lecture 17 software engineering research
play

Lecture 17: Software Engineering Research 2015-07-16 Prof. Dr. - PowerPoint PPT Presentation

Nov 21, 2023 •387 likes •1.84k views

Softwaretechnik / Software-Engineering Lecture 17: Software Engineering Research 2015-07-16 Prof. Dr. Andreas Podelski, Dr. Bernd Westphal 17 2015-07-16 main Albert-Ludwigs-Universit at Freiburg, Germany Schedule of the Block

  1. Modeling: Monitoring Function Decomposition gives way to additional proof obligations: No interference between networks (by design). No collisions (TDMA). [Guard time analysis] Topology subsumption: Verifying a maximal subnetwork is enough. To make models tractable, we require optimization: Each component has an individual clock. [Quasi-equal clock reduction] Support plug-in models: Separate environment and design. Sergio Feo-Arenis (Uni. Freiburg) Wireless Fire Alarm System SWT 2015 12 / 23

  2. Modeling: Sensor Failures Modeled as timed automata networks with UPPAAL: x 1 x 1 Sergio Feo-Arenis (Uni. Freiburg) Wireless Fire Alarm System SWT 2015 13 / 23

  3. Modeling: Sensor Failures x 4 x 126 Sergio Feo-Arenis (Uni. Freiburg) Wireless Fire Alarm System SWT 2015 14 / 23

  4. Verification: Monitoring Function Other model components: Auxiliary automata: Master, Central clock, Monitor Inner network: 10 Repeaters Sergio Feo-Arenis (Uni. Freiburg) Wireless Fire Alarm System SWT 2015 15 / 23

  5. Verification: Monitoring Function Other model components: Auxiliary automata: Master, Central clock, Monitor Inner network: 10 Repeaters Found 2 flaws: Timing was off by 1 tic Frequency intrusion Sergio Feo-Arenis (Uni. Freiburg) Wireless Fire Alarm System SWT 2015 15 / 23

  6. Verification: Monitoring Function Other model components: Auxiliary automata: Master, Central clock, Monitor Inner network: 10 Repeaters Found 2 flaws: Timing was off by 1 tic Frequency intrusion A revised design was successfully verified: Sensors as slaves Repeaters as slaves Query seconds MB States seconds MB States Detection 36,070.78 3,419.00 190M 231.84 230.59 6M No Spurious 97.44 44.29 0.6M 3.94 10.14 0.15M No LZ-Collision 12,895.17 2,343.00 68M 368.58 250.91 9.6M Detection Possible 10,205.13 557.00 26M 38.21 55.67 1.2M Verification is scalable for real world problems (!). But additional effort is required. Sergio Feo-Arenis (Uni. Freiburg) Wireless Fire Alarm System SWT 2015 15 / 23

  7. Modeling: Alarm Function Alarms are transmitted (semi-)asynchronously using CSMA-CD / Collision resolution using tree splitting. Slot t 0 0 1 2 3 4 5 6 7 8 8 7 6 ID 127 (0111 1111) ID 85 8 7 7 7 (0101 0101) ID 42 8 8 8 8 8 7 (0010 1010) 8 8 8 8 8 8 8 ID 1 (0000 0001) Each component ID induces a unique timing pattern for retrying transmissions. Sergio Feo-Arenis (Uni. Freiburg) Wireless Fire Alarm System SWT 2015 16 / 23

  8. Modeling: Alarm Function Sergio Feo-Arenis (Uni. Freiburg) Wireless Fire Alarm System SWT 2015 17 / 23

  9. Verification: Alarm Function For single, explicit topologies: Timed automata / UPPAAL. Full collision Query ids seconds MB States OneAlarm - 3 . 6 ± 1 43 . 1 ± 1 59 k ± 15 k seq 4.7 67.1 110,207 TwoAlarms seq 44 . 6 ± 11 311 . 4 ± 102 641 k ± 159 k TenAlarms opt 41 . 8 ± 10 306 . 6 ± 80 600 k ± 140 k Checking one topology is feasible, but the procedure does not scale for full verification (more than 10 126 possible topologies). [Parameterized Verification of Aggregation Protocols] Models are still useful for simulation: extracted expected alarm times for different scenarios. Sergio Feo-Arenis (Uni. Freiburg) Wireless Fire Alarm System SWT 2015 18 / 23

  10. Verification: Alarm Function For single, explicit topologies: Timed automata / UPPAAL. Limited Collision Query ids seconds MB States OneAlarm - 1 . 4 ± 1 38 . 3 ± 1 36 k ± 14 k seq 0.5 24.1 19,528 TwoAlarms seq 17 . 3 ± 6 179 . 1 ± 61 419 k ± 124 k TenAlarms opt 17 . 1 ± 6 182 . 2 ± 64 412 k ± 124 k Checking one topology is feasible, but the procedure does not scale for full verification (more than 10 126 possible topologies). [Parameterized Verification of Aggregation Protocols] Models are still useful for simulation: extracted expected alarm times for different scenarios. Sergio Feo-Arenis (Uni. Freiburg) Wireless Fire Alarm System SWT 2015 18 / 23

