Title: RE04 keynote
1Chapter5 Quality Assurance
- Jean-Christophe Libbrecht
- Jérôme Paul
- Julien Goffaux
2Introduction
- The latter errors are found, the more costly
their repair is. - Result of this activity is a consolidated RD.
3introduction
- Quality Assurance consists of
- Detecting defects
- Reporting them
- Analysing their cause
- Undertaking actions to fix them
4introduction
- Mains techniques
- Inspections and reviews
- Queries on a requirement database
- Animation-based validation
- Formal verification
5introduction
- When?
- Into requirement documentation
- As soon as portion of specification are available
- Differences with Requirement evaluation
- Not in the same time
- Not the same goal
6Inspections and reviews
- Ask selected people to inspect the DR
individually - Provide list of problem to be solve together
- It works !
- Can even outperform code testing
- Proved to work well on Requirements Documents (RD)
7Inspection process
- Inspection planning
- Size of the team
- Schedule
- Format of the reports
8Inspection process
- Individual reviewing
- Free mode
- Checklist based
- Process based
9Inspection process
- Defect evaluation at review meetings
- Defects found by each inspector
- are collected and discussed
- Analysis of the causes
- gt Reduce false positives
10Inspection process
- RD consolidation
- Document revised to address all the concerns
11Inspection guidelines
- What?
- Facts
- Constructive
- Approved by all inspectors
- Well structured
- Who?
- Inspectors ? authors
- Representative of all stakeholders viewpoints
- Peoples with different background
- gt Minimum size 3
12Inspection guidelines
- When?
- Not too soon ...
- ... Not too late
- Where?
- Critical parts
- Safety-security-related
13Requirement inspection checklists Defect-based
checklist
- Omission
- Contradiction
- Inadequacy
- Ambiguity
- Unmeasurability
- Noise
- Overspecification
14Defect-based checklist
- Unfeasibility
- Ununtelligibility
- Poor structuring
- Forward reference
- Remorse
- Poor modifiability
- Opacity
15Other checklists
- Quality-specific
- Focus on non-functional requirements
- Unspecified reponses to out-of-range values
- Are all inputs from sensors used ?
- ...
- Domain-specific
- Focus on domain-related requirements
- Provide increasingly specific guidance in defect
search
16Other checklists
- Language-based checklists
- Use the specific constructs of the structured
(semi)-formal language in the RD. - Can be automated !
- Decision tables is there a value for every
field - Global template check the conformance of RD
organization to the structure presented by the
template - Diagrammatic language surface-level consistency
and completeness within and between diagrams - Formal specification languages semantically
richer consistency and completeness
17Conclusion of inspection
- Inspection and reviews are
- Even more effective than code inspection.
- Widest in scope and applicability ( any format
supported) - Costly in ressources and time
18Queries on a requirements database
19Queries on a requirements database
- This technique is
- Tool supported
- Simple and effective
- Adapted for large specifications
- Working on parts of the RD that are specified in
terms of diagrammatic notations (cf. 4.3)
20What's the idea ?
- Maintain specifications in a requirements DB
- Queries on DB
21In practice...
- Meta-tools can perform automatic derivation of
- RDB's schema
- Language-specific database engine
22How does it work ?
- Input
- Meta-specification of the diagram language
- Output
- A DB engine with
- A diagram-specific query language
- A processor for specification querying
23And now... an example
- Context
- Part of the RD is specified with data-flow
diagrams - Complex operations are recursively refined into
finer ones - We want to make sure that each data flowing out a
complex operation appears as data flowing out of
one (or more) of its sub-operation(s).
24example.next()
- We check the opposite
- Is there any output data flowing out of this
operation that is not flowing out of any of the
refining sub-operations? - This checks
- Consistency between adjacent levels of operation
refinement - Completeness on the refining data-flow diagram
25example.next()
- Same question in a DFD-specific query language
26The result
- Empty set
- No inconsistency detected
- Non-empty set
- which indicates the output flows missing in the
DFD refining the operation
27Remark
- The DFD-specific query language and its
query-engine are generated from a specification
of the DFD language in an ER meta-language
28Example of ER meta-specification
29The good news of the day
- In practice, these structural checks are automated
30Requirement validation by specification animations
31Reminder
- We want to
- check the adequacy of requirements and
assumptions - see wether the system-to-be as specified
corresponds to the stakeholders expectations
32Validation scenarios
- With the stakeholders, we will check
- interactions among system components
- sequencing
33Visualization
- Visualization is possible
- Scenarios enactment tools
34The problem ...
