T01140020220114065T0114 RPL P18
7/31/2019 T01140020220114065T0114 RPL P18
These slides are designed to accompany Software Engineering: A Practitioner's Approach, 8/e (McGraw-Hill 2011).
Slides copyright 2011 by Roger Pressman.
Formal Modeling and Verification

Cleanroom software engineering and formal methods:
- Both demand a specialized specification approach and each applies a unique verification method.
- Both are quite rigorous and neither is used widely by the software engineering community.
- If you must build bullet-proof software, these methods can help immeasurably.
The Cleanroom Process Model

Figure: the cleanroom process model, drawn for increment #1, increment #2, ..., increment #n. System Engineering precedes the increments; each increment passes through Requirements Gathering, Box Structure Specification, Formal Design, Correctness Verification, Code Inspection, Statistical Use Testing and Certification, with Test Planning carried out alongside.
The Cleanroom Strategy I

- Increment Planning: adopts the incremental strategy.
- Requirements Gathering: defines a description of customer-level requirements.
- Box Structure Specification: describes the functional specification.
- Formal Design: specifications (called black boxes) are iteratively refined (within an increment) to become analogous to architectural and procedural designs (called state boxes and clear boxes, respectively).
- Correctness Verification: verification begins with the highest-level box structure (specification) and moves toward design detail and code using a set of correctness questions. If these do not demonstrate that the specification is correct, more formal (mathematical) methods for verification are used.
The Cleanroom Strategy II

- Code Generation, Inspection and Verification: the box structure specifications, represented in a specialized language, are translated into the appropriate programming language.
- Statistical Test Planning: a suite of test cases that exercises the probability distribution of usage is planned and designed.
- Statistical Usage Testing: execute a series of tests derived from a statistical sample (the probability distribution noted above) of all possible program executions by all users from a targeted population.
- Certification: once verification, inspection and usage testing have been completed (and all errors are corrected), the increment is certified as ready for integration.
Box Structure Specification

Figure: the box structure hierarchy. Black box BB1 is refined into BB1.1, BB1.2, ..., BB1.n; BB1.1 is refined into BB1.1.1, BB1.1.2 and BB1.1.3; BB1.1.1 is expanded into the state box SB1.1.1, which is in turn expanded into the clear boxes CB1.1.1.1, CB1.1.1.2 and CB1.1.1.3. Legend: black box, state box, clear box.
Box Structures

Figure: the three box types.
- black box: f : S* → R (the stimulus history S* is mapped to a response R)
- state box: stimulus S and response R, with an internal State T that is read and updated by the function g
- clear box: the state-box function g is refined into the sub-functions g11, g12, g13 and cg1
Design Refinement & Verification

If a function f is expanded into a sequence g and h, the correctness condition for all input to f is:
  Does g followed by h do f?

When a function f is refined into a conditional (if-then-else), the correctness condition for all input to f is:
  Whenever the condition is true, does g do f, and whenever it is false, does h do f?

When function f is refined as a loop, the correctness conditions for all input to f are:
  Is termination guaranteed?
  Whenever the condition is true, does g followed by f do f, and whenever it is false, does skipping the loop still do f?
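The three correctness conditions above can be checked mechanically over a finite input domain, which is the sense in which the next slide says design verification "reduces verification to a finite process". The following Python is an added example, not code from the slides or from Pressman: the functions f, g, h, the loop state (n, i, acc), the variant n - i and the small input domains are all constructed here for illustration.

```python
"""Finite-domain checks for the Cleanroom refinement correctness conditions:
sequence (g then h), conditional (if c then g else h) and loop.
Added example; f, g, h, the loop state and the domains are constructed."""
from itertools import product

# --- 1. Sequence refinement: is f the same as g followed by h? --------------
def f_sum_of_squares(xs):
    return sum(x * x for x in xs)

def g_square_each(xs):            # first step of the refinement
    return [x * x for x in xs]

def h_sum(ys):                    # second step of the refinement
    return sum(ys)

def check_sequence(f, g, h, domain):
    """Does g followed by h do f, for every input in the finite domain?"""
    return all(h(g(x)) == f(x) for x in domain)

# --- 2. Conditional refinement: is f the same as "if c then g else h"? -----
def f_abs(x):
    return abs(x)

def c_nonneg(x):
    return x >= 0

def g_identity(x):
    return x

def h_negate(x):
    return -x

def check_conditional(f, c, g, h, domain):
    """Whenever c is true does g do f, and whenever c is false does h do f?"""
    return all((g(x) if c(x) else h(x)) == f(x) for x in domain)

# --- 3. Loop refinement, stated over the loop state (n, i, acc) ------------
# f(state) is the value the loop is meant to produce from this state: the
# accumulator plus everything still to be added. g is one body execution.
def f_loop(state):
    n, i, acc = state
    return acc + sum(range(i, n))

def c_loop(state):                # loop condition
    n, i, _ = state
    return i < n

def g_body(state):                # one iteration of the body
    n, i, acc = state
    return (n, i + 1, acc + i)

def result(state):                # what "skipping the loop" yields
    return state[2]

def variant(state):               # must be >= 0 and strictly decrease per iteration
    n, i, _ = state
    return n - i

def check_loop(f, c, g, result, variant, domain):
    """Termination guaranteed (variant bounded below and decreasing while c holds);
    whenever c is true does g followed by f do f; whenever c is false does
    skipping the loop still do f?"""
    for s in domain:
        if c(s):
            if not (variant(s) >= 0 and variant(g(s)) < variant(s)):
                return False          # termination not demonstrated
            if f(g(s)) != f(s):
                return False          # body does not preserve the intended function
        elif result(s) != f(s):
            return False              # skipping the loop does not do f
    return True

def verify_all():
    """Run the three checks over constructed finite domains."""
    lists = [list(t) for k in range(4) for t in product(range(-2, 3), repeat=k)]
    ints = range(-10, 11)
    states = [(n, i, acc) for n in range(5) for i in range(6) for acc in range(3)]
    return {
        "sequence": check_sequence(f_sum_of_squares, g_square_each, h_sum, lists),
        "conditional": check_conditional(f_abs, c_nonneg, g_identity, h_negate, ints),
        "loop": check_loop(f_loop, c_loop, g_body, result, variant, states),
    }

if __name__ == "__main__":
    print(verify_all())
```

Swapping g and h in the conditional, or passing a body that never advances i, makes the corresponding check return False, which is the point of the exercise: the refinement is accepted only when every correctness question is answered for every input considered.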
Advantages of Design Verification

- It reduces verification to a finite process.
- It lets cleanroom teams verify every line of design and code.
- It results in a near zero defect level.
- It scales up.
- It produces better code than unit testing.
Cleanroom Testing

Statistical use testing tests the actual usage of the program:
- determine a usage probability distribution
- analyze the specification to identify a set of stimuli (stimuli cause software to change behavior)
- create usage scenarios
- assign a probability of use to each stimulus
- test cases are generated for each stimulus according to the usage probability distribution
Certification

1. Usage scenarios must be created.
2. A usage profile is specified.
3. Test cases are generated from the profile.
4. Tests are executed and failure data are recorded and analyzed.
5. Reliability is computed and certified.
Certification Models

- Sampling model. Software testing executes m random test cases and is certified if no failures or a specified number of failures occur. The value of m is derived mathematically to ensure that required reliability is achieved.
- Component model. A system composed of n components is to be certified. The component model enables the analyst to determine the probability that component i will fail prior to completion.
- Certification model. The overall reliability of the system is projected and certified.
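The testing and certification slides above describe a procedure (usage profile, profile-driven test generation, m random executions, certify on zero failures). The Python below is an added example, not code from the slides or from Pressman, that carries the sampling model through end to end. The stimuli and their usage probabilities, the toy system under test and the reliability/confidence targets are constructed; the zero-failure sample size uses the standard relation reliability^m <= 1 - confidence, which is one way of deriving m and not necessarily the one the slides have in mind.

```python
"""Statistical use testing with a usage profile, and the zero-failure sampling
certification model. Added example; the profile, the system under test and
the targets are constructed, and the sample-size formula is the standard
reliability**m <= 1 - confidence bound."""
import math
import random
from collections import Counter

# Constructed usage profile: stimulus -> probability of use (must sum to 1)
USAGE_PROFILE = {
    "login_ok":     0.50,
    "login_bad_pw": 0.20,
    "view_report":  0.25,
    "admin_reset":  0.05,
}

def check_profile(profile, tol=1e-9):
    """A usage profile is only usable if it is a probability distribution."""
    total = sum(profile.values())
    return all(p >= 0 for p in profile.values()) and abs(total - 1.0) < tol

def generate_test_cases(profile, count, seed=0):
    """Draw `count` stimuli according to the usage probability distribution.
    A fixed seed makes the generated suite reproducible for the failure analysis."""
    rng = random.Random(seed)
    stimuli = list(profile)
    weights = [profile[s] for s in stimuli]
    return rng.choices(stimuli, weights=weights, k=count)

def required_sample_size(reliability, confidence):
    """Zero-failure sampling model: the number m of random test cases that must
    all pass so that, with the given confidence, the per-execution success
    probability is at least `reliability`. From reliability**m <= 1 - confidence."""
    if not (0 < reliability < 1 and 0 < confidence < 1):
        raise ValueError("reliability and confidence must lie strictly between 0 and 1")
    return math.ceil(math.log(1 - confidence) / math.log(reliability))

def system_under_test(stimulus):
    """Constructed toy system: every stimulus succeeds except a hypothetical
    defect on the rarely used admin path. Whether the sample exercises that
    5% stimulus at all depends on m, which is exactly what the profile-driven
    approach is meant to make explicit."""
    return stimulus != "admin_reset"

def certify(profile, reliability, confidence, seed=0, sut=system_under_test):
    """Execute m profile-driven tests; the increment is certified only if no
    failure is observed (the 'no failures' variant of the sampling model)."""
    m = required_sample_size(reliability, confidence)
    cases = generate_test_cases(profile, m, seed)
    failures = [s for s in cases if not sut(s)]
    return {
        "m": m,
        "executed": Counter(cases),     # how often each stimulus was exercised
        "failures": Counter(failures),  # failure data, recorded per stimulus
        "certified": not failures,
    }

if __name__ == "__main__":
    assert check_profile(USAGE_PROFILE)
    print(certify(USAGE_PROFILE, reliability=0.99, confidence=0.95))
```

For reliability 0.99 at 95% confidence the formula gives m = 299 test cases, all of which must pass; a stimulus with 5% usage probability is then expected to be drawn roughly fifteen times, which is why usage-weighted sampling finds defects on common paths quickly and rare-path defects only when m is large enough.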
Formal Methods

"Formal methods used in developing computer systems are mathematically based techniques for describing system properties. Such formal methods provide frameworks within which people can specify, develop, and verify systems in a systematic, rather than ad hoc, manner."
The Encyclopedia of Software Engineering [Mar01]

The problem with conventional specs:
- contradictions
- ambiguities
- vagueness
- incompleteness
- mixed levels of abstraction
Formal Specification

- Desired properties (consistency, completeness, and lack of ambiguity) are the objectives of all specification methods.
- The formal syntax of a specification language enables requirements or design to be interpreted in only one way, eliminating ambiguity that often occurs when a natural language (e.g., English) or a graphical notation must be interpreted.
- The descriptive facilities of set theory and logic notation enable clear statement of facts (requirements).
- Consistency is ensured by mathematically proving that initial facts can be formally mapped (using inference rules) into later statements within the specification.
Formal Methods Concepts

- data invariant: a condition that is true throughout the execution of the system that contains a collection of data
- state: Many formal languages, such as OCL (Section 28.5), use the notion of states as they were discussed in Chapters 7 and 8, that is, a system can be in one of several states, each representing an externally observable mode of behavior. The Z language (Section 28.6) defines a state as the stored data which a system accesses and alters.
- operation: an action that takes place in a system and reads or writes data to a state
- precondition: defines the circumstances in which a particular operation is valid
- postcondition: defines what happens when an operation has completed its action
An Example: Print Spooler

Figure: the spooler state.
- Limits: LP1 -> 750, LP2 -> 500, LAS1 -> 300, LAS2 -> 200
- Sizes: ftax -> 650, newdata -> 450, exres -> 50, persons -> 700
- Device queues: LP1, LP2, LAS1, LAS2, each with its files awaiting printing (drawn from ftax, newdata, exres, persons)
States and Data Invariant

The state of the spooler is represented by the four components Queues, OutputDevices, Limits, and Sizes.

The data invariant has five components:
- Each output device is associated with an upper limit of print lines
- Each output device is associated with a possibly nonempty queue of files awaiting printing
- Each file is associated with a size
- Each queue associated with an output device contains files that have a size less than the upper limit of the output device
- There will be no more than MaxDevs output devices administered by the spooler
Operations

- An operation which adds a new output device to the spooler together with its associated print limit
- An operation which removes a file from the queue associated with a particular output device
- An operation which adds a file to the queue associated with a particular output device
- An operation which alters the upper limit of print lines for a particular output device
- An operation which moves a file from a queue associated with an output device to another queue associated with a second output device
Pre- & Post-conditions

For the first operation (adds a new output device to the spooler together with its associated print limit):

Precondition: the output device name does not already exist and there are currently less than MaxDevs output devices known to the spooler.

Postcondition: the name of the new device is added to the collection of existing device names, a new entry is formed for the device with no files being associated with its queue, and the device is associated with its print limit.
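The spooler slides above give the state, the five-part data invariant and the pre/postcondition of the add-device operation in prose. The Python below is an added example, not code from the slides or from Pressman, that turns them into executable checks: the invariant is a method that fails loudly when any of its five clauses is broken, and each operation refuses to run when its precondition does not hold. The device names, limits and file sizes are the ones on the print spooler figure; the value of MaxDevs, which files sit on which queue, and the precondition given to the add-file operation (size must be below the device limit, taken from invariant clause 4) are assumptions made here.

```python
"""Print spooler state, five-part data invariant and operations with
pre/postconditions. Added example; MaxDevs, the queue assignment and the
add-file precondition are assumptions."""
MAX_DEVS = 6   # assumed value of MaxDevs

class InvariantError(Exception):
    pass

class PreconditionError(Exception):
    pass

class Spooler:
    def __init__(self):
        self.output_devices = set()   # OutputDevices
        self.limits = {}              # Limits: device -> upper limit of print lines
        self.queues = {}              # Queues: device -> files awaiting printing
        self.sizes = {}               # Sizes: file -> size in print lines

    def check_invariant(self):
        """The five components of the data invariant from the slides."""
        # 1. each output device is associated with an upper limit of print lines
        if any(d not in self.limits for d in self.output_devices):
            raise InvariantError("output device without a print limit")
        # 2. each output device is associated with a (possibly empty) queue
        if any(d not in self.queues for d in self.output_devices):
            raise InvariantError("output device without a queue")
        # 3. each (queued) file is associated with a size
        if any(f not in self.sizes for q in self.queues.values() for f in q):
            raise InvariantError("queued file without a size")
        # 4. every queued file is smaller than its device's upper limit
        for d, q in self.queues.items():
            if any(self.sizes[f] >= self.limits[d] for f in q):
                raise InvariantError(f"file too large for device {d}")
        # 5. no more than MaxDevs output devices administered by the spooler
        if len(self.output_devices) > MAX_DEVS:
            raise InvariantError("more than MaxDevs output devices")
        return True

    def add_device(self, name, limit):
        """First operation: add a new output device with its print limit."""
        # precondition: name unknown and fewer than MaxDevs devices known
        if name in self.output_devices:
            raise PreconditionError(f"output device {name} already exists")
        if len(self.output_devices) >= MAX_DEVS:
            raise PreconditionError("MaxDevs output devices already known to the spooler")
        before = len(self.output_devices)
        self.output_devices.add(name)
        self.limits[name] = limit
        self.queues[name] = []
        # postcondition: name recorded, empty queue formed, limit associated
        assert (name in self.output_devices and self.queues[name] == []
                and self.limits[name] == limit
                and len(self.output_devices) == before + 1)
        self.check_invariant()
        return True

    def add_file(self, device, file, size):
        """Third operation: queue a file on a device (precondition assumed here:
        the device exists and the file fits under its limit)."""
        if device not in self.output_devices:
            raise PreconditionError(f"unknown output device {device}")
        if size >= self.limits[device]:
            raise PreconditionError(f"{file} ({size} lines) exceeds the limit of {device}")
        self.sizes[file] = size
        self.queues[device].append(file)
        self.check_invariant()
        return True

def rejected(operation, *args):
    """True if the operation refuses the call because its precondition fails."""
    try:
        operation(*args)
    except PreconditionError:
        return True
    return False

def build_slide_spooler():
    """Recreate the slide's devices, limits and file sizes; queue placement is assumed."""
    sp = Spooler()
    for dev, limit in [("LP1", 750), ("LP2", 500), ("LAS1", 300), ("LAS2", 200)]:
        sp.add_device(dev, limit)
    sp.add_file("LP1", "ftax", 650)
    sp.add_file("LP2", "newdata", 450)
    sp.add_file("LAS2", "exres", 50)
    sp.add_file("LP1", "persons", 700)
    return sp

if __name__ == "__main__":
    sp = build_slide_spooler()
    print(sp.queues, sp.check_invariant())
```

Note that the 650-line ftax and the 700-line persons file can only be queued on LP1 (limit 750): the add-file precondition is what keeps invariant clause 4 true, so that the invariant check after each operation is a guard against a defective operation rather than the mechanism that enforces the rule.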
Mathematical Concepts*

- sets and constructive set specification
- set operators
- logic operators
- sequences

*A discussion of sets and constructive specification (slides 20 - 24) is no longer included within SEPA, 7/e, but is included here for those who are unfamiliar with the basic concepts.
Set Operators

A specialized set of symbology is used to represent set and logic operations.

Examples
The ∈ operator is used to indicate membership of a set. For example, the expression
  x ∈ X
The operators ⊂, ⊆, and # take sets as their operands. The predicate
  A ⊆ B
has the value true if the members of the set A are contained in the set B and has the value false otherwise.
The union operator,
Logic Operators

Another important component of a formal method is logic: the algebra of true and false expressions.

Examples:
  ∨  or
  ¬  not
  ⇒  implies

Universal quantification is a way of making a statement about the elements of a set that is true for every member of the set. Universal quantification uses the symbol ∀. An example of its use is
  ∀ i, j : ℕ • i > j ⇒ i² > j²
which states that for every pair of values in the set of natural numbers, if i is greater than j, then i² is greater than j².
Sequences

Sequences are designated using angle brackets. For example, the preceding sequence would normally be written as
  ⟨Jones, Wilson, Shapiro, Estavez⟩

Catenation, ⌢, is a binary operator that forms a sequence constructed by adding its second operand to the end of its first operand. For example,
  ⟨2, 3, 34, 1⟩ ⌢ ⟨12, 33, 34, 200⟩ = ⟨2, 3, 34, 1, 12, 33, 34, 200⟩

Other operators that can be applied to sequences are head, tail, front, and last.
  head ⟨2, 3, 34, 1, 99, 101⟩ = 2
  tail ⟨2, 3, 34, 1, 99, 101⟩ = ⟨3, 34, 1, 99, 101⟩
  last ⟨2, 3, 34, 1, 99, 101⟩ = 101
  front ⟨2, 3, 34, 1, 99, 101⟩ = ⟨2, 3, 34, 1, 99⟩
Formal Specification: The block handler

The block handler maintains a reservoir of unused blocks and will also keep track of blocks that are currently in use. When blocks are released from a deleted file they are normally added to a queue of blocks waiting to be added to the reservoir of unused blocks.

The state
  used, free : ℙ BLOCKS
  BlockQueue : seq ℙ BLOCKS

Data invariant
  used ∩ free = ∅
  used ∪ free = AllBlocks
  ∀ i : dom BlockQueue • BlockQueue i ⊆ used
  ∀ i, j : dom BlockQueue • i ≠ j ⇒ BlockQueue i ∩ BlockQueue j = ∅

Precondition
  #BlockQueue > 0

Postcondition
  used' = used \ head BlockQueue
  free' = free ∪ head BlockQueue
  BlockQueue' = tail BlockQueue
Formal Specification Languages

A formal specification language is usually composed of three primary components:
- a syntax that defines the specific notation with which the specification is represented
- semantics to help define a "universe of objects" [WIN90] that will be used to describe the system
- a set of relations that define the rules that indicate which objects properly satisfy the specification

The syntactic domain of a formal specification language is often based on a syntax that is derived from standard set theory notation and predicate calculus.
The semantic domain of a specification language indicates how the language represents system requirements.
Object Constraint Language (OCL)

- a formal notation developed so that users of UML can add more precision to their specifications
- All of the power of logic and discrete mathematics is available in the language
- However, the designers of OCL decided that only ASCII characters (rather than conventional mathematical notation) should be used in OCL statements.
OCL Overview

- Like an object-oriented programming language, an OCL expression involves operators operating on objects.
- However, the result of a complete expression must always be a Boolean, i.e. true or false.
- The objects can be instances of the OCL Collection class, of which Set and Sequence are two subclasses.
- See Table 28.1 for a summary of OCL notation.
BlockHandler using UML

Figure: UML class diagram of the block handler. Classes: BlockHandler, BlockSet and Block (Block has the attribute number; the operations addBlock() and removeBlock() appear in the diagram). BlockHandler is linked to BlockSet by the associations allBlocks, free and used (free and used are each marked {subset}) and by blockQueue (marked {ordered}); a BlockSet holds its Blocks through the elements association. Multiplicities shown are 1 and *.
BlockHandler in OCL

No block will be marked as both unused and used.
  context BlockHandler inv:
    (self.used->intersection(self.free))->isEmpty()

All the sets of blocks held in the queue will be subsets of the collection of currently used blocks.
  context BlockHandler inv:
    blockQueue->forAll(aBlockSet | used->includesAll(aBlockSet))

No elements of the queue will contain the same block numbers.
  context BlockHandler inv:
    blockQueue->forAll(blockSet1, blockSet2 |
      blockSet1 <> blockSet2 implies
      blockSet1.elements.number->excludesAll(blockSet2.elements.number))
The expression before implies is needed to ensure we ignore pairs where both elements are the same Block.

The collection of used blocks and blocks that are unused will be the total collection of blocks that make up files.
  context BlockHandler inv:
    allBlocks = used->union(free)

The collection of unused blocks will have no duplicate block numbers.
  context BlockHandler inv:
    free->isUnique(aBlock | aBlock.number)

The collection of used blocks will have no duplicate block numbers.
  context BlockHandler inv:
    used->isUnique(aBlock | aBlock.number)
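The Z specification of the block handler (state, data invariant, and the precondition/postcondition of the operation that returns the head of BlockQueue to the reservoir) and the OCL invariants above say the same thing in two notations. The Python below is an added example, not code from the slides or from Pressman, that renders both as executable checks and also implements the head, tail, front and last sequence operators from the Sequences slide. AllBlocks, the block numbers and the queue contents are constructed here; the operation name release_head is a label chosen for this example.

```python
"""Executable rendering of the block handler: Z state and data invariant,
the OCL inv: clauses, and the release-head operation with its precondition
and postcondition. Added example; AllBlocks and the queue contents are
constructed."""
from dataclasses import dataclass, field

ALL_BLOCKS = frozenset(range(1, 11))   # constructed AllBlocks: block numbers 1..10

# Sequence operators from the slides, over Python lists
def head(seq):
    return seq[0]

def tail(seq):
    return seq[1:]

def front(seq):
    return seq[:-1]

def last(seq):
    return seq[-1]

@dataclass
class BlockHandler:
    used: set = field(default_factory=set)            # used : P BLOCKS
    free: set = field(default_factory=set)            # free : P BLOCKS
    block_queue: list = field(default_factory=list)   # BlockQueue : seq P BLOCKS

    def invariant_violations(self):
        """One message per violated clause of the data invariant; empty when it holds."""
        problems = []
        if self.used & self.free:                          # used ∩ free = ∅
            problems.append("a block is both used and free")
        if self.used | self.free != ALL_BLOCKS:             # used ∪ free = AllBlocks
            problems.append("used ∪ free is not AllBlocks")
        for i, bs in enumerate(self.block_queue):           # ∀ i • BlockQueue i ⊆ used
            if not bs <= self.used:
                problems.append(f"BlockQueue[{i}] holds blocks that are not in use")
        for i in range(len(self.block_queue)):              # ∀ i ≠ j • disjoint sets
            for j in range(i + 1, len(self.block_queue)):
                if self.block_queue[i] & self.block_queue[j]:
                    problems.append(f"BlockQueue[{i}] and BlockQueue[{j}] share a block")
        return problems

    def can_release(self):
        """Precondition of the operation: #BlockQueue > 0."""
        return len(self.block_queue) > 0

    def release_head(self):
        """Return the first queued block set to the reservoir. Postcondition:
        used' = used \\ head BlockQueue, free' = free ∪ head BlockQueue,
        BlockQueue' = tail BlockQueue."""
        if not self.can_release():
            raise ValueError("precondition failed: BlockQueue is empty")
        released = set(head(self.block_queue))
        used, free = set(self.used), set(self.free)       # before-state, for the check
        self.used = self.used - released
        self.free = self.free | released
        self.block_queue = tail(self.block_queue)
        # postcondition and invariant are checked after every operation
        assert self.used == used - released and self.free == free | released
        assert not self.invariant_violations(), self.invariant_violations()
        return released

def demo():
    """Constructed starting state: blocks 1-5 in use, 6-10 free, two sets queued."""
    h = BlockHandler(used={1, 2, 3, 4, 5}, free={6, 7, 8, 9, 10},
                     block_queue=[{1, 2}, {4}])
    first = h.release_head()
    return first, h

if __name__ == "__main__":
    print(demo())
```

A state built with block 6 in both used and free, or with the same block number in two queued sets, reports one violation per broken clause, which is the behaviour the OCL isEmpty() and excludesAll() invariants describe.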
BlockHandler in Z

The following example of a schema describes the state of the block handler and the data invariant:

  BlockHandler
  -----------------------------------------------------------
  used, free : ℙ BLOCKS
  BlockQueue : seq ℙ BLOCKS
  -----------------------------------------------------------
  used ∩ free = ∅
  used ∪ free = AllBlocks
  ∀ i : dom BlockQueue • BlockQueue i ⊆ used
  ∀ i, j : dom BlockQueue • i ≠ j ⇒ BlockQueue i ∩ BlockQueue j = ∅

See Section 21.7.2 for further expansion of the specification