Applications of Logic in Software Engineering. CS402, Spring 2016 Shin Yoo

Transcription

1 Applications of Logic in Software Engineering CS402, Spring 2016 Shin Yoo

2 Acknowledgements I borrow slides from: Moonzoo Kim Theo C. Ruys ( SpinTutorial.pdf) CBMC & Daniel Kroening (

3 What are computers good at? Logical arguments? Fast computation?

4 What is the battlefront in AI? Prolog? Big data + machine learning?

5 (a rhetorical) Question You are given a very long, very complex formula in propositional logic. You have to show its validity. How do you proceed? Preprocess(?) the formula as much as possible to make it simpler; try proof calculus. Start constructing the truth table.

6 How do you check whether your program is correct? Prove its correctness. That is, the program has to be correct (with respect to a set of specifications). This is called verification. Check its behaviour as thoroughly as possible. That is, execute the program with as many inputs as possible, and check that the behaviour conforms to the expectation. This is called validation (also, more commonly, testing). Check its behaviour with the input you had in mind. That is, execute the program with the given example input, and check that it does not crash. This is called.. umm

7 2 Solving Various Problems using SAT Solver Sudoku Puzzle Encoding 1 Encoding 2 Verify/Testing C Programs Encoding 3 Optimal Path Planning Encoding CNF SAT Formula SAT Solver Latin Square Problem Traveling Salesmen Probelm Encoding n Moonzoo Kim, CS402, Spring 2013

8 Operational Semantics of Software A system execution is a sequence of s s 0 s 1 s 0 s 1 x:0,y:0 x:0,y:1 A has an environment s :Var-> Val s 2 x:1,y:2 s 11 x:5,y:1 A system has its semantics as a set of system executions s 3 s 4 x:1,y:3 x:2,y:4 s 12 s 13 x:5,y:2 x:5,y:3 s 21 x:7,y:3 s 14 x:5,y:4 s 22 x:7,y:4 3 Moonzoo Kim, CS402, Spring 2013

9 What is Model Checking? [Clarke & Emerson 1981]: Model checking is an automated technique that, given a finite- model of a system and a logical property, systematically checks whether this property holds for (a given initial in) that model. Model checking tools automatically verify whether M = φ holds, where M is a (finite-) model of a system and property φ is d in some formal notation. Problem: space explosion! SPIN [Holzmann 1991] is one of the most powerful model checkers. Based on [Vardi & Wolper 1986]. Although finite-, the model of a system typically grows exponentially. Thursday 11-Apr-2002 Theo C. Ruys - SPIN Beginners' Tutorial 5 Theo C. Ruys (

10 Pros and Cons of Model Checking Pros Fully automated and provide complete coverage Concrete counter examples Full control over every detail of system behavior Highly effective for analyzing embedded software multi-threaded systems Cons State explosion problem An abstracted model may not fully reflect a real system Needs to use a specialized modeling language Modeling languages are similar to programming languages, but simpler and clearer 5

11 Example of Model Checking thread A() { unsigned char x; again: x++; goto again; x:0 x:1 x:2 x:255 thread A() { unsigned char x; again: x++; goto again; x:0,y:0 x:1,y:0 x:0,y:1 x:1,y:1 x:0,y:255 x:1,y:255 thread B() { unsigned char y; again: y++; goto again; x:2,y:0 x:255,y:0 x:2,y:1 x:2,y:255 x:255,y:255 4

12 But wait what? CS402 dealt with greek alphabets, not C code. How do we reason about arbitrary programming languages using what we have learnt so far? My answer: but you also did not expect to solve Nonogram in CS402 - that has nothing to do with greek alphabets either :)

13 Example. Sort (1/2) Suppose that we have an array of 4 elements each of which is 1 byte long unsigned char a[4]; We wants to verify sort.c works correctly main() { sort(); assert(a[0]<= a[1]<= a[2]<=a[3]); Hash table based explicit model checker (ex. Spin) generates at least 2 32 (= 4x10 9 = 4G) s 4G s x 4 bytes = 16 Gbytes, no way Binary Decision Diagram (BDD) based symbolic model checker (ex. NuSMV) takes 200 MB in 400 sec 8/23

