t01140020220114065t0114 rpl p18

7/31/2019 T01140020220114065T0114 RPL P18

1/33

7/31/2019 T01140020220114065T0114 RPL P18

2/33

7/31/2019 T01140020220114065T0114 RPL P18

3/33

These slides are designed to accompany Software Engineering: A Practitioners Approach, 8/e (McGraw-Hill 2011).

Slides copyright 2011 by Roger Pressman.

Formal Modeling and

Verification Cleanroom software engineeringandformal methods

Both demand a specialized specification approach and each applies

a unique verification method.

Both are quite rigorous and neither is used widely by the software

engineering community.

If you must build bullet-proof software, these methods can

help immeasurably.

3

7/31/2019 T01140020220114065T0114 RPL P18

4/33



The Cleanroom Process Model

4

RequirementsGathering

Box Structure

Specification

Formal

Design

Correctness

VerificationCode

InspectionStatistical

U seTesting

Cerfification

Test Planning

SystemEngineering


Box Structure

Specification

Formal

Design

Correctness

VerificationCode


U seTesting

Cerfification

Test Planning


Box Structure

Specification

For ma l

Design

Correctness

VerificationCode


U seTesting

Cerfification

Test Planning

increm ent #1

increm ent #2

increm ent #n

7/31/2019 T01140020220114065T0114 RPL P18

5/33



The Cleanroom Strategy-I Increment Planning

adopts the incremental strategy

Requirements Gathering

defines a description of customer level requirements

Box Structure Specification describes the functional specification

Formal Design

specifications (called black boxes) are iteratively refined (with anincrement) to become analogous to architectural and procedural

designs (called state boxes and clear boxes, respectively). Correctness Verification

verification begins with the highest level box structure(specification) and moves toward design detail and code using a setof correctness questions. If these do not demonstrate that the

specification is correct, more formal (mathematical) methods forverification are used. 5

7/31/2019 T01140020220114065T0114 RPL P18

6/33



The Cleanroom Strategy-II Code Generation, Inspection and Verification

the box structure specifications, represented in a specialized language, aretransmitted into the appropriate programming language.

Statistical Test Planning a suite of test cases that exercise of probability distribution of usage are

planned and designed

Statistical Usage Testing execute a series of tests derived from a statistical sample (the probability

distribution noted above) of all possible program executions by all users froma targeted population

Certification once verification, inspection and usage testing have been completed (and all

errors are corrected) the increment is certified as ready for integration.

6

7/31/2019 T01140020220114065T0114 RPL P18

7/33



Box Structure Specification

BB1

BB1.1

BB1.2

BB1.n

BB1.1.1

BB1.1.2

BB1.1.3

SB1.1.1

CB1.1.1.1

CB1.1.1.2

CB1.1.1.3

black box

state box

clear box

7/31/2019 T01140020220114065T0114 RPL P18

8/33



Box Structures

f : S * RS R

black box

state box

clear box

SRb l a c k b o x ,g

S t a t e

T

S R

S t a t e

T

g1 1

g1 2

g1 3

cg 1

7/31/2019 T01140020220114065T0114 RPL P18

9/33



Design Refinement &VerificationIf a function f is expanded into a sequence g and h, the correctnessIf a function f is expanded into a sequence g and h, the correctness

condition for all input to f is:condition for all input to f is:

Does g followed by h do f?

When a function f is refined into a conditional (if-then-else), theWhen a function f is refined into a conditional (if-then-else), thecorrectness condition for all input to f is:correctness condition for all input to f is:

Whenever condition is true does g do f and whenever isfalse, does h do f?

When function f is refined as a loop, the correctness conditions for allWhen function f is refined as a loop, the correctness conditions for all

input to f is:input to f is: Is termination guaranteed?

Whenever is true does g followed by f do f, and whenever is false, does skipping the loop still do f?

7/31/2019 T01140020220114065T0114 RPL P18

10/33



Advantages of DesignVerification It reduces verification to a finite process. It lets cleanroom teams verify every line of

design and code.

