specification
DESCRIPTION
Specification. A broad term that means definition Used at different stages of software development for different purposes Generally, a statement of agreement ( contract ) between producer and consumer of a service Designer/implementer and user All desirable qualities must be specified - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/1.jpg)
Specification
A broad term that means definition Used at different stages of software
development for different purposes Generally, a statement of agreement
(contract) between producer and consumer of a service Designer/implementer and user
All desirable qualities must be specified What versus how dichotomy
![Page 2: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/2.jpg)
Uses of specification
Statement of user requirements major failures occur because of
misunderstandings between the producer and the user
"The hardest single part of building a software system is deciding precisely what to build“ (F. Brooks)
![Page 3: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/3.jpg)
Uses of specification (cont.)
Statement of the interface between the machine and the controlled environment serious undesirable effects can result due to
misunderstandings between software engineers and domain experts about the phenomena affecting the control function to be implemented by software (remember Arianne 5 example)
![Page 4: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/4.jpg)
Uses of specification (cont.)
Statement of requirements for implementation design process is a chain of specification (i.e., definition)–
implementation–verification steps requirements specification refers to definition of external
behavior design specification must be verified against it
design specification refers to definition of the software architecture
code must be verified against it
![Page 5: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/5.jpg)
Uses of specification (cont.)
A reference point during maintenance corrective maintenance only changes
implementation adaptive and perfective maintenance occur
because of requirements changes requirements specification must change accordingly
![Page 6: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/6.jpg)
Specification qualities Precise, clear, unambiguous Consistent Complete
internal completeness external completeness
Incremental Informal specifications, written in a natural
language, are likely to contain subtle ambiguities Please see:
http://www.gray-area.org/Research/Ambig
![Page 7: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/7.jpg)
Clear, unambiguous, understandable Example: specification fragment for a
word-processor (from Word 4.0 manual)
Selecting is the process of designating areas of the document that you want to work on. Most editing and formatting actions require two steps: first you select what you want to work on, such as text or graphics; then you initiate the appropriate action.
can an area be scattered?
![Page 8: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/8.jpg)
Precise, unambiguous, clear Another example (from a real safety-
critical system)
The message must be triplicated. The threecopies must be forwarded through three different physical channels. The receiver accepts the message on the basis of a two-out-of-three voting policy.
can a message be accepted as soon as we receive 2 out of 3 identical copies of message or do we need to wait for receipt of the 3rd?
![Page 9: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/9.jpg)
Consistent Example: specification fragment for a word-
processor
The whole text should be kept in lines of equal length. The length is specified by the user. Unless the user gives an explicit hyphenation command, a carriage return should occur only at the end of a word.
What if the length of a word exceeds the length of the line?
![Page 10: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/10.jpg)
Complete
Internal completeness the specification must define any new concept or
terminology that it uses glossary helpful for this purpose
the specification must document all the needed requirements difficulty: when should one stop?
![Page 11: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/11.jpg)
Classification of specification styles
Informal, semi-formal, formal Operational
Behavior specification in terms of some abstract machine
Descriptive Behavior described in terms of properties
![Page 12: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/12.jpg)
Example 1 - Operational Specification of a geometric figure E:
E can be drawn as follows:
1. Select two points P1 and P2 on a plane2. Get a string of a certain length and fix its ends
to P1 and P23. Position a pencil as shown in next figure4. Move the pen clockwise, keeping the string
tightly stretched, until you reach the point where you started drawing
P P 1 2
![Page 13: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/13.jpg)
A descriptive specification
Geometric figure E is describe by the following equation
ax2 + by2 + c = 0where a, b, and c are suitable constants
![Page 14: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/14.jpg)
Another example
“Let a be an array of n elements. The result of its sorting is an array b of n elements such that the first element of b is the minimum of a (if several elements of a have the same value, any one of them is acceptable); the second element of b is the minimum of the array of n-1 elements obtained from a by removing its minimum element; and so on until all n elements of a have been removed.”
“The result of sorting array a is an array b which is a permutation of a and is sorted.”
Which one is operational? Descriptive?
![Page 15: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/15.jpg)
Case study: Elevator Problem
An n elevator system to be installed in a building with m floors Natural language specs contain several ambiguities Formal specification using PNs removes ambiguities Specification will be provided in a stepwise fashion Will use modules, each encapsulating fragments of PNs which
describe certain system components
![Page 16: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/16.jpg)
Easy question (?)(not on initial slides) How many buttons are on the first and top
floors?
![Page 17: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/17.jpg)
From informal specs…
“The illumination is cancelled when the elevator visits the floor and is either moving in the desired direction, or ...”
2 different interpretations (case of up call) switch off as the elevator arrives at the floor from below
(obvious restrictions for 1st and last floor) switch off after the elevators starts moving up
in practice you may observe the two cases!
![Page 18: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/18.jpg)
…more analysis of informal specs
“The algorithm to decide which to service first should minimize the waiting time for both requests.”what does this mean?
in no other way can you satisfy either request in a shorter time
but minimizing for one may require longer for the other the sum of both is minimal
why the sum?
![Page 19: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/19.jpg)
Models Of Computation
A mathematical description that has a syntax and rules for computation of the behavior described by the syntax (semantics). Used to specify the semantics of computation and concurrency.
Characteristics: compact description, fidelity to design style, synthesize and optimize behavior to an implementation.
Language & MOCs: MOC affects expressiveness, trade off.
![Page 20: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/20.jpg)
Diversity of MOCs
There are (far too) many models of computation in the embedded systems domain alone.
Why? Need to handle
different notions of time. different modes of communication different types of functionalities.
![Page 21: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/21.jpg)
Notions of Time
Source: A.Sangiovanni-Vincentelli
![Page 22: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/22.jpg)
Petri Nets: One Example of a MOC Originated in thesis of Carl Adam Petri, 1965 Beneficial in modeling systems that are
asynchronous and concurrent More popularized by Anatol Holt in 1968 For a while, very hot research area
(multiple yearly conferences)
![Page 23: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/23.jpg)
Petri netsA quadruple (P,T,F,W)
P: places T: transitions (P, T are finite) F: flow relation (F {PT} {TP} ) W: weight function (W: F N – {0} )Properties:(1) P T = Ø(2) P T Ø(3)F (P T) (T P)(4) W: F N-{0}Default value of W is 1
State defined by marking: M: P N
![Page 24: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/24.jpg)
places
transitions flows
marking
3 weight
P
P
P
t
t
P
t
1
3
1
3
4
6
5
P
P
P
2
5
7
t
t
t
2
4
6
Graphical representation
![Page 25: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/25.jpg)
Semantics: dynamic evolution Transition t is enabled iff
pt's input places,M(p) W(<p,t>) t fires: produces a new marking M’ in places that
are either t's input or output places or both if p is an input place: M'(p) = M(p) - W(<p,t>) if p is an output place: M'(p) = M(p) + W(<t,p>) if p is both an input and an output place:
M'(p) = M(p) - W(<p,t>) + W(<t,p>)
![Page 26: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/26.jpg)
Non-determinism
Any of the enabled transitions may fire Model does not specify which fires, nor when
it fires
![Page 27: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/27.jpg)
Modeling with Petri nets
Places represent distributed states Transitions represent actions or events that
may occur when system is in a certain state They can occur as certain conditions hold on
the states
![Page 28: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/28.jpg)
P
P
P
t
tP
t
1
3
1
3
4
65
P
P
P
2
5
7
t
t
t
2
4
6
P
P
P
t
tP
t
1
3
1
3
4
65
P
P
P
2
5
7
t
t
t
2
4
6
P
P
P
t
tP
t
1
3
1
3
4
65
P
P
P
2
5
7
t
t
t
2
4
6
P
P
P
t
tP
t
1
3
1
3
4
6
5
P
P
2
5
7
t
t
t
2
4
6
P
(a) (b)
(c) (d)
after (a) either (b) or (c) may occur, and then (d)
![Page 29: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/29.jpg)
Common cases Concurrency
two transitions are enabled to fire in a given state, and the firing of one does nor prevent the other from firing
see t1 and t2 in case (a) Conflict
two transitions are enabled to fire in a given state, but the firing of one prevents the other from firing
see t3 and t4 in case (d) place P3 models a shared resource between two processes
no policy exists to resolve conflicts (known as unfair scheduling)
a process may never get a resource (starvation)
![Page 30: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/30.jpg)
How to avoid starvation
P P
P
P P
t t
t t
P P
t t
1
1 2
3
4
5
6
7
4
2
3
6
5
imposes alternation
![Page 31: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/31.jpg)
Advantages of PNs
Modeling Fairly simple models of elaborate schemas
Analysis Proving properties of model/design
Design 1. Generate the model 2. Use it to prove correctness properties 3. Design system from model
![Page 32: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/32.jpg)
Deadlock
A PN with a given marking is said to be in deadlock if and only if no transition is enabled in that marking.
![Page 33: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/33.jpg)
A conflict-free net, but not deadlock free
R
P P
t t
t'
t"
t
t'
t"
t
1
1
3
3
2
2
4
4
56
2 2
this net candeadlock!consider
'42
'31 t,t , t,t
![Page 34: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/34.jpg)
A conflict-free net, but not deadlock free
R
P P
t t
t'
t"
t
t'
t"
t
1
1
3
3
2
2
4
4
5 6
2 2
![Page 35: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/35.jpg)
A deadlock-free net
R
P P
t t
t'
t"
t
t'
t"
t
1
1
3
3
2
2
4
4
56
2 2
2 2
![Page 36: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/36.jpg)
A case of partial starvation
t
t
1
3
t
t
2
4
![Page 37: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/37.jpg)
Is it deadlock-free?
t
t
1
3
t
t
2
4
![Page 38: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/38.jpg)
Producer/ConsumerEmpty buffer
Producer
Full buffer
Consumer
Questions: How about adding 4 buffers? How about 3 producers and 5 consumers?