  11. Verification: Alarm Function For increased confidence: Does the collision resolution algorithm guarantee non-starvation? Sergio Feo-Arenis (Uni. Freiburg) Wireless Fire Alarm System SWT 2015 19 / 23

  12. Verification: Alarm Function For increased confidence: Does the collision resolution algorithm guarantee non-starvation? Created an untimed model in PROMELA / SPIN. N : number of colliding components. I : set of IDs that may participate in the collision. Check all possible N -collision scenarios: vary IDs and timing. Sergio Feo-Arenis (Uni. Freiburg) Wireless Fire Alarm System SWT 2015 19 / 23

  13. Verification: Alarm Function For increased confidence: Does the collision resolution algorithm guarantee non-starvation? Created an untimed model in PROMELA / SPIN. N : number of colliding components. I : set of IDs that may participate in the collision. Check all possible N -collision scenarios: vary IDs and timing. Results: Reproduced the hidden terminal problem. For N = 2: found a problem with IDs 0 and 128. For N = { 3 .. 10 } : still not scaling to all IDs, used sampling (31744). | I | N sec. MB States 255 2 49 1,610 1,235,970 H 10 3,393 6,390 6,242,610 L 10 4,271 10,685 10,439,545 Rnd 10 4,465 11,534 11,268,368 average 4,138 9,994 9,763,809 Sergio Feo-Arenis (Uni. Freiburg) Wireless Fire Alarm System SWT 2015 19 / 23

  14. Lessons Learned Generalized test procedures are useful for verification: Developers are already used to producing test specifications. Thus: are cost-effective for increasing confidence. Sergio Feo-Arenis (Uni. Freiburg) Wireless Fire Alarm System SWT 2015 20 / 23

  15. Lessons Learned Generalized test procedures are useful for verification: Developers are already used to producing test specifications. Thus: are cost-effective for increasing confidence. Models are useful: For validation. As documentation. But still not very accesible for developers. Formal verification shows potential to relieve the effort of testing. Sergio Feo-Arenis (Uni. Freiburg) Wireless Fire Alarm System SWT 2015 20 / 23

  16. Conclusions Formal methods are able to handle typical industrial scenarios (but require expert knowledge). The customers are confident early in the process that certification tests will be passed. Implementation is easier when based on a verified design. Other requirements can be simply tested. Still expensive: Almost as expensive as the certification test itself. Additional value: Formal methods not only improve confidence but helps structure development processes. Difficult technology transfer: SMEs prefer to scale out instead of up. Sergio Feo-Arenis (Uni. Freiburg) Wireless Fire Alarm System SWT 2015 21 / 23

  17. Outlook Check whether the source code of the implementation corresponds to the design models. Interrupt based implementations are hard to verify. Use the models to perform model-based testing. Investigate reuse strategies (new features, product lines). Sergio Feo-Arenis (Uni. Freiburg) Wireless Fire Alarm System SWT 2015 22 / 23

  18. Sergio Feo-Arenis (Uni. Freiburg) Wireless Fire Alarm System SWT 2015 23 / 23

  19. Towards Successful Subcontracting for Software in Small to Medium-Sized Enterprises RELAW Workshop, 2012-09-25 Bernd Westphal 1 , Daniel Dietsch 1 , Sergio Feo-Arenis 1 , Andreas Podelski 1 , Louis Pahlow 2 , Jochen Morsbach 3 , Barbara Sommer 3 , Anke Fuchs 3 , Christine Meierh¨ ofer 3 1 Albert-Ludwigs-Universit¨ at Freiburg, Germany – 0 – 2012-09-25 – main – 2 Universit¨ at des Saarlandes, Saarbr¨ ucken, Germany 3 Universit¨ at Mannheim, Germany

  20. Outline ◮ Introduction • What is sub-contracting for software? • When is it succesful? • Why is it ofen not successful? • The Salomo Approach: • Overview • Checkable Requirements, Checking Tool • Regulations in the Contract • Related Work • Conclusion and Further Work – 0 – 2012-09-25 – Scontent – 2 /17

  21. Successful Subcontracting for Software in SMEs SME A SME B e r a w t f o S – 0 – 2012-09-25 – Ssuccess – 3 /17

  22. Successful Subcontracting for Software in SMEs Customer Contractor e r a w t f o S – 0 – 2012-09-25 – Ssuccess – 3 /17

  23. Successful Subcontracting for Software in SMEs § Customer Contractor – 0 – 2012-09-25 – Ssuccess – 4 /17

  24. Successful Subcontracting for Software in SMEs § Customer Contractor develop e r Software a w t f o deliver S – 0 – 2012-09-25 – Ssuccess – 4 /17

