University of Oregon
Computer & Information Science

CIS 610
Software Analysis and Test
Winter 1998

Assigned Readings

1. Experience with Inspection in Ultralarge-Scale Developments. Glen W. Russel. IEEE Software, January 1991, pages 25-31.

2. An Introduction to Proving the Correctness of Programs. Sidney L. Hantler and James C. King. ACM Computing Surveys, September 1976, pp 331-353.

The technique described here is sometimes called "symbolic execution." It can be partially automated; the difficult parts to automate are simplfication of predicates and checking of assertions (which are really the same thing: an assertion is true if it simplifies to TRUE.) Although this approach to program verification is seldom practical in itself, some reasoning in this style is used in many other verification techniques, so you should understand it.

3. The Larch Family of Specification Languages. J.V. Guttag, J.J. Horning, and J.M. Wing. IEEE Software, September 1985, pp. 24-36.

There are really two things I want you to get out of this paper. First, the algebraic specification style described in this paper is fairly representative of modern specification methodology, especially when the implementation is object-based or object-oriented.

Second, and more fundamental, is the two-tiered approach. It is very difficult to devise a specification language that is, on the one hand, "clean" enough for formal reasoning, and on the other hand is practical for describing program or module specifications. Larch side-steps this problem by giving specifications at two different levels. The "shared language" specifications are as simple and clean as possible; good for formal reasoning but lousy for describing program interfaces. The "interface language" specfications contain the nitty-gritty that is necessary to describe program interfaces. Gluing these two together is an important concept, and it is not limited to algebraic specifications like Larch. The important idea is to not try to make one kind of specification serve both purposes, but rather to tie together two kinds of specification, each of which is suited to its purpose.

4. The Model Checker SPIN. Gerard J. Holzmann. IEEE Transactions on Software Engineering 23(5), May 1997.

While directly proving the correctness of a paper is seldom practical, it is often possible to prove useful properties about models that have been constructed specifically for that purpose. Even though verification of the model does not guarantee that the code is correct, finding and correcting bugs in such a model is much, much easier than finding and correcting the corresponding bugs in code. One of the areas in which this approach has been most useful is verification of concurrency properties (e.g., absence of deadlock, mutual exclusion) in finite-state models of concurrent processes. Several different kinds of models of techniques have been used for this purpose; the tool SPIN uses one of the conceptually simpler approaches, which makes it a good introduction to the field. Also, it is among the most mature and practically useful of the existing finite-state verification tools.

5. Towards a Method of Programming with Assertions. David S. Rosenblum. IEEE Transactions on Software Engineering.

There are really two aspects to this paper. Part of it describes an assertion checking system called APP, which is similar to (but rather simpler and more limited than) the ANNA assertion language for Ada that preceded it. (The Gnu assertion-checking package nana [see nana user manual] provides functionality roughly equivalent to APP, and unlike APP is freely available for anyone to download. )

The second part of the paper, and in some ways the more interesting part, is the experience report on using APP --- what kinds of assertions seemed to be useful. Although the evidence reported here is really anecdotal, it provides some useful insight into the way assertion packages can be used in practice.

Lecture notes in PDF* format

Software Dependability Qualities

Basic definitions and distinctions: Correctness, reliability, robustness, safety

Software Process for QA

An overview of software development processes from the perspective of quality assurance

Software Inspections

Mostly Fagan code inspections, but also a brief look at active design reviews as described by Parnas and Weiss, and phased inspections as described by Knight and Myer. [Had trouble with the PDF format? We can troubleshoot later, but here's a PostScript version for now.]

Formal Verification (intro)

Floyd- and Hoare-style verification with preconditions and postconditions; algebraic specification; two-tier specifications a la Larch. (The notes on these slides are not very complete, particularly toward the end. )

Model Checking

An introduction to the basic ideas of temporal logic model checking, such as provided by tools like Spin. (Sorry, just slides for now with no additional notes.)

Static Analysis

Process Algebra

I apparently had a revision control problem and wiped out an earlier version of this page to which the process algebra slides had already been linked.

Dynamic Testing (1)

This is the first of (at least) two lectures on testing. Additional lectures will cover more on test oracles, test automation, and specification-based test selection. Some of the material in this lecture was written or revised by Mauro Pezze` of Politecnico di Milano.