There is always a token in Producer and Consumer
How would you do the operations above with a FSM?
![Page 39: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/39.jpg)
Limitations and extensions
P
channel1 channel2
Token represents a message.You wish to say that the delivery channel dependson contents.How?Petri nets cannot specify selection policies.
![Page 40: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/40.jpg)
Extension 1: Assigning values to tokens
Transitions have associated predicates and functions
Predicate refers to values of tokens in input places selected for firing
Functions define values of tokens produced in output places
![Page 41: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/41.jpg)
Example
PP
P
PP
34
71 4
t t1 2
45
12
3Predicate P2 > P1 and function P4 := P2 + P1 associated with t1
Predicate P3 = P2 and functions P4 := P3 P2 and P5 := P2 + P3 are associated with t2
The firing of t1 by using <3,7> would produce the value 10 in P4. t2 can then fire using <4, 4>
![Page 42: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/42.jpg)
Extension 2:Specifying priorities A priority function from transitions to natural
numbers: pri: T N When several transitions are enabled, only
the ones with maximum priority are allowed to fire
Among those with the same priority, the one to fire is chosen non-deterministically
![Page 43: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/43.jpg)
Extension 3:Timed Petri nets A pair of constants <tmin, tmax> is
associated with each transition Once a transition is enabled, it must
wait for at least tmin to elapse before it can fire
If enabled, it must fire before tmax has elapsed, unless it is disabled by the firing of another transition before tmax
![Page 44: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/44.jpg)
Example:Combining priorities and time
P P P
t t t tmin = 1 tmax = 4
tmin = 2 tmax = 3
tmin = 0 tmax = 5
priority = priority = priority = 1 3 2
P
1
1 2
2
3
3
4
![Page 45: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/45.jpg)
Precise, unambiguous, clear Another example (from a real safety-
critical system)
The message must be triplicated. The threecopies must be forwarded through three different physical channels. The receiver accepts the message on the basis of a two-out-of-three voting policy.
can a message be accepted as soon as we receive 2 out of 3 identical copies of message or do we need to wait for receipt of the 3rd?
![Page 46: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/46.jpg)
Original message
Message triplication
Message copies
Message copies transmission
tmin = tmax =
tmin = tmax =
tmin = tmax = 0
0
for all three transitions
PC1
PC2PC3
c1 k1
c2k2
Forwarded message
tvoting1 tvoting2 tvoting3
{
{
{Precise specificationof message triplication problemCase (1)
![Page 47: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/47.jpg)
Original message
Message triplication
Message copies
Message copies transmission
tmin = tmax =
tmin = tmax =
tmin = 0 tmax = 0
PC1
PC2
PC3
c1 k1
c2k2
tvoting
Forwarded message
Precise specificationof message triplication problemCase (2)
![Page 48: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/48.jpg)
Elevator Example with PNs
![Page 49: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/49.jpg)
Initial sketch of movement
Elevator at floor j
Elevator at floor j + 1
Pushing internal button for floor j + 1
Button illumination Transfer
from floor j to j+1
Shortcomings:
• External buttons?• Movement can be caused by any button• Button reset?• From 4 to 27, and floor 20 button pushed•Scalability – 100 floors!• Button illumination if button pushed multiple times
![Page 50: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/50.jpg)
Button module
C P P u s h
S e t
O f f
R e s e t
O n
0 . 1 . . 0 . 0 5 . . 0 . 0 5
0 . . 0
![Page 51: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/51.jpg)
Elevator position (sketch)F
F DFUF
UF F DF
UF FDF
F
m
m-1
3
2
1
m-1 m-1
3 3
2 2
![Page 52: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/52.jpg)
Assume j+1hm
Fj+1 UFj+1
Fj"
t Fj'
UPh On
On
DOWNh
ILBh
DOWNj+1
On
On
On
On
ILBj+1
Fj
t1 t2 t3 t4 t5 t6
t7
t8 t9
t10 t11 t12
UPj+1
More precise description of elevator position
![Page 53: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/53.jpg)
Switch internal button off
I L B j
F j
S e t
R e s e t
O f fO n0 . . 0
![Page 54: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/54.jpg)
Switch external button off
Set
x..x Reset
ti'
Fj
Fj'
On Off
UPj
x time needed bya person to enter + pushing button
![Page 55: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/55.jpg)
Example: Vending Machine
The machine dispenses two kinds of snack bars – 20c and 15c.
Only two types of coins can be used – 10c coins and 5c coins.
The machine does not return any change.
![Page 56: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/56.jpg)
Example: Vending Machine (A Petri net)
5c
Take 15c bar
Deposit 5c
0c
Deposit 10c
Deposit 5c
10c
Deposit 10c
Deposit5c
Deposit 10c20c
Deposit5c
15c
Take 20c bar
![Page 57: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/57.jpg)
Example: Vending Machine (3 Scenarios) Scenario 1:
Deposit 5c, deposit 5c, deposit 5c, deposit 5c, take 20c snack bar.
Scenario 2: Deposit 10c, deposit 5c, take 15c snack bar.
Scenario 3: Deposit 5c, deposit 10c, deposit 5c, take 20c
snack bar.
![Page 58: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/58.jpg)
Example: Vending Machine (Token Games)
5c
Take 15c bar
Deposit 5c
0c
Deposit 10c
Deposit 5c
10c
Deposit 10c
Deposit5c
Deposit 10c20c
Deposit5c
15c
Take 20c bar
![Page 59: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/59.jpg)
Behavioral properties (1) Properties that depend on the initial marking Reachability
Mn is reachable from M0 if exists a sequence of firings that transform M0 into Mn
Boundedness a PN is bounded if the number of tokens in each place
doesn’t exceed a finite number k for any marking reachable from M0
a PN is safe if it is 1-bounded
![Page 60: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/60.jpg)
Behavioral properties (2)
Liveness a PN is live if, no matter what marking has been reached, it
is possible to fire any transition with an appropriate firing sequence
Liveness=> deadlock free (but not vice versa) strong property, different levels of liveness are defined
(L0=dead, L1, L2, L3 and L4=live) Reversibility
a PN is reversible if, for each marking M reachable from M0, M0 is reachable from M
relaxed condition: a marking M’ is a home state if, for each marking M reachable from M0, M’ is reachable from M
![Page 61: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/61.jpg)
Analysis methods (1)
Coverability tree tree representation of all possible markings
root = M0 nodes = markings reachable from M0 arcs = transition firings
if net is unbounded, then tree is kept finite by introducing the symbol
Properties a PN is bounded iff doesn’t appear in any node a PN is safe iff only 0’s and 1’s appear in nodes a transition is dead iff it doesn’t appear in any arc if M is reachable form M0, then exists a node M’ that covers
M
![Page 62: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/62.jpg)
Coverability tree example
t3
p2
t2
p1
t1
p3
t0
M0=(100)
![Page 63: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/63.jpg)
Coverability tree example
t3
p2
t2
p1
t1
p3
t0
M0=(100)
M1=(001)“dead end”
t1
![Page 64: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/64.jpg)
Coverability tree example
t3
p2
t2
p1
t1
p3
t0
M0=(100)
M1=(001)“dead end”
t1 t3
M3=(10)
![Page 65: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/65.jpg)
Coverability tree example
t3
p2
t2
p1
t1
p3
t0
M0=(100)
M1=(001)“dead end”
t1 t3
M3=(10)t1
M4=(01)
![Page 66: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/66.jpg)
Coverability tree example
t3
p2
t2
p1
t1
p3
t0
M0=(100)
M1=(001)“dead end”
t1 t3
M3=(10)t1
M4=(01)
t3
M3=(10) “old”
![Page 67: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/67.jpg)
Coverability tree example
t3
p2
t2
p1
t1
p3
t0
M0=(100)
M1=(001)“dead end”
t1 t3
M3=(10)t1
M4=(01)
t3
M6=(10) “old”t2
M5=(01) “old”
![Page 68: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/68.jpg)
Coverability tree example
100 M0=(100)
M1=(001)“dead end”
t1 t3
M3=(10)t1
M4=(01)
t3
M6=(10) “old”t2
M5=(01) “old”
t1 t3
t110001
01t3
t2
coverability graph coverability tree
![Page 69: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/69.jpg)
Need for verification(in some safety-critical domains) Designers are fallible even if they are skilled
and follow sound principles Everything must be verified, every required
quality, process and products even verification itself…
![Page 70: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/70.jpg)
Approaches to verification
Experiment with behavior of product sample behaviors via testing goal is to find "counterexamples" dynamic technique
Analyze product to deduce its adequacy analytic study of properties static technique
![Page 71: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/71.jpg)
Testing and lack of "continuity"
Testing samples behaviors by examining "test cases"
Impossible to extrapolate behavior of software from a finite set of test cases
No continuity of behavior it can exhibit correct behavior in a seemingly
infinite number of cases, but may still be incorrect in some cases
![Page 72: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/72.jpg)
Dijkstra Said
“Program testing can be used to show the presence of bugs, but never to show their absence!”