  25. Successful Subcontracting for Software in SMEs § Customer Contractor develop e r Software a w t f o deliver S accept – 0 – 2012-09-25 – Ssuccess – :-) :-) pay 4 /17

  26. Subcontracting for Software in SMEs in Reality § Customer Contractor develop Software Software :-( :-( deliver – 0 – 2012-09-25 – Sreality – 5 /17

  27. Subcontracting for Software in SMEs in Reality § Customer Contractor develop Software Software :-( :-( deliver There are three main sources of disputes (and thus uncertainty ): • misunderstandings in the requirements , – 0 – 2012-09-25 – Sreality – 5 /17

  28. Bringing Software-related Disputes to Court... . . . is generally highly unattractive for SME: – 0 – 2012-09-25 – Sreality – 6 /17

  29. Bringing Software-related Disputes to Court... . . . is generally highly unattractive for SME: (i) a court ruling takes time , thus further delays the project, – 0 – 2012-09-25 – Sreality – 6 /17

  30. Bringing Software-related Disputes to Court... . . . is generally highly unattractive for SME: (i) a court ruling takes time , thus further delays the project, (ii) a court ruling incurs costs , – 0 – 2012-09-25 – Sreality – 6 /17

  31. Bringing Software-related Disputes to Court... . . . is generally highly unattractive for SME: (i) a court ruling takes time , thus further delays the project, (ii) a court ruling incurs costs , (iii) it is uncertain whether the necessary compensation can be achieved, – 0 – 2012-09-25 – Sreality – 6 /17

  32. Bringing Software-related Disputes to Court... . . . is generally highly unattractive for SME: (i) a court ruling takes time , thus further delays the project, (ii) a court ruling incurs costs , (iii) it is uncertain whether the necessary compensation can be achieved, (iv) a court only decides over the rights and duties of each party, no suggestion how to use the decision to achieve project success , – 0 – 2012-09-25 – Sreality – 6 /17

  33. Bringing Software-related Disputes to Court... . . . is generally highly unattractive for SME: (i) a court ruling takes time , thus further delays the project, (ii) a court ruling incurs costs , (iii) it is uncertain whether the necessary compensation can be achieved, (iv) a court only decides over the rights and duties of each party, no suggestion how to use the decision to achieve project success , (v) mutual trust between the former partners is hampered , already achieved project progress may be lost . – 0 – 2012-09-25 – Sreality – 6 /17

  34. Bringing Software-related Disputes to Court... . . . is generally highly unattractive for SME: (i) a court ruling takes time , thus further delays the project, (ii) a court ruling incurs costs , (iii) it is uncertain whether the necessary compensation can be achieved, (iv) a court only decides over the rights and duties of each party, no suggestion how to use the decision to achieve project success , (v) mutual trust between the former partners is hampered , already achieved project progress may be lost . In addition, there is a high uncertainty about the outcome: • given unclear requirements, – 0 – 2012-09-25 – Sreality – an appointed expert witness may confirm either interpretation . 6 /17

  35. Subcontracting for Software in SMEs in Reality § Customer Contractor develop Software Software :-( :-( deliver There are three main sources of disputes (and thus uncertainty ): • misunderstandings in the requirements , – 0 – 2012-09-25 – Sreality – 7 /17

  36. Subcontracting for Software in SMEs in Reality § Customer Contractor develop Software Software :-( :-( deliver There are three main sources of disputes (and thus uncertainty ): • misunderstandings in the requirements , • misunderstandings or (under-regulations) of acceptance testing procedure , – 0 – 2012-09-25 – Sreality – 7 /17

  37. Subcontracting for Software in SMEs in Reality § Customer Contractor develop Software Software :-( :-( deliver There are three main sources of disputes (and thus uncertainty ): • misunderstandings in the requirements , • misunderstandings or (under-regulations) of acceptance testing procedure , – 0 – 2012-09-25 – Sreality – • misunderstandings of regulations of the contract . 7 /17

  38. Subcontracting for Software in SMEs in Reality § Customer Contractor develop Software Software :-( :-( deliver There are three main sources of disputes (and thus uncertainty ): • misunderstandings in the requirements , • misunderstandings or (under-regulations) of acceptance testing procedure , – 0 – 2012-09-25 – Sreality – • misunderstandings of regulations of the contract . Many SMEs conclude: subcontracting for software is too risky due to these three main sources of uncertainty . 7 /17

  39. Observation • (Legal) certainty is crucial for subcontracting between SMEs: Outcomes of possible court judgements need to be as clear as possible . • To achieve legal certainty , we need (a) clear and precise requirements , they avoid the 1st source of uncertainty. (b) clear and precise acceptance testing procedures , they avoid the 2nd source of uncertainty. (c) standardised legal contracts which integrate (a) and (b), they avoid the 3rd source of uncertainty. The contract allows a judge to decide on (a) and (b), and thus increases legal certainty. – 0 – 2012-09-25 – main – 8 /17

