

Page 127: Specification

Goals and Methods of Functional Testing Goals

Produce test cases that reduce the overall number of test cases Generate test cases that will tell us something about the

presence or absence of errors for an entire class of input Methods/Approaches

Equivalence partitioning Boundary value analysis Cause-effect graphing Decision Tables

Page 128: Specification

Equivalence Partitioning

It is impossible to test all cases Equivalence partitioning provides a

systematic means for selecting cases that matter and ignoring those that don’t

An equivalence class or equivalence partition is a set of test cases that tests the same aspect or reveals the same bugs

e.g., If X >= 15 then do-this else do-that

(- 15) 15 (15 )

Page 129: Specification

Equivalence Partitioning

Equivalence partitions – groups for similar inputs, outputs, and/or operation of the software

e.g., file-name, 1 .. 255 characters- valid characters- invalid characters- valid length- invalid length

Page 130: Specification

Boundary Value Analysis

Range : a..b

Example : 100..200 Test cases : 99, 100, 101, 199, 200, 201

Number of values Test cases that exercise minimums and maximums

Apply the above to the output conditions Try to drive output to invalid range

Internal data structures with boundaries Example : A(1..100) with test cases A(0), A(1), A(2), A(99), A(100), A(101) A(0) and A(101) should generate exceptions

a b

( ))( (

Page 131: Specification

Equivalence Class Example

function in_list (input1:name_type;input_list : list_names)return boolean is …

Equivalence Classes:(1) Inputs where input1 is in the list

(2) Inputs where input1 is not in the list

Specific Input Partitions:List input1Empty ?One element In the listOne element Not in the list>One element First element>One element Last element>One element Middle element>One element Not in list

Test CasesList input1 Output<nil> ? falsebird bird truebird fish falsebird, cat, owl bird truedog, pig, chicken chicken true

...

Page 132: Specification

Cause Effect Graphing

Causes (input conditions) and effects (actions) are listed for a module, and an identifier is assigned to each

A cause-effect graph is developed Looking for causes without effects Looking for effects without causes

The graph is converted to a decision table (if a decision table has been used as a design tool, developing the graph and table is not necessary)

Decision table rules are converted to test cases

Page 133: Specification

Cause-Effect Graph Symbology

Identity

“Not”

“And”

“Or”

Symbology Constraints

c1

c1

c1

c2

c1

c2

e1

e1

e1

e1

c

a

a

a

a

b

b

b

b

E I O

R

ExclusiveInclusive

Only One

Requires

Page 134: Specification

Cause-Effect Graphing Example The CHANGE subcommand - used to modify a character string

in the “current line” of the file being edited Inputs

Syntax : C /string1/string2 String1 represents the character string you wish to replace

1-30 characters Any character except ‘/’

String2 represents the character string that is to replace string1 0-30 characters Any character except ‘/’

At least one blank must follow the command name “C”

Page 135: Specification

Cause-Effect Graphing Example

Outputs Changed line is printed to the terminal if the command

is successful “NOT FOUND” is printed if string1 cannot be found “INVALID SYNTAX” is printed if the command syntax

is incorrect System Transformations

If the syntax is valid and string1 can be found in the current line, then string1 is removed and string2 replaces it

If the syntax is invalid or string1 cannot be found, the line is not changed

Page 136: Specification

Cause-Effect Graphing Example Cause 1: The first nonblank character following the “C” and one or more

blanks is a ‘/’ Cause 2: The command contains exactly two ‘/’ characters Cause 3: String1 has length 1 Cause 4: String1 has length 30 Cause 5: String1 has length 2-29 Cause 6: String2 has length 0 Cause 7: String2 has length 30 Cause 8: String2 has length 1-29 Cause 9: The current line contains an occurrence of string1 Effect 1: The changed line is typed Effect 2: The first occurrence of string1 in the current line is replaced by

string2 Effect 3: NOT FOUND is printed Effect 4: INVALID SYNTAX is printed

Page 137: Specification

Complete Cause-Effect Graph

c1

c2

c3

c4

c5

c6

c8

c7

c9

i1

i2

i3

e1

e2

e3

e4

Page 138: Specification

Converting to a Decision Table

1 2 3 4 5 6 7 8 9 10 11c1c2c3c4c5c6c7c8c9

e1e2e3e4

I = invoked A = absentS = suppressed P = presentX = don't care

Page 139: Specification

jUnit Test framework

Initially developed to support Extreme Programming Focused on unit testing

Features and Goals Trivial to add unit tests Trivial to run tests

Taking ACE and TAO’s one-button tests to the extreme (actually one-button runs them all)