Undergraduate “programming” classes at UT-Austin
![Page 73: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/73.jpg)
History Program verification is almost as old as programming (e.g.,
“Checking a Large Routine”, Turing 1949) Naur66, Floyd67:
used assertions to specify/verify flowchart programs Hoare69:
developed the proof system for Hoare triples Boehm and Jacopini, 1966
Proved that control logic of any flowchartable program could be expressed without gotos, using only sequence, selection, iteration.
Edsger Dijkstra, 1970 His argument that gotos are harmful was motivated by a desire
to shorten formal proofs of correctness Reynolds00, Ishtiaq&O’Hearn01
extended Hoare’s proof system using separating connectives to handle pointers
![Page 74: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/74.jpg)
Formal Methods Advantages
Change program from a private, puzzle-solving activity to a public, verifiable activity of translating specifications into programs
Based on formal mathematical techniques Only way to provide guaranteed correctness Supported by formal languages (Z, VDM-SL, REFINE), proof-
checkers, and translation systems Disadvantages
Notations are often baroque, confusing Formal techniques do not scale up very well
In Practice Formal techniques have been used successfully, and are
especially recommended for safety-critical systems Formal approaches and tools may be mandated, e.g., British
Ministry of Defense. But, not even considered by most programmers…
![Page 75: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/75.jpg)
Hoare Said
“Thus the practice of proving programs would seem to lead to solution of three of the most pressing problems in software and programming, namely, reliability, documentation, and compatibility. However, program proving, certainly at present, will be difficult even for programmers of high caliber; and may be applicable only to quite simple program designs.”
![Page 76: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/76.jpg)
“Things like even software verification, this has been the Holy Grail of computer science for many decades but now in some very key areas, for example, driver verification we’re building tools that can do actual proof about the software and how it works in order to guarantee the reliability.” Bill Gates, April 18, 2002.
Gates Said
![Page 77: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/77.jpg)
Basic Programming Constructs Form programs only from basic 1-in, 1-out
control constructs: Sequence: begin S1 S2 end Selection: if E then S1 else S2 end Iteration: while E loop S1 end Above statements are enough , but 1-in, 1-out
statements include: if/elseif, case statements, for loops, etc.
![Page 78: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/78.jpg)
Correctness ProofsTo prove a program is correct:
We need to prove the post-condition is true after executing the program fragment
(assuming the pre-condition was true beforehand)E.g.
Step 1: for z>0 to be true after the assignment, x*y>0 must have been true before it
Step 2: for x*y>0 to be true before the assignment, the precondition must imply it.
Step 3: show that (x>0 and y>0) implies x*y>0
{ x>0 and y>0 }z := x*y;{ z>0 }
![Page 79: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/79.jpg)
Weakest Precondition
Starting with a post-assertion, what is the weakest pre-condition that makes the assertion true?
In other words, what must be true before to make the assertion true after?
[WP ^ [test&action] ] -> Assertion
![Page 80: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/80.jpg)
What do we mean by “weakest”? If A => B but not (B => A), then B is “weaker”
than A, and A is “stronger” than B. The weakest possible predicate is the one
that is identically true, because A => true no matter what A is.
Similarly, the strongest possible predicate is false
![Page 81: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/81.jpg)
Weakest Precondition
Dijkstra’s definition: The condition that characterizes the set of all
initial states, such that activation will certainly result in a properly terminating happening leaving the system in a final state satisfying a given post-condition, is called "the weakest pre-condition corresponding to that post-condition". (We call it "weakest", because the weaker a condition, the more states satisfy it and we aim here at characterizing all possible starting states that are certain to lead to a desired final state.)
![Page 82: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/82.jpg)
The general strategy is:1) start with the post-condition2) work backwards through the program line-by-line3) find the weakest pre-condition (WP) that guarantees the post-condition4) prove that the actual pre-condition implies WP
i.e. the actual pre-condition is weaker than the “weakest pre-condition”, WP
For example
1) for Post to be true after S2, then x<1 must be true before S2
2) for x<1 to be true after S1, then 0<1 must be true before S1
3) (0<1) is the weakest precondition for this program4) So is (true implies 0<1) true?
Using Weakest Pre-conditions
PreS1S2
Post
{ true } x := 0; y := 1{ x<y }
![Page 83: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/83.jpg)
Proof rulesProof rules
tell us how to find weakest preconditions for different programswe need a proof rule for each programming language construct
Proof rule for assignmente.g. for
the weakest precondition is Post with all free occurrences of x replaced by e
Proof rule for sequencee.g. for
if WP2 is the weakest precondition for S2, then the weakest precondition for the whole program is the same as the weakest precondition for { Pre } S1 { WP2 }
{ Pre } x := e; { Post }
{ Pre } S1; S2{ Post }
![Page 84: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/84.jpg)
Hoare Notation
We can express proof rules more conciselye.g. using Hoare notation:
this means “if claim1 and claim2 have both been proved, then conclusion must be true”
claim1, claim2, ...conclusion
![Page 85: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/85.jpg)
Hoare NotationE.g. for sequence:
E.g. for if statements:
find the weakest precondition for S1 and the weakest precondition for S2.
Then show ((Pre and c) implies WP S1) and ((Pre and not(c)) implies WP S2)
{Pre}S1{Q}, {Q}S2{Post}{Pre}S1; S2{Post}
{Pre and c}S1{Post}, {Pre and not(c)}S2{Post}{Pre}if (c) then S1 else S2{Post}
![Page 86: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/86.jpg)
1) the first branch:
to find the weakest precondition, substitute x for max:
WP1 = {(x=x or x=y) and (x>=x) and (x>=y)}= {(true or x=y) and true and (x>=y)}= {(true) and (x>=y)}= {x>=y}
{ true } if (x>y) then max := x;else max := y; { (max=x or max=y) and max>=x and
max>=y) }{ true and x>y }max := x;{ Post }
Proving an If statement
which is okay because(Pre and c) implies WP1,{true and x>y} implies {x>=y}
![Page 87: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/87.jpg)
{ true } if (x>y) then max := x;else max := y; { (max=x or max=y) and max>=x and
max>=y) }
2) the second branch:
to find the weakest precondition, substitute y for max:WP2 = {(y=x or y=y) and
(y>=x) and (y>=y)}= {(y=x or true) and
(y>=x) and true}= {(true) and (y>=x)}= {y>=x}
{ true and not(x>y) }max := y;{ Post }
Proving an If statement
which is okay because(Pre and not(c)) implies WP2,{true and not(x>y)} implies {y>=x}
![Page 88: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/88.jpg)
Proof rules for a language
{F1}S1{F2}, {F2}S2{F3}
{F1}S1;S2{F3}sequence
{Pre and cond} S1 {Post},{Pre and not cond} S2 {Post}{Pre} if cond then S1 ; else S 2 ; end if; {Post}
if-then-else
while-do{I and cond} S {I}
{I} while cond loop S; end loop; {I and not cond}
I loop invariant
![Page 89: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/89.jpg)
Program proofs are not (currently) widely used:
they can be tedious to construct they tend to be longer than the programs
they refer to they could contain mistakes too! they require mathematical expertise they do not ensure against hardware
errors, compiler errors, etc. they only prove functional correctness (i.e.
not termination, efficiency,…)
Practicalities
![Page 90: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/90.jpg)
Practical formal methods:Just use for small parts of the program
e.g. isolate the safety-critical partUse to reason about changes to a
programe.g. prove that changing a statement preserves
correctnessAutomate some of the proof
use proof checkers and theorem proversUse formal reasoning for other things
test properties of the specification to see if we got the spec right
ie. use for validation, rather than verification
Practicalities
![Page 91: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/91.jpg)
Implication review
P Q P => Q
T T T
T F F
F T T
F F T
If it rains tomorrow, then I will sleep-in late.
It rained – I slept in late.
It rained – I did NOT sleep in late.
It did NOT rain – I slept in late.
It did NOT rain – I did NOT sleep in late.
![Page 92: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/92.jpg)
Review from last week
Which is true: {true and x>y} implies {x>=y} {true and x>=y} implies {x>y}
Does {X=1} => {X=1 or X=0} ?
![Page 93: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/93.jpg)
Fibonacci Numbers
n’th Fibonacci number fib(n): fib(0) = 0, fib(1) = 1 fib(n+2) = fib(n+1) + fib(n)
![Page 94: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/94.jpg)
Implementation in C
if (n==0) { a=0; }else {
i=1; p=0; a=1;while (i != n) {
t=p; p=a; a=p+t; i=i+1;}
} Does this program calculate “fib(n)” and store
the result in “a”?
![Page 95: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/95.jpg)
Specification
Spec: {true}FIB{a==fib(n)}
![Page 96: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/96.jpg)
Specification
Spec: {true}FIB{a==fib(n)} FIB does not satisfy the spec: when n<0,
fib(n) is not even defined!!
![Page 97: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/97.jpg)
Specification
Spec: {true}FIB{a==fib(n)} FIB does not satisfy the spec: when n<0,
fib(n) is not even defined!! New spec: {n>=0}FIB{a==fib(n)} But, how can we be sure that the new spec
holds?
![Page 98: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/98.jpg)
Hoare Logic
Hoare logic consists of inference rules for proving valid Hoare triples Assignment, Conditional, Composition, while Loop What about others:
Switch, for loop, procedure call, inheritance? So, we can use these rules to show that
{n>=0}FIB{a==fib(n)} holds.