It results in a near zero defect level. It scales up.

It produces better code than unit testing.

10

7/31/2019 T01140020220114065T0114 RPL P18

11/33



Cleanroom Testing

statistical use testing tests the actual usage of the program

determine a usage probability distribution

analyze the specification to identify a set of stimuli stimuli cause software to change behavior

create usage scenarios

assign probability of use to each stimuli

test cases are generated for each stimuli according tothe usage probability distribution

7/31/2019 T01140020220114065T0114 RPL P18

12/33



Certification

12

1.1. Usage scenarios must be created.Usage scenarios must be created.

2.2. A usage profile is specified.A usage profile is specified.

3.3. Test cases are generated from the profile.Test cases are generated from the profile.4.4. Tests are executed and failure data areTests are executed and failure data arerecorded and analyzed.recorded and analyzed.

5.5. Reliability is computed and certified.Reliability is computed and certified.

7/31/2019 T01140020220114065T0114 RPL P18

13/33



Certification Models

Sampling model. Software testing executesSoftware testing executes mm randomrandomtest cases and is certified if no failures or a specifiedtest cases and is certified if no failures or a specifiednumbers of failures occur. The value ofnumbers of failures occur. The value ofmm is derivedis derivedmathematically to ensure that required reliability ismathematically to ensure that required reliability is

achieved.achieved.

Component model. A system composed ofA system composed ofnncomponents is to be certified. The component modelcomponents is to be certified. The component modelenables the analyst to determine the probability thatenables the analyst to determine the probability that

componentcomponent ii will fail prior to completion.will fail prior to completion.Certification model. The overall reliability of the systemThe overall reliability of the systemis projected and certified.is projected and certified.

7/31/2019 T01140020220114065T0114 RPL P18

14/33



Formal Methods Formal methods used in developing computer systems aremathematically based techniques for describing system properties. Such

formal methods provide frameworks within which people can specify,develop, and verify systems in a systematic, rather than ad hocmanner.

The Encyclopedia of Software Engineering[Mar01]

The Problem with conventional specs:

contradictions

ambiguities vagueness

incompleteness

mixed levels of abstraction

7/31/2019 T01140020220114065T0114 RPL P18

15/33



Formal Specification Desired propertiesconsistency, completeness, and lackof ambiguityare the objectives of all specificationmethods

The formal syntax of a specification language enables

requirements or design to be interpreted in only oneway, eliminating ambiguity that often occurs when anatural language (e.g., English) or a graphical notationmust be interpreted

The descriptive facilities of set theory and logic

notation enable clear statement of facts(requirements).

Consistency is ensured by mathematically proving thatinitial facts can be formally mapped (using inferencerules) into later statements within the specification.

15

7/31/2019 T01140020220114065T0114 RPL P18

16/33



Formal Methods Concepts data invarianta condition that is true throughout the

execution of the system that contains a collection of data

state

Many formal languages, such as OCL (Section 28.5) ,

use the notion of states as they were discussed inChapters 7 and 8, that is, a system can be in one ofseveral states, each representing an externallyobservable mode of behavior.

The Z language (Section 28.6)defines a state as thestored data which a system accesses and alters

operationan action that takes place in a system andreads or writes data to a state

preconditiondefines the circumstances in which aparticular operation is valid

postcondition defines what happens when an

operation has completed its action16

7/31/2019 T01140020220114065T0114 RPL P18

17/33



An ExamplePrint Spooler

17

Limits

LP1->750

LP2->500

LAS1->300

LAS2->200

Devicequeues

ftax->650

newdata->450

exres->50

persons->700

Size

LP1

LP2

LAS1

LAS2

ftax

newdata

exres

persons

filesawaitingprinting

7/31/2019 T01140020220114065T0114 RPL P18

18/33



States and Data InvariantThe state of the spooler is represented by the four componentsThe state of the spooler is represented by the four componentsQueues, OutputDevices, Limits,Queues, OutputDevices, Limits, andand Sizes.Sizes.

