specification
DESCRIPTION
Specification. A broad term that means definition Used at different stages of software development for different purposes Generally, a statement of agreement ( contract ) between producer and consumer of a service Designer/implementer and user All desirable qualities must be specified - PowerPoint PPT PresentationTRANSCRIPT
Specification
A broad term that means definition Used at different stages of software
development for different purposes Generally, a statement of agreement
(contract) between producer and consumer of a service Designer/implementer and user
All desirable qualities must be specified What versus how dichotomy
Uses of specification
Statement of user requirements major failures occur because of
misunderstandings between the producer and the user
"The hardest single part of building a software system is deciding precisely what to build“ (F. Brooks)
Uses of specification (cont.)
Statement of the interface between the machine and the controlled environment serious undesirable effects can result due to
misunderstandings between software engineers and domain experts about the phenomena affecting the control function to be implemented by software (remember Arianne 5 example)
Uses of specification (cont.)
Statement of requirements for implementation design process is a chain of specification (i.e., definition)–
implementation–verification steps requirements specification refers to definition of external
behavior design specification must be verified against it
design specification refers to definition of the software architecture
code must be verified against it
Uses of specification (cont.)
A reference point during maintenance corrective maintenance only changes
implementation adaptive and perfective maintenance occur
because of requirements changes requirements specification must change accordingly
Specification qualities Precise, clear, unambiguous Consistent Complete
internal completeness external completeness
Incremental Informal specifications, written in a natural
language, are likely to contain subtle ambiguities Please see:
http://www.gray-area.org/Research/Ambig
Clear, unambiguous, understandable Example: specification fragment for a
word-processor (from Word 4.0 manual)
Selecting is the process of designating areas of the document that you want to work on. Most editing and formatting actions require two steps: first you select what you want to work on, such as text or graphics; then you initiate the appropriate action.
can an area be scattered?
Precise, unambiguous, clear Another example (from a real safety-
critical system)
The message must be triplicated. The threecopies must be forwarded through three different physical channels. The receiver accepts the message on the basis of a two-out-of-three voting policy.
can a message be accepted as soon as we receive 2 out of 3 identical copies of message or do we need to wait for receipt of the 3rd?
Consistent Example: specification fragment for a word-
processor
The whole text should be kept in lines of equal length. The length is specified by the user. Unless the user gives an explicit hyphenation command, a carriage return should occur only at the end of a word.
What if the length of a word exceeds the length of the line?
Complete
Internal completeness the specification must define any new concept or
terminology that it uses glossary helpful for this purpose
the specification must document all the needed requirements difficulty: when should one stop?
Classification of specification styles
Informal, semi-formal, formal Operational
Behavior specification in terms of some abstract machine
Descriptive Behavior described in terms of properties
Example 1 - Operational Specification of a geometric figure E:
E can be drawn as follows:
1. Select two points P1 and P2 on a plane2. Get a string of a certain length and fix its ends
to P1 and P23. Position a pencil as shown in next figure4. Move the pen clockwise, keeping the string
tightly stretched, until you reach the point where you started drawing
P P 1 2
A descriptive specification
Geometric figure E is describe by the following equation
ax2 + by2 + c = 0where a, b, and c are suitable constants
Another example
“Let a be an array of n elements. The result of its sorting is an array b of n elements such that the first element of b is the minimum of a (if several elements of a have the same value, any one of them is acceptable); the second element of b is the minimum of the array of n-1 elements obtained from a by removing its minimum element; and so on until all n elements of a have been removed.”
“The result of sorting array a is an array b which is a permutation of a and is sorted.”
Which one is operational? Descriptive?
Case study: Elevator Problem
An n elevator system to be installed in a building with m floors Natural language specs contain several ambiguities Formal specification using PNs removes ambiguities Specification will be provided in a stepwise fashion Will use modules, each encapsulating fragments of PNs which
describe certain system components
Easy question (?)(not on initial slides) How many buttons are on the first and top
floors?
From informal specs…
“The illumination is cancelled when the elevator visits the floor and is either moving in the desired direction, or ...”
2 different interpretations (case of up call) switch off as the elevator arrives at the floor from below
(obvious restrictions for 1st and last floor) switch off after the elevators starts moving up
in practice you may observe the two cases!
…more analysis of informal specs
“The algorithm to decide which to service first should minimize the waiting time for both requests.”what does this mean?
in no other way can you satisfy either request in a shorter time
but minimizing for one may require longer for the other the sum of both is minimal
why the sum?
Models Of Computation
A mathematical description that has a syntax and rules for computation of the behavior described by the syntax (semantics). Used to specify the semantics of computation and concurrency.
Characteristics: compact description, fidelity to design style, synthesize and optimize behavior to an implementation.
Language & MOCs: MOC affects expressiveness, trade off.
Diversity of MOCs
There are (far too) many models of computation in the embedded systems domain alone.
Why? Need to handle
different notions of time. different modes of communication different types of functionalities.
Notions of Time
Source: A.Sangiovanni-Vincentelli
Petri Nets: One Example of a MOC Originated in thesis of Carl Adam Petri, 1965 Beneficial in modeling systems that are
asynchronous and concurrent More popularized by Anatol Holt in 1968 For a while, very hot research area
(multiple yearly conferences)
Petri netsA quadruple (P,T,F,W)
P: places T: transitions (P, T are finite) F: flow relation (F {PT} {TP} ) W: weight function (W: F N – {0} )Properties:(1) P T = Ø(2) P T Ø(3)F (P T) (T P)(4) W: F N-{0}Default value of W is 1
State defined by marking: M: P N
places
transitions flows
marking
3 weight
P
P
P
t
t
P
t
1
3
1
3
4
6
5
P
P
P
2
5
7
t
t
t
2
4
6
Graphical representation
Semantics: dynamic evolution Transition t is enabled iff
pt's input places,M(p) W(<p,t>) t fires: produces a new marking M’ in places that
are either t's input or output places or both if p is an input place: M'(p) = M(p) - W(<p,t>) if p is an output place: M'(p) = M(p) + W(<t,p>) if p is both an input and an output place:
M'(p) = M(p) - W(<p,t>) + W(<t,p>)
Non-determinism
Any of the enabled transitions may fire Model does not specify which fires, nor when
it fires
Modeling with Petri nets
Places represent distributed states Transitions represent actions or events that
may occur when system is in a certain state They can occur as certain conditions hold on
the states
P
P
P
t
tP
t
1
3
1
3
4
65
P
P
P
2
5
7
t
t
t
2
4
6
P
P
P
t
tP
t
1
3
1
3
4
65
P
P
P
2
5
7
t
t
t
2
4
6
P
P
P
t
tP
t
1
3
1
3
4
65
P
P
P
2
5
7
t
t
t
2
4
6
P
P
P
t
tP
t
1
3
1
3
4
6
5
P
P
2
5
7
t
t
t
2
4
6
P
(a) (b)
(c) (d)
after (a) either (b) or (c) may occur, and then (d)
Common cases Concurrency
two transitions are enabled to fire in a given state, and the firing of one does nor prevent the other from firing
see t1 and t2 in case (a) Conflict
two transitions are enabled to fire in a given state, but the firing of one prevents the other from firing
see t3 and t4 in case (d) place P3 models a shared resource between two processes
no policy exists to resolve conflicts (known as unfair scheduling)
a process may never get a resource (starvation)
How to avoid starvation
P P
P
P P
t t
t t
P P
t t
1
1 2
3
4
5
6
7
4
2
3
6
5
imposes alternation
Advantages of PNs
Modeling Fairly simple models of elaborate schemas
Analysis Proving properties of model/design
Design 1. Generate the model 2. Use it to prove correctness properties 3. Design system from model
Deadlock
A PN with a given marking is said to be in deadlock if and only if no transition is enabled in that marking.
A conflict-free net, but not deadlock free
R
P P
t t
t'
t"
t
t'
t"
t
1
1
3
3
2
2
4
4
56
2 2
this net candeadlock!consider
'42
'31 t,t , t,t
A conflict-free net, but not deadlock free
R
P P
t t
t'
t"
t
t'
t"
t
1
1
3
3
2
2
4
4
5 6
2 2
A deadlock-free net
R
P P
t t
t'
t"
t
t'
t"
t
1
1
3
3
2
2
4
4
56
2 2
2 2
A case of partial starvation
t
t
1
3
t
t
2
4
Is it deadlock-free?
t
t
1
3
t
t
2
4
Producer/ConsumerEmpty buffer
Producer
Full buffer
Consumer
Questions: How about adding 4 buffers? How about 3 producers and 5 consumers?