![Page 99: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/99.jpg)
Rule for Conditional
So, {n>=0}FIB{a==fib(n)} holds if FIB satisfies:
if (n==0) { {n>=0&&n==0}C1{a==fib(n)} }
else { {n>=0&&!(n==0)}C2{a==fib(n)}}
![Page 100: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/100.jpg)
Rule for Assignment
So, {n==0}a=0;{a==fib(n)} because n==0 implies 0==fib(n).
It suffices to show the correctness of C2:if (n==0) { {n>=0&&n==0}a=0;{a==fib(n)} }
else { {n>=0&&!(n==0)}C2{a==fib(n)} }
![Page 101: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/101.jpg)
Rule for Sequencing
So, it suffices to show:if (n==0) { {n>=0&&n==0}a=0;{a==fib(n)} }else { {n>=0&&!(n==0)}
i=1;p=0;a=1;{a==fib(i)&&p==fib(i-1)&&i<=n}while (I!=n) { t=p;p=a; a=p+t;i=i+1; }{a==fib(n)}
}
We focus on this step
![Page 102: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/102.jpg)
Rule for Loop
So, we have:{a==fib(i)&&p==fib(i-1)&&i<=n}while(i!=n) {
{a==fib(i)&&p==fib(i-1)&&i<=n&&i!=n} t=p; p=a; a=p+t; i=i+1;{a==fib(i)&&p==fib(i-1)&&i<=n}
}{a==fib(i)&&p==fib(i-1)&&i<=n&&!(i!=n)}
We prove this in the next slide
![Page 103: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/103.jpg)
Application of loop rule
{a==fib(i)&&p==fib(i-1)&&i<=n&&i!=n}{(a+p)==fib(i+1)&&a==fib(i+1-1)&&(i+1)<=n}
t=p; {(a+t)==fib(i+1)&&a==fib(i+1-1)&&(i+1)<=n}
p=a; {(p+t)==fib(i+1)&&p==fib(i+1-1)&&(i+1)<=n}
a=p+t;{a==fib(i+1)&&p==fib(i+1-1)&&(i+1)<=n}
i=i+1;{a==fib(i)&&p==fib(i-1)&&i<=n}
![Page 104: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/104.jpg)
Consequence
Since a==fib(i)&&!(i!=n) implies a==fib(n), we have:
{a==fib(i)&&p==fib(i-1)&&i<=n}while(i!=n) { t=p; p=a; a=p+t; i=i+1; }{a==fib(i)&&p==fib(i-1)&&i<=n&&!(i!=n)} {a==fib(n)}
![Page 105: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/105.jpg)
In-class examples
Prove:
{x=0 & y<0}x := x-1;x:= x-y;
{x >=0 }
![Page 106: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/106.jpg)
In-class examples
Prove:
{x>=0 & x=a & y=0}while x>0 loop
x := x-1;y := y+1;
end loop;{y=a}
What is the invariant?
![Page 107: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/107.jpg)
Another Risk
Windows daylight saving and file time-stamp"Chris Jakeman (Bigfoot)" Sun, 3 Nov 2002 21:48:22 -0000Discovered today that a misbehaving program wasdue to a strange behaviour in Windows. When thecomputer clock changes due to Daylight SavingTime (we gained an hour a week ago in the UK),Windows also changes the time stamp of all itsfiles by an hour. This came to light whensynchronising files between a Unix webserver anda Windows copy of the website, usingDreamweaver.
![Page 108: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/108.jpg)
Program Testing
Can reveal the presence of errors NOT their absence Only exhaustive testing can show a program is free from
defects. However, exhaustive testing for any but trivial programs is impossible
A successful test is a test which discovers one or more errors
Should be used in conjunction with static verification Run all tests after modifying a system
Regression testing
![Page 109: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/109.jpg)
Test Cases, Specs, and Programmed Behaviors
S = Specified behaviorsP = Programmed behaviorsT = Tested behaviorU = All possible behaviors
S P
[Adapted from Software Testing A Craftman’s Approach, by Jorgensen, CRC Press, 1995]
T
U
1
2
34
5 6
7
We want to makeregion 1 as largeas possible.
![Page 110: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/110.jpg)
Test Cases
Test case: An input on which the program under test is executed during
testing Test set:
Set of test cases for executing a program Test cases are valuable – just as valuable as the source
code. Test cases need to be developed, reviewed, used, managed,
and saved. Information to include: Test case ID, purpose, pre-conditions,
inputs, expected outputs, post-conditions, and execution history (date, result, version, run by)
[Adapted from Software Testing A Craftman’s Approach, by Jorgensen, CRC Press, 1995]
![Page 111: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/111.jpg)
The V-model of testing
![Page 112: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/112.jpg)
Testing Stages
Unit testing Testing of individual components
Integration testing Testing to expose problems arising from the
combination of components System testing
Testing the complete system prior to delivery Acceptance testing
Testing by users to check that the system satisfies requirements. Sometimes called alpha testing
![Page 113: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/113.jpg)
Terminology Failure
A failure is said to occur whenever the external behavior does not conform to system spec.
Error An error is a state of the
system which, in the absence of any corrective action, could lead to a failure.
Fault The actual cause of an
error.
![Page 114: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/114.jpg)
Distinction between Debugging and Testing Defect testing and debugging are distinct
processes Defect testing is concerned with confirming
the presence of errors Debugging is concerned with locating and
repairing these errors Debugging involves formulating a hypothesis
about program behavior then testing these hypotheses to find the system error
![Page 115: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/115.jpg)
Historical Views: Thinking About Testing Phase 0: Testing = Debugging Phase 1: Testing is an act whose purpose is to show that the
software works. Phase 2: Testing is an act whose purpose is to show that the
software does not work. Phase 3: Testing is an act whose purpose is not to prove
anything, but to reduce the perceived risk of failure to an acceptable level.
Phase 4: Testing is not an act; rather, it is a mindset that involves development and coding practices along with a systematic approach to exercising the software.
[Adapted from Software Testing Techniques, 2nd Edition, by Boris Beizer, Van Nostrand Reinhold, 1990]
![Page 116: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/116.jpg)
What Testing Showserrors
requirements conformance
performance
an indicationof quality
[Adapted from Software Engineering A Practitioner’s Approach 5th Edition, by Pressman, McGraw-Hill, 2000]
![Page 117: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/117.jpg)
Test Coverage and Adequacy
How much testing is enough? When to stop testing? Various test coverage criteria developed Goodenough and Gerhart [1975]:
What is software test adequacy criterion? A predicate that defines “what properties of a program
must be exercised to constitute a thorough test. i.e., one whose successful execution implies no errors in the program”
![Page 118: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/118.jpg)
Gerhart and Goodenough
Reliability requirement “Test criterion always produces consistent test results” If a program tested successfully on one test set that
satisfies the criterion, then the program also tested successfully on all test sets that satisfy the criterion
Validity requirement “Test always produces a meaningful result” For every error in a program, there exists a test set that
satisfies the criterion and is capable of revealing the error
![Page 119: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/119.jpg)
Two uses of test adequacy
Serves as a stopping rule Determines whether sufficient testing has been
done according to the criterion such that testing can be stopped
E.g., when using statement coverage, testing can stop when all program statements have been exercised
Provide measurements of test quality Percentage of coverage used as a metric to guide
whether further tests are needed
![Page 120: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/120.jpg)
Testing Methods Functional (Black Box) Testing
Knowing the specified functions that a product has been designed to perform, tests can be conducted to demonstrate that each function is fully operational.
Test cases are based on external behavior as well as internal structure.
Aka: specification-based, data-driven, or input/output driven testing Structural (White Box) Testing
Knowing the internal workings of a program, tests can be conducted to assure that the internal operation performs according to specification, and all internal components have been exercised.
Test cases are based on internal structure of the program and a specific level of coverage.
Aka: code-based, glass-box, logic-driven, or path-oriented testing Mutation testing; perturbation testing
Purposefully inserting errors into the code to help in determining the degree to which the program is being tested
![Page 121: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/121.jpg)
Feasibility of Testing to Specifications Suppose specs include 20 factors, each
taking on 4 values 420 or 1.1 1012 test cases If each takes 30 seconds to run, running all test
cases takes > 1 million years Combinatorial explosion makes exhaustive
testing to specifications impossible
![Page 122: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/122.jpg)
Feasibility of Testing to Code
Can exercise every path without detecting every fault (what if x=2, y=1, z=3?)
![Page 123: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/123.jpg)
Coping with the Combinatorial Explosion Neither testing to specifications nor testing to
code is feasible The art of testing:
Select a small, manageable set of test cases to Maximize chances of detecting fault, while Minimizing chances of wasting test case
Every test case must detect a previously undetected fault
![Page 124: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/124.jpg)
Coping with the Combinatorial Explosion We need a method that will highlight as many faults as
possible First black-box test cases (testing to specifications) Then glass-box methods (testing to code)
![Page 125: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/125.jpg)
Functional (Black Box) Testing
Knowing the specified function (requirements), design test cases to ensure that those requirements are met. Example : Sort (list);
Structural Testing - How well is the code exercised? Functional Testing - How well does Sort perform its intended function?
In general, complete functional testing is not feasible Attempting to test every possible input to the function
A randomly selected set of test cases is statistically insignificant “Not all test cases are created equally”
Test case selection Based on characteristics of input and output sets relative to
specified functionality.