  40. Outline • Introduction • What is sub-contracting for software? • When is it succesful? • Why is it ofen not successful? ◮ The Salomo Approach: • Overview • Checkable Requirements, Checking Tool • Regulations in the Contract • Related Work • Conclusion and Further Work – 0 – 2012-09-25 – Scontent – 9 /17

  41. Towards (Legal) Certainty modular con- tract Customer Contractor Ingredients: checkable require- • new notion: ments checkable requirement , Software Software • new notion: checking tool . checking • a new, modular software tool development contract , accept y/n/? :-) :-) The modular contract assumes: a subset of requirements is designated as checkable requirements , includes: the checkable requirements in machine-readable form, codifies: agreement that outcome of corresponding checking tool is — with – 0 – 2012-09-25 – main – few and exactly specified exceptions — binding for both parties, provides: legal certainty . 10 /17

  42. Checkable Specification/Requirement, Checking Tool • A checkable specification is a pair ( ϕ, T ) comprising a program property ϕ and a backend T . • A backend maps a program p and a program property ϕ to a result T ( p, ϕ ) ∈ { Yes , No , Unknown } such that the result is • Yes only if the program has the property, • No only if the program does not have the property. – 0 – 2012-09-25 – main – 11 /17

  43. Checkable Specification/Requirement, Checking Tool • A checkable specification is a pair ( ϕ, T ) comprising a program property ϕ and a backend T . • A backend maps a program p and a program property ϕ to a result T ( p, ϕ ) ∈ { Yes , No , Unknown } such that the result is • Yes only if the program has the property, • No only if the program does not have the property. • A checking tool maps a set of checkable specifications Φ = { ( ϕ 1 , T 1 ) , . . . , ( ϕ n , T n ) } , n ∈ N 0 , to a checking tool result { ( ϕ 1 , s 1 ) , . . . , ( ϕ n , s n ) } , s i ∈ { Yes , No , Unknown } . – 0 – 2012-09-25 – main – 11 /17

  44. Checkable Specification/Requirement, Checking Tool • A checkable specification is a pair ( ϕ, T ) comprising a program property ϕ and a backend T . • A backend maps a program p and a program property ϕ to a result T ( p, ϕ ) ∈ { Yes , No , Unknown } such that the result is • Yes only if the program has the property, • No only if the program does not have the property. • A checking tool maps a set of checkable specifications Φ = { ( ϕ 1 , T 1 ) , . . . , ( ϕ n , T n ) } , n ∈ N 0 , to a checking tool result { ( ϕ 1 , s 1 ) , . . . , ( ϕ n , s n ) } , s i ∈ { Yes , No , Unknown } . – 0 – 2012-09-25 – main – • A requirement is called checkable requirement if and oly if a checkable specification can (mechanically) be derived from it. 11 /17

  45. Backend Examples • “The Program Compiles” : wrapper applies compiler and yields • Yes , compiler C in version V produces a non-empty executable. • No , otherwise. – 0 – 2012-09-25 – main – 12 /17

  46. Backend Examples • “The Program Compiles” : wrapper applies compiler and yields • Yes , compiler C in version V produces a non-empty executable. • No , otherwise. • “Test Coverage” : wrapper applies unit-tests • Yes , normal termination of unit tests indicates 100% branch coverage, • No , normal termination and branch coverage below 100%, • Unknown , otherwise. – 0 – 2012-09-25 – main – 12 /17

  47. Backend Examples • “The Program Compiles” : wrapper applies compiler and yields • Yes , compiler C in version V produces a non-empty executable. • No , otherwise. • “Test Coverage” : wrapper applies unit-tests • Yes , normal termination of unit tests indicates 100% branch coverage, • No , normal termination and branch coverage below 100%, • Unknown , otherwise. • “Absence of Generic Errors” : wrapper applies, e.g., Frama-C • Yes , all assertions related to safe memory access hold or not tried, • No , at least one assertion has status surely invalid , and • Unknown otherwise. – 0 – 2012-09-25 – main – 12 /17

  48. Backend Examples • “The Program Compiles” : wrapper applies compiler and yields • Yes , compiler C in version V produces a non-empty executable. • No , otherwise. • “Test Coverage” : wrapper applies unit-tests • Yes , normal termination of unit tests indicates 100% branch coverage, • No , normal termination and branch coverage below 100%, • Unknown , otherwise. • “Absence of Generic Errors” : wrapper applies, e.g., Frama-C • Yes , all assertions related to safe memory access hold or not tried, • No , at least one assertion has status surely invalid , and • Unknown otherwise. • “Invariant Satisfied” : wrapper applies, e.g., VCC – 0 – 2012-09-25 – main – • Yes , verifier output indicates invariant proven; Unknown , otherwise. 12 /17