There is always a token in Producer and Consumer
How would you do the operations above with a FSM?
Limitations and extensions
P
channel1 channel2
Token represents a message.You wish to say that the delivery channel dependson contents.How?Petri nets cannot specify selection policies.
Extension 1: Assigning values to tokens
Transitions have associated predicates and functions
Predicate refers to values of tokens in input places selected for firing
Functions define values of tokens produced in output places
Example
PP
P
PP
34
71 4
t t1 2
45
12
3Predicate P2 > P1 and function P4 := P2 + P1 associated with t1
Predicate P3 = P2 and functions P4 := P3 P2 and P5 := P2 + P3 are associated with t2
The firing of t1 by using <3,7> would produce the value 10 in P4. t2 can then fire using <4, 4>
Extension 2:Specifying priorities A priority function from transitions to natural
numbers: pri: T N When several transitions are enabled, only
the ones with maximum priority are allowed to fire
Among those with the same priority, the one to fire is chosen non-deterministically
Extension 3:Timed Petri nets A pair of constants <tmin, tmax> is
associated with each transition Once a transition is enabled, it must
wait for at least tmin to elapse before it can fire
If enabled, it must fire before tmax has elapsed, unless it is disabled by the firing of another transition before tmax
Example:Combining priorities and time
P P P
t t t tmin = 1 tmax = 4
tmin = 2 tmax = 3
tmin = 0 tmax = 5
priority = priority = priority = 1 3 2
P
1
1 2
2
3
3
4
Precise, unambiguous, clear Another example (from a real safety-
critical system)
The message must be triplicated. The threecopies must be forwarded through three different physical channels. The receiver accepts the message on the basis of a two-out-of-three voting policy.
can a message be accepted as soon as we receive 2 out of 3 identical copies of message or do we need to wait for receipt of the 3rd?
Original message
Message triplication
Message copies
Message copies transmission
tmin = tmax =
tmin = tmax =
tmin = tmax = 0
0
for all three transitions
PC1
PC2PC3
c1 k1
c2k2
Forwarded message
tvoting1 tvoting2 tvoting3
{
{
{Precise specificationof message triplication problemCase (1)
Original message
Message triplication
Message copies
Message copies transmission
tmin = tmax =
tmin = tmax =
tmin = 0 tmax = 0
PC1
PC2
PC3
c1 k1
c2k2
tvoting
Forwarded message
Precise specificationof message triplication problemCase (2)
Elevator Example with PNs
Initial sketch of movement
Elevator at floor j
Elevator at floor j + 1
Pushing internal button for floor j + 1
Button illumination Transfer
from floor j to j+1
Shortcomings:
• External buttons?• Movement can be caused by any button• Button reset?• From 4 to 27, and floor 20 button pushed•Scalability – 100 floors!• Button illumination if button pushed multiple times
Button module
C P P u s h
S e t
O f f
R e s e t
O n
0 . 1 . . 0 . 0 5 . . 0 . 0 5
0 . . 0
Elevator position (sketch)F
F DFUF
UF F DF
UF FDF
F
m
m-1
3
2
1
m-1 m-1
3 3
2 2
Assume j+1hm
Fj+1 UFj+1
Fj"
t Fj'
UPh On
On
DOWNh
ILBh
DOWNj+1
On
On
On
On
ILBj+1
Fj
t1 t2 t3 t4 t5 t6
t7
t8 t9
t10 t11 t12
UPj+1
More precise description of elevator position
Switch internal button off
I L B j
F j
S e t
R e s e t
O f fO n0 . . 0
Switch external button off
Set
x..x Reset
ti'
Fj
Fj'
On Off
UPj
x time needed bya person to enter + pushing button
Example: Vending Machine
The machine dispenses two kinds of snack bars – 20c and 15c.
Only two types of coins can be used – 10c coins and 5c coins.
The machine does not return any change.
Example: Vending Machine (A Petri net)
5c
Take 15c bar
Deposit 5c
0c
Deposit 10c
Deposit 5c
10c
Deposit 10c
Deposit5c
Deposit 10c20c
Deposit5c
15c
Take 20c bar
Example: Vending Machine (3 Scenarios) Scenario 1:
Deposit 5c, deposit 5c, deposit 5c, deposit 5c, take 20c snack bar.
Scenario 2: Deposit 10c, deposit 5c, take 15c snack bar.
Scenario 3: Deposit 5c, deposit 10c, deposit 5c, take 20c
snack bar.
Example: Vending Machine (Token Games)
5c
Take 15c bar
Deposit 5c
0c
Deposit 10c
Deposit 5c
10c
Deposit 10c
Deposit5c
Deposit 10c20c
Deposit5c
15c
Take 20c bar
Behavioral properties (1) Properties that depend on the initial marking Reachability
Mn is reachable from M0 if exists a sequence of firings that transform M0 into Mn
Boundedness a PN is bounded if the number of tokens in each place
doesn’t exceed a finite number k for any marking reachable from M0
a PN is safe if it is 1-bounded
Behavioral properties (2)
Liveness a PN is live if, no matter what marking has been reached, it
is possible to fire any transition with an appropriate firing sequence
Liveness=> deadlock free (but not vice versa) strong property, different levels of liveness are defined
(L0=dead, L1, L2, L3 and L4=live) Reversibility
a PN is reversible if, for each marking M reachable from M0, M0 is reachable from M
relaxed condition: a marking M’ is a home state if, for each marking M reachable from M0, M’ is reachable from M
Analysis methods (1)
Coverability tree tree representation of all possible markings
root = M0 nodes = markings reachable from M0 arcs = transition firings
if net is unbounded, then tree is kept finite by introducing the symbol
Properties a PN is bounded iff doesn’t appear in any node a PN is safe iff only 0’s and 1’s appear in nodes a transition is dead iff it doesn’t appear in any arc if M is reachable form M0, then exists a node M’ that covers
M
Coverability tree example
t3
p2
t2
p1
t1
p3
t0
M0=(100)
Coverability tree example
t3
p2
t2
p1
t1
p3
t0
M0=(100)
M1=(001)“dead end”
t1
Coverability tree example
t3
p2
t2
p1
t1
p3
t0
M0=(100)
M1=(001)“dead end”
t1 t3
M3=(10)
Coverability tree example
t3
p2
t2
p1
t1
p3
t0
M0=(100)
M1=(001)“dead end”
t1 t3
M3=(10)t1
M4=(01)
Coverability tree example
t3
p2
t2
p1
t1
p3
t0
M0=(100)
M1=(001)“dead end”
t1 t3
M3=(10)t1
M4=(01)
t3
M3=(10) “old”
Coverability tree example
t3
p2
t2
p1
t1
p3
t0
M0=(100)
M1=(001)“dead end”
t1 t3
M3=(10)t1
M4=(01)
t3
M6=(10) “old”t2
M5=(01) “old”
Coverability tree example
100 M0=(100)
M1=(001)“dead end”
t1 t3
M3=(10)t1
M4=(01)
t3
M6=(10) “old”t2
M5=(01) “old”
t1 t3
t110001
01t3
t2
coverability graph coverability tree
Need for verification(in some safety-critical domains) Designers are fallible even if they are skilled
and follow sound principles Everything must be verified, every required
quality, process and products even verification itself…
Approaches to verification
Experiment with behavior of product sample behaviors via testing goal is to find "counterexamples" dynamic technique
Analyze product to deduce its adequacy analytic study of properties static technique
Testing and lack of "continuity"
Testing samples behaviors by examining "test cases"
Impossible to extrapolate behavior of software from a finite set of test cases
No continuity of behavior it can exhibit correct behavior in a seemingly
infinite number of cases, but may still be incorrect in some cases
Dijkstra Said
“Program testing can be used to show the presence of bugs, but never to show their absence!”
Undergraduate “programming” classes at UT-Austin
History Program verification is almost as old as programming (e.g.,
“Checking a Large Routine”, Turing 1949) Naur66, Floyd67:
used assertions to specify/verify flowchart programs Hoare69:
developed the proof system for Hoare triples Boehm and Jacopini, 1966
Proved that control logic of any flowchartable program could be expressed without gotos, using only sequence, selection, iteration.