14 Example. Sort (2/2) 1. #include <stdio.h> 2. #define N 5 3. int main(){ 4. int data[n], i, j, tmp; 5. /* Assign random values to the array*/ 6. for (i=0; i<n; i++){ 7. data[i] = nondet_int(); /* It misses the last element, i.e., data[n-1]*/ 10. for (i=0; i<n-1; i++) 11. for (j=i+1; j<n-1; j++) 12. if (data[i] > data[j]){ 13. tmp = data[i]; 14. data[i] = data[j]; 15. data[j] = tmp; /* Check the array is sorted */ 18. for (i=0; i<n-1; i++){ 19. assert(data[i] <= data[i+1]); SAT-based Bounded Model Checker Total CNF clause with 6224 boolean propositional variables Theoretically, choices should be evaluated!!! SAT UNSAT VSIDS Conflicts 73 Decisions 2435 Time(sec) VSIDS Conflicts Decisions Time(sec) /23

15 Overview of SAT-based Bounded Model Checking Requirements Formal Requirement Properties (F W) C Program Abstract Model Requirements Formal Requirement Properties in C (ex. assert( x < a[i]); ) C Program Model Checker Translation to SAT formula Satisfied Not satisfied SAT Solver Okay Counter example Satisfied Okay Not satisfied Counter example 10/23

16 Software Model Checking as a SAT problem (1/4) Control-flow simplification All side effect are removed i++ => i=i+1; Control flow is made explicit continue, break => goto Loop simplification for(;;), do { while() => while() 11/23

17 Software Model Checking as a SAT problem (2/4) Unwinding Loop Original code x=0; while(x < 2){ y=y+x; x++; Unwinding the loop 1 times x=0; if (x < 2) { y=y+x; x++; /* Unwinding assertion */ assert(!(x < 2)) Unwinding the loop 3 times x=0; if (x < 2) { y=y+x; x++; if (x < 2) { y=y+x; x++; if (x < 2) { y=y+x; x++; /*Unwinding assertion*/ assert (! (x < 2)) 12/23

18 Scalability of Path Search Let s consider the following CFG: L1 L2 L3 L4 This is a loop with an if inside. CBMC: Bounded Model Checking for ANSI-C 14

19 Scalability of Path Search Let s consider the following CFG: L1 L2 L3 L4 This is a loop with an if inside. Q: how many paths for n iterations? CBMC: Bounded Model Checking for ANSI-C 14

20 Bounded Model Checking I Bounded Model Checking (BMC) is the most successful formal validation technique in the hardware industry I Advantages: 4 Fully automatic 4 Robust 4 Lots of subtle bugs found I Idea: only look for bugs up to specific depth I Good for many applications, e.g., embedded systems CBMC: Bounded Model Checking for ANSI-C 15

21 Model Checking as a SAT problem (3/4) From C Code to SAT Formula Original code x=x+y; if (x!=1) x=2; else x++; assert(x<=3); Generate constraints Convert to static single assignment (SSA) x 1 =x 0 +y 0 ; if (x 1!=1) x 2 =2; else x 3 =x 1 +1; x 4 =(x 1!=1)?x 2 :x 3 ; assert(x 4 <=3); C x 1 =x 0 +y 0 x 2 =2 x 3 =x 1 +1 (x 1!=1 x 4 =x 2 x 1 =1 x 4 =x 3 ) P x 4 <= 3 Check if C P is satisfiable, if it is then the assertion is violated C P is converted to Boolean logic using a bit vector representation for the integer variables y 0,x 0,x 1,x 2,x 3,x 4 14/23

22 Model Checking as a SAT problem (4/4) Example of arithmetic encoding into pure propositional formula Assume that x,y,z are three bits positive integers represented by propositions x 0 x 1 x 2, y 0 y 1 y 2, z 0 z 1 z 2 C z=x+y (z 0 $(x 0 y 0 ) ( (x 1 Æy 1 ) Ç (((x 1 y 1 )Æ(x 2 Æy 2 ))) Æ (z 1 $(x 1 y 1 ) (x 2 Æy 2 )) Æ (z 2 $(x 2 y 2 )) 15/23 Eventually, everything is Boolean.

23 Classic Model Checking (initial) Design (manual) abstractions Abstract Verification Model Model Checker refinement techniques Implementation Thursday 11-Apr-2002 Theo C. Ruys - SPIN Beginners' Tutorial 7

24 Modern Model Checking Implementation systematic abstraction techniques Verification Model Model Checker Abstraction is the key activity in both approaches. This talk deals with pure SPIN, i.e., the classic model checking approach. To cope with the space explosion. Thursday 11-Apr-2002 Theo C. Ruys - SPIN Beginners' Tutorial 8

25 But that looks extremely painful to do manually every time we want to prove something, doesn t it?

26 SMT: Satisfiability Modulo Theories SMT problem: decision problem for logical formulas with respect to background theories in classical first-order-logic. SMT instance is a predicate logic formula; the aim is to determine whether such a formula is satisfiable. The underlying problem is still one of Boolean Satisfiability problem.