Tests must be complete automatic (no user input) Trivial presentation of test results

Green = good Red = one or more tests failed

Rerun tests without exiting the testing interface Large assertion API to aid condition checking

Idea: Unit tests are good, but a pain to write -> jUnit alleviates much of the pain

Page 140: Specification

Writing a jUnit Test Case1. Define a subclass of TestCase2. Override the setUp() method to initialize object(s)

under test (optional)3. Override the tearDown() method to release any

permanent resources you allocated in setUp() (optional)

4. Define one or more testXxx() methods that exercise the objects under test

5. Define a suite() method that creates a TestSuite containing all the testXxxx() methods of a TestCase

6. Define a main() method that runs the TestCase

Page 141: Specification

Basic jUnit Test Caseimport junit.framework.*;

public class CubeTest extends TestCase { public CubeTest(String name) { super(name); } protected void setUp() { /* Any pre-test setup */ } protected void tearDown() { /* Any post-test teardown */ } public void testCubePositive() { assertEquals(Cube.calcCube(5), 125); } public void testCubeNegative() { assertEquals(Cube.calcCube(-5), -125); } public void testCubeZero() { assertEquals(Cube.calcCube(0), 0); }}

Page 142: Specification

import junit.framework.*;import junit.runner.BaseTestRunner;

public class AllTests {

public static Test suite() { TestSuite suite= new TestSuite("Cube Tests"); suite.addTestSuite(CubeTest.class); return suite; } public static void main(String[] args) { junit.textui.TestRunner.run(suite()); }}

Basic jUnit Test Suite

Page 143: Specification

Running the jUnit Tests Three ways:

Text UI – java junit.textui.TestRunner <Suite> AWT UI - java junit.awtui.TestRunner <Suite> Swing UI - java junit.swingui.TestRunner <Suite>

GUI features Reload classes each run

Make changes without restarting the test runner Browse test cases Run individual tests

Text UI features Fastest Can be automated

Page 144: Specification

Screenshot of Cube Test Run

Page 145: Specification

Assertion APIassertEquals(T expected, T actual);

assertEquals(double expected, double actual, double delta);

assertNull(Object object);

assertNotNull(Object object);

assertSame(Object expected,Object actual);

assertTrue(boolean condition);

fail(String message);•If any exceptions are thrown, jUnit will catch and log them too.

Page 146: Specification

Glass-Box Module Testing Methods Structural testing

Statement coverage Branch coverage Condition coverage Path coverage Linear code sequences All-definition-use path coverage

Page 147: Specification

Control Flow Graph• Step 1: From the source code, create a graph describing the flow of control (called the control flow graph). The graph is created (extracted from the source code) manually or automatically

• Step 2: Design test cases to cover certain elements of this graph nodes, edges, paths

Page 148: Specification

Structural Testing: Statement Coverage Statement coverage:

Series of test cases to check every statement at least once

CASE tool needed to keep track Weakness

Branch statements Consider

if ( y >= 0) then y = 0;abs = y;

test case-1:input: y = 0expected result: 0actual result: 0

This case gives the false assumption that the code is correct.

Page 149: Specification

Structural Testing: Branch Coverage Series of tests to check all branches (solves

problem on previous slide); edge coverage Again, a CASE tool is helpful

if ( y >= 0) then y = 0;abs = y;

test case-1:input: y = 0expected result: 0actual result: ?

test case-2:input: y = -5expected result: 5actual result: ?

Branch=>statementnot true other way…

Page 150: Specification

Branch Coverage Problem

if ( x < 10 && y > 20) { z = foo (x,y);else z =fie (x,y);}

test case-1 (yes-branch):input: x = -4, y = 30expected result: ...actual result: ?

test case-2 (no-branch):input: x = 12, y = 12expected result: ...actual result: ?

What is the potential problem here?

Page 151: Specification

Another example…

found := false; counter : = 1;while (not found) and counter < number_of_items loop …

Perhaps < should be <=, but certain values of found and counter may not reveal this…

Page 152: Specification

Condition Coverage

if ( x < 10 && y > 20) { z = foo (x,y);else z =fie (x,y);}

x<10 y>20-----------------------------------test-case-1: t ttest-case:2 t ftest-case-3: f ttest-case-4 f f

Page 153: Specification

Another Problem…

Consider:

{x = 0, z = 12} (n,y){x = 2, z = 6} (y,n)

What is the problem here?