- Identification of representative scenario sample
from the specified requirements and assumptions,
for comprehensive system coverage MAY NOT BE EASY
35Another approach animating parts of the
specified system
- How ?
- Extract or generate an executable model of the
software-to-be from the specifications - Simulate system behaviour
- Visualize
- check with stakeholders
36Simulation
- Submit events to the model that mimic behaviours
of the environment - The model software reacts to these events
37Visualization
- Shows how suggestive representation of system
evolves dynamically
38Remark simulation gtlt animation
- Simulation
- execution of software model
- Animation
- Visualization, in a suggestive form, of the
simulated model in its environment
39Another remark prototyping VS animation
- Prototype
- Quick implementation in a very high level
language - Not necessarily based on a model
- Pays less attention to system visualization
40Many tools for animations
- State-based
- Jaza (Z), B-core, B-toolkit (B), VDM-tools (VDM),
... - Transition-based
- SCR animator (SCR), Statemate, Rhapsody
(Statecharts), Nimbus (RSML), LTSA (labelled
transition system) - History-based
- FAUST
41Extracting an executable model from the
specifications
- Determine the part of the specification we want
to animate for adequacy checking - Transform it into an executable version that is
semantically equivalent
42Example
- For state machine specifications, the result is
typically a set of parallel state machines (one
per class we want to animate) - In our train system one state machine for the
dynamics of - The train doors
- The train moves
- ...
43Simulating the model
- Instantiation of the extracted model
- Ex
- a single train and 3 stations
- 2 trains and 1 station
- Execution of the instantiated state machines
- NextState function
44Role of the NextState function
- Control the concurrent activation of multiple
transitions fired by the occurrence of multiple
triggering events - Handle clock ticking for the animator's stepwise
execution
45Definition of NextState
46Remark
- Two conflicting transition are BOTH discarded
- A less strict approach
- Keep one of the conflicting transition
- Problem arbitrary choice
47Visualizing the simulation
- Suggestive way
- Animator should make the stakeholders convenient
to input events and watch the model's reactions
48Visualization formats
- Textual
- I Text command
- O execution trace
- Diagrammatic
- I Event selection wrt the current state
- O Tokens processing along the model diagrams
together with state visualization - Domain-specific
- I domain-specific control devices
- O new values on domain-specific monitors
49Some tools skills
- Control devices and panel
- SCR and RSML
- Domain scene
- LTSA and FAUST
50A running example
51Conclusion on requirement animationAdvantages
- Concrete technique for checking a specification
- May reveal subtle inadequacies and other defects
- One of the best ways of getting stakeholders and
practitioners into the quality assurance loop - Interesting animation scenarios may provide
acceptance test data for free - Animators can be coupled with other analysis
tools - monitors that detect property violations on the
fly - model checkers
52Conclusion on requirement animationInconvenient
- Need of a formal specification
- No guarantee that rewarding animation sequences
will be played - The user of the animator needs to be experimented
and to know about tricky things that can happen
in the environment - Animation scenarios should be carefully
elaborated to to ensure comprehensive model
coverage - Gap between the animated model and the original
specification
53Formal verification
- Checks on a specification that can be automated
by tools - Specification must be formal
- Checks depend on the specific constructs of the
specification language
54Formal verification
- Language checks
- Dedicated consistency and completeness checks
- Model checking
- Theorem proving
55Languages checks
- Syntax checking
- Every expression in the specification must be
grammatically well formed according to the syntax
rules of the language - Example Free' Free instead of Free' Free
56Languages checks
- Type checking
- Each variable must have a specified type and all
uses of this variable must be convenient with the
type declaration - Example Free Ambulance and Free'Form
57Languages checks
- Static semantic checking
- Each variable must be declared and have a
specified initial value - Variable must be used within their scope and so
forth
58Languages checks
- Circularity checking
- No variable is being defined in terms of itself
- Example Ambulance Ambulance \ amb?