![Page 126: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/126.jpg)
Functional Testing
Types of errors looked for during functional testing Incorrect function or missing function Interface errors External database errors Performance errors (including stress testing) Initialization/termination errors
Tests are designed to answer the following questions How is functional validity tested? What classes of input will make good test cases? Is the system particularly sensitive to certain input values? How are the boundaries of a data class isolated? What data rates and data volume can the system tolerate? What effect will specific combinations of data have on system
operations?
[Adapted from Software Engineering 4th Ed, by Pressman, McGraw-Hill, 1997]
![Page 127: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/127.jpg)
Goals and Methods of Functional Testing Goals
Produce test cases that reduce the overall number of test cases Generate test cases that will tell us something about the
presence or absence of errors for an entire class of input Methods/Approaches
Equivalence partitioning Boundary value analysis Cause-effect graphing Decision Tables
![Page 128: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/128.jpg)
Equivalence Partitioning
It is impossible to test all cases Equivalence partitioning provides a
systematic means for selecting cases that matter and ignoring those that don’t
An equivalence class or equivalence partition is a set of test cases that tests the same aspect or reveals the same bugs
e.g., If X >= 15 then do-this else do-that
(- 15) 15 (15 )
![Page 129: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/129.jpg)
Equivalence Partitioning
Equivalence partitions – groups for similar inputs, outputs, and/or operation of the software
e.g., file-name, 1 .. 255 characters- valid characters- invalid characters- valid length- invalid length
![Page 130: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/130.jpg)
Boundary Value Analysis
Range : a..b
Example : 100..200 Test cases : 99, 100, 101, 199, 200, 201
Number of values Test cases that exercise minimums and maximums
Apply the above to the output conditions Try to drive output to invalid range
Internal data structures with boundaries Example : A(1..100) with test cases A(0), A(1), A(2), A(99), A(100), A(101) A(0) and A(101) should generate exceptions
a b
( ))( (
![Page 131: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/131.jpg)
Equivalence Class Example
function in_list (input1:name_type;input_list : list_names)return boolean is …
Equivalence Classes:(1) Inputs where input1 is in the list
(2) Inputs where input1 is not in the list
Specific Input Partitions:List input1Empty ?One element In the listOne element Not in the list>One element First element>One element Last element>One element Middle element>One element Not in list
Test CasesList input1 Output<nil> ? falsebird bird truebird fish falsebird, cat, owl bird truedog, pig, chicken chicken true
...
![Page 132: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/132.jpg)
Cause Effect Graphing
Causes (input conditions) and effects (actions) are listed for a module, and an identifier is assigned to each
A cause-effect graph is developed Looking for causes without effects Looking for effects without causes
The graph is converted to a decision table (if a decision table has been used as a design tool, developing the graph and table is not necessary)
Decision table rules are converted to test cases
![Page 133: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/133.jpg)
Cause-Effect Graph Symbology
Identity
“Not”
“And”
“Or”
Symbology Constraints
c1
c1
c1
c2
c1
c2
e1
e1
e1
e1
c
a
a
a
a
b
b
b
b
E I O
R
ExclusiveInclusive
Only One
Requires
![Page 134: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/134.jpg)
Cause-Effect Graphing Example The CHANGE subcommand - used to modify a character string
in the “current line” of the file being edited Inputs
Syntax : C /string1/string2 String1 represents the character string you wish to replace
1-30 characters Any character except ‘/’
String2 represents the character string that is to replace string1 0-30 characters Any character except ‘/’
At least one blank must follow the command name “C”
![Page 135: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/135.jpg)
Cause-Effect Graphing Example
Outputs Changed line is printed to the terminal if the command
is successful “NOT FOUND” is printed if string1 cannot be found “INVALID SYNTAX” is printed if the command syntax
is incorrect System Transformations
If the syntax is valid and string1 can be found in the current line, then string1 is removed and string2 replaces it
If the syntax is invalid or string1 cannot be found, the line is not changed
![Page 136: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/136.jpg)
Cause-Effect Graphing Example Cause 1: The first nonblank character following the “C” and one or more
blanks is a ‘/’ Cause 2: The command contains exactly two ‘/’ characters Cause 3: String1 has length 1 Cause 4: String1 has length 30 Cause 5: String1 has length 2-29 Cause 6: String2 has length 0 Cause 7: String2 has length 30 Cause 8: String2 has length 1-29 Cause 9: The current line contains an occurrence of string1 Effect 1: The changed line is typed Effect 2: The first occurrence of string1 in the current line is replaced by
string2 Effect 3: NOT FOUND is printed Effect 4: INVALID SYNTAX is printed
![Page 137: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/137.jpg)
Complete Cause-Effect Graph
c1
c2
c3
c4
c5
c6
c8
c7
c9
i1
i2
i3
e1
e2
e3
e4
![Page 138: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/138.jpg)
Converting to a Decision Table
1 2 3 4 5 6 7 8 9 10 11c1c2c3c4c5c6c7c8c9
e1e2e3e4
I = invoked A = absentS = suppressed P = presentX = don't care
![Page 139: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/139.jpg)
jUnit Test framework
Initially developed to support Extreme Programming Focused on unit testing
Features and Goals Trivial to add unit tests Trivial to run tests
Taking ACE and TAO’s one-button tests to the extreme (actually one-button runs them all)
Tests must be complete automatic (no user input) Trivial presentation of test results
Green = good Red = one or more tests failed
Rerun tests without exiting the testing interface Large assertion API to aid condition checking
Idea: Unit tests are good, but a pain to write -> jUnit alleviates much of the pain
![Page 140: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/140.jpg)
Writing a jUnit Test Case1. Define a subclass of TestCase2. Override the setUp() method to initialize object(s)
under test (optional)3. Override the tearDown() method to release any
permanent resources you allocated in setUp() (optional)
4. Define one or more testXxx() methods that exercise the objects under test
5. Define a suite() method that creates a TestSuite containing all the testXxxx() methods of a TestCase
6. Define a main() method that runs the TestCase
![Page 141: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/141.jpg)
Basic jUnit Test Caseimport junit.framework.*;
public class CubeTest extends TestCase { public CubeTest(String name) { super(name); } protected void setUp() { /* Any pre-test setup */ } protected void tearDown() { /* Any post-test teardown */ } public void testCubePositive() { assertEquals(Cube.calcCube(5), 125); } public void testCubeNegative() { assertEquals(Cube.calcCube(-5), -125); } public void testCubeZero() { assertEquals(Cube.calcCube(0), 0); }}
![Page 142: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/142.jpg)
import junit.framework.*;import junit.runner.BaseTestRunner;
public class AllTests {
public static Test suite() { TestSuite suite= new TestSuite("Cube Tests"); suite.addTestSuite(CubeTest.class); return suite; } public static void main(String[] args) { junit.textui.TestRunner.run(suite()); }}
Basic jUnit Test Suite
![Page 143: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/143.jpg)
Running the jUnit Tests Three ways:
Text UI – java junit.textui.TestRunner <Suite> AWT UI - java junit.awtui.TestRunner <Suite> Swing UI - java junit.swingui.TestRunner <Suite>
GUI features Reload classes each run
Make changes without restarting the test runner Browse test cases Run individual tests
Text UI features Fastest Can be automated
![Page 144: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/144.jpg)
Screenshot of Cube Test Run
![Page 145: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/145.jpg)
Assertion APIassertEquals(T expected, T actual);
assertEquals(double expected, double actual, double delta);
assertNull(Object object);
assertNotNull(Object object);
assertSame(Object expected,Object actual);
assertTrue(boolean condition);
fail(String message);•If any exceptions are thrown, jUnit will catch and log them too.
![Page 146: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/146.jpg)
Glass-Box Module Testing Methods Structural testing
Statement coverage Branch coverage Condition coverage Path coverage Linear code sequences All-definition-use path coverage
![Page 147: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/147.jpg)
Control Flow Graph• Step 1: From the source code, create a graph describing the flow of control (called the control flow graph). The graph is created (extracted from the source code) manually or automatically
• Step 2: Design test cases to cover certain elements of this graph nodes, edges, paths
![Page 148: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/148.jpg)
Structural Testing: Statement Coverage Statement coverage:
Series of test cases to check every statement at least once
CASE tool needed to keep track Weakness
Branch statements Consider
if ( y >= 0) then y = 0;abs = y;
test case-1:input: y = 0expected result: 0actual result: 0
This case gives the false assumption that the code is correct.
![Page 149: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/149.jpg)
Structural Testing: Branch Coverage Series of tests to check all branches (solves
problem on previous slide); edge coverage Again, a CASE tool is helpful
if ( y >= 0) then y = 0;abs = y;
test case-1:input: y = 0expected result: 0actual result: ?
test case-2:input: y = -5expected result: 5actual result: ?
Branch=>statementnot true other way…
![Page 150: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/150.jpg)
Branch Coverage Problem
if ( x < 10 && y > 20) { z = foo (x,y);else z =fie (x,y);}
test case-1 (yes-branch):input: x = -4, y = 30expected result: ...actual result: ?
test case-2 (no-branch):input: x = 12, y = 12expected result: ...actual result: ?
What is the potential problem here?