Page 154: Specification

Path Coverage

Consider:

{x = 0, z = 7} (n,n){x = 0, z = 13} (n,y){x = 1, z = 5} (y,n){x = 2, z = 15} (y,y)

All paths leading from initial to the final node of P’s control flowgraph are traversed…

Page 155: Specification

Linear Code Sequences In a fragment with a loop, the number of paths is

very large, and can be infinite We want a weaker condition than all paths but that shows

up more faults than branch coverage Linear code sequences

Identify the set of points L from which control flow may jump, plus entry and exit points

Restrict test cases to paths that begin and end with elements of L

This uncovers many faults without testing every path

Page 156: Specification

All-definition-use-path Coverage Each occurrence of variable, zz say, is labeled either as

The definition of a variablezz = 1 or read (zz)

or the use of variabley = zz + 3 or if (zz < 9) errorB ()

Identify all paths from the definition of a variable to the use of that definition This can be done by an automatic tool

A test case is set up for each such path

Page 157: Specification

Data-flow testing using def-use

Page 158: Specification

Data-flow testing using def-use

Led to research ideas of program slicing, and other static analysis techniques…

Page 159: Specification

Another Example of def-use

Page 160: Specification

Continued…

Page 161: Specification

Infeasible Code

It may not be possible to test a specific statement May have an

infeasible path (“dead code”) in the module

Frequently this is evidence of a fault

Page 162: Specification

Automated Testing of GUIs

Commercial tools: Mercury Interactive

WinRunner, LoadRunner Rational

Ph.D. Level research: Best reference: Atif Memon

http://www.cs.umd.edu/~atif/

Page 163: Specification

C/S - DatabasesLoadRunner (Load/Stress)TestDirector(Test Management)WinRunner (Functional/Regression)

E - BusinessWebTest Add-in for WinRunnerLoadRunnerTestDirectorAstra Site ManagerAstra Site Test

ERP Applications

WinRunnerTestDirector LoadRunner QuickTest

Year 2000

QuickTest 2000WinRunner 2000TestDirectorLoadRunner/RTE

The Mercury Interactive Product Line

MERCURY’S PRODUCT

LINE

Page 164: Specification

Why Use Testing Tools?

No TestingNo Testing Manual TestingManual Testing• Time consuming• Low reliability• Human resources• Inconsistent

Automated TestingAutomated TestingSpeedRepeatabilityProgramming

capabilitiesCoverageReliabilityReusability

Page 165: Specification

Which Test Cases to Automate?

Tests that need to be run for every build of the application (sanity level)

Tests that use multiple data values for the same actions (data driven tests)

Tests that require detailed information from application internals (e.g., SQL, GUI attributes)

Stress/load testing

More repetitive execution?Better candidate for automation.

Page 166: Specification

Which Test Cases Not to Automate?Usability testing

"How easy is the application to use?"One-time testing"ASAP" testing

"We need to test NOW!"Ad hoc/random testing

based on intuition and knowledge of applicationTests without predictable results

Improvisation required?Poor candidate for automation.

Page 167: Specification

What Happens During Recording?

set_window("Automobile Purchase Form", 10);edit_set ("Customer Name", "Thomas Paine");edit_set ("Address","234 Willow Drive");

Depart Date: ___/___/___From City. . : ________________To City. . . . .: ________________Flight. . . . . . : _______

Order Number. . . .: __________Customer. . . . . . . .: ___________________

Billing Date. . . . . . : edit_set ("Date", "12/12/98");list_select_item ("Make", "BMW"); edit_set ("Year", "1973");

button_press ("Insert Sale");

Thomas Paine

234 Willow Drive

12/12/98

BMW1973 2002tii

edit_set ("Model", "2002tii");

Page 168: Specification

Context Sensitive Recording Object oriented Readable script Maintainable script (editable) Script not affected by User

Interface changes if object moves location on GUI,

script will still replay correctly Portable script

a context sensitive script can be ported to different platforms with different configurations

Page 169: Specification

scroll bar

frame

A Closer Look at GUI Objectsmenu window

radio button push button

list item

edit field

static text

Page 170: Specification

User Actions in the Test Script

list_select_item ("Make", "BMW");

button_press ("OK");

set_window("Automobile Purchase Form", 10);

set_window("Login", 10);

password_edit_set("Password:", "kzptnzet");

edit_set ("Username", "thomas");

Specify window for input

Type input into an edit field

Press a button to submit "OK"