Edsger Dijkstra, 1970 His argument that gotos are harmful was motivated by a desire
to shorten formal proofs of correctness Reynolds00, Ishtiaq&O’Hearn01
extended Hoare’s proof system using separating connectives to handle pointers
Formal Methods Advantages
Change program from a private, puzzle-solving activity to a public, verifiable activity of translating specifications into programs
Based on formal mathematical techniques Only way to provide guaranteed correctness Supported by formal languages (Z, VDM-SL, REFINE), proof-
checkers, and translation systems Disadvantages
Notations are often baroque, confusing Formal techniques do not scale up very well
In Practice Formal techniques have been used successfully, and are
especially recommended for safety-critical systems Formal approaches and tools may be mandated, e.g., British
Ministry of Defense. But, not even considered by most programmers…
Hoare Said
“Thus the practice of proving programs would seem to lead to solution of three of the most pressing problems in software and programming, namely, reliability, documentation, and compatibility. However, program proving, certainly at present, will be difficult even for programmers of high caliber; and may be applicable only to quite simple program designs.”
“Things like even software verification, this has been the Holy Grail of computer science for many decades but now in some very key areas, for example, driver verification we’re building tools that can do actual proof about the software and how it works in order to guarantee the reliability.” Bill Gates, April 18, 2002.
Gates Said
Basic Programming Constructs Form programs only from basic 1-in, 1-out
control constructs: Sequence: begin S1 S2 end Selection: if E then S1 else S2 end Iteration: while E loop S1 end Above statements are enough , but 1-in, 1-out
statements include: if/elseif, case statements, for loops, etc.
Correctness ProofsTo prove a program is correct:
We need to prove the post-condition is true after executing the program fragment
(assuming the pre-condition was true beforehand)E.g.
Step 1: for z>0 to be true after the assignment, x*y>0 must have been true before it
Step 2: for x*y>0 to be true before the assignment, the precondition must imply it.
Step 3: show that (x>0 and y>0) implies x*y>0
{ x>0 and y>0 }z := x*y;{ z>0 }
Weakest Precondition
Starting with a post-assertion, what is the weakest pre-condition that makes the assertion true?
In other words, what must be true before to make the assertion true after?
[WP ^ [test&action] ] -> Assertion
What do we mean by “weakest”? If A => B but not (B => A), then B is “weaker”
than A, and A is “stronger” than B. The weakest possible predicate is the one
that is identically true, because A => true no matter what A is.
Similarly, the strongest possible predicate is false
Weakest Precondition
Dijkstra’s definition: The condition that characterizes the set of all
initial states, such that activation will certainly result in a properly terminating happening leaving the system in a final state satisfying a given post-condition, is called "the weakest pre-condition corresponding to that post-condition". (We call it "weakest", because the weaker a condition, the more states satisfy it and we aim here at characterizing all possible starting states that are certain to lead to a desired final state.)
The general strategy is:1) start with the post-condition2) work backwards through the program line-by-line3) find the weakest pre-condition (WP) that guarantees the post-condition4) prove that the actual pre-condition implies WP
i.e. the actual pre-condition is weaker than the “weakest pre-condition”, WP
For example
1) for Post to be true after S2, then x<1 must be true before S2
2) for x<1 to be true after S1, then 0<1 must be true before S1
3) (0<1) is the weakest precondition for this program4) So is (true implies 0<1) true?
Using Weakest Pre-conditions
PreS1S2
Post
{ true } x := 0; y := 1{ x<y }
Proof rulesProof rules
tell us how to find weakest preconditions for different programswe need a proof rule for each programming language construct
Proof rule for assignmente.g. for
the weakest precondition is Post with all free occurrences of x replaced by e
Proof rule for sequencee.g. for
if WP2 is the weakest precondition for S2, then the weakest precondition for the whole program is the same as the weakest precondition for { Pre } S1 { WP2 }
{ Pre } x := e; { Post }
{ Pre } S1; S2{ Post }
Hoare Notation
We can express proof rules more conciselye.g. using Hoare notation:
this means “if claim1 and claim2 have both been proved, then conclusion must be true”
claim1, claim2, ...conclusion
Hoare NotationE.g. for sequence:
E.g. for if statements:
find the weakest precondition for S1 and the weakest precondition for S2.
Then show ((Pre and c) implies WP S1) and ((Pre and not(c)) implies WP S2)
{Pre}S1{Q}, {Q}S2{Post}{Pre}S1; S2{Post}
{Pre and c}S1{Post}, {Pre and not(c)}S2{Post}{Pre}if (c) then S1 else S2{Post}
1) the first branch:
to find the weakest precondition, substitute x for max:
WP1 = {(x=x or x=y) and (x>=x) and (x>=y)}= {(true or x=y) and true and (x>=y)}= {(true) and (x>=y)}= {x>=y}
{ true } if (x>y) then max := x;else max := y; { (max=x or max=y) and max>=x and
max>=y) }{ true and x>y }max := x;{ Post }
Proving an If statement
which is okay because(Pre and c) implies WP1,{true and x>y} implies {x>=y}
{ true } if (x>y) then max := x;else max := y; { (max=x or max=y) and max>=x and
max>=y) }
2) the second branch:
to find the weakest precondition, substitute y for max:WP2 = {(y=x or y=y) and
(y>=x) and (y>=y)}= {(y=x or true) and
(y>=x) and true}= {(true) and (y>=x)}= {y>=x}
{ true and not(x>y) }max := y;{ Post }
Proving an If statement
which is okay because(Pre and not(c)) implies WP2,{true and not(x>y)} implies {y>=x}
Proof rules for a language
{F1}S1{F2}, {F2}S2{F3}
{F1}S1;S2{F3}sequence
{Pre and cond} S1 {Post},{Pre and not cond} S2 {Post}{Pre} if cond then S1 ; else S 2 ; end if; {Post}
if-then-else
while-do{I and cond} S {I}
{I} while cond loop S; end loop; {I and not cond}
I loop invariant
Program proofs are not (currently) widely used:
they can be tedious to construct they tend to be longer than the programs
they refer to they could contain mistakes too! they require mathematical expertise they do not ensure against hardware
errors, compiler errors, etc. they only prove functional correctness (i.e.
not termination, efficiency,…)
Practicalities
Practical formal methods:Just use for small parts of the program
e.g. isolate the safety-critical partUse to reason about changes to a
programe.g. prove that changing a statement preserves
correctnessAutomate some of the proof
use proof checkers and theorem proversUse formal reasoning for other things
test properties of the specification to see if we got the spec right
ie. use for validation, rather than verification
Practicalities
Implication review
P Q P => Q
T T T
T F F
F T T
F F T
If it rains tomorrow, then I will sleep-in late.
It rained – I slept in late.
It rained – I did NOT sleep in late.
It did NOT rain – I slept in late.
It did NOT rain – I did NOT sleep in late.
Review from last week
Which is true: {true and x>y} implies {x>=y} {true and x>=y} implies {x>y}
Does {X=1} => {X=1 or X=0} ?
Fibonacci Numbers
n’th Fibonacci number fib(n): fib(0) = 0, fib(1) = 1 fib(n+2) = fib(n+1) + fib(n)
Implementation in C
if (n==0) { a=0; }else {
i=1; p=0; a=1;while (i != n) {
t=p; p=a; a=p+t; i=i+1;}
} Does this program calculate “fib(n)” and store
the result in “a”?
Specification
Spec: {true}FIB{a==fib(n)}
Specification
Spec: {true}FIB{a==fib(n)} FIB does not satisfy the spec: when n<0,
fib(n) is not even defined!!
Specification
Spec: {true}FIB{a==fib(n)} FIB does not satisfy the spec: when n<0,
fib(n) is not even defined!! New spec: {n>=0}FIB{a==fib(n)} But, how can we be sure that the new spec
holds?
Hoare Logic
Hoare logic consists of inference rules for proving valid Hoare triples Assignment, Conditional, Composition, while Loop What about others:
Switch, for loop, procedure call, inheritance? So, we can use these rules to show that
{n>=0}FIB{a==fib(n)} holds.
Rule for Conditional
So, {n>=0}FIB{a==fib(n)} holds if FIB satisfies:
if (n==0) { {n>=0&&n==0}C1{a==fib(n)} }
else { {n>=0&&!(n==0)}C2{a==fib(n)}}
Rule for Assignment
So, {n==0}a=0;{a==fib(n)} because n==0 implies 0==fib(n).
