Software Reliability Methods
Prof. Doron A. Peled
Bar Ilan University, Israel, and University of Warwick, UK
Version 2008
Some related books: (book covers shown on the slide, marked "Mainly:" and "Also:")
Goal: software reliability
Use software engineering methodologies to develop the code.
Use formal methods during code development.
What are formal methods?
Techniques for analyzing systems, based on some mathematics.
This does not mean that the user must be a mathematician.
Some of the work is done in an informal way, due to complexity.
Examples for FM
Deductive verification: using some logical formalism, prove formally that the software satisfies its specification.
Model checking: use some software to automatically check that the software satisfies its specification.
Testing: check executions of the software according to some coverage scheme.
Typical situation:
Boss: Mark, I want that the new internet marketing software will be flawless. OK?
Mark: Hmmm. Well, ..., Aham, Oh! Ah??? Where do I start?
Bob: I have just the solution for you. It would solve everything.
Some concerns
Which technique? Which tool? Which experts? What limitations? What methodology? At which points? How expensive? How many people?
Needed expertise. Kind of training. Size limitations. Exhaustiveness. Reliability. Expressiveness. Support.
Badmouth
Formal methods can only be used by mathematicians.
The verification process is itself prone to errors, so why bother?
Using formal methods will slow down the project.
Some answers...
Formal methods can only be used by mathematicians.
Wrong. They are based on some math but the user should not care.
The verification process is itself prone to errors, so why bother?
We opt to reduce the errors, not eliminate them.
Using formal methods will slow down the project.
Maybe it will speed it up, once errors are found earlier.
Some exaggerations
Automatic verification can always find errors.
Deductive verification can show that the software is completely safe.
Testing is the only industrial practical method.
Our approach
Learn several methods (deductive verification, model checking, testing, process algebra).
Learn advantages and limitations, in order to choose the right methods and tools.
Learn how to combine existing methods.
Emphasis
The process: selecting the tools, modeling, verification, locating errors.
Use of tools: hands on. PVS, SPIN.
Visual notation: Statecharts, MSCs, UML.
Some emphasis
The process of selecting and using formal methods.
The appropriate notation. In particular, visual notation.
Hands-on experience with tools.
The unbearable easiness of grading
During class, choose some small project in groups, e.g.,
- Explore some examples using tools.
- Implementing a simple algorithm.
- Dealing with new material or covering an advanced subject.
- Office presentation (1 hour).
- Written description (2-3 pages + computer output, or 6-10 pages).
- Class presentation (0.5-1.5 hours per group).
Example topics
Project: verify some example using some tools. Communication protocols. Mutual exclusion.
Advanced topics: abstractions. Reductions. Partitions. Static analysis. Verifying pushdown automata. Verifying security protocols.
Where do we start?
Boss: Mark, can you verify this for me?
Mark: OK, first I have to ...
Things to do
Check the kind of software to analyze.
Choose methods and tools.
Express system properties.
Model the software.
Apply methods. Obtain verification results.
Analyze results. Identify errors. Suggest correction.
Different types of software
Sequential. Concurrent. Distributed. Reactive. Protocols. Abstract algorithms. Finite state.
Specification: informal, textual, visual
The value of x will be between 1 and 5, until some point where it will become 7. In any case it will never be negative.
In temporal logic: (1<=x<=5) U (x=7 /\ [] x>=0)
(The slide also shows this as a timeline: 1<=x<=5 holds up to the point where x=7, and x>=0 holds throughout.)
Verification methods
Finite state machines: apply model checking.
Apply deductive verification (theorem proving).
Program too big, too complicated: apply testing techniques.
Apply a combination of the above!
Modeling
Use the program text.
Translate to a programming language embedded in some proof system.
Translate to some notation (transition system).
Translate to finite automata.
Use visual notation.
Special case: black box system.
Modeling Software Systems for Analysis
(Book: Chapter 4)
Modelling and specification for verification and validation
How to specify what the software is supposed to do?
Can we use the UML model or parts of it?
How to model it in a way that allows us to check it?
Systems of interest
Sequential systems.
Concurrent systems (multi-threaded):
1. Distributive systems.
2. Reactive systems.
3. Embedded systems (software + hardware).
Sequential systems
Perform some computational task.
Have some initial condition, e.g., for all 0<=i<=n, A[i] is an integer.
Have some final assertion, e.g., for all 0<=i<=n-1, A[i]<=A[i+1]. (What is the problem with this spec?)
Are supposed to terminate.
Concurrent Systems
Involve several computation agents.
Termination may indicate an abnormal event (interrupt, strike).
May exploit diverse computational power.
May involve remote components.
May interact with users (Reactive).
May involve hardware components (Embedded).
Problems in modeling systems
Representing concurrency:
- Allow one transition at a time, or
- Allow coinciding transitions.
Granularity of transitions. Assignments and checks? Application of methods?
Global (all the system) or local (one thread at a time) states.
Modeling. The state-based model.
V={v0,v1,v2, …} - a set of variables, over some domain.
p(v0, v1, …, vn) - a parametrized assertion, e.g., v0=v1+v2 /\ v3>v4.
A state is an assignment of values to the program variables. For example: s=<v0=1,v2=3,v3=7,…,v18=2>
For a predicate (first order assertion) p: p(s) is p under the assignment s.
Example: p is x>y /\ y>z. s=<x=4, y=3, z=5>. Then we have 4>3 /\ 3>5, which is false.
State space
The state space of a program is the set of all possible states for it.
For example, if V={a, b, c} and the variables are over the naturals, then the state space includes: <a=0,b=0,c=0>,<a=1,b=0,c=0>, <a=1,b=1,c=0>,<a=932,b=5609,c=6658>…
Atomic Transitions
Each atomic transition represents a small piece of code such that no smaller piece of code is observable.
Is a:=a+1 atomic? In some systems, e.g., when a is a register and the transition is executed using an inc command.
Non atomicity
Execute the following when a=0 in two concurrent processes:
P1: a=a+1 || P2: a=a+1
Result: a=2. Is this always the case?
Consider the actual translation:
P1: load R1,a; inc R1; store R1,a
P2: load R2,a; inc R2; store R2,a
a may also be 1.
Scenario
P1: load R1,a; inc R1; store R1,a
P2: load R2,a; inc R2; store R2,a
One interleaving (as drawn on the slide), starting from a=0:
P1 load R1,a -> R1=0
P2 load R2,a -> R2=0
P1 inc R1 -> R1=1
P2 inc R2 -> R2=1
P1 store R1,a -> a=1
P2 store R2,a -> a=1
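The lost update above can be made exhaustive: the following added example (not code from the lecture notes) enumerates every interleaving of the load/inc/store translation for two or more processes, replays the slide's scenario step by step, and reports which final values of a are possible and under how many schedules.

```python
# Added example (not from the lecture notes): enumerate every interleaving of
# the machine-level translation of a=a+1 run by concurrent processes, and
# collect the possible final values of the shared variable a (initially 0).

def program(reg):
    """The three-instruction translation of a=a+1 using private register reg."""
    return [("load", reg), ("inc", reg), ("store", reg)]

def interleavings(remaining, prefix=()):
    """Yield every schedule (tuple of process ids) that runs each process's
    instructions in order; remaining[i] is how many steps process i has left."""
    if not any(remaining):
        yield prefix
        return
    for pid, left in enumerate(remaining):
        if left:
            nxt = remaining[:pid] + (left - 1,) + remaining[pid + 1:]
            yield from interleavings(nxt, prefix + (pid,))

def run(schedule, programs, trace=None):
    """Execute one schedule, each atomic step being a single instruction.
    Returns the final value of a; if trace is a list, the step-by-step
    effects (as in the slide's scenario) are appended to it."""
    a = 0                      # shared variable
    regs = {}                  # private registers R1, R2, ...
    pcs = [0] * len(programs)  # program counter of each process
    for pid in schedule:
        op, reg = programs[pid][pcs[pid]]
        pcs[pid] += 1
        if op == "load":
            regs[reg] = a
        elif op == "inc":
            regs[reg] += 1
        else:                  # store
            a = regs[reg]
        if trace is not None:
            effect = f"a={a}" if op == "store" else f"{reg}={regs[reg]}"
            trace.append(f"P{pid + 1} {op} {reg}: {effect}")
    return a

def final_values(nprocs=2):
    """Map each possible final value of a to the schedules producing it."""
    programs = [program(f"R{i + 1}") for i in range(nprocs)]
    outcomes = {}
    for sched in interleavings(tuple(len(p) for p in programs)):
        outcomes.setdefault(run(sched, programs), []).append(sched)
    return outcomes

def slide_scenario():
    """The interleaving drawn on the slide: both processes load a=0 before
    either stores, so a ends up 1 instead of 2."""
    programs = [program("R1"), program("R2")]
    trace = []
    value = run((0, 1, 0, 1, 0, 1), programs, trace)
    return value, trace

if __name__ == "__main__":
    value, trace = slide_scenario()
    print("\n".join(trace), "\nfinal a =", value)
    for v, scheds in sorted(final_values(2).items()):
        print(f"a={v}: {len(scheds)} of 20 interleavings")
```

With two processes only the two fully serialized schedules give a=2; the other 18 interleavings lose an update.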
Representing transitions
Each transition has two parts: the enabling condition (a predicate) and the transformation (a multiple assignment).
For example: a>b → (c,d):=(d,c)
This transition can be executed in states where a>b. The result of executing it is switching the value of c with d.
Initial condition
A predicate I. The program can start from states s such that I(s) holds.
For example: I(s) = a>b /\ b>c.
A transition system
A (finite) set of variables V over some domain.
A set of states (the state space).
A (finite) set of transitions T; each transition e → t has an enabling condition e and a transformation t.
An initial condition I.
Example
V={a, b, c, d, e}. States: all assignments of natural numbers to the variables in V.
T={ c>0 → (c,e):=(c-1,e+1), d>0 → (d,e):=(d-1,e+1) }
I: c=a /\ d=b /\ e=0
What does this transition system do?
The interleaving model
An execution is a maximal finite or infinite sequence of states s0, s1, s2, … That is: finite if nothing is enabled from the last state.
The first state s0 satisfies the initial condition, i.e., I(s0).
Moving from one state si to its successor si+1 is by executing a transition e → t: e(si), i.e., si satisfies e, and si+1 is obtained by applying t to si.
Example:
s0=<a=2, b=1, c=2, d=1, e=0>
s1=<a=2, b=1, c=1, d=1, e=1>
s2=<a=2, b=1, c=1, d=0, e=2>
s3=<a=2, b=1, c=0, d=0, e=3>
T={ c>0 → (c,e):=(c-1,e+1), d>0 → (d,e):=(d-1,e+1) }
I: c=a /\ d=b /\ e=0
L0: While True do
    NC0: wait(Turn=0);
    CR0: Turn=1
endwhile
||
L1: While True do
    NC1: wait(Turn=1);
    CR1: Turn=0
endwhile
The transitions:
T0: PC0=L0 → PC0:=NC0
T1: PC0=NC0 /\ Turn=0 → PC0:=CR0
T2: PC0=CR0 → (PC0,Turn):=(L0,1)
T3: PC1=L1 → PC1:=NC1
T4: PC1=NC1 /\ Turn=1 → PC1:=CR1
T5: PC1=CR1 → (PC1,Turn):=(L1,0)
Initially: PC0=L0 /\ PC1=L1
Is this the only reasonable way to model this program?
The state graph: successor relation between reachable states.
Reachable states, written as (PC0, PC1) together with the value of Turn:
Turn=0: (L0,L1), (L0,NC1), (NC0,L1), (NC0,NC1), (CR0,L1), (CR0,NC1)
Turn=1: (L0,L1), (L0,NC1), (NC0,L1), (NC0,NC1), (L0,CR1), (NC0,CR1)
(The slide draws the successor edges between these twelve states, labelled with the transitions T0-T5.)
Some important points
Reachable states: obtained from an initial state through a sequence of enabled transitions.
Executions: the set of maximal paths (infinite, or finite and ending in a node where nothing is enabled).
Nondeterministic choice: when more than a single transition is enabled at a given state. We have a nondeterministic choice when at least one node in the state graph has more than one successor.
Always ¬(PC0=CR0 /\ PC1=CR1) (Mutual exclusion)
(The state graph is repeated on the slide: none of the twelve reachable states has PC0=CR0 and PC1=CR1 at the same time.)
Always if Turn=0 then at some point Turn=1
(The state graph is repeated on the slide.)
Interleaving semantics: execute one transition at a time.
The six states highlighted on the slide form one interleaving:
(Turn=0; L0,L1) → (Turn=0; L0,NC1) → (Turn=0; NC0,NC1) → (Turn=0; CR0,NC1) → (Turn=1; L0,NC1) → (Turn=1; L0,CR1)
Need to check the property for every possible interleaving!
Interleaving semantics
The same interleaving continued: (Turn=1; L0,CR1) → (Turn=0; L0,L1) → (Turn=0; L0,NC1) → …, i.e., it cycles back through the states already visited.
Busy waiting
L0: While True do
    NC0: wait(Turn=0);
    CR0: Turn=1
endwhile
||
L1: While True do
    NC1: wait(Turn=1);
    CR1: Turn=0
endwhile
T0: PC0=L0 → PC0:=NC0
T1: PC0=NC0 /\ Turn=0 → PC0:=CR0
T1': PC0=NC0 /\ Turn=1 → PC0:=NC0
T2: PC0=CR0 → (PC0,Turn):=(L0,1)
T3: PC1=L1 → PC1:=NC1
T4: PC1=NC1 /\ Turn=1 → PC1:=CR1
T4': PC1=NC1 /\ Turn=0 → PC1:=NC1
T5: PC1=CR1 → (PC1,Turn):=(L1,0)
Initially: PC0=L0 /\ PC1=L1
Always when Turn=0 then at some point Turn=1
Now it does not hold! (The red subgraph on the slide, using the self-loop transitions T4' and T1', generates a counterexample execution.)
(The twelve reachable states are the same as before.)
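Both models above are small enough to explore by hand, but the same check is mechanical. The following added example (my code, not the course's tools) encodes the program as a transition system of (enabling condition, transformation) pairs, computes the reachable state graph, checks the mutual exclusion invariant, and checks "always if Turn=0 then at some point Turn=1" by searching for a maximal path that never leaves Turn=0; no fairness is assumed, as in the slides, so the busy-waiting self-loops T1'/T4' produce the counterexample.

```python
# Added example (not from the lecture notes): the turn-based mutual exclusion
# program of the slides as an explicit transition system, with the reachable
# state graph computed by search. The liveness check looks, as the slides do,
# for any maximal path (no fairness assumed) that stays at Turn=0 forever.
from collections import deque

# A state is the tuple (PC0, PC1, Turn). Each transition maps its name to
# (enabling condition, transformation), i.e. the pair e -> t of the slides.
def transitions(busy_waiting=False):
    T = {
        "T0": (lambda s: s[0] == "L0",                lambda s: ("NC0", s[1], s[2])),
        "T1": (lambda s: s[0] == "NC0" and s[2] == 0, lambda s: ("CR0", s[1], s[2])),
        "T2": (lambda s: s[0] == "CR0",               lambda s: ("L0", s[1], 1)),
        "T3": (lambda s: s[1] == "L1",                lambda s: (s[0], "NC1", s[2])),
        "T4": (lambda s: s[1] == "NC1" and s[2] == 1, lambda s: (s[0], "CR1", s[2])),
        "T5": (lambda s: s[1] == "CR1",               lambda s: (s[0], "L1", 0)),
    }
    if busy_waiting:
        # wait(Turn=i) modelled as a test that may be re-executed: self-loops.
        T["T1'"] = (lambda s: s[0] == "NC0" and s[2] == 1, lambda s: s)
        T["T4'"] = (lambda s: s[1] == "NC1" and s[2] == 0, lambda s: s)
    return T

# I: PC0=L0 /\ PC1=L1. Turn is unconstrained, so both values are initial.
INITIAL = [("L0", "L1", 0), ("L0", "L1", 1)]

def state_graph(T):
    """Reachable states with their successor relation {state: [(name, next)]}."""
    graph, work = {}, deque(INITIAL)
    while work:
        s = work.popleft()
        if s in graph:
            continue
        graph[s] = [(name, t(s)) for name, (e, t) in T.items() if e(s)]
        work.extend(nxt for _, nxt in graph[s])
    return graph

def mutual_exclusion_holds(graph):
    """Always not(PC0=CR0 /\ PC1=CR1): no reachable state has both in CR."""
    return not any(s[0] == "CR0" and s[1] == "CR1" for s in graph)

def turn0_eventually_turn1(graph):
    """Check 'always if Turn=0 then at some point Turn=1'. Returns None when
    it holds; otherwise a counterexample as a list of (transition, state)
    pairs that stays in Turn=0 and either ends in a deadlock or closes a
    cycle (its last state repeats an earlier one), i.e. an infinite
    execution in which Turn never becomes 1."""
    status = {}  # state -> "active" (on the DFS stack) or "done"

    def dfs(s, path):
        status[s] = "active"
        if not graph[s]:                      # maximal finite path stuck at Turn=0
            return path + [("deadlock", s)]
        for name, nxt in graph[s]:
            if nxt[2] != 0:                   # this branch reaches Turn=1
                continue
            if status.get(nxt) == "active":   # back edge: cycle inside Turn=0
                return path + [(name, nxt)]
            if nxt not in status:
                found = dfs(nxt, path + [(name, nxt)])
                if found:
                    return found
        status[s] = "done"
        return None

    for s in graph:
        if s[2] == 0 and s not in status:
            found = dfs(s, [("init", s)])
            if found:
                return found
    return None

if __name__ == "__main__":
    for busy in (False, True):
        g = state_graph(transitions(busy))
        print(f"busy waiting={busy}: {len(g)} reachable states, "
              f"mutual exclusion={mutual_exclusion_holds(g)}")
        cex = turn0_eventually_turn1(g)
        print("  Turn=0 -> eventually Turn=1:", "holds" if cex is None else
              "fails: " + " ".join(f"{n}->{s}" for n, s in cex))
```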
Combinatorial explosion
n components, each of which sets its own variable to one of three values: V1:=1, V1:=2, V1:=3, …, Vn:=1, Vn:=2, Vn:=3.
How many states?
Global states: 3^n states:
<v1=1,v2=1,…,vn=1>, <v1=2,v2=1,…,vn=1>, <v1=3,v2=1,…,vn=1>, …, <v1=1,v2=1,…,vn=2>, …, <v1=1,v2=1,…,vn=3>, …
Program verification: flowchart programs
(Book: chapter 7)
History
Verification of flowchart programs: Floyd, 1967
Hoare's logic: Hoare, 1969
Linear Temporal Logic: Pnueli, Krueger, 1977
Model Checking: Clarke & Emerson, 1981
Program Verification
Predicate (first order) logic.
Partial correctness, total correctness.
Flowchart programs.
Invariants, annotated programs.
Well founded ordering (for termination).
Hoare's logic.
Predicate (first order) logic
Variables, functions, predicates
Terms
Formulas (assertions)
Signature
Variables: v1, x, y18. Each variable represents a value of some given domain (int, real, string, …).
Function symbols: f(_,_), g2(_), h(_,_,_). Each function has an arity (number of parameters), a domain for each parameter, and a range.
f: int*int->int (e.g., addition), g: real->real (e.g., square root).
A constant is a predicate with arity 0.
Relation symbols: R(_,_), Q(_). Each relation has an arity, and a domain for each parameter.
R: real*real (e.g., greater than). Q: int (e.g., is a prime).
Terms
Terms are objects that have values. Each variable is a term. Applying a function with arity n to n terms results in a new term.
Examples: v1, 5.0, f(v1,5.0), g2(f(v1,5.0))
More familiar notation: sqr(v1+5.0)
Formulas
Applying predicates to terms results in a formula: R(v1,5.0), Q(x). More familiar notation: v1>5.0
One can combine formulas with the boolean operators (and, or, not, implies): R(v1,5.0)->Q(x), x>1 -> x*x>x
One can apply existential and universal quantification to formulas, e.g., Q(X) quantified over x, R(x1,5.0) quantified over x1, R(x,y) quantified over x and y.
A model, a proof
A model gives a meaning (semantics) to a first order formula: a relation for each relation symbol, a function for each function symbol, a value for each variable.
An important concept in first order logic is that of a proof. We assume the ability to prove that a formula holds for a given model.
Example proof rule (MP, modus ponens): from p and p -> q, conclude q.
Flowchart programs
Input variables: X=x1,x2,…,xl. Program variables: Y=y1,y2,…,ym. Output variables: Z=z1,z2,…,zn.
Flowchart skeleton on the slide: start → Y=f(X) → … → Z=h(X,Y) → halt.
Assignments and tests
Assignment node: Y=g(X,Y). Test node: t(X,Y), with a T (true) and an F (false) branch.
Initial condition
Flowchart on the slide: start → (y1,y2)=(0,x1) → test y2>=x2; T: (y1,y2)=(y1+1,y2-x2) and back to the test; F: (z1,z2)=(y1,y2) → halt.
Initial condition: the values for the input variables for which the program must work.
x1>=0 /\ x2>0
The input-output claim
(Same flowchart: start → (y1,y2)=(0,x1) → test y2>=x2; T: (y1,y2)=(y1+1,y2-x2) and back to the test; F: (z1,z2)=(y1,y2) → halt.)
The relation between the values of the input and the output variables at termination.
x1=z1*x2+z2 /\ 0<=z2<x2
Partial correctness, Termination, Total correctness
Partial correctness: if the initial condition holds and the program terminates then the input-output claim holds.
Termination: if the initial condition holds, the program terminates.
Total correctness: if the initial condition holds, the program terminates and the input-output claim holds.
Subtle point:
The program is partially correct with respect to x1>=0 /\ x2>=0 and totally correct with respect to x1>=0 /\ x2>0.
(Same flowchart: start → (y1,y2)=(0,x1) → test y2>=x2; T: (y1,y2)=(y1+1,y2-x2) and back to the test; F: (z1,z2)=(y1,y2) → halt.)
Annotating a scheme
Assign an assertion to each pair of nodes. The assertion expresses the relation between the variables when the program counter is located between these nodes.
On the flowchart: A between start and (y1,y2)=(0,x1); B between that assignment and the test y2>=x2; C on the T branch of the test, before (y1,y2)=(y1+1,y2-x2); D on the F branch, before (z1,z2)=(y1,y2); E between that assignment and halt.
Invariants
Invariants are assertions that hold at each state throughout the execution of the program.
One can attach an assertion to a particular location in the code, e.g., at(B) → (B), where (B) is the assertion attached to location B. This is also an invariant; in other locations, at(B) does not hold, hence the implication holds.
If there is an assertion attached to each location, (A), (B), (C), (D), (E), then their disjunction is also an invariant: (A) \/ (B) \/ (C) \/ (D) \/ (E) (since the program counter is always at one of these locations).
Annotating a scheme with invariants
(A): x1>=0 /\ x2>=0
(B): x1=y1*x2+y2 /\ y2>=0
(C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2
(D): x1=y1*x2+y2 /\ y2>=0 /\ y2<x2
(E): x1=z1*x2+z2 /\ 0<=z2<x2
Notice: (A) is the initial condition, (E) is the input-output condition.
(Flowchart as before, with A, B, C, D, E placed between its nodes.)
(A) is the precondition of (y1,y2)=(0,x1) and (B) is its postcondition.
Preliminary: Relativizing assertions
(B): x1=y1*x2+y2 /\ y2>=0
Relativize (B) w.r.t. the assignment (y1,y2)=(0,x1), obtaining (B)[Y\g(X,Y)], i.e., (B) expressed w.r.t. the variables at A:
(B)A = x1=0*x2+x1 /\ x1>=0
Think about two sets of variables, before={x, y, z, …} and after={x',y',z',…}.
Rewrite (B) using after, and the assignment as a relation between the two sets of variables. Then eliminate after by substitution.
Here: x1'=y1'*x2'+y2' /\ y2'>=0 /\ x1'=x1 /\ x2'=x2 /\ y1'=0 /\ y2'=x1; now eliminate x1', x2', y1', y2'.
![Page 69: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/69.jpg)
Preliminary: Relativizing assertions
(Figure only: the edge A → (y1,y2)=(0,x1) → B annotated with φ(A), φ(B)_A and φ(B), next to the generic edge A → Y=g(X,Y) → B.)
![Page 70: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/70.jpg)
Verification conditions: assignment
φ(A) → φ(B)_A, where φ(B)_A = φ(B)[Y\g(X,Y)]
φ(A): x1>=0 /\ x2>=0
φ(B): x1=y1*x2+y2 /\ y2>=0
φ(B)_A = x1=0*x2+x1 /\ x1>=0
(Figure: the edge A → (y1,y2)=(0,x1) → B next to the generic edge A → Y=g(X,Y) → B.)
![Page 71: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/71.jpg)
Second assignment: (y1,y2)=(y1+1,y2-x2), on the edge from C back to B
φ(C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2
φ(B): x1=y1*x2+y2 /\ y2>=0
φ(B)_C: x1=(y1+1)*x2+y2-x2 /\ y2-x2>=0
Verification condition: φ(C) → φ(B)_C
![Page 72: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/72.jpg)
Third assignment: (z1,z2)=(y1,y2), on the edge from D to E
φ(D): x1=y1*x2+y2 /\ y2>=0 /\ y2<x2
φ(E): x1=z1*x2+z2 /\ 0<=z2<x2
φ(E)_D: x1=y1*x2+y2 /\ 0<=y2<x2
Verification condition: φ(D) → φ(E)_D
![Page 73: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/73.jpg)
Verification conditions: tests
φ(B) /\ t(X,Y) → φ(C)
φ(B) /\ ¬t(X,Y) → φ(D)
φ(B): x1=y1*x2+y2 /\ y2>=0
φ(C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2
φ(D): x1=y1*x2+y2 /\ y2>=0 /\ y2<x2
(Figure: the test y2>=x2 at B with true branch to C and false branch to D, next to the generic test t(X,Y).)
![Page 74: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/74.jpg)
Verification conditions: tests
(Figure only: the test y2>=x2 at B with true branch to C and false branch to D, next to the generic test t(X,Y); the true branch is annotated φ(B) /\ t(X,Y) and leads to φ(C), the false branch φ(B) /\ ¬t(X,Y).)
![Page 75: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/75.jpg)
Partial correctness proof: an induction on the length of the execution
Initially, states satisfy the initial condition.
Then, passing from one set of states to another, we preserve the invariants at the appropriate location.
We prove: starting with a state satisfying the initial condition, if we are at a point in the execution, the invariant there holds.
Not a proof of termination!
(Figure: the division flowchart as before, with the sets of states satisfying φ(A), φ(B), φ(C), φ(D) marked along the execution.)
![Page 76: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/76.jpg)
Exercise: prove partial correctness
Initial condition: x>=0
Input-output claim: z=x!
Flowchart: start → (y1,y2)=(0,1) → test y1=x: false → (y1,y2)=(y1+1,(y1+1)*y2) → back to the test; true → z=y2 → halt.
![Page 77: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/77.jpg)
What have we achieved?
For each statement S that appears between points X and Y we showed that if the control is in X when φ(X) holds (the precondition of S) and S is executed, then φ(Y) (the postcondition of S) holds.
Initially, we know that φ(A) holds. The above two conditions can be combined into an induction on the number of statements that were executed: if after n steps we are at point X, then φ(X) holds.
![Page 78: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/78.jpg)
Another example
φ(A): x>=0
φ(F): z^2<=x<(z+1)^2
z is the biggest integer that is not greater than sqrt(x).
Flowchart: start → A → (y1,y2,y3)=(0,0,1) → B → y2=y2+y3 → C → test y2>x: true → E → z=y1 → F → halt; false → D → (y1,y3)=(y1+1,y3+2) → B.
![Page 79: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/79.jpg)
Some insight
1+3+5+…+(2n+1)=(n+1)^2
y2 accumulates the above sum, until it is bigger than x.
y3 ranges over the odd numbers 1,3,5,…
y1 is n-1.
(Figure: the integer square root flowchart as above.)
![Page 80: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/80.jpg)
Invariants
It is sufficient to have one invariant for every loop (cycle in the program's graph).
We will have φ(C) = y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1
(Figure: the integer square root flowchart as above.)
![Page 81: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/81.jpg)
Obtaining φ(B)
By backwards substitution in φ(C) through the assignment y2=y2+y3.
φ(C) = y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1
φ(B) = y1^2<=x /\ y2+y3=(y1+1)^2 /\ y3=2*y1+1
(Figure: the integer square root flowchart as above.)
![Page 82: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/82.jpg)
Check assignment condition
φ(A) = x>=0
φ(B) = y1^2<=x /\ y2+y3=(y1+1)^2 /\ y3=2*y1+1
φ(B) relativized w.r.t. (y1,y2,y3)=(0,0,1) is 0^2<=x /\ 0+1=(0+1)^2 /\ 1=2*0+1
Simplified: x>=0, so φ(A) → φ(B)_A holds.
(Figure: the integer square root flowchart as above.)
![Page 83: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/83.jpg)
Obtaining φ(D)
By backwards substitution in φ(B) through the assignment (y1,y3)=(y1+1,y3+2).
φ(B) = y1^2<=x /\ y2+y3=(y1+1)^2 /\ y3=2*y1+1
φ(D) = (y1+1)^2<=x /\ y2+y3+2=(y1+2)^2 /\ y3+2=2*(y1+1)+1
(Figure: the integer square root flowchart as above.)
![Page 84: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/84.jpg)
Checking
φ(C) = y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1
Test condition (false branch): φ(C) /\ y2<=x → φ(D)
φ(D) = (y1+1)^2<=x /\ y2+y3+2=(y1+2)^2 /\ y3+2=2*(y1+1)+1
(Figure: the integer square root flowchart as above.)
![Page 85: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/85.jpg)
y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1 /\ y2<=x
→ (y1+1)^2<=x /\ y2+y3+2=(y1+2)^2 /\ y3+2=2*(y1+1)+1
(From the premise: (y1+1)^2 = y2 <= x; y2+y3+2 = (y1+1)^2+2*y1+3 = (y1+2)^2; y3+2 = 2*y1+3 = 2*(y1+1)+1.)
![Page 86: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/86.jpg)
Not finished!
Still needs to:
Calculate φ(E) by substituting backwards from φ(F) through z=y1.
Check that φ(C) /\ y2>x → φ(E).
(Figure: the integer square root flowchart as above.)
![Page 87: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/87.jpg)
Exercise: prove partial correctness. Initially: x1>0 /\ x2>0. At termination: z1=gcd(x1,x2).
Flowchart: start → (y1,y2)=(x1,x2) → test y1=y2: true → z1=y1 → halt; false → test y1>y2: true → y1=y1-y2, false → y2=y2-y1; both branches return to the test y1=y2.
![Page 88: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/88.jpg)
Annotation of program with invariants
Locations: start → A → (y1,y2)=(x1,x2) → B → test y1=y2: true → G → z1=y1 → H → halt; false → C → D → test y1>y2: true → F → y1=y1-y2 → B; false → E → y2=y2-y1 → B.
φ(A) = x1>0 /\ x2>0
φ(B) = gcd(y1,y2)=gcd(x1,x2) /\ y1>0 /\ y2>0
φ(C) = φ(D) = gcd(y1,y2)=gcd(x1,x2) /\ y1>0 /\ y2>0 /\ y1≠y2
φ(E) = gcd(y1,y2)=gcd(x1,x2) /\ y1>0 /\ y2>0 /\ y1<y2
φ(F) = gcd(y1,y2)=gcd(x1,x2) /\ y1>0 /\ y2>0 /\ y1>y2
φ(G) = y1=gcd(x1,x2)
φ(H) = z1=gcd(x1,x2)
![Page 89: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/89.jpg)
Part 1
φ(A) = x1>0 /\ x2>0
φ(B) = gcd(y1,y2)=gcd(x1,x2) /\ y1>0 /\ y2>0
φ(B)'rel (w.r.t. (y1,y2)=(x1,x2)) = gcd(x1,x2)=gcd(x1,x2) /\ x1>0 /\ x2>0
Verification condition: φ(A) → φ(B)'rel
(Figure: the gcd flowchart with locations A..H as above.)
![Page 90: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/90.jpg)
Part 2a
φ(B) = gcd(y1,y2)=gcd(x1,x2) /\ y1>0 /\ y2>0
φ(C) = gcd(y1,y2)=gcd(x1,x2) /\ y1>0 /\ y2>0 /\ y1≠y2
Verification condition (false branch of y1=y2): φ(B) /\ ¬(y1=y2) → φ(C)
(Figure: the gcd flowchart with locations A..H as above.)
![Page 91: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/91.jpg)
Part 2b
φ(B) = gcd(y1,y2)=gcd(x1,x2) /\ y1>0 /\ y2>0
φ(G) = y1=gcd(x1,x2)
Verification condition (true branch of y1=y2): φ(B) /\ (y1=y2) → φ(G)
(Figure: the gcd flowchart with locations A..H as above.)
![Page 92: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/92.jpg)
Part 3
φ(D) = gcd(y1,y2)=gcd(x1,x2) /\ y1>0 /\ y2>0 /\ y1≠y2
φ(E) = gcd(y1,y2)=gcd(x1,x2) /\ y1>0 /\ y2>0 /\ y1<y2
φ(F) = gcd(y1,y2)=gcd(x1,x2) /\ y1>0 /\ y2>0 /\ y1>y2
Verification conditions for the test y1>y2:
φ(D) /\ (y1>y2) → φ(F)
φ(D) /\ ¬(y1>y2) → φ(E)
(Figure: the gcd flowchart with locations A..H as above.)
![Page 93: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/93.jpg)
Part 4
φ(A) = x1>0 /\ x2>0
φ(B) = gcd(y1,y2)=gcd(x1,x2) /\ y1>0 /\ y2>0
φ(E) = gcd(y1,y2)=gcd(x1,x2) /\ y1>0 /\ y2>0 /\ y1<y2
φ(F) = gcd(y1,y2)=gcd(x1,x2) /\ y1>0 /\ y2>0 /\ y1>y2
φ(B)'rel1 (w.r.t. y2=y2-y1) = gcd(y1,y2-y1)=gcd(x1,x2) /\ y1>0 /\ y2-y1>0
φ(B)'rel2 (w.r.t. y1=y1-y2) = gcd(y1-y2,y2)=gcd(x1,x2) /\ y1-y2>0 /\ y2>0
Verification conditions: φ(E) → φ(B)'rel1 and φ(F) → φ(B)'rel2
(Figure: the gcd flowchart with locations A..H as above.)
![Page 94: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/94.jpg)
Part 5
φ(H) = z1=gcd(x1,x2)
φ(G) = y1=gcd(x1,x2)
φ(H)'rel (w.r.t. z1=y1) = y1=gcd(x1,x2)
Verification condition: φ(G) → φ(H)'rel
(Figure: the gcd flowchart with locations A..H as above.)
![Page 95: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/95.jpg)
Proving termination
![Page 96: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/96.jpg)
Well-founded sets
Partially ordered set (W,<): If a<b and b<c then a<c (transitivity). If a<b then not b<a (asymmetry). Not a<a (irreflexivity).
Well-founded set (W,<): Partially ordered. No infinite decreasing chain a1>a2>a3>…
![Page 97: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/97.jpg)
Examples for well-founded sets
Natural numbers with the greater-than relation.
Finite sets with the set inclusion relation.
Strings with the substring relation.
Tuples with lexicographic (alphabetic) order:
(a1,b1)>(a2,b2) iff a1>a2 or [a1=a2 and b1>b2].
(a1,b1,c1)>(a2,b2,c2) iff a1>a2 or [a1=a2 and b1>b2] or [a1=a2 and b1=b2 and c1>c2].
![Page 98: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/98.jpg)
Why does the program terminate?
y2 starts as x1. Each time the loop is executed, y2 is decremented (by x2).
y2 is a natural number. The loop cannot be entered again when y2<x2.
(Figure: the division flowchart: start → A → (y1,y2)=(0,x1) → B → test y2>=x2: true → C → (y1,y2)=(y1+1,y2-x2) → B; false → D → (z1,z2)=(y1,y2) → E → halt.)
![Page 99: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/99.jpg)
Proving termination
Choose a well-founded set (W,<).
Attach a function u(N) to each point N.
Annotate the flowchart with invariants, and prove their consistency conditions.
Prove that φ(N) → (u(N) ∈ W).
![Page 100: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/100.jpg)
How not to stay in a loop?
Show that u(M)>=u(N)'rel.
At least once in each loop, show that u(M)>u(N).
(Figure: an edge M → S → N for a statement S, and a test at M with a branch to N.)
![Page 101: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/101.jpg)
How not to stay in a loop?
For a statement stmt from M to N: φ(M) → (u(M)>=u(N)'rel)
Relativize, since we need to compare values, not syntactic expressions.
For a test at M (true side, to N): (φ(M) /\ test) → (u(M)>=u(N))
For a test at M (false side, to L): (φ(M) /\ ¬test) → (u(M)>=u(L))
(Figure: M → stmt → N; a test at M with true branch to N and false branch to L.)
![Page 102: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/102.jpg)
What did we achieve?
There are finitely many control points.
The value of the function u cannot increase.
If we return to the same control point, the value of u must decrease (it's a loop!).
The value of u can decrease only a finite number of times.
![Page 103: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/103.jpg)
Why does the program terminate?
u(A)=x1, u(B)=y2, u(C)=y2, u(D)=y2, u(E)=z2
W: the naturals; >: greater than
(Figure: the division flowchart as above.)
![Page 104: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/104.jpg)
Recall partial correctness annotation
φ(A): x1>=0 /\ x2>=0
φ(B): x1=y1*x2+y2 /\ y2>=0
φ(C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2
φ(D): x1=y1*x2+y2 /\ y2>=0 /\ y2<x2
φ(E): x1=z1*x2+z2 /\ 0<=z2<x2
(Figure: the division flowchart as above.)
![Page 105: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/105.jpg)
Strengthen for termination
φ(A): x1>=0 /\ x2>0
φ(B): x1=y1*x2+y2 /\ y2>=0 /\ x2>0
φ(C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2 /\ x2>0
φ(D): x1=y1*x2+y2 /\ y2>=0 /\ y2<x2 /\ x2>0
φ(E): x1=z1*x2+z2 /\ 0<=z2<x2
(Figure: the division flowchart as above.)
![Page 106: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/106.jpg)
Strengthen for termination
u(A)=x1, u(B)=y2, u(C)=y2, u(D)=y2, u(E)=z2
φ(A): x1>=0 /\ x2>0 → u(A)>=0
φ(B): x1=y1*x2+y2 /\ y2>=0 /\ x2>0 → u(B)>=0
φ(C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2 /\ x2>0 → u(C)>=0
φ(D): x1=y1*x2+y2 /\ y2>=0 /\ y2<x2 /\ x2>0 → u(D)>=0
φ(E): x1=z1*x2+z2 /\ 0<=z2<x2 → u(E)>=0
This proves that u(M) is a natural number for each point M.
![Page 107: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/107.jpg)
We shall show:
u(A)=x1, u(B)=y2, u(C)=y2, u(D)=y2, u(E)=z2
φ(A) → u(A)>=u(B)'rel
φ(B) → u(B)>=u(C)
φ(C) → u(C)>u(B)'rel
φ(B) → u(B)>=u(D)
φ(D) → u(D)>=u(E)'rel
(Figure: the division flowchart as above.)
![Page 108: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/108.jpg)
Proving decrement
φ(C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2 /\ x2>0
u(C)=y2, u(B)=y2, u(B)'rel=y2-x2
φ(C) → y2>y2-x2 (notice that φ(C) → x2>0)
(Figure: the division flowchart as above.)
![Page 109: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/109.jpg)
Integer square root program
φ(C) = y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1
φ(B) = y1^2<=x /\ y2+y3=(y1+1)^2 /\ y3=2*y1+1
(Figure: the integer square root flowchart: start → A → (y1,y2,y3)=(0,0,1) → B → y2=y2+y3 → C → test y2>x: true → E → z=y1 → F → halt; false → D → (y1,y3)=(y1+1,y3+2) → B.)
![Page 110: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/110.jpg)
u(A)=x+1, u(B)=x-y2+1, u(C)=max(0,x-y2+1), u(D)=x-y2+1, u(E)=u(F)=0
To show:
u(A)>=u(B)'rel
u(B)>u(C)'rel
u(C)>=u(D)
u(C)>=u(E)
u(D)>=u(B)'rel
Need some invariants, i.e., y2<=x /\ y3>0 at points B and D, and y3>0 at point C.
(Figure: the integer square root flowchart as above.)
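As an added example (not from the lecture), the termination argument for the integer square root program can be checked the same way as the verification conditions: for every edge M → N, φ(M) must imply u(M) >= u(N)'rel, where u(N)'rel is computed by evaluating u(N) on the post-state of the edge's assignment, the loop edge B → C must decrease u strictly, and φ(N) must imply u(N) >= 0 so that u(N) lies in the well-founded set of naturals. The invariants are the slides' φ(B), φ(C), φ(D) strengthened as page 110 asks; φ(E) is obtained from φ(F) by backward substitution through z=y1. The finite domain bound is an assumption of this example.

```python
"""Added example: check the ranking functions u(N) of the integer square root
flowchart (locations A..F) against its invariants on a bounded domain."""
from itertools import product

BOUND = 8                                   # assumed finite domain 0..BOUND
VARS = ("x", "y1", "y2", "y3", "z")

def phi(loc, s):
    """Location invariants: phi(B), phi(C), phi(D) of the slides, strengthened
    with y2<=x /\\ y3>0 at B and D and y3>0 at C; phi(E) = phi(F)[z\\y1]."""
    x, y1, y2, y3, z = (s[v] for v in VARS)
    if loc == "A":
        return x >= 0
    if loc == "B":
        return (y1 * y1 <= x and y2 + y3 == (y1 + 1) ** 2
                and y3 == 2 * y1 + 1 and y2 <= x and y3 > 0)
    if loc == "C":
        return y1 * y1 <= x and y2 == (y1 + 1) ** 2 and y3 == 2 * y1 + 1 and y3 > 0
    if loc == "D":
        return ((y1 + 1) ** 2 <= x and y2 + y3 + 2 == (y1 + 2) ** 2
                and y3 + 2 == 2 * (y1 + 1) + 1 and y2 <= x and y3 > 0)
    if loc == "E":
        return y1 * y1 <= x < (y1 + 1) ** 2
    if loc == "F":
        return z * z <= x < (z + 1) ** 2
    raise ValueError(loc)

def u(loc, s):
    """Ranking functions of the slides, into (naturals, >)."""
    x, y2 = s["x"], s["y2"]
    return {"A": x + 1, "B": x - y2 + 1, "C": max(0, x - y2 + 1),
            "D": x - y2 + 1, "E": 0, "F": 0}[loc]

# Edges (source, guard, transformer, target, strict).  `strict` marks the edge
# on which u must decrease; the only cycle B -> C -> D -> B contains B -> C.
EDGES = [
    ("A", None, lambda s: {**s, "y1": 0, "y2": 0, "y3": 1}, "B", False),
    ("B", None, lambda s: {**s, "y2": s["y2"] + s["y3"]}, "C", True),
    ("C", lambda s: s["y2"] > s["x"], lambda s: s, "E", False),
    ("C", lambda s: s["y2"] <= s["x"], lambda s: s, "D", False),
    ("D", None, lambda s: {**s, "y1": s["y1"] + 1, "y3": s["y3"] + 2}, "B", False),
    ("E", None, lambda s: {**s, "z": s["y1"]}, "F", False),
]

def all_states():
    for vals in product(range(BOUND + 1), repeat=len(VARS)):
        yield dict(zip(VARS, vals))

def check_termination():
    """List of (condition, location or edge, counterexample); empty when every
    condition holds on the bounded domain."""
    failures = []
    for s in all_states():
        for loc in "ABCDEF":
            if phi(loc, s) and u(loc, s) < 0:           # phi(N) -> u(N) in W
                failures.append(("u>=0", loc, s))
        for src, guard, g, dst, strict in EDGES:
            if not (phi(src, s) and (guard is None or guard(s))):
                continue
            post = g(s)
            if not phi(dst, post):                      # invariant consistency
                failures.append(("vc", f"{src}->{dst}", s))
            before, after = u(src, s), u(dst, post)     # after = u(dst)'rel on s
            if before < after or (strict and before <= after):
                failures.append((">" if strict else ">=", f"{src}->{dst}", s))
    return failures

def trace_u(x):
    """Run the program on x; return (z, the values of u along the path)."""
    s = {"x": x, "y1": 0, "y2": 0, "y3": 0, "z": 0}
    loc, us = "A", [u("A", s)]
    while loc != "F":
        assert phi(loc, s), (loc, s)
        for src, guard, g, dst, _ in EDGES:
            if src == loc and (guard is None or guard(s)):
                s, loc = g(s), dst
                break
        us.append(u(loc, s))
    return s["z"], us

if __name__ == "__main__":
    print(check_termination())              # []
    print(trace_u(10))                      # z = 3, u never increases
```

The strict decrease on B → C relies on y3>0 at B, and u(C) is clamped with max(0, …) because after the last y2=y2+y3 the value x-y2+1 becomes negative; both are the points the slide's "need some invariants" remark is about.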
![Page 111: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/111.jpg)
![Page 112: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/112.jpg)
Why testing?
Reduces design/programming errors.
Can be done during development, before production/marketing.
Practical, simple to do.
Checks the real thing, not a model.
Scales up reasonably.
Has been state of the practice for decades.
![Page 113: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/113.jpg)
Part 1: Testing of a black box finite state machine
Know:
Transition relation
Size or bound on size
Want to know:
In what state we started?
In what state we are?
Transition relation
Conformance
Satisfaction of a temporal property
![Page 114: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/114.jpg)
Finite automata (Mealy machines)
S - finite set of states (size n).
Σ - set of inputs (size d).
O - set of outputs, one for each transition.
(s0 ∈ S - initial state.)
δ: S × Σ → S - transition relation (deterministic, but sometimes not defined for each input in each state).
λ: S × Σ → O - output on edges.
Notation: δ(s,a1a2..an) = δ(…(δ(δ(s,a1),a2)…),an)
λ(s,a1a2..an) = λ(s,a1) λ(δ(s,a1),a2) … λ(δ(s,a1..a(n-1)),an)
![Page 115: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/115.jpg)
Finite automata (Mealy machines)
S - finite set of states (size n). Σ - set of inputs (size d). O - set of outputs, one for each transition. (s0 ∈ S - initial state.) δ: S × Σ → S - transition relation. λ: S × Σ → O - output on edges.
Example: S={s1, s2, s3}, Σ={a, b}, O={0, 1}.
δ(s1,a)=s3 (also written s1=a=>s3), δ(s1,b)=s2 (also s1=b=>s2), …
λ(s1,a)=0, λ(s1,b)=1, …
δ(s1,ab)=s1, λ(s1,ab)=01
(Figure: the three-state machine s1, s2, s3 with edges labelled a/0, b/1, b/0, b/1, a/0, a/0.)
![Page 116: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/116.jpg)
Why deterministic machines?
Otherwise no amount of experiments would guarantee anything.
If dependent on some parameter (e.g., temperature), we can determinize, by taking parameter as additional input.
We still can model concurrent system. It means just that the transitions are deterministic.
All kinds of equivalences are unified into language equivalence.
Also: connected machine (otherwise we may never get to the completely separate parts).
![Page 117: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/117.jpg)
Determinism
When the black box is nondeterministic, we might never test some choices.
(Figure: a state with two outgoing a/1 transitions and a b/1 transition.)
![Page 118: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/118.jpg)
Preliminaries: separating sequences
(Figure: the three-state machine s1, s2, s3 with edges a/0, b/1, b/0, b/1, a/0, a/0.)
Start with one block containing all states {s1, s2, s3}.
A set of sequences X such that if we execute them from different states, at least one of them will give a different output sequence:
for all s≠t there is µ∈X such that λ(s,µ)≠λ(t,µ).
![Page 119: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/119.jpg)
A: separate into blocks of states with different output.
(Figure: the three-state machine as above.)
The states are separated into {s1, s3}, {s2} using the string b.
But s1 and s3 have the same outputs to the same inputs.
![Page 120: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/120.jpg)
Repeat B: Separate blocks based on inputs that cause moving to different blocks.
(Figure: the three-state machine as above.)
Separate the first block using b into singleton blocks, obtaining the separating sequence bb. Separating sequences: b, bb.
Max rounds: n-1, sequences: n-1, length: n-1.
If string X separated blocks B1, B2, and letter a moves part of block C to B1 and part to B2, then aX separates C into C1, C2, accordingly.
![Page 121: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/121.jpg)
Want to know the state of the machine (at the end): Homing sequence.
Know: transition relation. Don't know: in which state we start. Want to know: in which state we end up.
After firing the homing sequence, we know in what state we are by observing the outputs. Find a sequence µ such that
δ(s,µ)≠δ(t,µ) → λ(s,µ)≠λ(t,µ)
So, given an input µ that is executed from state s, we look at a table of outputs and, according to the table, know in which state r we are.
![Page 122: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/122.jpg)
Homing sequence
Algorithm: Put all the states in one block (initially we do not know what the current state is).
Then repeatedly separate blocks, as long as they are not singletons, as follows:
Take a non-singleton block, append a distinguishing sequence µ that separates at least two states in that block.
Update each block to the states after executing µ, grouped by the observed output.
Note: blocks do not have to be disjoint (it is not a partition)!
Max length of sequence: (n-1)^2. (Lower bound: n(n-1)/2.)
![Page 123: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/123.jpg)
Example (homing sequence)
(Figure: the three-state machine s1, s2, s3 with edges a/0, b/1, b/0, b/1, a/0, a/0.)
{s1, s2, s3}
--b--> output 1: {s1, s2}; output 0: {s3}
--b--> output 11: {s2}; output 10: {s3}; output 01: {s1}
On input b and output 1, we still don't know if we were in s1 or s3, i.e., if we are currently in s2 or s1. So separate these cases with another b.
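As an added example (not from the lecture), here are the two constructions of the last slides in code, applied to the three-state machine of the slides: block refinement for a set of separating sequences, and a homing sequence assembled from them, together with the output table that tells which state the machine is in afterwards. The a-successors of s2 and s3 cannot be read off the transcript and are assumed here (s2 -a-> s2 and s3 -a-> s1, both with output 0 as on the slides); they do not affect the b-based result.

```python
"""Added example: separating sequences by block refinement and a homing
sequence for the slides' three-state Mealy machine.  Two a-edges are assumed."""

# MACHINE[(state, input)] = (next_state, output), i.e. delta and lambda together.
MACHINE = {
    ("s1", "a"): ("s3", 0), ("s1", "b"): ("s2", 1),
    ("s2", "a"): ("s2", 0), ("s2", "b"): ("s3", 0),   # s2 -a-> s2 is an assumption
    ("s3", "a"): ("s1", 0), ("s3", "b"): ("s1", 1),   # s3 -a-> s1 is an assumption
}

def states_of(m):
    return sorted({s for s, _ in m})

def inputs_of(m):
    return sorted({a for _, a in m})

def run(m, s, word):
    """(delta(s, word), lambda(s, word)); the output sequence is returned as a string."""
    out = ""
    for a in word:
        s, o = m[(s, a)]
        out += str(o)
    return s, out

def refine(m, blocks, word):
    """Split every block according to the output sequence produced on `word`."""
    new_blocks = []
    for block in blocks:
        groups = {}
        for s in block:
            groups.setdefault(run(m, s, word)[1], []).append(s)
        new_blocks.extend(groups.values())
    return new_blocks

def separating_sequences(m):
    """Block refinement: first split by the output of single letters (X empty),
    then keep trying a letter a in front of an already-found sequence X, i.e. the
    candidate aX, and keep it whenever it splits a block.  Stops at a partition
    into singletons or when nothing splits any more."""
    W, blocks = [], [states_of(m)]
    changed = True
    while changed:
        changed = False
        for a in inputs_of(m):
            for x in [""] + W:
                cand = a + x
                if cand in W:
                    continue
                new_blocks = refine(m, blocks, cand)
                if len(new_blocks) > len(blocks):
                    W.append(cand)
                    blocks = new_blocks
                    changed = True
    return W

def is_separating(m, W):
    """Every pair of distinct states gives different outputs on some word of W."""
    S = states_of(m)
    return all(any(run(m, s, w)[1] != run(m, t, w)[1] for w in W)
               for i, s in enumerate(S) for t in S[i + 1:])

def homing_sequence(m, W):
    """Blocks of possible current states, all states at first.  Repeatedly take a
    non-singleton block, append a shortest word of W separating two of its
    states, and map every block to its successors grouped by observed output."""
    blocks, homing = [set(states_of(m))], ""
    while any(len(b) > 1 for b in blocks):
        big = next(b for b in blocks if len(b) > 1)
        s, t = sorted(big)[:2]
        mu = next(w for w in sorted(W, key=len)
                  if run(m, s, w)[1] != run(m, t, w)[1])
        homing += mu
        new_blocks = []
        for b in blocks:
            groups = {}
            for st in b:
                nxt, out = run(m, st, mu)
                groups.setdefault(out, set()).add(nxt)
            new_blocks.extend(groups.values())
        blocks = new_blocks
    return homing

def final_state_table(m, word):
    """Observed output -> final state.  Well defined iff `word` is homing;
    returns None when two initial states give the same output but different ends."""
    table = {}
    for s in states_of(m):
        nxt, out = run(m, s, word)
        if table.setdefault(out, nxt) != nxt:
            return None
    return table

if __name__ == "__main__":
    W = separating_sequences(MACHINE)       # ['b', 'bb']
    h = homing_sequence(MACHINE, W)         # 'bb'
    print(W, h, final_state_table(MACHINE, h))
```

With b alone the table is not well defined (s1 and s3 both answer 1 but end in s2 and s1), which is exactly the situation the slide describes; bb resolves it.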
![Page 124: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/124.jpg)
Synchronizing sequence
One sequence takes the machine to the same final state, regardless of the initial state or the outputs. That is: find a sequence µ such that for each pair of states s, t,
δ(s,µ)=δ(t,µ)
Not every machine has a synchronizing sequence.
It can be checked whether one exists and, if so, it can be found in polynomial time.
(Figure: a three-state machine with edges labelled a/1, b/1, a/0, b/0, b/1, a/0.)
![Page 125: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/125.jpg)
Algorithm for synchronizing sequences
(Figure: the three-state machine s1, s2, s3 with edges labelled a/1, b/1, a/0, b/0, b/1, a/0.)
Construct a graph whose nodes are (unordered) pairs (s,t), with an edge (s,t)=a=>(s',t') when s=a=>s' and t=a=>t'. (Ignore self loops, e.g., on (s2,s2).)
(Figure: the pair graph with nodes (s1,s1), (s2,s2), (s3,s3), (s1,s2), (s2,s3), (s1,s3) and edges labelled a and b.)
![Page 126: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/126.jpg)
Algorithm continues (2)
There is an input sequence taking both s≠t to some r iff there is a path in this graph from (s,t) to (r,r).
There is a synchronizing sequence iff some twins node (r,r) is reachable from every pair of distinct nodes.
In this case it is (s2,s2).
(Figure: the pair graph as above.)
If the original automaton is not strongly connected, there is no synchronizing sequence. Otherwise, all twins are reachable from each other in the product graph. Thus, in this case, if there is no twins node (r,r) reachable from all pairs, there is some pair (Si,Sj) from which no twins node is reachable, so no sequence will synchronize Si and Sj.
![Page 127: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/127.jpg)
Algorithm continues (3)
Notation: δ(S,x) = {t | s∈S, δ(s,x)=t}
1. i=1; S1=S
2. Take some nodes s≠t ∈ Si, and find a shortest path labeled xi to some twins (r,r).
3. i=i+1; Si := δ(Si-1, xi-1). If |Si|>1, goto 2, else goto 4.
4. Concatenate x1x2…xk.
(Figure: the pair graph as above.)
Number of sequences ≤ n-1. Each of length ≤ n(n-1)/2. Overall O(n(n-1)^2/2).
![Page 128: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/128.jpg)
Example:
(s2,s3)=a=>(s2,s2)
x1:=a
δ({s1,s2,s3},a)={s1,s2}
(s1,s2)=ba=>(s2,s2)
x2:=ba
δ({s1,s2},ba)={s2}
So x1x2=aba is a synchronizing sequence, bringing every state into state s2.
(Figure: the pair graph as above.)
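As an added example (not from the lecture), the pair-graph algorithm of the last slides in code. The transition function is the one recoverable from the slides' example (δ(s1,a)=s1, δ(s2,a)=δ(s3,a)=s2, and the b-edges forming the cycle s1 → s2 → s3 → s1); outputs are left out because they play no role in synchronization. Choosing, at each round, the pair of states with the shortest path to a twins node is a choice made here (the slides say "some nodes"); with it the result is the slides' aba. A second, constructed machine without any synchronizing sequence shows the existence check.

```python
"""Added example: synchronizing sequence via the pair graph (BFS on pairs).
DELTA is the transition function read off the slides' example; NO_SYNC is a
constructed machine whose inputs only permute the states."""
from collections import deque
from itertools import combinations

DELTA = {
    ("s1", "a"): "s1", ("s1", "b"): "s2",
    ("s2", "a"): "s2", ("s2", "b"): "s3",
    ("s3", "a"): "s2", ("s3", "b"): "s1",
}

# Constructed counterexample: a swaps p and q, b is the identity, so no input
# word ever merges two states and no twins node is reachable from (p,q).
NO_SYNC = {("p", "a"): "q", ("q", "a"): "p", ("p", "b"): "p", ("q", "b"): "q"}

def states_of(delta):
    return sorted({s for s, _ in delta})

def inputs_of(delta):
    return sorted({a for _, a in delta})

def step_set(delta, S, word):
    """delta(S, x) = { t | s in S, delta(s, x) = t }."""
    cur = set(S)
    for a in word:
        cur = {delta[(s, a)] for s in cur}
    return cur

def shortest_path_to_twins(delta, s, t):
    """BFS in the pair graph from the unordered pair {s,t} to some twins (r,r).
    A pair is a frozenset, so (r,r) is the singleton {r}.  Returns the word
    labelling a shortest path, or None if no twins node is reachable."""
    start = frozenset((s, t))
    seen, queue = {start}, deque([(start, "")])
    while queue:
        pair, word = queue.popleft()
        if len(pair) == 1:
            return word
        for a in inputs_of(delta):
            nxt = frozenset(delta[(p, a)] for p in pair)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, word + a))
    return None

def has_synchronizing_sequence(delta):
    """Some twins node is reachable from every pair of distinct states."""
    return all(shortest_path_to_twins(delta, s, t) is not None
               for s, t in combinations(states_of(delta), 2))

def synchronizing_sequence(delta):
    """S1 = S; while |Si| > 1 pick s != t in Si, append the word xi of a shortest
    path to twins, and set Si+1 = delta(Si, xi).  The pair with the shortest
    path is chosen (a choice of this example).  None if no sequence exists."""
    if not has_synchronizing_sequence(delta):
        return None
    S, word = set(states_of(delta)), ""
    while len(S) > 1:
        x = min((shortest_path_to_twins(delta, s, t)
                 for s, t in combinations(sorted(S), 2)), key=len)
        word += x
        S = step_set(delta, S, x)
    return word

if __name__ == "__main__":
    print(synchronizing_sequence(DELTA))    # aba
    print(synchronizing_sequence(NO_SYNC))  # None
```

Each BFS explores at most n(n+1)/2 pair nodes, and at most n-1 rounds are needed because every round merges at least two states, matching the bounds on the slide.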
![Page 129: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/129.jpg)
State identification: want to know in which state the system has started (was reset to).
Can be a preset distinguishing sequence (fixed), or a tree (adaptive).
May not exist (PSPACE-complete to check whether a preset one exists, polynomial for adaptive).
Best known algorithm: exponential length for preset, polynomial for adaptive [LY].
![Page 130: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/130.jpg)
Sometimes cannot identify initial state
(Figure: a three-state machine s1, s2, s3 with edges labelled b/1, a/1, a/1, b/0, b/1, a/1.)
Start with a: in case of being in s1 or s3 we'll move to s1 and cannot distinguish.
Start with b: in case of being in s1 or s2 we'll move to s2 and cannot distinguish.
The kind of experiment we do affects what we can distinguish. Much like the Heisenberg principle in physics.
![Page 131: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/131.jpg)
So…
We’ll assume resets from now on!
![Page 132: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/132.jpg)
Conformance testing
Unknown deterministic finite state system B. Known: n states and alphabet Σ.
An abstract model C of B. C satisfies all the properties we want from B. C has m states.
Check conformance of B and C.
Another version: only a bound n on the number of states of B is known.
![Page 133: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/133.jpg)
Check conformance with a given state machine
Black box machine has no more states than specification machine (errors are mistakes in outputs, mistargeted edges).
Specification machine is reduced, connected, deterministic.
Machine resets reliably to a single initial state (or use homing sequence).
[Figure: the specification machine s1, s2, s3 (transitions a/1, b/0, b/1, a/1) "?=" a black box machine showing transitions a/1, b/1]
![Page 134: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/134.jpg)
Conformance testing [Ch,V]
[Figure: a one-state machine with self-loops a/1 and b/1 beside a machine with several states whose transitions are all labelled a/1 or b/1]
Cannot distinguish if reduced or not.
![Page 135: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/135.jpg)
Conformance testing (cont.)
[Figure: a machine whose states are connected by a and b transitions]
Need: bound on number of states of B.
![Page 136: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/136.jpg)
Preparation: Construct a spanning tree, and separating sequences
[Figure: the specification machine s1, s2, s3 (transitions a/1, b/0, b/1, a/1) and its spanning tree over s1, s2, s3 with edges labelled b/1 and a/1]
Given an initial state, we can reach any state of the automaton.
![Page 137: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/137.jpg)
How does the algorithm work?
According to the spanning tree, force a sequence of inputs to go to each state.
1. From each state, perform the distinguishing sequences.
2. From each state, make a single transition, check the output, and use the distinguishing sequences to check that we are in the correct target state.
[Figure: the spanning tree over s1, s2, s3 (edges b/1, a/1); each experiment starts with a Reset and ends with the distinguishing sequences]
![Page 138: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/138.jpg)
Comments
1. Checking the different distinguishing sequences (m-1 of them) means each time resetting and returning to the state under experiment.
2. A reset can be performed to a distinguished state through a homing sequence. Then we can perform a sequence that brings us to the distinguished initial state.
3. Since there are no more than m states, and according to the experiment, no less than m states, there are exactly m states.
4. An isomorphism between the transition relations is found, hence from minimality the two automata recognize the same languages.
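As an added worked example (not from the lecture or the book), the procedure of the last two slides in Python: access sequences from a BFS spanning tree, pairwise separating sequences, and a test suite of access sequence + one transition + distinguishing sequence, each experiment run from reset. The three-state Mealy machine is constructed here to match what the slides say about it (input a maps s1 and s3 to s1, input b maps s1 and s2 to s2, spanning tree s1 -b/1-> s2 -a/1-> s3); the b/0 self-loop at s3 and the two faulty black boxes are assumptions made for the illustration.

```python
from collections import deque

# Constructed Mealy machine, consistent with the slides' description (input a
# maps s1 and s3 to s1; input b maps s1 and s2 to s2; spanning tree
# s1 -b/1-> s2 -a/1-> s3).  The b/0 transition of s3 is assumed to be a self-loop.
# Entry: (state, input) -> (next state, output).
SPEC = {
    ("s1", "a"): ("s1", 1), ("s1", "b"): ("s2", 1),
    ("s2", "a"): ("s3", 1), ("s2", "b"): ("s2", 1),
    ("s3", "a"): ("s1", 1), ("s3", "b"): ("s3", 0),
}
INIT = "s1"
INPUTS = ("a", "b")

# Constructed faulty black boxes with the same number of states as the specification:
# one mistargeted edge (same output), and one wrong output (same edge).
MISTARGETED = {**SPEC, ("s3", "b"): ("s1", 0)}
WRONG_OUTPUT = {**SPEC, ("s2", "b"): ("s2", 0)}


def run(machine, start, word):
    """Run an input word from `start`; return (final state, tuple of outputs)."""
    state, outputs = start, []
    for x in word:
        state, out = machine[(state, x)]
        outputs.append(out)
    return state, tuple(outputs)


def spanning_tree(machine, init):
    """BFS spanning tree: for each state, a shortest input word reaching it from init."""
    access = {init: ()}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        for x in INPUTS:
            t, _ = machine[(s, x)]
            if t not in access:
                access[t] = access[s] + (x,)
                queue.append(t)
    return access


def separating_sequence(machine, p, q):
    """Shortest input word on which p and q produce different outputs (None if equivalent)."""
    seen = {(p, q)}
    queue = deque([(p, q, ())])
    while queue:
        s, t, word = queue.popleft()
        for x in INPUTS:
            (s2, o1), (t2, o2) = machine[(s, x)], machine[(t, x)]
            if o1 != o2:
                return word + (x,)
            if (s2, t2) not in seen:
                seen.add((s2, t2))
                queue.append((s2, t2, word + (x,)))
    return None


def characterizing_set(machine):
    """Distinguishing (separating) sequences for every pair of specification states."""
    states = sorted({s for s, _ in machine})
    W = set()
    for i, p in enumerate(states):
        for q in states[i + 1:]:
            w = separating_sequence(machine, p, q)
            if w is None:
                raise ValueError("specification machine must be reduced")
            W.add(w)
    return sorted(W)


def conformance_tests(machine, init):
    """The experiments of the slides, each starting from a reset:
    (1) access sequence of a state followed by each distinguishing sequence;
    (2) access sequence, one transition, then each distinguishing sequence."""
    access = spanning_tree(machine, init)
    W = characterizing_set(machine)
    tests = []
    for s, acc in sorted(access.items()):
        for w in W:
            tests.append(acc + w)
        for x in INPUTS:
            for w in W:
                tests.append(acc + (x,) + w)
    return tests


def check_conformance(spec, black_box, init):
    """Return the test words whose outputs on the black box differ from the specification."""
    failures = []
    for word in conformance_tests(spec, init):
        _, expected = run(spec, init, word)
        _, observed = run(black_box, init, word)   # starting from init models a reliable reset
        if expected != observed:
            failures.append(word)
    return failures


if __name__ == "__main__":
    print("spec vs itself:", check_conformance(SPEC, SPEC, INIT))
    print("mistargeted edge:", check_conformance(SPEC, MISTARGETED, INIT))
    print("wrong output:", check_conformance(SPEC, WRONG_OUTPUT, INIT))
```

The mistargeted edge produces the right output on its own transition, so only the distinguishing sequence appended after it (here a single b, on which s1 answers 1 and s3 answers 0) exposes it; the wrong output is caught already by the single-transition check. With 3 states, 2 inputs and 2 distinguishing sequences the suite has 18 experiments.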
![Page 139: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/139.jpg)
Combination lock automaton
Assume accepting states. Accepts only words with a specific suffix (cdab in the example).
[Figure: states s1 to s5 in a chain, advanced by the inputs c, d, a, b in turn; any other input leaves the chain]
![Page 140: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/140.jpg)
When only a bound on size of black box is known…
Black box can "pretend" to behave as a specification automaton for a long time, then upon using the right combination, make a mistake.
[Figure: the specification machine s1, s2, s3 beside a black box with extra states, one of which "pretends to be s3" and another "pretends to be s1", with transitions labelled a/1, b/1, b/0]
![Page 141: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/141.jpg)
Conformance testing algorithm [VC]
The worst that can happen is a combination lock automaton that behaves differently only in the last state. Its length is the difference between the size n of the black box and the size m of the specification.
Reach every state on the spanning tree and check every word of length n-m+1 or less. Check that after the combination we are at the state we are supposed to be in, using the distinguishing sequences.
No need to check transitions: already included in the above check.
Complexity: m^2 · n · d^(n-m+1), where d is the size of the input alphabet.
Probabilistic complexity: polynomial.
[Figure: the spanning tree over s1, s2, s3 (edges b/1, a/1); each experiment starts with a Reset, applies a word of length n-m+1 and ends with the distinguishing sequences]
![Page 142: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/142.jpg)
Part 2: Software testing (Book: chapter 9)
Testing is not about showing that there are no errors in the program.
Testing cannot show that the program performs its intended goal correctly.
So, what is software testing?
Testing is the process of executing the program in order to find errors.
A successful test is one that finds an error.
![Page 143: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/143.jpg)
Some software testing stages
Unit testing – the lowest level, testing some procedures.
Integration testing – different pieces of code.
System testing – testing a system as a whole.
Acceptance testing – performed by the customer.
Regression testing – performed after updates.
Stress testing – checking the code under extreme conditions.
Mutation testing – testing the quality of the test suite.
![Page 144: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/144.jpg)
Some drawbacks of testing
There are never sufficiently many test cases.
Testing does not find all the errors.
Testing is not trivial and requires considerable time and effort.
Testing is still a largely informal task.
![Page 145: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/145.jpg)
Black-Box (data-driven, input-output) testing
The testing is not based on the structure of the program (which is unknown).
In order to ensure correctness, every possible input needs to be tested - this is impossible!
The goal: to maximize the number of errors found.
![Page 146: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/146.jpg)
White-box testing
Is based on the internal structure of the program.
There are several alternative criteria for checking "enough" paths in the program.
Even checking all paths (highly impractical) does not guarantee finding all errors (e.g., missing paths!).
![Page 147: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/147.jpg)
Some testing principles
A programmer should not test his/her own program.
One should test not only that the program does what it is supposed to do, but that it does not do what it is not supposed to.
The goal of testing is to find errors, not to show that the program is errorless.
No amount of testing can guarantee an error-free program.
Parts of programs where a lot of errors have already been found are a good place to look for more errors.
The goal is not to humiliate the programmer!
![Page 148: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/148.jpg)
Inspections and Walkthroughs
Manual testing methods.
Done by a team of people.
Performed at a meeting (brainstorming).
Takes 90-120 minutes.
Can find 30%-70% of errors.
![Page 149: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/149.jpg)
Code Inspection
Team of 3-5 people. One is the moderator.
He distributes materials and records the errors.
The programmer explains the program line by line.
Questions are raised.
The program is analyzed w.r.t. a checklist of errors.
![Page 150: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/150.jpg)
Checklist for inspections
Data declaration:
All variables declared?
Default values understood?
Arrays and strings initialized?
Variables with similar names?
Correct initialization?
Control flow:
Each loop terminates?
DO/END statements match?
Input/output:
OPEN statements correct?
Format specification correct?
End-of-file case handled?
![Page 151: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/151.jpg)
Walkthrough
Team of 3-5 people.
Moderator, as before.
Secretary, records errors.
Tester, plays the role of a computer, running some test suites on paper and board.
![Page 152: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/152.jpg)
Selection of test cases (for white-box testing)
The main problem is to select a good coverage criterion. Some options are:
Cover all paths of the program.
Execute every statement at least once.
Each decision has a true or false value at least once.
Each condition is taking each truth value at least once.
Check all possible combinations of conditions in each decision.
![Page 153: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/153.jpg)
Cover all the paths of the program
Infeasible. Consider the flow diagram on the left. It corresponds to a loop. The loop body has 5 paths. If the loop executes 20 times there are 5^20 different paths! May also be unbounded!
![Page 154: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/154.jpg)
How to cover the executions?
IF (A>1) & (B=0) THEN X=X/A; END;
IF (A=2) | (X>1) THEN X=X+1; END;
Choose values for A,B,X. Value of X may change, depending on A,B. What do we want to cover? Paths?
Statements? Conditions?
![Page 155: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/155.jpg)
Statement coverage
Execute every statement at least once.
By choosing A=2, B=0, X=3 each statement will be executed.
The case where the tests fail is not checked!
IF (A>1) & (B=0) THEN X=X/A; END;
IF (A=2) | (X>1) THEN X=X+1; END;
Now x=1.5
![Page 156: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/156.jpg)
Decision coverage (if, while checks)
Each decision has a true and false outcome at least once.
Can be achieved using A=3,B=0,X=3 and A=2,B=1,X=1.
Problem: does not test individual conditions. E.g., when X>1 is erroneous in the second decision.
IF (A>1) & (B=0) THEN X=X/A; END;
IF (A=2) | (X>1) THEN X=X+1; END;
![Page 157: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/157.jpg)
Decision coverage
A=3,B=0,X=3 IF (A>1) & (B=0) THEN X=X/A; END;
IF (A=2) | (X>1) THEN X=X+1; END;
Now x=1
![Page 158: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/158.jpg)
Decision coverage
A=2,B=1,X=1
The case where A≤1 and the case where X>1 were not checked!
IF (A>1) & (B=0) THEN X=X/A; END;
IF (A=2) | (X>1) THEN X=X+1; END;
![Page 159: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/159.jpg)
Condition coverage
Each condition has a true and false value at least once.
For example: A=1,B=0,X=3 and A=2,B=1,X=0
let each condition be true and false once.
Problem: covers only the path where the first test fails and the second succeeds.
IF (A>1) & (B=0) THEN X=X/A; END;
IF (A=2) | (X>1) THEN X=X+1; END;
![Page 160: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/160.jpg)
Condition coverage
A=1,B=0,X=3
IF (A>1) & (B=0) THEN X=X/A; END;
IF (A=2) | (X>1) THEN X=X+1; END;
![Page 161: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/161.jpg)
Condition coverage
A=2,B=1,X=0
Did not check the first THEN part at all!!!
Can use condition+decision coverage.
IF (A>1) & (B=0) THEN X=X/A; END;
IF (A=2) | (X>1) THEN X=X+1; END;
![Page 162: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/162.jpg)
Multiple Condition Coverage
Test all combinations of all conditions in each test.
First decision: A>1,B=0  A>1,B≠0  A≤1,B=0  A≤1,B≠0
Second decision: A=2,X>1  A=2,X≤1  A≠2,X>1  A≠2,X≤1
IF (A>1) & (B=0) THEN X=X/A; END;
IF (A=2) | (X>1) THEN X=X+1; END;
![Page 163: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/163.jpg)
A smaller number of cases: A=2,B=0,X=4  A=2,B=1,X=1  A=1,B=0,X=2  A=1,B=1,X=1
Note the X=4 in the first case: it is due to the fact that X changes before being used!
IF (A>1) & (B=0) THEN X=X/A; END;
IF (A=2) | (X>1) THEN X=X+1; END;
Further optimization: not all combinations.
For C /\ D, check (C, D), (¬C, D), (C, ¬D).
For C \/ D, check (¬C, ¬D), (C, ¬D), (¬C, D).
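Added example, not from the slides or the book: the two-statement program of the previous slides written in Python and instrumented, so that a set of (A, B, X) test cases can be scored against each of the four criteria discussed (statement, decision, condition, multiple condition). The bookkeeping dictionary, the criterion names and the choice to evaluate every condition (no short-circuiting) so that its truth value is recorded are decisions made here for the illustration; the four test sets are the ones the slides propose.

```python
def run_program(A, B, X, trace):
    """The two-statement program from the slides, instrumented for coverage.
    Every condition is evaluated (no short-circuiting) so that its truth value
    is recorded even when the other condition already decides the outcome."""
    c1, c2 = (A > 1), (B == 0)
    d1 = c1 and c2
    trace["cond"] |= {("A>1", c1), ("B=0", c2)}
    trace["multi"].add(("A>1 & B=0", c1, c2))
    trace["dec"].add(("A>1 & B=0", d1))
    if d1:
        trace["stmt"].add("X=X/A")
        X = X / A
    c3, c4 = (A == 2), (X > 1)          # X here is the possibly updated value
    d2 = c3 or c4
    trace["cond"] |= {("A=2", c3), ("X>1", c4)}
    trace["multi"].add(("A=2 | X>1", c3, c4))
    trace["dec"].add(("A=2 | X>1", d2))
    if d2:
        trace["stmt"].add("X=X+1")
        X = X + 1
    return X


def coverage(test_cases):
    """Fraction achieved for each criterion by a list of (A, B, X) test cases."""
    trace = {"stmt": set(), "dec": set(), "cond": set(), "multi": set()}
    for A, B, X in test_cases:
        run_program(A, B, X, trace)
    return {
        "statement": len(trace["stmt"]) / 2,            # 2 statements in THEN parts
        "decision": len(trace["dec"]) / 4,              # 2 decisions x {T, F}
        "condition": len(trace["cond"]) / 8,            # 4 conditions x {T, F}
        "multiple_condition": len(trace["multi"]) / 8,  # 2 decisions x 4 combinations
    }


# The test sets proposed on the slides for each criterion.
STATEMENT_SET = [(2, 0, 3)]
DECISION_SET = [(3, 0, 3), (2, 1, 1)]
CONDITION_SET = [(1, 0, 3), (2, 1, 0)]
MULTIPLE_CONDITION_SET = [(2, 0, 4), (2, 1, 1), (1, 0, 2), (1, 1, 1)]

if __name__ == "__main__":
    for name, cases in [("statement", STATEMENT_SET), ("decision", DECISION_SET),
                        ("condition", CONDITION_SET), ("multiple", MULTIPLE_CONDITION_SET)]:
        print(name, cases, coverage(cases))
```

Scoring the slides' own sets reproduces their remarks: the decision set leaves A≤1 and X>1 unexercised (condition coverage 6/8), and the condition set never enters the first THEN part (statement coverage 1/2), while the four multiple-condition cases score 1.0 on every criterion.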
![Page 164: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/164.jpg)
Preliminary: Relativizing assertions (Book: Chapter 7)
Assertion at B: x1 = y1 * x2 + y2 /\ y2 >= 0.
Relativizing the assertion at B w.r.t. the assignment Y := g(X,Y) gives (assertion at B)[Y \ g(X,Y)], i.e., the assertion at B expressed w.r.t. the variables at A.
Here the assignment is (y1,y2) := (0,x1), so the assertion at B relativized to A is x1 = 0 * x2 + x1 /\ x1 >= 0.
Think about two sets of variables, before = {x, y, z, …} and after = {x', y', z', …}.
Rewrite the assertion at B using after, and the assignment as a relation between the two sets of variables. Then eliminate after.
Here: x1' = y1' * x2' + y2' /\ y2' >= 0 /\ x1 = x1' /\ x2 = x2' /\ y1' = 0 /\ y2' = x1; now eliminate x1', x2', y1', y2'.
[Figure: two flow-chart edges from A to B, one labelled with the assignment (y1,y2) := (0,x1), the other with the general form Y := g(X,Y)]
![Page 165: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/165.jpg)
Verification conditions: tests
For a test node B with test t(X,Y), a "T" edge to C and an "F" edge to D:
the assertion at C, relativized to B, is t(X,Y) /\ (assertion at C);
the assertion at D, relativized to B, is ¬t(X,Y) /\ (assertion at D).
Here, along the edge from B to D: assertion at B = (assertion at D) /\ y2 >= x2.
[Figure: flow-chart fragments with a test node B branching to C (T) and D (F), the test labelled t(X,Y)]
![Page 166: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/166.jpg)
How to find values for coverage?
•Put true at end of path.
•Propagate path backwards.
•On assignment, relativize expression.
•On “yes” edge of decision, add decision as conjunction.
•On “no” edge, add negation of decision as conjunction.
•Can be more specific when calculating condition with multiple condition coverage.
[Figure: flow chart with the decisions A>1 & B=0 and A=2 | X>1, the assignments X=X/A and X=X+1, yes/no edges, and "true" at the end of the path]
![Page 167: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/167.jpg)
How to find values for coverage?
[Figure: the same flow chart, annotated with the path condition computed backwards along the path: yes edge of A>1 & B=0, X=X/A, yes edge of A=2 | X>1, true at the end]
At the end of the path: true.
Before the second decision (taking the combination A≠2, X>1 of its yes edge): A≠2 /\ X>1
Before the assignment X=X/A (relativized): A≠2 /\ X/A>1
Before the first decision (yes edge): (A≠2 /\ X/A>1) /\ (A>1 & B=0)
Need to find a satisfying assignment: A=3, X=6, B=0
Can also calculate path condition forwards.
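Added example (not the lecture's own code) of the backward computation on the two previous slides: each step along the path wraps the condition collected so far in a function, the assignment step being the substitution of the assigned expression for the variable (relativization), and a brute-force search over a small integer domain plays the role of the hand-picked satisfying assignment. The function names, the search domain and the second (no/no) path are assumptions made for the illustration; a constraint solver would replace the search in practice.

```python
def relativize(pred, var, expr):
    """Backward step over the assignment var := expr. A predicate that must hold
    after the assignment holds before it iff it holds with var replaced by expr."""
    return lambda env: pred({**env, var: expr(env)})


def on_yes(pred, test):
    """Backward step over the 'yes' edge of a decision: conjoin the decision."""
    return lambda env: test(env) and pred(env)


def on_no(pred, test):
    """Backward step over the 'no' edge of a decision: conjoin its negation."""
    return lambda env: (not test(env)) and pred(env)


# The two decisions and the two assignments of the flow chart on the slides.
first_decision = lambda e: e["A"] > 1 and e["B"] == 0
second_decision = lambda e: e["A"] == 2 or e["X"] > 1
# Multiple-condition refinement of the second decision used on the slide: A≠2 /\ X>1.
second_decision_a_ne_2 = lambda e: e["A"] != 2 and e["X"] > 1
assign_x_div_a = lambda e: e["X"] / e["A"]
assign_x_plus_1 = lambda e: e["X"] + 1


def slide_path_condition():
    """Path: yes edge of (A>1 & B=0), X=X/A, yes edge of (A=2 | X>1) via A≠2 /\ X>1, X=X+1.
    Built from the end of the path backwards, exactly as on the slide."""
    pc = lambda env: True                       # true at the end of the path
    pc = relativize(pc, "X", assign_x_plus_1)   # X=X+1 leaves 'true' unchanged
    pc = on_yes(pc, second_decision_a_ne_2)     # A≠2 /\ X>1
    pc = relativize(pc, "X", assign_x_div_a)    # A≠2 /\ X/A>1
    pc = on_yes(pc, first_decision)             # (A≠2 /\ X/A>1) /\ (A>1 & B=0)
    return pc


def no_no_path_condition():
    """Assumed second path, skipping both THEN parts: ¬(A>1 & B=0) /\ ¬(A=2 | X>1)."""
    pc = lambda env: True
    pc = on_no(pc, second_decision)
    pc = on_no(pc, first_decision)
    return pc


def find_satisfying(pc, domain=range(-3, 10)):
    """Brute-force search for a satisfying assignment over a small integer domain.
    Guards are checked before relativized sub-predicates, so X/A is never evaluated
    with A <= 1 on the slide's path."""
    for A in domain:
        for B in domain:
            for X in domain:
                env = {"A": A, "B": B, "X": X}
                if pc(env):
                    return env
    return None


if __name__ == "__main__":
    print("slide path:", find_satisfying(slide_path_condition()))
    print("no/no path:", find_satisfying(no_no_path_condition()))
```

The slide's assignment A=3, X=6, B=0 satisfies the condition, and so does the smallest one the search finds, A=3, B=0, X=4 (X/A = 4/3 > 1); A=2 fails because the refined second decision insists on A≠2.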
![Page 168: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/168.jpg)
How to cover a flow chart?
Cover all nodes, e.g., using search strategies: DFS, BFS.
Cover all paths (usually impractical).
Cover each adjacent sequence of N nodes.
Probabilistic testing. Using random number generator simulation. Based on typical use.
Chinese Postman: minimize edge traversal. Find the minimal number of times to travel each edge using linear programming or dataflow algorithms.
![Page 169: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/169.jpg)
Test cases based on data-flow analysis
Partition the program into pieces of code with a single entry/exit point.
For each piece find which variables are set/used/tested.
Various covering criteria: from each set to each use/test; from each set to some use/test.
[Figure: flow-chart fragment with the nodes X:=3, z:=z+x and the tests x>y, t>y]
![Page 170: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/170.jpg)
Test case design for black box testing
Equivalence partition
Boundary value analysis
Cause-effect graphs
![Page 171: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/171.jpg)
Equivalence partition
Goals: Find a small number of test cases. Cover as many possibilities as you can.
Try to group together inputs for which the program is likely to behave the same.
[Table headings: Specification condition | Valid equivalence class | Invalid equivalence class]
![Page 172: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/172.jpg)
Example: A legal variable
Begins with A-Z. Contains [A-Z0-9]. Has 1-6 characters.
Specification condition | Valid equivalence class | Invalid equivalence class
Starting char | Starts A-Z (1) | Starts other (2)
Chars | [A-Z0-9] (3) | Has others (4)
Length | 1-6 chars (5) | 0 chars (6), >6 chars (7)
![Page 173: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/173.jpg)
Equivalence partition (cont.)
Add a new test case until all valid equivalence classes have been covered. A test case can cover multiple such classes.
Add a new test case until all invalid equivalence classes have been covered. Each test case can cover only one such class.
[Table headings: Specification condition | Valid equivalence class | Invalid equivalence class]
![Page 174: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/174.jpg)
Example
Test cases and the classes they cover: AB36P (1,3,5); 1XY12 (2); A17#%X (4); the empty string (6); VERYLONG (7).
Specification condition | Valid equivalence class | Invalid equivalence class
Starting char | Starts A-Z (1) | Starts other (2)
Chars | [A-Z0-9] (3) | Has others (4)
Length | 1-6 chars (5) | 0 chars (6), >6 chars (7)
![Page 175: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/175.jpg)
Boundary value analysis
In every equivalence class, select values that are close to the boundary. If the input is within the range -1.0 to +1.0, select the values -1.001, -1.0, -0.999, 0.999, 1.0, 1.001.
If the program needs to read N data elements, check with N-1, N, N+1. Also, check with N=0.
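Added example for the last four slides (not from the lecture or the book): the legal-variable specification as code, a classifier that reports which numbered equivalence classes an input falls into, a check of the two suite rules (every class covered; each invalid case covers exactly one invalid class) applied to the slides' five test cases, and the boundary values for the length range. The class numbering follows the table; treating the empty string as covering only class 6, and all function names, are assumptions made here.

```python
import string

UPPER = set(string.ascii_uppercase)
UPPER_DIGITS = UPPER | set(string.digits)

# Equivalence classes of the slides, numbered as in the table:
# 1 starts A-Z, 2 starts other; 3 only [A-Z0-9], 4 has other chars;
# 5 length 1-6, 6 length 0, 7 length > 6.
VALID_CLASSES = {1, 3, 5}
INVALID_CLASSES = {2, 4, 6, 7}


def classes_covered(s):
    """Return the set of equivalence classes (table numbers) that input s falls into."""
    if len(s) == 0:
        return {6}          # assumption: no starting char and no chars to examine
    covered = {1 if s[0] in UPPER else 2}
    covered.add(3 if all(c in UPPER_DIGITS for c in s) else 4)
    covered.add(5 if len(s) <= 6 else 7)
    return covered


def is_legal(s):
    """The specification itself: legal iff only valid classes are covered."""
    return classes_covered(s) <= VALID_CLASSES


def check_suite(cases):
    """Apply the two rules of the slides to a test suite and report what is missing."""
    covered = set()
    multi_invalid = []
    for s in cases:
        cls = classes_covered(s)
        invalid = cls & INVALID_CLASSES
        if len(invalid) > 1:
            # An invalid case must cover exactly one invalid class, otherwise a
            # rejection cannot be attributed to a single cause.
            multi_invalid.append((s, sorted(invalid)))
        covered |= cls
    return {
        "covered": covered,
        "missing": (VALID_CLASSES | INVALID_CLASSES) - covered,
        "multi_invalid": multi_invalid,
    }


def boundary_lengths(low=1, high=6):
    """Boundary value analysis for the length range: at and just beyond both boundaries."""
    return [max(low - 1, 0), low, low + 1, high - 1, high, high + 1]


# The five test cases of the slides (the fourth is the empty string).
SLIDE_SUITE = ["AB36P", "1XY12", "A17#%X", "", "VERYLONG"]

if __name__ == "__main__":
    for s in SLIDE_SUITE:
        print(repr(s), sorted(classes_covered(s)), "legal" if is_legal(s) else "illegal")
    print(check_suite(SLIDE_SUITE))
    print("boundary lengths:", boundary_lengths())
```

Each invalid case of the slides indeed covers exactly one invalid class (1XY12 has legal characters and a legal length, so only its first character is wrong), and the boundary lengths 0, 1, 2, 5, 6, 7 give the inputs to try against the length condition.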
![Page 176: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/176.jpg)
For Unit Testing
Write "drivers", which replace the procedures calling the code.
Write "stubs", which replace the procedures called by the code.
[Figure: the tested unit, called by a driver and calling several stubs]
![Page 177: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/177.jpg)
```java
package bucket;

import java.util.*;
import java.math.*;

public class BugBucketSort {
    public static void main(String[] args) {
        Random r = new Random(100);
        r.nextInt(100);
        LinkedList<Integer> ls = new LinkedList<Integer>();
        for (int j = 0; j < 10; j++)
            ls.push(r.nextInt(100));
        System.out.println(ls);
        bucketSort(ls);
    }

    public static void bucketSort(LinkedList<Integer> ls) {
        // One bucket per tens digit; inside a bucket the key is the units digit.
        LinkedList<HashMap<Integer,Integer>> la = new LinkedList<HashMap<Integer,Integer>>();
        for (int i = 0; i < 11; i++) // BUG should be 10 instead of 11
            la.add(new HashMap<Integer,Integer>());
        System.out.println("\nValues in the array: " + la.size());
        for (int j = 0; j < ls.size(); j++) {
            la.get((int) ls.get(j) / 10).put((int) ls.get(j) % 10, ls.get(j));
        }
        System.out.println("\nThe ordered array is:");
        System.out.print("[");
        for (int i = 0; i < la.size(); i++)
            for (int k = 1; k < 10; k++) // BUG needs to start with k=0
            {
                if (la.get(i).containsKey(k))
                    System.out.print(la.get(i).get(k) + " ");
            }
        System.out.println("]");
    }
}
```
Bucket sort: With bugs!!
![Page 178: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/178.jpg)
```java
package bucket;

import java.util.*;
import java.math.*;

public class BucketSort {
    public static void main(String[] args) {
        Random r = new Random(100);
        r.nextInt(100);
        LinkedList<Integer> ls = new LinkedList<Integer>();
        for (int j = 0; j < 10; j++)
            ls.push(r.nextInt(100));
        System.out.println(ls);
        // System.out.println((int) 17 / 5);
        bucketSort(ls);
    }

    public static void bucketSort(LinkedList<Integer> ls) {
        // One bucket per tens digit (values are 0..99); inside a bucket the key is the units digit,
        // so a value that occurs twice is stored only once.
        LinkedList<HashMap<Integer,Integer>> la = new LinkedList<HashMap<Integer,Integer>>();
        for (int i = 0; i < 10; i++)
            la.add(new HashMap<Integer,Integer>());
        System.out.println("\nValues in the array: " + la.size());
        for (int j = 0; j < ls.size(); j++) {
            la.get((int) ls.get(j) / 10).put((int) ls.get(j) % 10, ls.get(j));
        }
        System.out.println("\nThe ordered array is:");
        System.out.print("[");
        for (int i = 0; i < la.size(); i++)
            for (int k = 0; k < 10; k++) {
                if (la.get(i).containsKey(k))
                    System.out.print(la.get(i).get(k) + " ");
            }
        System.out.println("]");
    }
}
```
Bucket sort: Without bugs!!
![Page 179: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/179.jpg)
```java
class MergeSortAlgorithm {
    public static int[] mergeSort(int array[]) {
        int loop;
        int rightIndex = 0;
        int[] leftArr = new int[array.length / 2];
        int[] rightArr = new int[(array.length - array.length) / 2];
        if (array.length <= 1)
            return array;
        for (loop = 0; loop < leftArr.length; ++loop)
            leftArr[loop] = array[loop];
        for (; rightIndex < rightArr.length; ++loop)
            rightArr[rightIndex++] = array[loop];
        mergeSort(leftArr);
        rightArr = mergeSort(rightArr);
        array = merge(leftArr, rightArr);
        return array;
    }

    public static int[] merge(int[] leftArr, int[] rightArr) {
        int[] newArray = new int[leftArr.length + rightArr.length];
        int leftIndex = 0;
        int rightIndex = 0;
        int newArrayIndex = 0;
        while (leftIndex < leftArr.length && rightIndex < rightArr.length) {
            if (leftArr[leftIndex] < rightArr[rightIndex])
                newArray[newArrayIndex] = leftArr[leftIndex++];
            newArray[newArrayIndex] = rightArr[rightIndex++];
        }
        while (rightIndex < rightArr.length)
            newArray[newArrayIndex++] = rightArr[rightIndex++];
        while (leftIndex < leftArr.length)
            newArray[newArrayIndex++] = leftArr[leftIndex++];
        return newArray;
    }

    public static void print(int[] arr, String caller) {
        int loop;
        for (loop = 0; loop < arr.length; ++loop)
            System.out.println("caller " + caller + " : " + arr[loop]);
    }

    public static void main(String[] args) {
        int[] originalArray = {1, 5, 4, 3, 7};
        print(originalArray, "before");
        originalArray = mergeSort(originalArray);
        print(originalArray, "after");
    }
}
```
![Page 180: Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008](https://reader036.vdocuments.net/reader036/viewer/2022062417/55160e39550346a2308b51b5/html5/thumbnails/180.jpg)
```java
class MergeSortAlgorithm {
    public static int[] mergeSort(int array[]) {
        int loop;
        int rightIndex = 0;
        int[] leftArr = new int[array.length / 2];
        int[] rightArr = new int[(array.length - array.length) / 2]; // BUG
        if (array.length <= 1)
            return array;
        for (loop = 0; loop < leftArr.length; ++loop)
            leftArr[loop] = array[loop];
        for (; rightIndex < rightArr.length; ++loop)
            rightArr[rightIndex++] = array[loop];
        mergeSort(leftArr); // BUG
        rightArr = mergeSort(rightArr);
        array = merge(leftArr, rightArr);
        return array;
    }

    public static int[] merge(int[] leftArr, int[] rightArr) {
        int[] newArray = new int[leftArr.length + rightArr.length];
        int leftIndex = 0;
        int rightIndex = 0;
        int newArrayIndex = 0;
        while (leftIndex < leftArr.length && rightIndex < rightArr.length) {
            if (leftArr[leftIndex] < rightArr[rightIndex])
                newArray[newArrayIndex] = leftArr[leftIndex++];
            newArray[newArrayIndex] = rightArr[rightIndex++]; // TWO BUGS
        }
        while (rightIndex < rightArr.length)
            newArray[newArrayIndex++] = rightArr[rightIndex++];
        while (leftIndex < leftArr.length)
            newArray[newArrayIndex++] = leftArr[leftIndex++];
        return newArray;
    }

    public static void print(int[] arr, String caller) {
        int loop;
        for (loop = 0; loop < arr.length; ++loop)
            System.out.println("caller " + caller + " : " + arr[loop]);
    }

    public static void main(String[] args) {
        int[] originalArray = {1, 5, 4, 3, 7};
        print(originalArray, "before");
        originalArray = mergeSort(originalArray);
        print(originalArray, "after");
    }
}
```