27 SMT: The Eager Approach Immediately encode the first order formulas into Boolean SAT, and invoke SAT solvers. Can rely on advances in Boolean SAT solvers However, loss of high-level semantics means sometimes it struggles with obvious ments, such as x + y = y + x.

28 Enabling Technology: SAT 1,000, ,000 10,000 1, number of variables of a typical, practical SAT instance that can be solved by the best solvers in that decade CBMC: Bounded Model Checking for ANSI-C 9

29 SMT: The Lazy Approach Davis-Putnam-Logemann-Loveland algorithm (DPLL) (1962) is a backtracking-based search algorithm that is used to determine satisfiability of propositional logic formulas in CNF form (i.e. CNF- SAT). Theory solver is concerned with feasibility of conjunctions of theory-specific predicates, infers new facts from known facts, and interacts with the SAT solver with respect to propagation and backtracking.

30 Concolic Testing Suppose we can solve satisfiability problems, extended with theories about integers, lists, arrays, etc. What can we use it for in order to check our programs?

31 void testme(int[] a) { if(a == null) return; if(a.length > 0) { if(a[0] == 42) throw new Exception( bug ); Solve false a==null false true a.length > 0 false true a[0] == 42 Execute true Constraints to Solve Data Observed Path Condition null a==null a!=null a!=null && a.length > 0 a!=null && a.length > 0 && a[0] == 42 { {0 {42 a!=null &&!(a.length > 0) a!=null && a.length > 0 && a[0]!= 42 No more path! ` Negate last condition and choose another path

32 Example typedef struct cell { int v; struct cell *next; cell; int f(int v) { return 2*v + 1; int testme(cell *p, int x) { if (x > 0) if (p!= NULL) if (f(x) == p->v) if (p->next == p) Error(); return 0; Random Test Driver: random memory graph reachable from p random value for x Probability of reaching Error( ) is extremely low 11/42 Example from the slides CUTE: A Concolic Unit Testing Engine for C by K.Sen 2005

33 Concolic Testing typedef struct cell { int v; struct cell *next; cell; concrete Concrete symbolic Symbolic constraints int f(int v) { return 2*v + 1; int testme(cell *p, int x) { if (x > 0) if (p!= NULL) if (f(x) == p->v) if (p->next == p) Error(); return 0; p NULL, x=236 p=p 0, x=x 0 12/42

34 Concolic Testing typedef struct cell { int v; struct cell *next; cell; concrete Concrete symbolic Symbolic constraints int f(int v) { return 2*v + 1; int testme(cell *p, int x) { if (x > 0) if (p!= NULL) if (f(x) == p->v) if (p->next == p) Error(); return 0; p NULL, x=236 p=p 0, x=x 0 13/42

35 Concolic Testing typedef struct cell { int v; struct cell *next; cell; concrete Concrete symbolic Symbolic constraints int f(int v) { return 2*v + 1; int testme(cell *p, int x) { if (x > 0) if (p!= NULL) if (f(x) == p->v) if (p->next == p) Error(); return 0; p NULL, x=236 p=p 0, x=x 0 x 0 >0 14/42

36 Concolic Testing typedef struct cell { int v; struct cell *next; cell; concrete Concrete symbolic Symbolic constraints int f(int v) { return 2*v + 1; int testme(cell *p, int x) { if (x > 0) if (p!= NULL) if (f(x) == p->v) if (p->next == p) Error(); return 0; p NULL, x=236 p=p 0, x=x 0 x 0 >0!(p 0!=NULL) 15/42

37 Concolic Testing typedef struct cell { int v; struct cell *next; cell; int f(int v) { return 2*v + 1; Concrete concrete symbolic solve: x 0 >0 and p 0 NULL Symbolic constraints int testme(cell *p, int x) { if (x > 0) if (p!= NULL) if (f(x) == p->v) if (p->next == p) Error(); return 0; p NULL, x=236 p=p 0, x=x 0 x 0 >0 p 0 =NULL 16/42