Test Oracles

Just a short introduction ... doing the exercises should be more interesting than listening to the lecture.

Integration and System Testing

The first part of these slides largely talks about the category-partition method as an example of specification-based partition testing at the system or subsystem level. The second part raises issues in integration testing of object-oriented programs --- without providing much in the way of solutions.

Documents are in PDF* format.

Formal Technical Reviews (Inspections)

• On The Evaluation of Software Inspections and Tests. Jarir K. Chaar, IBM TJ Watson laboratory.
• Experiences with CSRS: An Instrumented Software Review Environment. Philip M. Johnson, Danu Tjahjono, Dadong Wan, Robert S. Brewer. Presented at the Pacific Northwest Software Quality Conference, 1993.
• Improving Software Quality through Computer Supported Collaborative Review. Philip M. Johnson and Danu Tjahjono, Third European Conference on Computer Supported Cooperative Work, Milan, Italy, September, 1993.
• SOFTWARE FORMAL INSPECTIONS GUIDEBOOK, Office of Safety and Mission Assurance, NASA 1993. (68 pages)
• Formal Technical Review archive on the World-Wide-Web (maintained by Phil Johnson at U. Hawaii).

PVS: A tool for formal specification and verification by theorem proving

• PVS: A prototype verification system. (Very brief overview, circa 1992)
• An Elementary Tutorial on PVS
• A Less Elementary Tutorial on PVS
• A tutorial introduction to PVS. Ricky Butler. Workshop on Industrial-strength Formal Methods, 1995.
• Mechanized Formal Methods: Progress and Prospects, J. Rushby

General notes on theorem proving and formal methods from the developers of PVS

• Automated Deduction and Formal Methods, J. Rushby, CAV 96/CADE 96.
• Acceptance of Formal Methods: Lessons from Hardware Verification
  (This is not one of those whiny "they'd don't use FM because they're afraid of math" pieces, but a nicely reasoned consideration of why verification techniques are catching on in the hardware world. Among the lessons: Use formal techniques for finding bugs, not for producing proofs of correctness. Focus on the tricky bits, where testing is least effective, or where testing and formal analysis find different problems.)

Larch: Two tiered specifications (algebraic/functional + operational)

• Larch: Languages and Tools for Formal Specification by J.V. Guttag and J.J. Horning, with S.J. Garland, K.D. Jones, A. Modet, and J.M. Wing. (259 page book)
• The Larch Shared Language: Some Open Problems by J.J. Horning
  (Despite what you might guess from the title, this is actually a very nice overview of the design decisions that were taken to make Larch a practical specification tool rather than a theoretical toy, as well as an honest appraisal of some things that didn't quite work out as well as one would like.)
• There are also a number of Web resources for Larch and related projects; http://larch-www.lcs.mit.edu:8001/larch/index.html is a good place to start.

PDF format and troubleshooting

*PDF (portable document format) version 2, which requires Acrobat Reader or Acrobat Exchange version 3. The Reader is available for several platforms (Solaris Sparc and x86, Linux, Mac OS, Windows 3.1, 95 and NT, HPUX, etc.) free from Adobe, http://www.adobe.com.

If you try to view a PDF document with Netscape, and it reports an error in the file, there is a good chance that the Netscape PDF plugin is an old version (Acrobat version 2 or 1). You can get the newest plugin from Adobe. If you can't install it in Netscape, you can still save the file and then read the PDF document within Acrobat version 3. And if you still have problems, please let me know.

Here is a tip from Chris Schleicher on configuring Netscape, in a reply to a student:

>When I select "Software Inspections" on Michal Young's web page for cis
>610
>	http://www.cs.uoregon.edu/~michal/Classes/W98/
>I get a window saying Acrobat Reader 2.1 and then an error window with the
>message
>	There was an error processing a page. The document
>may be damaged (9).

Netscape doesn't necessarily use the same version as the one in
your path.  Here it's using the old version.  To fix this, go into
Netscape Edit | Preferences | Navigator | Applications and find the
association for PDF files.  Change the application from
    /local/apps/AcroRead/bin/acroread %s
to
    /local/bin/acroread %s
to make Netscape do the right thing.

Last update: 5 January 1998
Please report broken links and other problems to Michal Young