Type encrypted input into password field

Specify a listbox selection

Page 171: Specification

Wait for a bitmap to refresh

BITMAP

Wait for a window

WINDOW

No visual cue;just wait forset time toelapse

ELAPSEDTIME

Establish Visual Cue to SynchronizeExamples

Wait for an object state

OBJECT STATE

Page 172: Specification

Testing Phases in TestDirector Test Planning

set up your test plan create the test cases manage resources

Test Execution run manual and automated tests run integrated tests collect and analyze test results

Defect Tracking create and track defects throughout the life cycle inform testing team with automatic email notification monitor defect status using graphs and reports

Page 173: Specification

You Can Monitor the Testing Effort How:

many tests are ready for test execution? many tests executed passed or failed? many defects are logged in a week? many defects remain in severe status? long does it take for a defect to be fixed? can I balance the resources available?

Page 174: Specification

View Contents of the Defect Database

Page 175: Specification

Things are not as perfect as they seem...1. The recorded input can be incorrect either due to tester error during the

recording session, or the test script can be incorrect in the first place. A reliance on recording alone would then require the entire input to be re-recorded

2. The resulting script contains multiple commands and statements for every action taken, is extremely lengthy and difficult to interpret and maintain

3. Recording of test scripts requires that the application be fully developed, and error-free

4. If errors occur, such as unexpected screens, the recorded test script will fail, and therefore requires someone to constantly monitor the test run in order to keep it going

Page 176: Specification

The Problem: Software Drift Over many phases of maintenance, structure begins

to decay (entropy) Begins to resemble Rube Goldberg machine

(http://www.rube-goldberg.com/html/gallery.htm) Honda Cog commercial

Page 177: Specification

What is Refactoring?The process of changing a software system in such a way that it does not alter the external behaviour of the code, yet improves its internal structure – Martin Fowler

A behaviour-preserving source-to-source program transformation – Don Roberts

A change to the system that leaves its behaviour unchanged, but enhances some non-functional quality - simplicity, flexibility, understandability- Kent Beck

Page 178: Specification

Where Refactoring Came From

Ward Cunningham and Kent Beck Smalltalk style

Ralph Johnson at UIUC Bill Opdyke’s Thesis

ftp://st.cs.uiuc.edu/pub/papers/refactoring/opdyke-thesis.ps.Z

John Brant and Don Roberts: The Refactoring Browser

Page 179: Specification

Refactoring Tools Based on provable transformations

Build parse tree of programs Research: Mathematic proof that refactoring does not

change semantics; graph transformation Embed refactoring in tool

Speeds up refactoring Extract method: select code, type in method name. Big speed improvement

Not Science Fiction Available for Smalltalk for a couple of years Now appearing for Java and other languages

Page 180: Specification

Refactor To UnderstandThe Obvious:

• Programs hard to read => Programs hard to understand

• => Programs hard to modify• Programs with duplicated logic are hard to understand• Programs with complex conditionals are hard to understand

Refactoring code creates and supports the understanding• Renaming instance variables helps understanding methods• Renaming methods helps understanding responsibility• Iterations are necessary

Page 181: Specification

Typical RefactoringsClass Refactorings

Method Refactorings Attribute Refactorings

add (sub)class to hierarchy

add method to class add variable to class

rename class rename method rename variableremove class remove method remove variable

push method down push variable downpush method up push variable upadd parameter to method create accessorsmove method to component abstract variableextract code in new method

These simple refactorings can be combined to provide bigger restructurings such as the introduction of design patterns.

Page 182: Specification

Example: Add Class

Add Class (new name, package, superclasses, subclasses)Preconditions

no class or global variable exists with new name in the same scope subclasses are all subclasses of all superclasses

Postconditions new class is added into the hierarchy with superclasses as

superclasses and subclasses as subclasses new class has name new name subclasses inherit from new class and not anymore from

superclassesConsiderations: Abstractness

B

C D FN

A B

C D

F

A

Page 183: Specification

Rename Method: Do It Yourself

Do it yourself approach Check if a method does not exist in the class and

superclass/subclasses with the same “name” Browse all the implementers (method definitions) Browse all the senders (method invocations) Edit and rename all implementers Edit and rename all senders Remove all implementers Test Automated refactoring is better !

BX

B b = new B();b.blnc();

blnce()

Ablnce()

Dblnce()

Cblnce()

BXbalance()

Abalance()

Dbalance()

Cbalance()

B b = new B();b.balance();

Page 184: Specification

Rename Method Rename Method (method, new name)Preconditions

no method exists with the signature implied by new name in the inheritance hierarchy that contains method

Postconditions method has new name relevant methods in the inheritance hierarchy have new

name invocations of changed method are updated to new name

Other Considerations Statically/Dynamically Typed Languages

=> Scope of the renaming

Page 185: Specification

Bad smells in code Duplicated code

“The #1 bad smell” Same expression in two methods in the same class?