The data invariant has five components:The data invariant has five components:

Each output device is associated with an upper limit of print linesEach output device is associated with an upper limit of print lines

Each output device is associated with a possibly nonempty queueEach output device is associated with a possibly nonempty queueof files awaiting printingof files awaiting printing

Each file is associated with a sizeEach file is associated with a size

Each queue associated with an output device contains files thatEach queue associated with an output device contains files that

have a size less than the upper limit of the output devicehave a size less than the upper limit of the output device

There will be no more thanThere will be no more thanMaxDevsMaxDevs output devices administeredoutput devices administeredby the spoolerby the spooler

7/31/2019 T01140020220114065T0114 RPL P18

19/33



Operations

An operation which adds a new output device to thespooler together with its associated print limit

An operation which removes a file from the queueassociated with a particular output device

An operation which adds a file to the queue associatedwith a particular output device

An operation which alters the upper limit of print lines fora particular output device

An operation which moves a file from a queue associatedwith an output device to another queue associated with asecond output device

7/31/2019 T01140020220114065T0114 RPL P18

20/33



Pre- & Post-conditions

For the first operation (adds a new output device to the spoolerFor the first operation (adds a new output device to the spoolertogether with its associated print limit):together with its associated print limit):

Precondition: the output device name does not already existthe output device name does not already existand that there are currently less thanand that there are currently less thanMaxDevsMaxDevs output devicesoutput devices

known to the spoolerknown to the spooler

Postcondition: the name of the new device is added to thethe name of the new device is added to thecollection of existing device names, a new entry is formed for thecollection of existing device names, a new entry is formed for thedevice with no files being associated with its queue, and thedevice with no files being associated with its queue, and thedevice is associated with its print limit.device is associated with its print limit.

7/31/2019 T01140020220114065T0114 RPL P18

21/33



Mathematical Concepts*

sets and constructive set specification

set operators

logic operators

sequences

*A discussion of sets and constructive specification (slides 20 - 24) is no longer included within

SEPA, 7/e, but is included here for those who are unfamiliar with the basic concepts.

7/31/2019 T01140020220114065T0114 RPL P18

22/33

7/31/2019 T01140020220114065T0114 RPL P18

23/33



Set Operators

A specialized set of symbology is used to represent set and logicoperations.

ExamplesTheP operator is used to indicate membership of a set. For

example, the expression

x P XTheoperators , , and # take sets as their operands. The

predicate A , B

has the value true if the members of the set A are containedin the set B and has the value false otherwise.

The union operator,

7/31/2019 T01140020220114065T0114 RPL P18

24/33



Logic Operators

Another important component of a formal method is logic: thealgebra of true and false expressions.

Examples:

V or

not => implies

Universal quantification is a way of making a statement about theelements of a set that is true for every member of the set. Universalquantification uses the symbol, . An example of its use is

i, j : N i >j => i2

>j2

which states that for every pair of values in the set of naturalnumbers, ifi is greater than j, then i2 is greater than j2.

7/31/2019 T01140020220114065T0114 RPL P18

25/33



Sequences Sequences are designated using angle brackets. For

example, the preceding sequence would normally bewritten as k Jones, Wilson, Shapiro, Estavezl

Catenation, X, is a binary operator that forms a sequence

constructed by adding its second operand to the end of itsfirst operand. For example,

k 2, 3, 34, 1l X k12, 33, 34, 200 l = k 2, 3, 34, 1, 12, 33, 34,200 l

Other operators that can be applied to sequences are head,tail, front, and last.

head k 2, 3, 34, 1, 99, 101 l = 2 tail k 2, 3, 34, 1, 99, 101 l = 73, 34, 1,99, 1018 lastk 2, 3, 34, 1, 99, 101 l = 101 frontk 2, 3, 34, 1, 99, 101 l = 72, 3, 34, 1, 998

25

7/31/2019 T01140020220114065T0114 RPL P18

26/33



Formal Specification The block handler

The block handler maintains a reservoir of unused blocks and will also keeptrack of blocks that are currently in use. When blocks are released from adeleted file they are normally added to a queue of blocks waiting to beadded to the reservoir of unused blocks.