![Page 151: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/151.jpg)
Another example…
found := false; counter : = 1;while (not found) and counter < number_of_items loop …
Perhaps < should be <=, but certain values of found and counter may not reveal this…
![Page 152: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/152.jpg)
Condition Coverage
if ( x < 10 && y > 20) { z = foo (x,y);else z =fie (x,y);}
x<10 y>20-----------------------------------test-case-1: t ttest-case:2 t ftest-case-3: f ttest-case-4 f f
![Page 153: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/153.jpg)
Another Problem…
Consider:
{x = 0, z = 12} (n,y){x = 2, z = 6} (y,n)
What is the problem here?
![Page 154: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/154.jpg)
Path Coverage
Consider:
{x = 0, z = 7} (n,n){x = 0, z = 13} (n,y){x = 1, z = 5} (y,n){x = 2, z = 15} (y,y)
All paths leading from initial to the final node of P’s control flowgraph are traversed…
![Page 155: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/155.jpg)
Linear Code Sequences In a fragment with a loop, the number of paths is
very large, and can be infinite We want a weaker condition than all paths but that shows
up more faults than branch coverage Linear code sequences
Identify the set of points L from which control flow may jump, plus entry and exit points
Restrict test cases to paths that begin and end with elements of L
This uncovers many faults without testing every path
![Page 156: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/156.jpg)
All-definition-use-path Coverage Each occurrence of variable, zz say, is labeled either as
The definition of a variablezz = 1 or read (zz)
or the use of variabley = zz + 3 or if (zz < 9) errorB ()
Identify all paths from the definition of a variable to the use of that definition This can be done by an automatic tool
A test case is set up for each such path
![Page 157: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/157.jpg)
Data-flow testing using def-use
![Page 158: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/158.jpg)
Data-flow testing using def-use
Led to research ideas of program slicing, and other static analysis techniques…
![Page 159: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/159.jpg)
Another Example of def-use
![Page 160: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/160.jpg)
Continued…
![Page 161: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/161.jpg)
Infeasible Code
It may not be possible to test a specific statement May have an
infeasible path (“dead code”) in the module
Frequently this is evidence of a fault
![Page 162: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/162.jpg)
Automated Testing of GUIs
Commercial tools: Mercury Interactive
WinRunner, LoadRunner Rational
Ph.D. Level research: Best reference: Atif Memon
http://www.cs.umd.edu/~atif/
![Page 163: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/163.jpg)
C/S - DatabasesLoadRunner (Load/Stress)TestDirector(Test Management)WinRunner (Functional/Regression)
E - BusinessWebTest Add-in for WinRunnerLoadRunnerTestDirectorAstra Site ManagerAstra Site Test
ERP Applications
WinRunnerTestDirector LoadRunner QuickTest
Year 2000
QuickTest 2000WinRunner 2000TestDirectorLoadRunner/RTE
The Mercury Interactive Product Line
MERCURY’S PRODUCT
LINE
![Page 164: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/164.jpg)
Why Use Testing Tools?
No TestingNo Testing Manual TestingManual Testing• Time consuming• Low reliability• Human resources• Inconsistent
Automated TestingAutomated TestingSpeedRepeatabilityProgramming
capabilitiesCoverageReliabilityReusability
![Page 165: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/165.jpg)
Which Test Cases to Automate?
Tests that need to be run for every build of the application (sanity level)
Tests that use multiple data values for the same actions (data driven tests)
Tests that require detailed information from application internals (e.g., SQL, GUI attributes)
Stress/load testing
More repetitive execution?Better candidate for automation.
![Page 166: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/166.jpg)
Which Test Cases Not to Automate?Usability testing
"How easy is the application to use?"One-time testing"ASAP" testing
"We need to test NOW!"Ad hoc/random testing
based on intuition and knowledge of applicationTests without predictable results
Improvisation required?Poor candidate for automation.
![Page 167: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/167.jpg)
What Happens During Recording?
set_window("Automobile Purchase Form", 10);edit_set ("Customer Name", "Thomas Paine");edit_set ("Address","234 Willow Drive");
Depart Date: ___/___/___From City. . : ________________To City. . . . .: ________________Flight. . . . . . : _______
Order Number. . . .: __________Customer. . . . . . . .: ___________________
Billing Date. . . . . . : edit_set ("Date", "12/12/98");list_select_item ("Make", "BMW"); edit_set ("Year", "1973");
button_press ("Insert Sale");
Thomas Paine
234 Willow Drive
12/12/98
BMW1973 2002tii
edit_set ("Model", "2002tii");
![Page 168: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/168.jpg)
Context Sensitive Recording Object oriented Readable script Maintainable script (editable) Script not affected by User
Interface changes if object moves location on GUI,
script will still replay correctly Portable script
a context sensitive script can be ported to different platforms with different configurations
![Page 169: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/169.jpg)
scroll bar
frame
A Closer Look at GUI Objectsmenu window
radio button push button
list item
edit field
static text
![Page 170: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/170.jpg)
User Actions in the Test Script
list_select_item ("Make", "BMW");
button_press ("OK");
set_window("Automobile Purchase Form", 10);
set_window("Login", 10);
password_edit_set("Password:", "kzptnzet");
edit_set ("Username", "thomas");
Specify window for input
Type input into an edit field
Press a button to submit "OK"
Type encrypted input into password field
Specify a listbox selection
![Page 171: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/171.jpg)
Wait for a bitmap to refresh
BITMAP
Wait for a window
WINDOW
No visual cue;just wait forset time toelapse
ELAPSEDTIME
Establish Visual Cue to SynchronizeExamples
Wait for an object state
OBJECT STATE
![Page 172: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/172.jpg)
Testing Phases in TestDirector Test Planning
set up your test plan create the test cases manage resources
Test Execution run manual and automated tests run integrated tests collect and analyze test results
Defect Tracking create and track defects throughout the life cycle inform testing team with automatic email notification monitor defect status using graphs and reports
![Page 173: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/173.jpg)
You Can Monitor the Testing Effort How:
many tests are ready for test execution? many tests executed passed or failed? many defects are logged in a week? many defects remain in severe status? long does it take for a defect to be fixed? can I balance the resources available?
![Page 174: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/174.jpg)
View Contents of the Defect Database
![Page 175: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/175.jpg)
Things are not as perfect as they seem...1. The recorded input can be incorrect either due to tester error during the
recording session, or the test script can be incorrect in the first place. A reliance on recording alone would then require the entire input to be re-recorded
2. The resulting script contains multiple commands and statements for every action taken, is extremely lengthy and difficult to interpret and maintain
3. Recording of test scripts requires that the application be fully developed, and error-free
4. If errors occur, such as unexpected screens, the recorded test script will fail, and therefore requires someone to constantly monitor the test run in order to keep it going
![Page 176: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/176.jpg)
The Problem: Software Drift Over many phases of maintenance, structure begins
to decay (entropy) Begins to resemble Rube Goldberg machine
(http://www.rube-goldberg.com/html/gallery.htm) Honda Cog commercial
![Page 177: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/177.jpg)
What is Refactoring?The process of changing a software system in such a way that it does not alter the external behaviour of the code, yet improves its internal structure – Martin Fowler
A behaviour-preserving source-to-source program transformation – Don Roberts
A change to the system that leaves its behaviour unchanged, but enhances some non-functional quality - simplicity, flexibility, understandability- Kent Beck
![Page 178: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/178.jpg)
Where Refactoring Came From
Ward Cunningham and Kent Beck Smalltalk style
Ralph Johnson at UIUC Bill Opdyke’s Thesis
ftp://st.cs.uiuc.edu/pub/papers/refactoring/opdyke-thesis.ps.Z
John Brant and Don Roberts: The Refactoring Browser
![Page 179: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/179.jpg)
Refactoring Tools Based on provable transformations
Build parse tree of programs Research: Mathematic proof that refactoring does not
change semantics; graph transformation Embed refactoring in tool
Speeds up refactoring Extract method: select code, type in method name. Big speed improvement
Not Science Fiction Available for Smalltalk for a couple of years Now appearing for Java and other languages
![Page 180: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/180.jpg)
Refactor To UnderstandThe Obvious:
• Programs hard to read => Programs hard to understand
• => Programs hard to modify• Programs with duplicated logic are hard to understand• Programs with complex conditionals are hard to understand
Refactoring code creates and supports the understanding• Renaming instance variables helps understanding methods• Renaming methods helps understanding responsibility• Iterations are necessary
![Page 181: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/181.jpg)
Typical RefactoringsClass Refactorings
Method Refactorings Attribute Refactorings
add (sub)class to hierarchy
add method to class add variable to class
rename class rename method rename variableremove class remove method remove variable
push method down push variable downpush method up push variable upadd parameter to method create accessorsmove method to component abstract variableextract code in new method
These simple refactorings can be combined to provide bigger restructurings such as the introduction of design patterns.
![Page 182: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/182.jpg)
Example: Add Class
Add Class (new name, package, superclasses, subclasses)Preconditions
no class or global variable exists with new name in the same scope subclasses are all subclasses of all superclasses
Postconditions new class is added into the hierarchy with superclasses as
superclasses and subclasses as subclasses new class has name new name subclasses inherit from new class and not anymore from
superclassesConsiderations: Abstractness
B
C D FN
A B
C D
F
A
![Page 183: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/183.jpg)
Rename Method: Do It Yourself
Do it yourself approach Check if a method does not exist in the class and
superclass/subclasses with the same “name” Browse all the implementers (method definitions) Browse all the senders (method invocations) Edit and rename all implementers Edit and rename all senders Remove all implementers Test Automated refactoring is better !