Make it a private ancillary routine and parameterize it (Extract method)

Same code in two related classes? Push commonalities into closest mutual ancestor and parameterize Use template method for variation in subtasks

(Form template method) Same code in two unrelated classes?

Ought they be related? Introduce abstract parent (Extract class, Pull up method)

Does the code really belong to just one class? Make the other class into a client (Extract method)

Page 186: Specification

Bad smells in code Long method

Often a sign of: Bad cohesion Trying to do too many things Poorly thought out abstractions and boundaries

Best to think carefully about the major tasks and how they inter-relate. Be aggressive!

Break up into smaller private methods within the class(Extract method)

Fowler’s heuristic: When you see a comment, make a method. Often, a comment indicates:

The next major step Something non-obvious whose details detract from the clarity of the

routine as a whole. In either case, this is a good spot to “break it up”.

Page 187: Specification

Bad smells in code Long parameter list

Long parameter lists make methods difficult for clients to understand

This is often a symptom of Trying to do too much … with too many disparate subparts

In the old days, structured programming taught the use of parameterization as a cure for global variables.

With modules/OOP, objects have mini-islands of state that can be reasonably treated as “global” to the methods (yet are still hidden from the rest of the program).

i.e., You don’t need to pass a subpart of yourself as a parameter to one of your own methods.

Page 188: Specification

Bad smells in code Divergent change

Occurs when one class is commonly changed in different ways for different reasons

Likely, this class is trying to do too much and contains too many unrelated subparts

Over time, some classes develop a “God complex” They acquires details/ownership of subparts that rightly belong

elsewhere This is a sign of poor cohesion

Unrelated elements in the same container Solution:

Break it up, reshuffle, reconsider relationships and responsibilities (Extract class)

Page 189: Specification

Bad smells in code

Shotgun surgery … the opposite of divergent change

Each time you want to make a single, seemingly coherent change, you have to change lots of classes in little ways

Also a classic sign of poor cohesion Related elements are not in the same container!

Solution: Look to do some gathering, either in a new or existing class.

(Move method/field)

Advertisement: A key idea that will be explored in my CS 692/792 class next Fall

Page 190: Specification

Bad smells in code Data clumps

You see a set of variables that seem to “hang out” togethere.g., passed as parameters, changed/accessed at the same time

Usually, this means that there’s a coherent subobject just waiting to be recognized and encapsulated

void Scene::setTitle (string titleText, int titleX, int titleY, Colour titleColour){…}

void Scene::getTitle (string& titleText, int& titleX, int& titleY, Colour& titleColour){…}

Page 191: Specification

Bad smells in code Data clumps

In the example, a Title class is dying to be born If a client knows how to change a title’s x, y, text, and colour, then it

knows enough to be able to “roll its own” Title objects. However, this does mean that the client now has to talk to another class.

This will greatly shorten and simplify your parameter lists (which aids understanding) and makes your class conceptually simpler too.

Page 192: Specification

Bad smells in code

Switch statements

Double getSpeed () { switch (_type) {

case EUROPEAN: return getBaseSpeed();case AFRICAN: return getBaseSpeed() –

getLoadFactor() * _numCoconuts;case NORWEGIAN_BLUE: return (_isNailed) ? 0

: getBaseSpeed(_voltage); }}

Page 193: Specification

Bad smells in code

Switch statements This is an example of a lack of understanding polymorphism

and a lack of encapsulation. Solution:

Redesign as a polymorphic method of PythonBird(Replace conditional with polymorphism, replace type code

with subclasses)

Page 194: Specification

Bad smells in code

Lazy class Classes that don’t do much that’s different from other classes. If there are several sibling classes that don’t exhibit

polymorphic behavioural differences , then consider just collapsing them back into the parent and add some parameters

Often, lazy classes are legacies of ambitious design or a refactoring that gutted the class of interesting behaviour

(Collapse hierarchy, inline class)

Page 195: Specification

Bad smells in code Inappropriate intimacy

Sharing of secrets between classes, esp. outside of the holy bounds of inheritance

e.g., public variables, indiscriminate definitions of get/set methods, C++ friendship, protected data in classes

Leads to data coupling, intimate knowledge of internal structures and implementation decisions.