It suffices to show the correctness of C2:if (n==0) { {n>=0&&n==0}a=0;{a==fib(n)} }
else { {n>=0&&!(n==0)}C2{a==fib(n)} }
Rule for Sequencing
So, it suffices to show:if (n==0) { {n>=0&&n==0}a=0;{a==fib(n)} }else { {n>=0&&!(n==0)}
i=1;p=0;a=1;{a==fib(i)&&p==fib(i-1)&&i<=n}while (I!=n) { t=p;p=a; a=p+t;i=i+1; }{a==fib(n)}
}
We focus on this step
Rule for Loop
So, we have:{a==fib(i)&&p==fib(i-1)&&i<=n}while(i!=n) {
{a==fib(i)&&p==fib(i-1)&&i<=n&&i!=n} t=p; p=a; a=p+t; i=i+1;{a==fib(i)&&p==fib(i-1)&&i<=n}
}{a==fib(i)&&p==fib(i-1)&&i<=n&&!(i!=n)}
We prove this in the next slide
Application of loop rule
{a==fib(i)&&p==fib(i-1)&&i<=n&&i!=n}{(a+p)==fib(i+1)&&a==fib(i+1-1)&&(i+1)<=n}
t=p; {(a+t)==fib(i+1)&&a==fib(i+1-1)&&(i+1)<=n}
p=a; {(p+t)==fib(i+1)&&p==fib(i+1-1)&&(i+1)<=n}
a=p+t;{a==fib(i+1)&&p==fib(i+1-1)&&(i+1)<=n}
i=i+1;{a==fib(i)&&p==fib(i-1)&&i<=n}
Consequence
Since a==fib(i)&&!(i!=n) implies a==fib(n), we have:
{a==fib(i)&&p==fib(i-1)&&i<=n}while(i!=n) { t=p; p=a; a=p+t; i=i+1; }{a==fib(i)&&p==fib(i-1)&&i<=n&&!(i!=n)} {a==fib(n)}
In-class examples
Prove:
{x=0 & y<0}x := x-1;x:= x-y;
{x >=0 }
In-class examples
Prove:
{x>=0 & x=a & y=0}while x>0 loop
x := x-1;y := y+1;
end loop;{y=a}
What is the invariant?
Another Risk
Windows daylight saving and file time-stamp"Chris Jakeman (Bigfoot)" Sun, 3 Nov 2002 21:48:22 -0000Discovered today that a misbehaving program wasdue to a strange behaviour in Windows. When thecomputer clock changes due to Daylight SavingTime (we gained an hour a week ago in the UK),Windows also changes the time stamp of all itsfiles by an hour. This came to light whensynchronising files between a Unix webserver anda Windows copy of the website, usingDreamweaver.
Program Testing
Can reveal the presence of errors NOT their absence Only exhaustive testing can show a program is free from
defects. However, exhaustive testing for any but trivial programs is impossible
A successful test is a test which discovers one or more errors
Should be used in conjunction with static verification Run all tests after modifying a system
Regression testing
Test Cases, Specs, and Programmed Behaviors
S = Specified behaviorsP = Programmed behaviorsT = Tested behaviorU = All possible behaviors
S P
[Adapted from Software Testing A Craftman’s Approach, by Jorgensen, CRC Press, 1995]
T
U
1
2
34
5 6
7
We want to makeregion 1 as largeas possible.
Test Cases
Test case: An input on which the program under test is executed during
testing Test set:
Set of test cases for executing a program Test cases are valuable – just as valuable as the source
code. Test cases need to be developed, reviewed, used, managed,
and saved. Information to include: Test case ID, purpose, pre-conditions,
inputs, expected outputs, post-conditions, and execution history (date, result, version, run by)
[Adapted from Software Testing A Craftman’s Approach, by Jorgensen, CRC Press, 1995]
The V-model of testing
Testing Stages
Unit testing Testing of individual components
Integration testing Testing to expose problems arising from the
combination of components System testing
Testing the complete system prior to delivery Acceptance testing
Testing by users to check that the system satisfies requirements. Sometimes called alpha testing
Terminology Failure
A failure is said to occur whenever the external behavior does not conform to system spec.
Error An error is a state of the
system which, in the absence of any corrective action, could lead to a failure.
Fault The actual cause of an
error.
Distinction between Debugging and Testing Defect testing and debugging are distinct
processes Defect testing is concerned with confirming
the presence of errors Debugging is concerned with locating and
repairing these errors Debugging involves formulating a hypothesis
about program behavior then testing these hypotheses to find the system error
Historical Views: Thinking About Testing Phase 0: Testing = Debugging Phase 1: Testing is an act whose purpose is to show that the
software works. Phase 2: Testing is an act whose purpose is to show that the
software does not work. Phase 3: Testing is an act whose purpose is not to prove
anything, but to reduce the perceived risk of failure to an acceptable level.
Phase 4: Testing is not an act; rather, it is a mindset that involves development and coding practices along with a systematic approach to exercising the software.
[Adapted from Software Testing Techniques, 2nd Edition, by Boris Beizer, Van Nostrand Reinhold, 1990]
What Testing Showserrors
requirements conformance
performance
an indicationof quality
[Adapted from Software Engineering A Practitioner’s Approach 5th Edition, by Pressman, McGraw-Hill, 2000]
Test Coverage and Adequacy
How much testing is enough? When to stop testing? Various test coverage criteria developed Goodenough and Gerhart [1975]:
What is software test adequacy criterion? A predicate that defines “what properties of a program
must be exercised to constitute a thorough test. i.e., one whose successful execution implies no errors in the program”
Gerhart and Goodenough
Reliability requirement “Test criterion always produces consistent test results” If a program tested successfully on one test set that
satisfies the criterion, then the program also tested successfully on all test sets that satisfy the criterion
Validity requirement “Test always produces a meaningful result” For every error in a program, there exists a test set that
satisfies the criterion and is capable of revealing the error
Two uses of test adequacy
Serves as a stopping rule Determines whether sufficient testing has been
done according to the criterion such that testing can be stopped
E.g., when using statement coverage, testing can stop when all program statements have been exercised
Provide measurements of test quality Percentage of coverage used as a metric to guide
whether further tests are needed
Testing Methods Functional (Black Box) Testing
Knowing the specified functions that a product has been designed to perform, tests can be conducted to demonstrate that each function is fully operational.
Test cases are based on external behavior as well as internal structure.
Aka: specification-based, data-driven, or input/output driven testing Structural (White Box) Testing
Knowing the internal workings of a program, tests can be conducted to assure that the internal operation performs according to specification, and all internal components have been exercised.
Test cases are based on internal structure of the program and a specific level of coverage.
Aka: code-based, glass-box, logic-driven, or path-oriented testing Mutation testing; perturbation testing
Purposefully inserting errors into the code to help in determining the degree to which the program is being tested
Feasibility of Testing to Specifications Suppose specs include 20 factors, each
taking on 4 values 420 or 1.1 1012 test cases If each takes 30 seconds to run, running all test
cases takes > 1 million years Combinatorial explosion makes exhaustive
testing to specifications impossible
Feasibility of Testing to Code
Can exercise every path without detecting every fault (what if x=2, y=1, z=3?)
Coping with the Combinatorial Explosion Neither testing to specifications nor testing to
code is feasible The art of testing:
Select a small, manageable set of test cases to Maximize chances of detecting fault, while Minimizing chances of wasting test case
Every test case must detect a previously undetected fault
Coping with the Combinatorial Explosion We need a method that will highlight as many faults as
possible First black-box test cases (testing to specifications) Then glass-box methods (testing to code)
Functional (Black Box) Testing
Knowing the specified function (requirements), design test cases to ensure that those requirements are met. Example : Sort (list);
Structural Testing - How well is the code exercised? Functional Testing - How well does Sort perform its intended function?
In general, complete functional testing is not feasible Attempting to test every possible input to the function
A randomly selected set of test cases is statistically insignificant “Not all test cases are created equally”
Test case selection Based on characteristics of input and output sets relative to
specified functionality.
Functional Testing
Types of errors looked for during functional testing Incorrect function or missing function Interface errors External database errors Performance errors (including stress testing) Initialization/termination errors
Tests are designed to answer the following questions How is functional validity tested? What classes of input will make good test cases? Is the system particularly sensitive to certain input values? How are the boundaries of a data class isolated? What data rates and data volume can the system tolerate? What effect will specific combinations of data have on system
operations?