BX
B b = new B();b.blnc();
blnce()
Ablnce()
Dblnce()
Cblnce()
BXbalance()
Abalance()
Dbalance()
Cbalance()
B b = new B();b.balance();
![Page 184: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/184.jpg)
Rename Method Rename Method (method, new name)Preconditions
no method exists with the signature implied by new name in the inheritance hierarchy that contains method
Postconditions method has new name relevant methods in the inheritance hierarchy have new
name invocations of changed method are updated to new name
Other Considerations Statically/Dynamically Typed Languages
=> Scope of the renaming
![Page 185: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/185.jpg)
Bad smells in code Duplicated code
“The #1 bad smell” Same expression in two methods in the same class?
Make it a private ancillary routine and parameterize it (Extract method)
Same code in two related classes? Push commonalities into closest mutual ancestor and parameterize Use template method for variation in subtasks
(Form template method) Same code in two unrelated classes?
Ought they be related? Introduce abstract parent (Extract class, Pull up method)
Does the code really belong to just one class? Make the other class into a client (Extract method)
![Page 186: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/186.jpg)
Bad smells in code Long method
Often a sign of: Bad cohesion Trying to do too many things Poorly thought out abstractions and boundaries
Best to think carefully about the major tasks and how they inter-relate. Be aggressive!
Break up into smaller private methods within the class(Extract method)
Fowler’s heuristic: When you see a comment, make a method. Often, a comment indicates:
The next major step Something non-obvious whose details detract from the clarity of the
routine as a whole. In either case, this is a good spot to “break it up”.
![Page 187: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/187.jpg)
Bad smells in code Long parameter list
Long parameter lists make methods difficult for clients to understand
This is often a symptom of Trying to do too much … with too many disparate subparts
In the old days, structured programming taught the use of parameterization as a cure for global variables.
With modules/OOP, objects have mini-islands of state that can be reasonably treated as “global” to the methods (yet are still hidden from the rest of the program).
i.e., You don’t need to pass a subpart of yourself as a parameter to one of your own methods.
![Page 188: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/188.jpg)
Bad smells in code Divergent change
Occurs when one class is commonly changed in different ways for different reasons
Likely, this class is trying to do too much and contains too many unrelated subparts
Over time, some classes develop a “God complex” They acquires details/ownership of subparts that rightly belong
elsewhere This is a sign of poor cohesion
Unrelated elements in the same container Solution:
Break it up, reshuffle, reconsider relationships and responsibilities (Extract class)
![Page 189: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/189.jpg)
Bad smells in code
Shotgun surgery … the opposite of divergent change
Each time you want to make a single, seemingly coherent change, you have to change lots of classes in little ways
Also a classic sign of poor cohesion Related elements are not in the same container!
Solution: Look to do some gathering, either in a new or existing class.
(Move method/field)
Advertisement: A key idea that will be explored in my CS 692/792 class next Fall
![Page 190: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/190.jpg)
Bad smells in code Data clumps
You see a set of variables that seem to “hang out” togethere.g., passed as parameters, changed/accessed at the same time
Usually, this means that there’s a coherent subobject just waiting to be recognized and encapsulated
void Scene::setTitle (string titleText, int titleX, int titleY, Colour titleColour){…}
void Scene::getTitle (string& titleText, int& titleX, int& titleY, Colour& titleColour){…}
![Page 191: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/191.jpg)
Bad smells in code Data clumps
In the example, a Title class is dying to be born If a client knows how to change a title’s x, y, text, and colour, then it
knows enough to be able to “roll its own” Title objects. However, this does mean that the client now has to talk to another class.
This will greatly shorten and simplify your parameter lists (which aids understanding) and makes your class conceptually simpler too.
![Page 192: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/192.jpg)
Bad smells in code
Switch statements
Double getSpeed () { switch (_type) {
case EUROPEAN: return getBaseSpeed();case AFRICAN: return getBaseSpeed() –
getLoadFactor() * _numCoconuts;case NORWEGIAN_BLUE: return (_isNailed) ? 0
: getBaseSpeed(_voltage); }}
![Page 193: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/193.jpg)
Bad smells in code
Switch statements This is an example of a lack of understanding polymorphism
and a lack of encapsulation. Solution:
Redesign as a polymorphic method of PythonBird(Replace conditional with polymorphism, replace type code
with subclasses)
![Page 194: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/194.jpg)
Bad smells in code
Lazy class Classes that don’t do much that’s different from other classes. If there are several sibling classes that don’t exhibit
polymorphic behavioural differences , then consider just collapsing them back into the parent and add some parameters
Often, lazy classes are legacies of ambitious design or a refactoring that gutted the class of interesting behaviour
(Collapse hierarchy, inline class)
![Page 195: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/195.jpg)
Bad smells in code Inappropriate intimacy
Sharing of secrets between classes, esp. outside of the holy bounds of inheritance
e.g., public variables, indiscriminate definitions of get/set methods, C++ friendship, protected data in classes
Leads to data coupling, intimate knowledge of internal structures and implementation decisions.
Makes clients brittle, hard to evolve, easy to break. Solution:
Appropriate use of get/set methods Rethink basic abstraction. Merge classes if you discover “true love”(Move/extract method/field, change bidirectional association to
unidirectional, hide delegate)
![Page 196: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/196.jpg)
Sample Output
Rental Record for Dinsdale PirhanaMonty Python and the Holy Grail3.5Ran
2Star Trek 27
6Star Wars 3.2
3Wallace and Gromit
6Amount owed is 20.5You earned 6 frequent renter points
![Page 197: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/197.jpg)
Class Moviepublic class Movie {
public static final int CHILDRENS = 2;public static final int REGULAR = 0;public static final int NEW_RELEASE = 1;
private String _title;private int _priceCode;
public Movie(String title, int priceCode) {_title = title;_priceCode = priceCode;
}
public int getPriceCode() {return _priceCode;
}
public void setPriceCode(int arg) { _priceCode = arg;
}
public String getTitle () {return _title;
};}
![Page 198: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/198.jpg)
Class Rental
class Rental { private Movie _movie; private int _daysRented;
public Rental(Movie movie, int daysRented) { _movie = movie; _daysRented = daysRented; } public int getDaysRented() { return _daysRented; } public Movie getMovie() { return _movie; }}
![Page 199: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/199.jpg)
Class Customer (almost)
class Customer {private String _name;
private Vector _rentals = new Vector();
public Customer (String name) {_name = name;};
public void addRental(Rental arg) { _rentals.addElement(arg); }
public String getName () {return _name;};
public String statement() // see next slide
![Page 200: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/200.jpg)
Customer.statement() part 1public String statement() {
double totalAmount = 0;int frequentRenterPoints = 0;Enumeration rentals = _rentals.elements();String result = "Rental Record for " + getName() + "\n";while (rentals.hasMoreElements()) {
double thisAmount = 0;Rental each = (Rental)
rentals.nextElement();
//determine amounts for each lineswitch (each.getMovie().getPriceCode()) {
case Movie.REGULAR:thisAmount += 2;if (each.getDaysRented() > 2)
thisAmount += (each.getDaysRented() - 2) * 1.5;
break;case Movie.NEW_RELEASE:
thisAmount += each.getDaysRented() * 3;break;
case Movie.CHILDRENS:thisAmount += 1.5;if (each.getDaysRented() > 3)
thisAmount += (each.getDaysRented() - 3) * 1.5;
break;
} continues on next slide
![Page 201: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/201.jpg)
Customer.statement() part 2
// add frequent renter pointsfrequentRenterPoints ++;// add bonus for a two day new release
rentalif ((each.getMovie().getPriceCode() ==
Movie.NEW_RELEASE) && each.getDaysRented() > 1)
frequentRenterPoints ++;
//show figures for this rentalresult += "\t" +
each.getMovie().getTitle()+ "\t" + String.valueOf(thisAmount) + "\n";totalAmount += thisAmount;
}//add footer linesresult += "Amount owed is " + String.valueOf(totalAmount) + "\n";result += "You earned " + String.valueOf(frequentRenterPoints) +
" frequent renter points";return result;
}
![Page 202: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/202.jpg)
Interactions for statement
aC ustom er aR ental aM ovie
getM ovie
* [for all renta ls]
getPriceC ode
getD aysRented
statem ent
![Page 203: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/203.jpg)
Future Requirements Changes
Produce an html version of the statement The movie classifications will soon change
together with the rules for charging and for frequent renter points
![Page 204: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/204.jpg)
Extract Method
voi d printOwi ng() {printBanner();
// print detail sSystem.out.pri ntln ("name: " + _name);System.out.pri ntln ("amount" + getOutstanding());
}
voi d printOwi ng() {printBanner();printDetai ls(getOutstanding());
}
voi d printDetai ls (double outstandi ng) {System.out.pri ntln ("name: " + _name);System.out.pri ntln ("amount" + outstandi ng);
}
You have a code fragment that can be grouped togetherTurn the fragment into a method whose name explains the
purpose of the method.