  49. Backend Examples • “The Program Compiles” : wrapper applies compiler and yields • Yes , compiler C in version V produces a non-empty executable. • No , otherwise. • “Test Coverage” : wrapper applies unit-tests • Yes , normal termination of unit tests indicates 100% branch coverage, • No , normal termination and branch coverage below 100%, • Unknown , otherwise. • “Absence of Generic Errors” : wrapper applies, e.g., Frama-C • Yes , all assertions related to safe memory access hold or not tried, • No , at least one assertion has status surely invalid , and • Unknown otherwise. • “Invariant Satisfied” : wrapper applies, e.g., VCC – 0 – 2012-09-25 – main – • Yes , verifier output indicates invariant proven; Unknown , otherwise. • “Certification” : expert reviews of programs 12 /17

  50. Regulations in the Contract • The modular software development contract • consists of a framework contract , referred to by individual contract, • customisation by several contractual modules . – 0 – 2012-09-25 – main – 13 /17

  51. Regulations in the Contract • The modular software development contract • consists of a framework contract , referred to by individual contract, • customisation by several contractual modules . • The acceptance checking procedure is regulated in two clauses: (i) checkable requirements tested with and only with checking tool. Exit option : if • backend is evidently erroneous, or • the parties agree to consider the result erroneous, or • there is an “ Unknown ” among only “ Yes ”s and “ Unknown ”s, then the clause for other requirements applies. (ii) testing procedure for other requirements determined by customer. – 0 – 2012-09-25 – main – 13 /17

  52. Outline • Introduction • What is sub-contracting for software? • When is it succesful? • Why is it ofen not successful? • The Salomo Approach: • Overview • Checkable Requirements, Checking Tool • Regulations in the Contract ◮ Related Work • Conclusion and Further Work – 0 – 2012-09-25 – Scontent – 14 /17

  53. Related Work • (Berenbach, Lo & Sherman, 2010) Scope limited to the time after the contract has been awarded, limited discussion regarding contract compliance check. • (Governatori, Milosevic, & Sadiq, 2006) — formalise contract conditions Use FCL to formalise requirements business rules and tools which decide compliance as acceptance checking procedure. • (Breaux, Ant´ on, Spafford, 2009) — delegation We consider top-level obligations and verification sets without delegation. • (Fanmuy, Fraga & Llor´ ens, 2012) — requirements verification Use requirements verification as acceptance checking procedure if creation of a requirements document is subject of a contract. – 0 – 2012-09-25 – main – 15 /17

  54. Conclusion and Further Work • We tackle a main challenge of contracting for software: legal uncertainty . • We outline a possible approach to resolve three reasons of uncertainty: a modular legal contract codifies the mutual agreement that checkable requirements are verified by checking tool exclusively. • Both, contractor and customer have strong interest in obtaining positive checking results since positive results mean certainty . • Our contract is well-suited for a gradual introduction of formal methods — any backend is supported as long as both parties agree. • Formal methods effort promises increased confidence in software quality. Further work : • legally support traceability, change-requests. – 0 – 2012-09-25 – main – • consider a concept of delegation similar to (Breaux et al., 2009) , • provide more backends. 16 /17

  55. Thanks. – 0 – 2012-09-25 – main – http://www.salomo-projekt.de 17 /17

  56. Traces, Interpolants, and Automata: a New Approach to Automatic Software Verification Jochen Hoenicke University of Freiburg joint work with Andreas Podelski and Matthias Heizmann 16 July 2015

  57. Software Verification ◮ prove or disprove that a given program satisfies a given specification

  58. Software Verification ◮ prove or disprove that a given program satisfies a given specification ◮ problem is undecidable [Turing, 1936]

  59. ULTIMATE

  60. Example ℓ 0 assume p != 0; ℓ 0 : while(n >= 0) ℓ 1 : p != 0 { ℓ 2 : assert p != 0; ℓ 1 n < 0 ℓ 5 if(n == 0) n >= 0 { p := 0; ℓ 3 : n-- ℓ 2 p == 0 ℓ err } n == 0 ℓ 4 : n--; n != 0 ℓ 3 } p := 0 ℓ 4 pseudocode control flow graph

  61. Example ℓ 0 assume p != 0; ℓ 0 : while(n >= 0) ℓ 1 : p != 0 p != 0 { ℓ 2 : assert p != 0; ℓ 1 n < 0 ℓ 5 if(n == 0) n >= 0 n >= 0 { p := 0; ℓ 3 : n-- ℓ 2 p == 0 p == 0 ℓ err } n == 0 ℓ 4 : n--; n != 0 ℓ 3 } p := 0 ℓ 4 pseudocode control flow graph

  62. 1. take trace π 1 p != 0 n >= 0 p == 0

  63. 1. take trace π 1 2. consider trace as program P 1 p != 0 n >= 0 p == 0 1: assume p != 0; 2: assume n >= 0; 3: assert p != 0; pseudocode of P 1

  64. true 1. take trace π 1 2. consider trace as program P 1 p != 0 3. analyze correctness or P 1 p � = 0 n >= 0 p � = 0 p == 0 false � � �

  65. true 1. take trace π 1 2. consider trace as program P 1 p != 0 3. analyze correctness or P 1 p � = 0 4. generalize program P 1 ◮ add transitions n >= 0 p � = 0 n-- p == 0 false { p � = 0 } { p � = 0 } is valid Hoare triple n-- � � �

  66. true 1. take trace π 1 2. consider trace as program P 1 p != 0 3. analyze correctness or P 1 p � = 0 4. generalize program P 1 ◮ add transitions n >= 0 n != 0 p � = 0 n-- p == 0 false { p � = 0 } { p � = 0 } is valid Hoare triple n-- � � � { p � = 0 } { p � = 0 } is valid Hoare triple n != 0

  67. true 1. take trace π 1 2. consider trace as program P 1 p != 0 3. analyze correctness or P 1 p � = 0 4. generalize program P 1 ◮ add transitions n >= 0 n != 0 p � = 0 n-- n >= 0 p == 0 false { p � = 0 } { p � = 0 } is valid Hoare triple n-- � � � { p � = 0 } { p � = 0 } is valid Hoare triple n != 0 { p � = 0 } { p � = 0 } is valid Hoare triple n >= 0

  68. true 1. take trace π 1 2. consider trace as program P 1 p != 0 3. analyze correctness or P 1 p � = 0 4. generalize program P 1 ◮ add transitions n >= 0 all \{ p := 0 } p � = 0 p == 0 false � � �

  69. all true 1. take trace π 1 2. consider trace as program P 1 p != 0 3. analyze correctness or P 1 p � = 0 all \{ p := 0 } 4. generalize program P 1 ◮ add transitions n >= 0 all \{ p := 0 } p � = 0 p == 0 false all � � �

  70. q 0 all true 1. take trace π 1 2. consider trace as program P 1 p != 0 3. analyze correctness or P 1 4. generalize program P 1 ◮ add transitions q 1 p � = 0 all \{ p := 0 } ◮ merge locations p == 0 q 2 false all � � �

  71. q 0 ℓ 0 all p != 0 p != 0 ℓ 1 ℓ 5 n < 0 q 1 all \{ p := 0 } n >= 0 ℓ 2 ℓ err n-- p == 0 n == 0 p == 0 ℓ 3 n != 0 p := 0 ? � � � q 2 ℓ 4 all program P program P 1

  72. New View on Programs “A program defines a language over the alphabet of statements.”

  73. New View on Programs “A program defines a language over the alphabet of statements.” ◮ Set of statements: alphabet of formal language e.g., Σ = { p != 0 , n >= 0 , n == 0 , p := 0 , n != 0 , n < 0 , } p == 0 , n-- ,

  74. New View on Programs “A program defines a language over the alphabet of statements.” ◮ Set of statements: alphabet of formal language e.g., Σ = { p != 0 , n >= 0 , n == 0 , p := 0 , n != 0 , n < 0 , } p == 0 , n-- , ◮ Control flow graph: automaton over the alphabet of statements ◮ Error location: accepting state of this automaton

  75. New View on Programs “A program defines a language over the alphabet of statements.” ◮ Set of statements: alphabet of formal language e.g., Σ = { p != 0 , n >= 0 , n == 0 , p := 0 , n != 0 , n < 0 , } p == 0 , n-- , ◮ Control flow graph: automaton over the alphabet of statements ◮ Error location: accepting state of this automaton ◮ Error trace of program: word accepted by this automaton

  76. q 0 ℓ 0 all p != 0 p != 0 ℓ 1 ℓ 5 n < 0 q 1 all \{ p := 0 } n >= 0 ℓ 2 ℓ err n-- p == 0 n == 0 p == 0 ℓ 3 n != 0 p := 0 ? � � � q 2 ℓ 4 all program P program P 1

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lecture 17: Software Engineering Research 2015-07-16 Prof. Dr. Andreas Podelski, Dr. Bernd

Lecture 17: Software Engineering Research 2015-07-16 Prof. Dr. Andreas Podelski, Dr. Bernd

Softwaretechnik / Software-Engineering Lecture 17: Software Engineering Research 2015-07-16 Prof. Dr. Andreas Podelski, Dr. Bernd Westphal 17 2015-07-16 main Albert-Ludwigs-Universit at Freiburg, Germany Schedule of the Block

934 views • 72 slides
Lecture 1 Dr. Tom Way CSC 4700 1 Introduction Dr. Tom Way CSC 4700 2 Software engineering

Lecture 1 Dr. Tom Way CSC 4700 1 Introduction Dr. Tom Way CSC 4700 2 Software engineering

What is Software Engineering? CSC 4700 Software Engineering Lecture 1 Dr. Tom Way CSC 4700 1 Introduction Dr. Tom Way CSC 4700 2 Software engineering Facts Fact : The economies of ALL developed nations are dependent on software.