[Adapted from Software Engineering 4th Ed, by Pressman, McGraw-Hill, 1997]
Goals and Methods of Functional Testing Goals
Produce test cases that reduce the overall number of test cases Generate test cases that will tell us something about the
presence or absence of errors for an entire class of input Methods/Approaches
Equivalence partitioning Boundary value analysis Cause-effect graphing Decision Tables
Equivalence Partitioning
It is impossible to test all cases Equivalence partitioning provides a
systematic means for selecting cases that matter and ignoring those that don’t
An equivalence class or equivalence partition is a set of test cases that tests the same aspect or reveals the same bugs
e.g., If X >= 15 then do-this else do-that
(- 15) 15 (15 )
Equivalence Partitioning
Equivalence partitions – groups for similar inputs, outputs, and/or operation of the software
e.g., file-name, 1 .. 255 characters- valid characters- invalid characters- valid length- invalid length
Boundary Value Analysis
Range : a..b
Example : 100..200 Test cases : 99, 100, 101, 199, 200, 201
Number of values Test cases that exercise minimums and maximums
Apply the above to the output conditions Try to drive output to invalid range
Internal data structures with boundaries Example : A(1..100) with test cases A(0), A(1), A(2), A(99), A(100), A(101) A(0) and A(101) should generate exceptions
a b
( ))( (
Equivalence Class Example
function in_list (input1:name_type;input_list : list_names)return boolean is …
Equivalence Classes:(1) Inputs where input1 is in the list
(2) Inputs where input1 is not in the list
Specific Input Partitions:List input1Empty ?One element In the listOne element Not in the list>One element First element>One element Last element>One element Middle element>One element Not in list
Test CasesList input1 Output<nil> ? falsebird bird truebird fish falsebird, cat, owl bird truedog, pig, chicken chicken true
...
Cause Effect Graphing
Causes (input conditions) and effects (actions) are listed for a module, and an identifier is assigned to each
A cause-effect graph is developed Looking for causes without effects Looking for effects without causes
The graph is converted to a decision table (if a decision table has been used as a design tool, developing the graph and table is not necessary)
Decision table rules are converted to test cases
Cause-Effect Graph Symbology
Identity
“Not”
“And”
“Or”
Symbology Constraints
c1
c1
c1
c2
c1
c2
e1
e1
e1
e1
c
a
a
a
a
b
b
b
b
E I O
R
ExclusiveInclusive
Only One
Requires
Cause-Effect Graphing Example The CHANGE subcommand - used to modify a character string
in the “current line” of the file being edited Inputs
Syntax : C /string1/string2 String1 represents the character string you wish to replace
1-30 characters Any character except ‘/’
String2 represents the character string that is to replace string1 0-30 characters Any character except ‘/’
At least one blank must follow the command name “C”
Cause-Effect Graphing Example
Outputs Changed line is printed to the terminal if the command
is successful “NOT FOUND” is printed if string1 cannot be found “INVALID SYNTAX” is printed if the command syntax
is incorrect System Transformations
If the syntax is valid and string1 can be found in the current line, then string1 is removed and string2 replaces it
If the syntax is invalid or string1 cannot be found, the line is not changed
Cause-Effect Graphing Example Cause 1: The first nonblank character following the “C” and one or more
blanks is a ‘/’ Cause 2: The command contains exactly two ‘/’ characters Cause 3: String1 has length 1 Cause 4: String1 has length 30 Cause 5: String1 has length 2-29 Cause 6: String2 has length 0 Cause 7: String2 has length 30 Cause 8: String2 has length 1-29 Cause 9: The current line contains an occurrence of string1 Effect 1: The changed line is typed Effect 2: The first occurrence of string1 in the current line is replaced by
string2 Effect 3: NOT FOUND is printed Effect 4: INVALID SYNTAX is printed
Complete Cause-Effect Graph
c1
c2
c3
c4
c5
c6
c8
c7
c9
i1
i2
i3
e1
e2
e3
e4
Converting to a Decision Table
1 2 3 4 5 6 7 8 9 10 11c1c2c3c4c5c6c7c8c9
e1e2e3e4
I = invoked A = absentS = suppressed P = presentX = don't care
jUnit Test framework
Initially developed to support Extreme Programming Focused on unit testing
Features and Goals Trivial to add unit tests Trivial to run tests
Taking ACE and TAO’s one-button tests to the extreme (actually one-button runs them all)
Tests must be complete automatic (no user input) Trivial presentation of test results
Green = good Red = one or more tests failed
Rerun tests without exiting the testing interface Large assertion API to aid condition checking
Idea: Unit tests are good, but a pain to write -> jUnit alleviates much of the pain
Writing a jUnit Test Case1. Define a subclass of TestCase2. Override the setUp() method to initialize object(s)
under test (optional)3. Override the tearDown() method to release any
permanent resources you allocated in setUp() (optional)
4. Define one or more testXxx() methods that exercise the objects under test
5. Define a suite() method that creates a TestSuite containing all the testXxxx() methods of a TestCase
6. Define a main() method that runs the TestCase
Basic jUnit Test Caseimport junit.framework.*;
public class CubeTest extends TestCase { public CubeTest(String name) { super(name); } protected void setUp() { /* Any pre-test setup */ } protected void tearDown() { /* Any post-test teardown */ } public void testCubePositive() { assertEquals(Cube.calcCube(5), 125); } public void testCubeNegative() { assertEquals(Cube.calcCube(-5), -125); } public void testCubeZero() { assertEquals(Cube.calcCube(0), 0); }}
import junit.framework.*;import junit.runner.BaseTestRunner;
public class AllTests {
public static Test suite() { TestSuite suite= new TestSuite("Cube Tests"); suite.addTestSuite(CubeTest.class); return suite; } public static void main(String[] args) { junit.textui.TestRunner.run(suite()); }}
Basic jUnit Test Suite
Running the jUnit Tests Three ways:
Text UI – java junit.textui.TestRunner <Suite> AWT UI - java junit.awtui.TestRunner <Suite> Swing UI - java junit.swingui.TestRunner <Suite>
GUI features Reload classes each run
Make changes without restarting the test runner Browse test cases Run individual tests
Text UI features Fastest Can be automated
Screenshot of Cube Test Run
Assertion APIassertEquals(T expected, T actual);
assertEquals(double expected, double actual, double delta);
assertNull(Object object);
assertNotNull(Object object);
assertSame(Object expected,Object actual);
assertTrue(boolean condition);
fail(String message);•If any exceptions are thrown, jUnit will catch and log them too.
Glass-Box Module Testing Methods Structural testing
Statement coverage Branch coverage Condition coverage Path coverage Linear code sequences All-definition-use path coverage
Control Flow Graph• Step 1: From the source code, create a graph describing the flow of control (called the control flow graph). The graph is created (extracted from the source code) manually or automatically
• Step 2: Design test cases to cover certain elements of this graph nodes, edges, paths
Structural Testing: Statement Coverage Statement coverage:
Series of test cases to check every statement at least once
CASE tool needed to keep track Weakness
Branch statements Consider
if ( y >= 0) then y = 0;abs = y;
test case-1:input: y = 0expected result: 0actual result: 0
This case gives the false assumption that the code is correct.
Structural Testing: Branch Coverage Series of tests to check all branches (solves
problem on previous slide); edge coverage Again, a CASE tool is helpful
if ( y >= 0) then y = 0;abs = y;
test case-1:input: y = 0expected result: 0actual result: ?
test case-2:input: y = -5expected result: 5actual result: ?
Branch=>statementnot true other way…
Branch Coverage Problem
if ( x < 10 && y > 20) { z = foo (x,y);else z =fie (x,y);}
test case-1 (yes-branch):input: x = -4, y = 30expected result: ...actual result: ?
test case-2 (no-branch):input: x = 12, y = 12expected result: ...actual result: ?
What is the potential problem here?
Another example…
found := false; counter : = 1;while (not found) and counter < number_of_items loop …
Perhaps < should be <=, but certain values of found and counter may not reveal this…
Condition Coverage
if ( x < 10 && y > 20) { z = foo (x,y);else z =fie (x,y);}
x<10 y>20-----------------------------------test-case-1: t ttest-case:2 t ftest-case-3: f ttest-case-4 f f
Another Problem…
Consider:
{x = 0, z = 12} (n,y){x = 2, z = 6} (y,n)
What is the problem here?