59Dedicated consistency and completeness checks
- Relies on input-output relations
- Relations are functions
- Relations are total
60Dedicated consistency and completeness checks
- Checking disjointness of input cases for
consistency - Check that relation is a function
- Conditions entries in each input row of the table
are pairwise disjoint No same input with
different input - Cond_Entry1 Cond_Entry2 false
61Dedicated consistency and completeness checks
- Application of Checking disjointness of input
cases for consistency - (OnAcident OR OnRoad) AND (NOT OnAcident AND NOT
OnRoad) - (OnAcident AND NOT OnAccident AND NOT OnRoad) OR
(OnRoad AND NOT OnRoad AND NOT OnAccident)? - (false AND NOT OnRoad) OR (false AND NOT
OnAccident)? - false
62Dedicated consistency and completeness checks
- Checking coverage of input cases for
exhaustiveness - Check that function is total
- The conditions entries cover all possible cases
- Cond_Entry1 v ... v Cond_EntryN true
63Dedicated consistency and completeness checks
- Checking coverage of input cases for
exhaustiveness - (OnAcident OR OnRoad) OR (NOT OnAcident AND NOT
OnRoad) - (OnAcident OR OnRoad OR NOT OnAcident) AND
(OnAcident OR OnRoad OR NOT OnRoad) - (true OR NOT OnAcident) AND (true OR NOT
OnRoad) true
64Model Checking
- Verify that a formally specified model satisfies
some desired property. - Explore the model in a systematic way to search
for property violations
65Model Checking
- Brute-force search algorithm builds the model's
reachability graph - Reachability graph and algorithm
- Contains all possible reachable states
- Explored by recursively generating next nodes
- Testing node if it violate the property
- Visited state are marked to avoid cycling
- Algorithm terminates when a bad states is reached
or when all states has been visited - If a bad node is reached, violating path is
produced
66Model Checking
- Property
- MovementState 'moving' -gt DoorsState 'closed'
- A possible counterexample
- Init (doorsClosed,trainStopped)?
- Start (doorsClosed,trainMoving)?
- Speed 0 (doorsClosed,trainStopped)?
- Opening (doorsOpen,trainStopped)?
- Start (doorsOpen,trainMoving)?
67Model Checking
- Properties verifiable by checker
- Reachability simply inspect reachability graph
- Safety undesirable condition may never happen
(?P)? - Liveness desirable condition must eventually
hold (?P)?
68Model Checking
- Issues
- Combinatorial explosion of states valuesVars
- Length and comprehensibility of counterexample
69Model Checking
- Best-known variants
- SPIN
- properties formalized in TTL
- state machine model must be expressed in PROMELA
- the visited states are maintained in a tunable
hash table - SMW
- properties formalized in CTL
- branching temporal logic where histories have a
tree structure with branching to alternative
successor states - sets of visited states are represented
symbolically by binary decision diagrams
70 PROMELA
spin -a increment.spin Translate the
model to C cc -DSAFETY -o pan pan.c
Compile the model ./pan
Run the model
pan assertion violated ((sumlt2)(counter2))
(at depth 20)? pan wrote
increment.spin.trail (Spin Version 4.2.5
-- 2 April 2005)? Warning Search not
completed Partial Order
Reduction Full statespace search for
never claim - (none
specified)? assertion violations
cycle checks -
(disabled by -DSAFETY)? invalid
end states State-vector 40 byte,
depth reached 22, errors 1 45
states, stored 13 states, matched
58 transitions ( storedmatched)?
51 atomic steps hash
conflicts 0 (resolved)? 2.622 memory
usage (Mbyte)?
71Model Checking
- Alloy analyzer
- Input model is specified in Alloy,a state-based
specification language - Property specified in Alloy
- Model is first instantied by restricting the
range of the model variables to a few values, in
order to avoid state explosion - The analyzer tries to satisfy the negation of the
claim within that bounded model, using an
efficient SAT solver
72(No Transcript)
73Model Checking
- Strengths
- Verification fully automated
- No human intervention is required during
verification - Analysis is exhaustive
- Help debugging with the counterexample
74Theorem Proving
- Verify property deductively rather than
algorithmically - Target property (Theorem) can be derived form the
the formal specification (axioms) by a sequence f
applications of inference rules - User may be required to confirm or reject
generated lemmas that the tool cannot verify
75Theorem Proving
- Inferences rules
- Modus Ponens
- Chaining rules
- First-order functional substitutivity
- First-order predicate substitutivity
- Z-specific rule
76Theorem Proving
77Theorem Proving
78Theorem Proving
- Assertion to verify
- Verification
79Theorem Proving
- Strengths
- Soundness and completeness
- Infinite state spaces can be handled
- Issues
- Difficulty to use it
- No concrete counterexample produced