![Page 205: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/205.jpg)
Steps for Extract Method Create method named after intention of code Copy extracted code Look for local variables and parameters
turn into parameter turn into return value declare within method
Compile Replace code fragment with call to new
method Compile and test
![Page 206: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/206.jpg)
Candidate Extractionpublic String statement() {
double totalAmount = 0;int frequentRenterPoints = 0;Enumeration rentals = _rentals.elements();String result = "Rental Record for " + getName() + "\n";while (rentals.hasMoreElements()) {
double thisAmount = 0;Rental each = (Rental)
rentals.nextElement();
//determine amounts for each lineswitch (each.getMovie().getPriceCode()) {
case Movie.REGULAR:thisAmount += 2;if (each.getDaysRented() > 2)
thisAmount += (each.getDaysRented() - 2) * 1.5;
break;case Movie.NEW_RELEASE:
thisAmount += each.getDaysRented() * 3;
break;case Movie.CHILDRENS:
thisAmount += 1.5;if (each.getDaysRented() > 3)
thisAmount += (each.getDaysRented() - 3) * 1.5;
break;
} [snip]12
![Page 207: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/207.jpg)
Extracting the Amount Calculation
private int amountFor(Rental each) { int thisAmount = 0; switch (each.getMovie().getPriceCode()) { case Movie.REGULAR: thisAmount += 2; if (each.getDaysRented() > 2) thisAmount += (each.getDaysRented() - 2) * 1.5; break; case Movie.NEW_RELEASE: thisAmount += each.getDaysRented() * 3; break; case Movie.CHILDRENS: thisAmount += 1.5; if (each.getDaysRented() > 3) thisAmount += (each.getDaysRented() - 3) * 1.5; break; } return thisAmount;}
![Page 208: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/208.jpg)
Statement() after extraction public String statement() {
double totalAmount = 0; int frequentRenterPoints = 0; Enumeration rentals = _rentals.elements(); String result = "Rental Record for " + getName() + "\n"; while (rentals.hasMoreElements()) { double thisAmount = 0; Rental each = (Rental) rentals.nextElement();
thisAmount = amountFor(each);
// add frequent renter points frequentRenterPoints ++; // add bonus for a two day new release rental if ((each.getMovie().getPriceCode() == Movie.NEW_RELEASE) &&
each.getDaysRented() > 1) frequentRenterPoints ++;
//show figures for this rental result += "\t" + each.getMovie().getTitle()+ "\t" +
String.valueOf(thisAmount) + "\n"; totalAmount += thisAmount;
} //add footer lines result += "Amount owed is " + String.valueOf(totalAmount) + "\n"; result += "You earned " + String.valueOf(frequentRenterPoints) +
" frequent renter points"; return result;
}}
![Page 209: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/209.jpg)
Extracting the amount calculation (2)
private double amountFor(Rental each) { double thisAmount = 0; switch (each.getMovie().getPriceCode()) { case Movie.REGULAR: thisAmount += 2; if (each.getDaysRented() > 2) thisAmount += (each.getDaysRented() - 2) * 1.5; break; case Movie.NEW_RELEASE: thisAmount += each.getDaysRented() * 3; break; case Movie.CHILDRENS: thisAmount += 1.5; if (each.getDaysRented() > 3) thisAmount += (each.getDaysRented() - 3) * 1.5; break; } return thisAmount;}
Is this important?
Is this method in the right
place?
![Page 210: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/210.jpg)
Change names of variablesprivate double amountFor(Rental aRental) { double result = 0; switch (aRental.getMovie().getPriceCode()) { case Movie.REGULAR: result += 2; if (aRental.getDaysRented() > 2) result += (aRental.getDaysRented() - 2) * 1.5; break; case Movie.NEW_RELEASE: result += aRental.getDaysRented() * 3; break; case Movie.CHILDRENS: result += 1.5; if (aRental.getDaysRented() > 3) result += (aRental.getDaysRented() - 3) * 1.5; break; } return result;}
![Page 211: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/211.jpg)
Move Method
aMethod()
Class 1
Class 2
Class 1
aMethod()
Class 2
A method is, or will be, using or used by more features of another class than the class it is defined on.
Create a new method with a similar body in the class it uses most. Either turn the old method into a simple delegation, or
remove it altogether.
![Page 212: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/212.jpg)
Steps for Move method Declare method in target class Copy and fit code Set up a reference from the source object to the target Turn the original method into a delegating method
amountOf(Rental each) {return each.charge()}
Check for overriding methods Compile and test Find all users of the method
Adjust them to call method on target Remove original method Compile and test
![Page 213: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/213.jpg)
Moving amount() to Rentalclass Rental ...
double getCharge() { double result = 0; switch (getMovie().getPriceCode()) { case Movie.REGULAR: result += 2; if (getDaysRented() > 2) result += (getDaysRented() - 2) * 1.5; break; case Movie.NEW_RELEASE: result += getDaysRented() * 3; break; case Movie.CHILDRENS: result += 1.5; if (getDaysRented() > 3) result += (getDaysRented() - 3) * 1.5; break; } return result;}1
statem ent()
C ustom er
getC harge()
daysR ented: int
R ental
priceC ode: int
M ovie
![Page 214: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/214.jpg)
Altered statementclass Customer... public String statement() { double totalAmount = 0; int frequentRenterPoints = 0; Enumeration rentals = _rentals.elements(); String result = "Rental Record for " + getName() + "\n"; while (rentals.hasMoreElements()) { double thisAmount = 0; Rental each = (Rental) rentals.nextElement();
thisAmount = each.getCharge(); // add frequent renter points frequentRenterPoints ++; // add bonus for a two day new release rental if ((each.getMovie().getPriceCode() == Movie.NEW_RELEASE) &&
each.getDaysRented() > 1) frequentRenterPoints ++;
//show figures for this rental result += "\t" + each.getMovie().getTitle()+ "\t" +
String.valueOf(thisAmount) + "\n"; totalAmount += thisAmount;
} //add footer lines result += "Amount owed is " + String.valueOf(totalAmount) + "\n"; result += "You earned " + String.valueOf(frequentRenterPoints) +
" frequent renter points"; return result;
}
![Page 215: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/215.jpg)
Replace Conditional With Polymorphism
getSpeed
Bird
getSpeed
European
getSpeed
African
getSpeed
Norweigian Blue
doubl e getSpeed() {switch (_type) {
case EUROPEAN:return getBaseSpeed();
case AFRICAN:return getBaseSpeed() - getLoadFactor() * _numberOfCoconuts;
case NORWEIGIAN_BLUE:return (_i sNai led) ? 0 : getBaseSpeed(_vol tage);
}throw new RuntimeExcepti on ("Shoul d be unreachable");
}
You have a conditional that chooses different behavior depending on the type of an object.
Move each leg of the conditional to an overriding method in a subclass. Make the original method abstract
![Page 216: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/216.jpg)
Steps for Replace Conditional with Polymorphism
Move switch to superclass of inheritance structure
Copy one leg of case statement into subclass Compile and test Repeat for all other legs Replace case statement with abstract method
![Page 217: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/217.jpg)
Move getCharge to Priceclass Movie…
double getCharge(int daysRented) {return _price.getCharge(daysRented);
}
class Price… double getCharge(int daysRented) { double result = 0; switch (getPriceCode()) { case Movie.REGULAR: result += 2; if (daysRented > 2) result += (daysRented - 2) * 1.5; break; case Movie.NEW_RELEASE: result += daysRented * 3; break; case Movie.CHILDRENS: result += 1.5; if (daysRented > 3) result += (daysRented - 3) * 1.5; break; } return result;}
![Page 218: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/218.jpg)
Override getCharge in the subclassesClass RegularPrice…
double getCharge(int daysRented){ double result = 2; if (daysRented > 2) result += (daysRented - 2) * 1.5; return result; }Class ChildrensPrice double getCharge(int daysRented){ double result = 1.5; if (daysRented > 3) result += (daysRented - 3) * 1.5; return result; }
Class NewReleasePrice… double getCharge(int daysRented){ return daysRented * 3;
}
Class Price… abstract double getCharge(int
daysRented);
Do each leg one at a time then...
![Page 219: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/219.jpg)
Obstacles to RefactoringComplexity
• Changing design is hard• Understanding code is hard
Possibility to introduce errors• Run tests if possible• Build tests
Clean first Then add new functionality
Cultural Issues• Producing negative lines of code, what an idea!• “We pay you to add new features, not to improve the code!”
If it ain’t broke, don’t fix it• “We do not have a problem, this is our software!“
![Page 220: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/220.jpg)
Obstacles to Refactoring
Performance• Refactoring may slow down the execution• The secret to write fast software:
“Write tunable software first then tune it”Typically only 10% of your system consumes 90% of the resources so just focus on 10 %.
• Refactorings help to localize the part that need change• Refactorings help to concentrate the optimizations
Development is always under time pressure • Refactoring takes time• Refactoring better right after a software release
![Page 221: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/221.jpg)
Conclusion: Know-when & Know-how
“Know when” is as important as “know-how”• Use “code smells” as symptoms• Rule of the thumb: “Once and Only Once” (Kent Beck)
=> a thing stated more than once implies refactoring
![Page 222: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/222.jpg)
Research Issues (Mens paper) Tool Support
Visualization, automated refactoring How to make more open?
Scalability of composable refactorings (conflict resolution)
Analysis of dependencies among refactorings Formally, what is behavior and how can we prove that
it is preserved by a refactoring Real-time, embedded, safety critical behavior?
![Page 223: Specification](https://reader030.vdocuments.mx/reader030/viewer/2022032612/5681564e550346895dc3edbe/html5/thumbnails/223.jpg)
Research Issues (Mens paper) How to specify refactoring in a language-independent
manner? How to apply refactoring at higher levels of abstraction
(e.g., UML models)? Determine the “where/how” of applying refactoring Can we get some objective measurements of how
refactoring affects software quality?