The state

used, free: P BLOCKSBlockQueue: seq P BLOCKS

Data Invariant

used > free = \

used < free = AllBlocks

i: dom BlockQueue BlockQueuei # used

i, j : dom BlockQueue i j => BlockQueue i > BlockQueue j = \

Precondition#BlockQueue > 0

Postcondition

used' = used \ headBlockQueue

free = free < head BlockQueue

BlockQueue' = tail BlockQueue

7/31/2019 T01140020220114065T0114 RPL P18

27/33



Formal Specification

Languages A formal specification language is usually composed ofthree primary components: a syntax that defines the specific notation with which the

specification is represented

semantics to help define a "universe of objects" [WIN90] that

will be used to describe the system a set of relations that define the rules that indicate which

objects properly satisfy the specification

The syntactic domain of a formal specification language isoften based on a syntax that is derived from standard settheory notation and predicate calculus.

The semantic domain of a specification language indicateshow the language represents system requirements.

7/31/2019 T01140020220114065T0114 RPL P18

28/33



Object Constraint Language (OCL)

a formal notation developed so that users of UMLcan add more precision to their specifications

All of the power of logic and discrete

mathematics is available in the language However the designers of OCL decided that only

ASCII characters (rather than conventionalmathematical notation) should be used in OCL

statements.

7/31/2019 T01140020220114065T0114 RPL P18

29/33



OCL Overview

Like an object-oriented programming language,an OCL expression involves operators operatingon objects.

However, the result of a complete expressionmust always be a Boolean, i.e. true or false.

The objects can be instances of the OCLCollection class, of which Set and Sequenceare two subclasses.

See Table 28.1 for summary of OCL notation

7/31/2019 T01140020220114065T0114 RPL P18

30/33



BlockHandlerusing UML

Block

number

addBlock()

BlockHandler

BlockSet

1

*

1*

removeBlock()

allBlocks

free used

blockQueue

{ordered}

{subset}

{subset}

**

*

1 1 1

elements

7/31/2019 T01140020220114065T0114 RPL P18

31/33



BlockHandlerin OCL No block will be marked as both unused and used.

contextBlockHandler inv:

(self.used->intersection(self.free)) ->isEmpty()

All the sets of blocks held in the queue will be subsets of the collection of currently used blocks.

contextBlockHandler inv:

blockQueue->forAll(aBlockSet | used->includesAll(aBlockSet ))

No elements of the queue will contain the same block numbers.

contextBlockHandlerinv: blockQueue->forAll(blockSet1, blockSet2 |

blockSet1 blockSet2 implies

blockSet1.elements.number->excludesAll(blockSet2.elements.number))

The expression before implies is needed to ensure we ignore pairs where both elementsare the same Block.

The collection of used blocks and blocks that are unused will be the total collection of blocks thatmake up files.

contextBlockHandlerinv: allBlocks = used->union(free)

The collection of unused blocks will have no duplicate block numbers.

contextBlockHandlerinv:

free->isUnique(aBlock | aBlock.number)

The collection of used blocks will have no duplicate block numbers.

contextBlockHandlerinv:

used->isUnique(aBlock | aBlock.number)

7/31/2019 T01140020220114065T0114 RPL P18

32/33

7/31/2019 T01140020220114065T0114 RPL P18

33/33

These slides are designed to accompany Software Engineering: A Practitioners Approach 8/e (McGraw Hill 2011)

BlockHandlerin Z

BlockHandler

used, free : PBLOCKSBlockQueue : seq PBLOCKS

used>free = \

used BlockQueue i>BlockQueue j = \

The following example of a schema describes the state of the block handlerThe following example of a schema describes the state of the block handlerand the data invariant:and the data invariant:

See Section 21.7.2 for further expansion of the specification

t01140020220114065t0114 rpl p18

Documents