Makes clients brittle, hard to evolve, easy to break. Solution:

Appropriate use of get/set methods Rethink basic abstraction. Merge classes if you discover “true love”(Move/extract method/field, change bidirectional association to

unidirectional, hide delegate)

Page 196: Specification

Sample Output

Rental Record for Dinsdale PirhanaMonty Python and the Holy Grail3.5Ran

2Star Trek 27

6Star Wars 3.2

3Wallace and Gromit

6Amount owed is 20.5You earned 6 frequent renter points

Page 197: Specification

Class Moviepublic class Movie {

public static final int CHILDRENS = 2;public static final int REGULAR = 0;public static final int NEW_RELEASE = 1;

private String _title;private int _priceCode;

public Movie(String title, int priceCode) {_title = title;_priceCode = priceCode;

}

public int getPriceCode() {return _priceCode;

}

public void setPriceCode(int arg) { _priceCode = arg;

}

public String getTitle () {return _title;

};}

Page 198: Specification

Class Rental

class Rental { private Movie _movie; private int _daysRented;

public Rental(Movie movie, int daysRented) { _movie = movie; _daysRented = daysRented; } public int getDaysRented() { return _daysRented; } public Movie getMovie() { return _movie; }}

Page 199: Specification

Class Customer (almost)

class Customer {private String _name;

private Vector _rentals = new Vector();

public Customer (String name) {_name = name;};

public void addRental(Rental arg) { _rentals.addElement(arg); }

public String getName () {return _name;};

public String statement() // see next slide

Page 200: Specification

Customer.statement() part 1public String statement() {

double totalAmount = 0;int frequentRenterPoints = 0;Enumeration rentals = _rentals.elements();String result = "Rental Record for " + getName() + "\n";while (rentals.hasMoreElements()) {

double thisAmount = 0;Rental each = (Rental)

rentals.nextElement();

//determine amounts for each lineswitch (each.getMovie().getPriceCode()) {

case Movie.REGULAR:thisAmount += 2;if (each.getDaysRented() > 2)

thisAmount += (each.getDaysRented() - 2) * 1.5;

break;case Movie.NEW_RELEASE:

thisAmount += each.getDaysRented() * 3;break;

case Movie.CHILDRENS:thisAmount += 1.5;if (each.getDaysRented() > 3)

thisAmount += (each.getDaysRented() - 3) * 1.5;

break;

} continues on next slide

Page 201: Specification

Customer.statement() part 2

// add frequent renter pointsfrequentRenterPoints ++;// add bonus for a two day new release

rentalif ((each.getMovie().getPriceCode() ==

Movie.NEW_RELEASE) && each.getDaysRented() > 1)

frequentRenterPoints ++;

//show figures for this rentalresult += "\t" +

each.getMovie().getTitle()+ "\t" + String.valueOf(thisAmount) + "\n";totalAmount += thisAmount;

}//add footer linesresult += "Amount owed is " + String.valueOf(totalAmount) + "\n";result += "You earned " + String.valueOf(frequentRenterPoints) +

" frequent renter points";return result;

}

Page 202: Specification

Interactions for statement

aC ustom er aR ental aM ovie

getM ovie

* [for all renta ls]

getPriceC ode

getD aysRented

statem ent

Page 203: Specification

Future Requirements Changes

Produce an html version of the statement The movie classifications will soon change

together with the rules for charging and for frequent renter points

Page 204: Specification

Extract Method

voi d printOwi ng() {printBanner();

// print detail sSystem.out.pri ntln ("name: " + _name);System.out.pri ntln ("amount" + getOutstanding());

}

voi d printOwi ng() {printBanner();printDetai ls(getOutstanding());

}

voi d printDetai ls (double outstandi ng) {System.out.pri ntln ("name: " + _name);System.out.pri ntln ("amount" + outstandi ng);

}

You have a code fragment that can be grouped togetherTurn the fragment into a method whose name explains the

purpose of the method.