175 views • 6 slides
Research Software Engineering Fellow of the Software Sustainability Institute EPSRC RSE

Research Software Engineering Fellow of the Software Sustainability Institute EPSRC RSE

Robert Haines University of Manchester Computer Science Software Engineering Research Software Engineering Fellow of the Software Sustainability Institute EPSRC RSE Network Co-I UKRSE executive I am not a researcher

409 views • 3 slides
Unified Modelling UML Language What is UML? (me, 10 min) 9 different diagram types

Unified Modelling UML Language What is UML? (me, 10 min) 9 different diagram types

Last update: 15 June 2005 Software Architecture Lecture 12: UML Prof. Dr. Bertrand Meyer Till G. Bay Chair of Softw are Engineering Software Architecture - Lecture 12 Chair of Softw are Engineering Software Architecture - Lecture 12

70 views • 5 slides
TDDD89 Lecture 4 - Research methods Ola Leifler 2 Literature Cohen, Paul. Empirical Methods

TDDD89 Lecture 4 - Research methods Ola Leifler 2 Literature Cohen, Paul. Empirical Methods

TDDD89 Lecture 4 - Research methods Ola Leifler 2 Literature Cohen, Paul. Empirical Methods in Artificial Intelligence Experimentation in Software Engineering Case Study Research in Software Engineering Weapons of Math

1.22k views • 39 slides
Software Engineering Prof. Dr. Bertrand Meyer Dr. Manuel Oriol Dr. Bernd Schoeller Lecture 2:

Software Engineering Prof. Dr. Bertrand Meyer Dr. Manuel Oriol Dr. Bernd Schoeller Lecture 2:

Chair of Software Engineering Software Engineering Prof. Dr. Bertrand Meyer Dr. Manuel Oriol Dr. Bernd Schoeller Lecture 2: Software Engineering Fundamentals Today We try to put Software Engineering in an historical perspective We

731 views • 53 slides
A Research Framework for Empirical Software Engineering Collaboration and Its Application in a

A Research Framework for Empirical Software Engineering Collaboration and Its Application in a

Software Engineering Center Information-technology Promotion Agency, Japan A Research Framework for Empirical Software Engineering Collaboration and Its Application in a Software Development Project Yoshiki Mitani*, Nahomi Kikuchi**, Tomoko

360 views • 6 slides
Today &amp; next lecture Aims of the course Introduction to issues of software quality Axiomatic

Today &amp; next lecture Aims of the course Introduction to issues of software quality Axiomatic

Chair of Software Engineering Chair of Software Engineering Software Verification Contracts, Trusted Components and Patterns Bertrand Meyer Manuel Oriol Till Bay ETH, Fall 2008 Today &amp; next lecture Aims of the course Introduction to

405 views • 36 slides
CS 294-73 Software Engineering for Scientific Computing Lecture 8:

CS 294-73 Software Engineering for Scientific Computing Lecture 8:

CS 294-73 Software Engineering for Scientific Computing Lecture 8: Unstructured grids and sparse matrices Back to Poissons equation. 2 09/19/2017 CS294-73 Lecture 8 Some Vector Calculus x ,

358 views • 25 slides
Software Engineering Prof. Dr. Bertrand Meyer MarchJune 2007 Lecture 2: The Personal Software

Software Engineering Prof. Dr. Bertrand Meyer MarchJune 2007 Lecture 2: The Personal Software

Chair of Softw are Engineering Software Engineering Prof. Dr. Bertrand Meyer MarchJune 2007 Lecture 2: The Personal Software Process PSP: the background CMMI: Capability Maturity Model Integration (originally: CMM) From late 1980s,

718 views • 40 slides
Software Development: Tools and Processes Lecture -2: Basic concepts 1 The Software Engineering

Software Development: Tools and Processes Lecture -2: Basic concepts 1 The Software Engineering

Software Development: Tools and Processes Lecture -2: Basic concepts 1 The Software Engineering Crisis Nearly 1/3 of information technology (computer and software) projects were cancelled before completion Average overrun of project

376 views • 26 slides
SOFTWARE-SELECTION AND Model-Driven Software Engineering Research Group Department of Software

SOFTWARE-SELECTION AND Model-Driven Software Engineering Research Group Department of Software

SOLVING THE QUALITY-BASED SOFTWARE-SELECTION AND Model-Driven Software Engineering Research Group Department of Software Engineering University of Isfahan HARDWARE-MAPPING PROBLEM Samaneh Hoseindoost s.hoseindoost@eng.ui.ac.ir WITH ACO

320 views • 15 slides
CS 294-73 Software Engineering for Scientific Computing Lecture 5: More

CS 294-73 Software Engineering for Scientific Computing Lecture 5: More

CS 294-73 Software Engineering for Scientific Computing Lecture 5: More tools: Gmake, debuggers, git, visualization GNU Make (https://www.gnu.org/software/make/manual) A tricky bit of script parsing to manipulate files

345 views • 31 slides
Lecture on Automated Software Engineering Alloy: Analyzing Software Requirements, Design and

Lecture on Automated Software Engineering Alloy: Analyzing Software Requirements, Design and