Path Coverage
Consider:
{x = 0, z = 7} (n,n){x = 0, z = 13} (n,y){x = 1, z = 5} (y,n){x = 2, z = 15} (y,y)
All paths leading from initial to the final node of P’s control flowgraph are traversed…
Linear Code Sequences In a fragment with a loop, the number of paths is
very large, and can be infinite We want a weaker condition than all paths but that shows
up more faults than branch coverage Linear code sequences
Identify the set of points L from which control flow may jump, plus entry and exit points
Restrict test cases to paths that begin and end with elements of L
This uncovers many faults without testing every path
All-definition-use-path Coverage Each occurrence of variable, zz say, is labeled either as
The definition of a variablezz = 1 or read (zz)
or the use of variabley = zz + 3 or if (zz < 9) errorB ()
Identify all paths from the definition of a variable to the use of that definition This can be done by an automatic tool
A test case is set up for each such path
Data-flow testing using def-use
Data-flow testing using def-use
Led to research ideas of program slicing, and other static analysis techniques…
Another Example of def-use
Continued…
Infeasible Code
It may not be possible to test a specific statement May have an
infeasible path (“dead code”) in the module
Frequently this is evidence of a fault
Automated Testing of GUIs
Commercial tools: Mercury Interactive
WinRunner, LoadRunner Rational
Ph.D. Level research: Best reference: Atif Memon
http://www.cs.umd.edu/~atif/
C/S - DatabasesLoadRunner (Load/Stress)TestDirector(Test Management)WinRunner (Functional/Regression)
E - BusinessWebTest Add-in for WinRunnerLoadRunnerTestDirectorAstra Site ManagerAstra Site Test
ERP Applications
WinRunnerTestDirector LoadRunner QuickTest
Year 2000
QuickTest 2000WinRunner 2000TestDirectorLoadRunner/RTE
The Mercury Interactive Product Line
MERCURY’S PRODUCT
LINE
Why Use Testing Tools?
No TestingNo Testing Manual TestingManual Testing• Time consuming• Low reliability• Human resources• Inconsistent
Automated TestingAutomated TestingSpeedRepeatabilityProgramming
capabilitiesCoverageReliabilityReusability
Which Test Cases to Automate?
Tests that need to be run for every build of the application (sanity level)
Tests that use multiple data values for the same actions (data driven tests)
Tests that require detailed information from application internals (e.g., SQL, GUI attributes)
Stress/load testing
More repetitive execution?Better candidate for automation.
Which Test Cases Not to Automate?Usability testing
"How easy is the application to use?"One-time testing"ASAP" testing
"We need to test NOW!"Ad hoc/random testing
based on intuition and knowledge of applicationTests without predictable results
Improvisation required?Poor candidate for automation.
What Happens During Recording?
set_window("Automobile Purchase Form", 10);edit_set ("Customer Name", "Thomas Paine");edit_set ("Address","234 Willow Drive");
Depart Date: ___/___/___From City. . : ________________To City. . . . .: ________________Flight. . . . . . : _______
Order Number. . . .: __________Customer. . . . . . . .: ___________________
Billing Date. . . . . . : edit_set ("Date", "12/12/98");list_select_item ("Make", "BMW"); edit_set ("Year", "1973");
button_press ("Insert Sale");
Thomas Paine
234 Willow Drive
12/12/98
BMW1973 2002tii
edit_set ("Model", "2002tii");
Context Sensitive Recording Object oriented Readable script Maintainable script (editable) Script not affected by User
Interface changes if object moves location on GUI,
script will still replay correctly Portable script
a context sensitive script can be ported to different platforms with different configurations
scroll bar
frame
A Closer Look at GUI Objectsmenu window
radio button push button
list item
edit field
static text
User Actions in the Test Script
list_select_item ("Make", "BMW");
button_press ("OK");
set_window("Automobile Purchase Form", 10);
set_window("Login", 10);
password_edit_set("Password:", "kzptnzet");
edit_set ("Username", "thomas");
Specify window for input
Type input into an edit field
Press a button to submit "OK"
Type encrypted input into password field
Specify a listbox selection
Wait for a bitmap to refresh
BITMAP
Wait for a window
WINDOW
No visual cue;just wait forset time toelapse
ELAPSEDTIME
Establish Visual Cue to SynchronizeExamples
Wait for an object state
OBJECT STATE
Testing Phases in TestDirector Test Planning
set up your test plan create the test cases manage resources
Test Execution run manual and automated tests run integrated tests collect and analyze test results
Defect Tracking create and track defects throughout the life cycle inform testing team with automatic email notification monitor defect status using graphs and reports
You Can Monitor the Testing Effort How:
many tests are ready for test execution? many tests executed passed or failed? many defects are logged in a week? many defects remain in severe status? long does it take for a defect to be fixed? can I balance the resources available?
View Contents of the Defect Database
Things are not as perfect as they seem...1. The recorded input can be incorrect either due to tester error during the
recording session, or the test script can be incorrect in the first place. A reliance on recording alone would then require the entire input to be re-recorded
2. The resulting script contains multiple commands and statements for every action taken, is extremely lengthy and difficult to interpret and maintain
3. Recording of test scripts requires that the application be fully developed, and error-free
4. If errors occur, such as unexpected screens, the recorded test script will fail, and therefore requires someone to constantly monitor the test run in order to keep it going
The Problem: Software Drift Over many phases of maintenance, structure begins
to decay (entropy) Begins to resemble Rube Goldberg machine
(http://www.rube-goldberg.com/html/gallery.htm) Honda Cog commercial
What is Refactoring?The process of changing a software system in such a way that it does not alter the external behaviour of the code, yet improves its internal structure – Martin Fowler
A behaviour-preserving source-to-source program transformation – Don Roberts
A change to the system that leaves its behaviour unchanged, but enhances some non-functional quality - simplicity, flexibility, understandability- Kent Beck
Where Refactoring Came From
Ward Cunningham and Kent Beck Smalltalk style
Ralph Johnson at UIUC Bill Opdyke’s Thesis
ftp://st.cs.uiuc.edu/pub/papers/refactoring/opdyke-thesis.ps.Z
John Brant and Don Roberts: The Refactoring Browser
Refactoring Tools Based on provable transformations
Build parse tree of programs Research: Mathematic proof that refactoring does not
change semantics; graph transformation Embed refactoring in tool
Speeds up refactoring Extract method: select code, type in method name. Big speed improvement
Not Science Fiction Available for Smalltalk for a couple of years Now appearing for Java and other languages
Refactor To UnderstandThe Obvious:
• Programs hard to read => Programs hard to understand
• => Programs hard to modify• Programs with duplicated logic are hard to understand• Programs with complex conditionals are hard to understand
Refactoring code creates and supports the understanding• Renaming instance variables helps understanding methods• Renaming methods helps understanding responsibility• Iterations are necessary
Typical RefactoringsClass Refactorings
Method Refactorings Attribute Refactorings
add (sub)class to hierarchy
add method to class add variable to class
rename class rename method rename variableremove class remove method remove variable
push method down push variable downpush method up push variable upadd parameter to method create accessorsmove method to component abstract variableextract code in new method
These simple refactorings can be combined to provide bigger restructurings such as the introduction of design patterns.
Example: Add Class
Add Class (new name, package, superclasses, subclasses)Preconditions
no class or global variable exists with new name in the same scope subclasses are all subclasses of all superclasses
Postconditions new class is added into the hierarchy with superclasses as
superclasses and subclasses as subclasses new class has name new name subclasses inherit from new class and not anymore from
superclassesConsiderations: Abstractness
B
C D FN
A B
C D
F
A
Rename Method: Do It Yourself
Do it yourself approach Check if a method does not exist in the class and
superclass/subclasses with the same “name” Browse all the implementers (method definitions) Browse all the senders (method invocations) Edit and rename all implementers Edit and rename all senders Remove all implementers Test Automated refactoring is better !
BX
B b = new B();b.blnc();
blnce()
Ablnce()
Dblnce()
Cblnce()
BXbalance()
Abalance()
Dbalance()
Cbalance()
B b = new B();b.balance();
Rename Method Rename Method (method, new name)Preconditions
no method exists with the signature implied by new name in the inheritance hierarchy that contains method
Postconditions method has new name relevant methods in the inheritance hierarchy have new
name invocations of changed method are updated to new name
Other Considerations Statically/Dynamically Typed Languages
=> Scope of the renaming
Bad smells in code Duplicated code
“The #1 bad smell” Same expression in two methods in the same class?