Page 205: Specification

Steps for Extract Method Create method named after intention of code Copy extracted code Look for local variables and parameters

turn into parameter turn into return value declare within method

Compile Replace code fragment with call to new

method Compile and test

Page 206: Specification

Candidate Extractionpublic String statement() {

double totalAmount = 0;int frequentRenterPoints = 0;Enumeration rentals = _rentals.elements();String result = "Rental Record for " + getName() + "\n";while (rentals.hasMoreElements()) {

double thisAmount = 0;Rental each = (Rental)

rentals.nextElement();

//determine amounts for each lineswitch (each.getMovie().getPriceCode()) {

case Movie.REGULAR:thisAmount += 2;if (each.getDaysRented() > 2)

thisAmount += (each.getDaysRented() - 2) * 1.5;

break;case Movie.NEW_RELEASE:

thisAmount += each.getDaysRented() * 3;

break;case Movie.CHILDRENS:

thisAmount += 1.5;if (each.getDaysRented() > 3)

thisAmount += (each.getDaysRented() - 3) * 1.5;

break;

} [snip]12

Page 207: Specification

Extracting the Amount Calculation

private int amountFor(Rental each) { int thisAmount = 0; switch (each.getMovie().getPriceCode()) { case Movie.REGULAR: thisAmount += 2; if (each.getDaysRented() > 2) thisAmount += (each.getDaysRented() - 2) * 1.5; break; case Movie.NEW_RELEASE: thisAmount += each.getDaysRented() * 3; break; case Movie.CHILDRENS: thisAmount += 1.5; if (each.getDaysRented() > 3) thisAmount += (each.getDaysRented() - 3) * 1.5; break; } return thisAmount;}

Page 208: Specification

Statement() after extraction public String statement() {

double totalAmount = 0; int frequentRenterPoints = 0; Enumeration rentals = _rentals.elements(); String result = "Rental Record for " + getName() + "\n"; while (rentals.hasMoreElements()) { double thisAmount = 0; Rental each = (Rental) rentals.nextElement();

thisAmount = amountFor(each);

// add frequent renter points frequentRenterPoints ++; // add bonus for a two day new release rental if ((each.getMovie().getPriceCode() == Movie.NEW_RELEASE) &&

each.getDaysRented() > 1) frequentRenterPoints ++;

//show figures for this rental result += "\t" + each.getMovie().getTitle()+ "\t" +

String.valueOf(thisAmount) + "\n"; totalAmount += thisAmount;

} //add footer lines result += "Amount owed is " + String.valueOf(totalAmount) + "\n"; result += "You earned " + String.valueOf(frequentRenterPoints) +

" frequent renter points"; return result;

}}

Page 209: Specification

Extracting the amount calculation (2)

private double amountFor(Rental each) { double thisAmount = 0; switch (each.getMovie().getPriceCode()) { case Movie.REGULAR: thisAmount += 2; if (each.getDaysRented() > 2) thisAmount += (each.getDaysRented() - 2) * 1.5; break; case Movie.NEW_RELEASE: thisAmount += each.getDaysRented() * 3; break; case Movie.CHILDRENS: thisAmount += 1.5; if (each.getDaysRented() > 3) thisAmount += (each.getDaysRented() - 3) * 1.5; break; } return thisAmount;}

Is this important?

Is this method in the right

place?

Page 210: Specification

Change names of variablesprivate double amountFor(Rental aRental) { double result = 0; switch (aRental.getMovie().getPriceCode()) { case Movie.REGULAR: result += 2; if (aRental.getDaysRented() > 2) result += (aRental.getDaysRented() - 2) * 1.5; break; case Movie.NEW_RELEASE: result += aRental.getDaysRented() * 3; break; case Movie.CHILDRENS: result += 1.5; if (aRental.getDaysRented() > 3) result += (aRental.getDaysRented() - 3) * 1.5; break; } return result;}

Page 211: Specification

Move Method

aMethod()

Class 1

Class 2

Class 1

aMethod()

Class 2

A method is, or will be, using or used by more features of another class than the class it is defined on.

Create a new method with a similar body in the class it uses most. Either turn the old method into a simple delegation, or

remove it altogether.

Page 212: Specification

Steps for Move method Declare method in target class Copy and fit code Set up a reference from the source object to the target Turn the original method into a delegating method

amountOf(Rental each) {return each.charge()}

Check for overriding methods Compile and test Find all users of the method

Adjust them to call method on target Remove original method Compile and test

Page 213: Specification

Moving amount() to Rentalclass Rental ...

double getCharge() { double result = 0; switch (getMovie().getPriceCode()) { case Movie.REGULAR: result += 2; if (getDaysRented() > 2) result += (getDaysRented() - 2) * 1.5; break; case Movie.NEW_RELEASE: result += getDaysRented() * 3; break; case Movie.CHILDRENS: result += 1.5; if (getDaysRented() > 3) result += (getDaysRented() - 3) * 1.5; break; } return result;}1

statem ent()