Lecture on Automated Software Engineering Alloy: Analyzing Software Requirements, Design and Algorithms Martin Monperrus, Ph.D. version of Oct 15, 2012 Creative Commons Attribution License Copying and modifying are authorized as long as

818 views • 34 slides
Tools and Behavioral Abstraction A Direction for Software Engineering K. Rustan M. Leino

Tools and Behavioral Abstraction A Direction for Software Engineering K. Rustan M. Leino

Tools and Behavioral Abstraction A Direction for Software Engineering K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Future of Software Engineering symposium ETH, Zurich, Switzerland 23 November 2010

244 views • 23 slides
Lecture 5: Project Management Software Engineering, SS 06 History What is a project? Every

Lecture 5: Project Management Software Engineering, SS 06 History What is a project? Every

Chair of Softw are Engineering Software Engineering Prof. Dr. Bertrand Meyer March 2007 June 2007 Lecturer: Hermann Lehner (http://sct.inf.ethz.ch/h) Slides: Based on KSE06 With kind permission of Peter Mller Lecture 5: Project

241 views • 3 slides
Text Mining in R ( tm 101) ViennaR Mario Annau, 22.2.2016

Text Mining in R ( tm 101) ViennaR Mario Annau, 22.2.2016

Text Mining in R ( tm 101) ViennaR Mario Annau, 22.2.2016 Textmining? Sta&lt;s&lt;cal analysis of textual data Use Cases include Spam Filtering

533 views • 11 slides
Metaphor Identification Ji Kozmr Procedure on Czech Palack University Olomouc annDH,

Metaphor Identification Ji Kozmr Procedure on Czech Palack University Olomouc annDH,

Applying MIPVU Dalibor Pavlas Ondej Vrabe Metaphor Identification Ji Kozmr Procedure on Czech Palack University Olomouc annDH, Sofia, 8. 8. 2018 Czech metaphor corpus - motivation Cognitive linguistics Conceptual

636 views • 14 slides
Personal Health Informatics CS 8803 Fall 2015 Introduction: Aug 17th, 2015 Lauren Wilcox Asst

Personal Health Informatics CS 8803 Fall 2015 Introduction: Aug 17th, 2015 Lauren Wilcox Asst

Personal Health Informatics CS 8803 Fall 2015 Introduction: Aug 17th, 2015 Lauren Wilcox Asst Prof Office Hours M 3:30pm 345 TSRB Background Research CS PhD, 2013 Columbia University HCI, Health Informatics

630 views • 43 slides
APM(Robot) Towards a platform for meta-reasoning in robotic applications Cdric Dinont,

APM(Robot) Towards a platform for meta-reasoning in robotic applications Cdric Dinont,

APM(Robot) Towards a platform for meta-reasoning in robotic applications Cdric Dinont, Franois Gaillard and Michal Soulignac Computer Science Department ISEN Lille 1/22 APM(Robot): Towards a platform for meta-reasoning in robotic

492 views • 22 slides
SIG ECI Questionnaire for ECI Questionnaire Questionnaire for Early Career Investigators ready

SIG ECI Questionnaire for ECI Questionnaire Questionnaire for Early Career Investigators ready

COST ACTION CA15137 MC meeting, Podgorica, 7 - 8 March 2019 SIG ECI Questionnaire for ECI Questionnaire Questionnaire for Early Career Investigators ready Draws from interviews of SIG ECI Stphani e and Karolina: first draft

721 views • 6 slides
Introduction Daniel Arribas-Bel &amp; Thomas de Graaff September 5, 2014 Introduction Why this

Introduction Daniel Arribas-Bel &amp; Thomas de Graaff September 5, 2014 Introduction Why this

Introduction Daniel Arribas-Bel &amp; Thomas de Graaff September 5, 2014 Introduction Why this workshop? In the social sciences few attention to what tools to use (and why they make sense) Increasing need for/in openness &amp;

750 views • 28 slides
SOLILOQUY: A Cautionary Tale P. Campbell M. Groves D. Shepherd CESG 1 Outline We describe

SOLILOQUY: A Cautionary Tale P. Campbell M. Groves D. Shepherd CESG 1 Outline We describe

SOLILOQUY: A Cautionary Tale P. Campbell M. Groves D. Shepherd CESG 1 Outline We describe SOLILOQUY, a lattice-based primitive de- signed at CESG in 2007. SOLILOQUY has several nice properties; in particular the public key is very compact

674 views • 20 slides
NTRU Prime Daniel J. Bernstein University of Illinois at Chicago &amp; Technische Universiteit

NTRU Prime Daniel J. Bernstein University of Illinois at Chicago &amp; Technische Universiteit

1 NTRU Prime Daniel J. Bernstein University of Illinois at Chicago &amp; Technische Universiteit Eindhoven cr.yp.to/papers.html #ntruprime is joint work with: Chitchanok Chuengsatiansup Tanja Lange Christine van Vredendaal Technische

1.4k views • 66 slides

More recommend