Make it a private ancillary routine and parameterize it (Extract method)
Same code in two related classes? Push commonalities into closest mutual ancestor and parameterize Use template method for variation in subtasks
(Form template method) Same code in two unrelated classes?
Ought they be related? Introduce abstract parent (Extract class, Pull up method)
Does the code really belong to just one class? Make the other class into a client (Extract method)
Bad smells in code Long method
Often a sign of: Bad cohesion Trying to do too many things Poorly thought out abstractions and boundaries
Best to think carefully about the major tasks and how they inter-relate. Be aggressive!
Break up into smaller private methods within the class(Extract method)
Fowler’s heuristic: When you see a comment, make a method. Often, a comment indicates:
The next major step Something non-obvious whose details detract from the clarity of the
routine as a whole. In either case, this is a good spot to “break it up”.
Bad smells in code Long parameter list
Long parameter lists make methods difficult for clients to understand
This is often a symptom of Trying to do too much … with too many disparate subparts
In the old days, structured programming taught the use of parameterization as a cure for global variables.
With modules/OOP, objects have mini-islands of state that can be reasonably treated as “global” to the methods (yet are still hidden from the rest of the program).
i.e., You don’t need to pass a subpart of yourself as a parameter to one of your own methods.
Bad smells in code Divergent change
Occurs when one class is commonly changed in different ways for different reasons
Likely, this class is trying to do too much and contains too many unrelated subparts
Over time, some classes develop a “God complex” They acquires details/ownership of subparts that rightly belong
elsewhere This is a sign of poor cohesion
Unrelated elements in the same container Solution:
Break it up, reshuffle, reconsider relationships and responsibilities (Extract class)
Bad smells in code
Shotgun surgery … the opposite of divergent change
Each time you want to make a single, seemingly coherent change, you have to change lots of classes in little ways
Also a classic sign of poor cohesion Related elements are not in the same container!
Solution: Look to do some gathering, either in a new or existing class.
(Move method/field)
Advertisement: A key idea that will be explored in my CS 692/792 class next Fall
Bad smells in code Data clumps
You see a set of variables that seem to “hang out” togethere.g., passed as parameters, changed/accessed at the same time
Usually, this means that there’s a coherent subobject just waiting to be recognized and encapsulated
void Scene::setTitle (string titleText, int titleX, int titleY, Colour titleColour){…}
void Scene::getTitle (string& titleText, int& titleX, int& titleY, Colour& titleColour){…}
Bad smells in code Data clumps
In the example, a Title class is dying to be born If a client knows how to change a title’s x, y, text, and colour, then it
knows enough to be able to “roll its own” Title objects. However, this does mean that the client now has to talk to another class.
This will greatly shorten and simplify your parameter lists (which aids understanding) and makes your class conceptually simpler too.
Bad smells in code
Switch statements
Double getSpeed () { switch (_type) {
case EUROPEAN: return getBaseSpeed();case AFRICAN: return getBaseSpeed() –
getLoadFactor() * _numCoconuts;case NORWEGIAN_BLUE: return (_isNailed) ? 0
: getBaseSpeed(_voltage); }}
Bad smells in code
Switch statements This is an example of a lack of understanding polymorphism
and a lack of encapsulation. Solution:
Redesign as a polymorphic method of PythonBird(Replace conditional with polymorphism, replace type code
with subclasses)
Bad smells in code
Lazy class Classes that don’t do much that’s different from other classes. If there are several sibling classes that don’t exhibit
polymorphic behavioural differences , then consider just collapsing them back into the parent and add some parameters
Often, lazy classes are legacies of ambitious design or a refactoring that gutted the class of interesting behaviour
(Collapse hierarchy, inline class)
Bad smells in code Inappropriate intimacy
Sharing of secrets between classes, esp. outside of the holy bounds of inheritance
e.g., public variables, indiscriminate definitions of get/set methods, C++ friendship, protected data in classes
Leads to data coupling, intimate knowledge of internal structures and implementation decisions.
Makes clients brittle, hard to evolve, easy to break. Solution:
Appropriate use of get/set methods Rethink basic abstraction. Merge classes if you discover “true love”(Move/extract method/field, change bidirectional association to
unidirectional, hide delegate)
Sample Output
Rental Record for Dinsdale PirhanaMonty Python and the Holy Grail3.5Ran
2Star Trek 27
6Star Wars 3.2
3Wallace and Gromit
6Amount owed is 20.5You earned 6 frequent renter points
Class Moviepublic class Movie {
public static final int CHILDRENS = 2;public static final int REGULAR = 0;public static final int NEW_RELEASE = 1;
private String _title;private int _priceCode;
public Movie(String title, int priceCode) {_title = title;_priceCode = priceCode;
}
public int getPriceCode() {return _priceCode;
}
public void setPriceCode(int arg) { _priceCode = arg;
}
public String getTitle () {return _title;
};}
Class Rental
class Rental { private Movie _movie; private int _daysRented;
public Rental(Movie movie, int daysRented) { _movie = movie; _daysRented = daysRented; } public int getDaysRented() { return _daysRented; } public Movie getMovie() { return _movie; }}
Class Customer (almost)
class Customer {private String _name;
private Vector _rentals = new Vector();
public Customer (String name) {_name = name;};
public void addRental(Rental arg) { _rentals.addElement(arg); }
public String getName () {return _name;};
public String statement() // see next slide
Customer.statement() part 1public String statement() {
double totalAmount = 0;int frequentRenterPoints = 0;Enumeration rentals = _rentals.elements();String result = "Rental Record for " + getName() + "\n";while (rentals.hasMoreElements()) {
double thisAmount = 0;Rental each = (Rental)
rentals.nextElement();
//determine amounts for each lineswitch (each.getMovie().getPriceCode()) {
case Movie.REGULAR:thisAmount += 2;if (each.getDaysRented() > 2)
thisAmount += (each.getDaysRented() - 2) * 1.5;
break;case Movie.NEW_RELEASE:
thisAmount += each.getDaysRented() * 3;break;
case Movie.CHILDRENS:thisAmount += 1.5;if (each.getDaysRented() > 3)
thisAmount += (each.getDaysRented() - 3) * 1.5;
break;
} continues on next slide
Customer.statement() part 2
// add frequent renter pointsfrequentRenterPoints ++;// add bonus for a two day new release
rentalif ((each.getMovie().getPriceCode() ==
Movie.NEW_RELEASE) && each.getDaysRented() > 1)
frequentRenterPoints ++;
//show figures for this rentalresult += "\t" +
each.getMovie().getTitle()+ "\t" + String.valueOf(thisAmount) + "\n";totalAmount += thisAmount;
}//add footer linesresult += "Amount owed is " + String.valueOf(totalAmount) + "\n";result += "You earned " + String.valueOf(frequentRenterPoints) +
" frequent renter points";return result;
}
Interactions for statement
aC ustom er aR ental aM ovie
getM ovie
* [for all renta ls]
getPriceC ode
getD aysRented
statem ent
Future Requirements Changes
Produce an html version of the statement The movie classifications will soon change
together with the rules for charging and for frequent renter points
Extract Method
voi d printOwi ng() {printBanner();
// print detail sSystem.out.pri ntln ("name: " + _name);System.out.pri ntln ("amount" + getOutstanding());
}
voi d printOwi ng() {printBanner();printDetai ls(getOutstanding());
}
voi d printDetai ls (double outstandi ng) {System.out.pri ntln ("name: " + _name);System.out.pri ntln ("amount" + outstandi ng);
}
You have a code fragment that can be grouped togetherTurn the fragment into a method whose name explains the
purpose of the method.