C ustom er

getC harge()

daysR ented: int

R ental

priceC ode: int

M ovie

Page 214: Specification

Altered statementclass Customer... public String statement() { double totalAmount = 0; int frequentRenterPoints = 0; Enumeration rentals = _rentals.elements(); String result = "Rental Record for " + getName() + "\n"; while (rentals.hasMoreElements()) { double thisAmount = 0; Rental each = (Rental) rentals.nextElement();

thisAmount = each.getCharge(); // add frequent renter points frequentRenterPoints ++; // add bonus for a two day new release rental if ((each.getMovie().getPriceCode() == Movie.NEW_RELEASE) &&

each.getDaysRented() > 1) frequentRenterPoints ++;

//show figures for this rental result += "\t" + each.getMovie().getTitle()+ "\t" +

String.valueOf(thisAmount) + "\n"; totalAmount += thisAmount;

} //add footer lines result += "Amount owed is " + String.valueOf(totalAmount) + "\n"; result += "You earned " + String.valueOf(frequentRenterPoints) +

" frequent renter points"; return result;

}

Page 215: Specification

Replace Conditional With Polymorphism

getSpeed

Bird

getSpeed

European

getSpeed

African

getSpeed

Norweigian Blue

doubl e getSpeed() {switch (_type) {

case EUROPEAN:return getBaseSpeed();

case AFRICAN:return getBaseSpeed() - getLoadFactor() * _numberOfCoconuts;

case NORWEIGIAN_BLUE:return (_i sNai led) ? 0 : getBaseSpeed(_vol tage);

}throw new RuntimeExcepti on ("Shoul d be unreachable");

}

You have a conditional that chooses different behavior depending on the type of an object.

Move each leg of the conditional to an overriding method in a subclass. Make the original method abstract

Page 216: Specification

Steps for Replace Conditional with Polymorphism

Move switch to superclass of inheritance structure

Copy one leg of case statement into subclass Compile and test Repeat for all other legs Replace case statement with abstract method

Page 217: Specification

Move getCharge to Priceclass Movie…

double getCharge(int daysRented) {return _price.getCharge(daysRented);

}

class Price… double getCharge(int daysRented) { double result = 0; switch (getPriceCode()) { case Movie.REGULAR: result += 2; if (daysRented > 2) result += (daysRented - 2) * 1.5; break; case Movie.NEW_RELEASE: result += daysRented * 3; break; case Movie.CHILDRENS: result += 1.5; if (daysRented > 3) result += (daysRented - 3) * 1.5; break; } return result;}

Page 218: Specification

Override getCharge in the subclassesClass RegularPrice…

double getCharge(int daysRented){ double result = 2; if (daysRented > 2) result += (daysRented - 2) * 1.5; return result; }Class ChildrensPrice double getCharge(int daysRented){ double result = 1.5; if (daysRented > 3) result += (daysRented - 3) * 1.5; return result; }

Class NewReleasePrice… double getCharge(int daysRented){ return daysRented * 3;

}

Class Price… abstract double getCharge(int

daysRented);

Do each leg one at a time then...

Page 219: Specification

Obstacles to RefactoringComplexity

• Changing design is hard• Understanding code is hard

Possibility to introduce errors• Run tests if possible• Build tests

Clean first Then add new functionality

Cultural Issues• Producing negative lines of code, what an idea!• “We pay you to add new features, not to improve the code!”

If it ain’t broke, don’t fix it• “We do not have a problem, this is our software!“

Page 220: Specification

Obstacles to Refactoring

Performance• Refactoring may slow down the execution• The secret to write fast software:

“Write tunable software first then tune it”Typically only 10% of your system consumes 90% of the resources so just focus on 10 %.

• Refactorings help to localize the part that need change• Refactorings help to concentrate the optimizations

Development is always under time pressure • Refactoring takes time• Refactoring better right after a software release

Page 221: Specification

Conclusion: Know-when & Know-how

“Know when” is as important as “know-how”• Use “code smells” as symptoms• Rule of the thumb: “Once and Only Once” (Kent Beck)

=> a thing stated more than once implies refactoring

Page 222: Specification

Research Issues (Mens paper) Tool Support

Visualization, automated refactoring How to make more open?

Scalability of composable refactorings (conflict resolution)

Analysis of dependencies among refactorings Formally, what is behavior and how can we prove that

it is preserved by a refactoring Real-time, embedded, safety critical behavior?

Page 223: Specification

Research Issues (Mens paper) How to specify refactoring in a language-independent

manner? How to apply refactoring at higher levels of abstraction

(e.g., UML models)? Determine the “where/how” of applying refactoring Can we get some objective measurements of how

refactoring affects software quality?