Steps for Extract Method Create method named after intention of code Copy extracted code Look for local variables and parameters
turn into parameter turn into return value declare within method
Compile Replace code fragment with call to new
method Compile and test
Candidate Extractionpublic String statement() {
double totalAmount = 0;int frequentRenterPoints = 0;Enumeration rentals = _rentals.elements();String result = "Rental Record for " + getName() + "\n";while (rentals.hasMoreElements()) {
double thisAmount = 0;Rental each = (Rental)
rentals.nextElement();
//determine amounts for each lineswitch (each.getMovie().getPriceCode()) {
case Movie.REGULAR:thisAmount += 2;if (each.getDaysRented() > 2)
thisAmount += (each.getDaysRented() - 2) * 1.5;
break;case Movie.NEW_RELEASE:
thisAmount += each.getDaysRented() * 3;
break;case Movie.CHILDRENS:
thisAmount += 1.5;if (each.getDaysRented() > 3)
thisAmount += (each.getDaysRented() - 3) * 1.5;
break;
} [snip]12
Extracting the Amount Calculation
private int amountFor(Rental each) { int thisAmount = 0; switch (each.getMovie().getPriceCode()) { case Movie.REGULAR: thisAmount += 2; if (each.getDaysRented() > 2) thisAmount += (each.getDaysRented() - 2) * 1.5; break; case Movie.NEW_RELEASE: thisAmount += each.getDaysRented() * 3; break; case Movie.CHILDRENS: thisAmount += 1.5; if (each.getDaysRented() > 3) thisAmount += (each.getDaysRented() - 3) * 1.5; break; } return thisAmount;}
Statement() after extraction public String statement() {
double totalAmount = 0; int frequentRenterPoints = 0; Enumeration rentals = _rentals.elements(); String result = "Rental Record for " + getName() + "\n"; while (rentals.hasMoreElements()) { double thisAmount = 0; Rental each = (Rental) rentals.nextElement();
thisAmount = amountFor(each);
// add frequent renter points frequentRenterPoints ++; // add bonus for a two day new release rental if ((each.getMovie().getPriceCode() == Movie.NEW_RELEASE) &&
each.getDaysRented() > 1) frequentRenterPoints ++;
//show figures for this rental result += "\t" + each.getMovie().getTitle()+ "\t" +
String.valueOf(thisAmount) + "\n"; totalAmount += thisAmount;
} //add footer lines result += "Amount owed is " + String.valueOf(totalAmount) + "\n"; result += "You earned " + String.valueOf(frequentRenterPoints) +
" frequent renter points"; return result;
}}
Extracting the amount calculation (2)
private double amountFor(Rental each) { double thisAmount = 0; switch (each.getMovie().getPriceCode()) { case Movie.REGULAR: thisAmount += 2; if (each.getDaysRented() > 2) thisAmount += (each.getDaysRented() - 2) * 1.5; break; case Movie.NEW_RELEASE: thisAmount += each.getDaysRented() * 3; break; case Movie.CHILDRENS: thisAmount += 1.5; if (each.getDaysRented() > 3) thisAmount += (each.getDaysRented() - 3) * 1.5; break; } return thisAmount;}
Is this important?
Is this method in the right
place?
Change names of variablesprivate double amountFor(Rental aRental) { double result = 0; switch (aRental.getMovie().getPriceCode()) { case Movie.REGULAR: result += 2; if (aRental.getDaysRented() > 2) result += (aRental.getDaysRented() - 2) * 1.5; break; case Movie.NEW_RELEASE: result += aRental.getDaysRented() * 3; break; case Movie.CHILDRENS: result += 1.5; if (aRental.getDaysRented() > 3) result += (aRental.getDaysRented() - 3) * 1.5; break; } return result;}
Move Method
aMethod()
Class 1
Class 2
Class 1
aMethod()
Class 2
A method is, or will be, using or used by more features of another class than the class it is defined on.
Create a new method with a similar body in the class it uses most. Either turn the old method into a simple delegation, or
remove it altogether.
Steps for Move method Declare method in target class Copy and fit code Set up a reference from the source object to the target Turn the original method into a delegating method
amountOf(Rental each) {return each.charge()}
Check for overriding methods Compile and test Find all users of the method
Adjust them to call method on target Remove original method Compile and test
Moving amount() to Rentalclass Rental ...
double getCharge() { double result = 0; switch (getMovie().getPriceCode()) { case Movie.REGULAR: result += 2; if (getDaysRented() > 2) result += (getDaysRented() - 2) * 1.5; break; case Movie.NEW_RELEASE: result += getDaysRented() * 3; break; case Movie.CHILDRENS: result += 1.5; if (getDaysRented() > 3) result += (getDaysRented() - 3) * 1.5; break; } return result;}1
statem ent()
C ustom er
getC harge()
daysR ented: int
R ental
priceC ode: int
M ovie
Altered statementclass Customer... public String statement() { double totalAmount = 0; int frequentRenterPoints = 0; Enumeration rentals = _rentals.elements(); String result = "Rental Record for " + getName() + "\n"; while (rentals.hasMoreElements()) { double thisAmount = 0; Rental each = (Rental) rentals.nextElement();
thisAmount = each.getCharge(); // add frequent renter points frequentRenterPoints ++; // add bonus for a two day new release rental if ((each.getMovie().getPriceCode() == Movie.NEW_RELEASE) &&
each.getDaysRented() > 1) frequentRenterPoints ++;
//show figures for this rental result += "\t" + each.getMovie().getTitle()+ "\t" +
String.valueOf(thisAmount) + "\n"; totalAmount += thisAmount;
} //add footer lines result += "Amount owed is " + String.valueOf(totalAmount) + "\n"; result += "You earned " + String.valueOf(frequentRenterPoints) +
" frequent renter points"; return result;
}
Replace Conditional With Polymorphism
getSpeed
Bird
getSpeed
European
getSpeed
African
getSpeed
Norweigian Blue
doubl e getSpeed() {switch (_type) {
case EUROPEAN:return getBaseSpeed();
case AFRICAN:return getBaseSpeed() - getLoadFactor() * _numberOfCoconuts;
case NORWEIGIAN_BLUE:return (_i sNai led) ? 0 : getBaseSpeed(_vol tage);
}throw new RuntimeExcepti on ("Shoul d be unreachable");
}
You have a conditional that chooses different behavior depending on the type of an object.
Move each leg of the conditional to an overriding method in a subclass. Make the original method abstract
Steps for Replace Conditional with Polymorphism
Move switch to superclass of inheritance structure
Copy one leg of case statement into subclass Compile and test Repeat for all other legs Replace case statement with abstract method
Move getCharge to Priceclass Movie…
double getCharge(int daysRented) {return _price.getCharge(daysRented);
}
class Price… double getCharge(int daysRented) { double result = 0; switch (getPriceCode()) { case Movie.REGULAR: result += 2; if (daysRented > 2) result += (daysRented - 2) * 1.5; break; case Movie.NEW_RELEASE: result += daysRented * 3; break; case Movie.CHILDRENS: result += 1.5; if (daysRented > 3) result += (daysRented - 3) * 1.5; break; } return result;}
Override getCharge in the subclassesClass RegularPrice…
double getCharge(int daysRented){ double result = 2; if (daysRented > 2) result += (daysRented - 2) * 1.5; return result; }Class ChildrensPrice double getCharge(int daysRented){ double result = 1.5; if (daysRented > 3) result += (daysRented - 3) * 1.5; return result; }
Class NewReleasePrice… double getCharge(int daysRented){ return daysRented * 3;
}
Class Price… abstract double getCharge(int
daysRented);
Do each leg one at a time then...
Obstacles to RefactoringComplexity
• Changing design is hard• Understanding code is hard
Possibility to introduce errors• Run tests if possible• Build tests
Clean first Then add new functionality
Cultural Issues• Producing negative lines of code, what an idea!• “We pay you to add new features, not to improve the code!”
If it ain’t broke, don’t fix it• “We do not have a problem, this is our software!“
Obstacles to Refactoring
Performance• Refactoring may slow down the execution• The secret to write fast software:
“Write tunable software first then tune it”Typically only 10% of your system consumes 90% of the resources so just focus on 10 %.
• Refactorings help to localize the part that need change• Refactorings help to concentrate the optimizations
Development is always under time pressure • Refactoring takes time• Refactoring better right after a software release
Conclusion: Know-when & Know-how
“Know when” is as important as “know-how”• Use “code smells” as symptoms• Rule of the thumb: “Once and Only Once” (Kent Beck)
=> a thing stated more than once implies refactoring
Research Issues (Mens paper) Tool Support
Visualization, automated refactoring How to make more open?
Scalability of composable refactorings (conflict resolution)
Analysis of dependencies among refactorings Formally, what is behavior and how can we prove that
it is preserved by a refactoring Real-time, embedded, safety critical behavior?
Research Issues (Mens paper) How to specify refactoring in a language-independent
manner? How to apply refactoring at higher levels of abstraction
(e.g., UML models)? Determine the “where/how” of applying refactoring Can we get some objective measurements of how
refactoring affects software quality?