38 Concolic Testing typedef struct cell { int v; struct cell *next; cell; int f(int v) { return 2*v + 1; int testme(cell *p, int x) { if (x > 0) if (p!= NULL) if (f(x) == p->v) if (p->next == p) Error(); return 0; p Concrete concrete symbolic solve: x 0 >0 and p 0 NULL x 0 =236, p 0 NULL, x= NULL p=p 0, x=x 0 Symbolic constraints x 0 >0 p 0 =NULL 17/42

39 Concolic Testing typedef struct cell { int v; struct cell *next; cell; concrete Concrete symbolic Symbolic constraints int f(int v) { return 2*v + 1; int testme(cell *p, int x) { if (x > 0) if (p!= NULL) if (f(x) == p->v) if (p->next == p) Error(); return 0; p 634 NULL, x=236 p=p 0, x=x 0, p->v =v 0, p->next=n 0 18/42

40 Concolic Testing typedef struct cell { int v; struct cell *next; cell; concrete Concrete symbolic Symbolic constraints int f(int v) { return 2*v + 1; int testme(cell *p, int x) { if (x > 0) if (p!= NULL) if (f(x) == p->v) if (p->next == p) Error(); return 0; p 634 NULL, x=236 p=p 0, x=x 0, p->v =v 0, p->next=n 0 x 0 >0 19/42

41 Concolic Testing typedef struct cell { int v; struct cell *next; cell; concrete Concrete symbolic Symbolic constraints int f(int v) { return 2*v + 1; int testme(cell *p, int x) { if (x > 0) if (p!= NULL) if (f(x) == p->v) if (p->next == p) Error(); return 0; p 634 NULL, x=236 p=p 0, x=x 0, p->v =v 0, p->next=n 0 x 0 >0 p 0 NULL 20/42

42 Concolic Testing typedef struct cell { int v; struct cell *next; cell; concrete Concrete symbolic Symbolic constraints int f(int v) { return 2*v + 1; int testme(cell *p, int x) { if (x > 0) if (p!= NULL) if (f(x) == p->v) if (p->next == p) Error(); return 0; p 634 NULL, x=236 p=p 0, x=x 0, p->v =v 0, p->next=n 0 x 0 >0 p 0 NULL 2x 0 +1 v 0 21/42

43 Concolic Testing typedef struct cell { int v; struct cell *next; cell; concrete Concrete symbolic Symbolic constraints int f(int v) { return 2*v + 1; int testme(cell *p, int x) { if (x > 0) if (p!= NULL) if (f(x) == p->v) if (p->next == p) Error(); return 0; p 634 NULL, x=236 p=p 0, x=x 0, p->v =v 0, p->next=n 0 x 0 >0 p 0 NULL 2x 0 +1 v 0 22/42

44 Concolic Testing typedef struct cell { int v; struct cell *next; cell; int f(int v) { return 2*v + 1; Concrete concrete symbolic solve: x 0 >0 and p 0 NULL and 2x 0 +1=v 0 Symbolic constraints int testme(cell *p, int x) { if (x > 0) if (p!= NULL) if (f(x) == p->v) if (p->next == p) Error(); return 0; p 634 NULL, x=236 p=p 0, x=x 0, p->v =v 0, p->next=n 0 x 0 >0 p 0 NULL 2x 0 +1 v 0 23/42

45 Concolic Testing typedef struct cell { int v; struct cell *next; cell; int f(int v) { return 2*v + 1; Concrete concrete symbolic solve: x 0 >0 and p 0 NULL and 2x 0 +1=v 0 x 0 =1, p 0 NULL Symbolic constraints int testme(cell *p, int x) { if (x > 0) if (p!= NULL) if (f(x) == p->v) if (p->next == p) Error(); return 0; p NULL, x=236 p=p 0, x=x 0, p->v =v 0, p->next=n 0 x 0 >0 p 0 NULL 2x 0 +1 v 0 24/42

46 Concolic Testing typedef struct cell { int v; struct cell *next; cell; concrete Concrete symbolic Symbolic constraints int f(int v) { return 2*v + 1; int testme(cell *p, int x) { if (x > 0) if (p!= NULL) if (f(x) == p->v) if (p->next == p) Error(); return 0; p 3 NULL, x=1 p=p 0, x=x 0, p->v =v 0, p->next=n 0 25/42

47 Concolic Testing typedef struct cell { int v; struct cell *next; cell; concrete Concrete symbolic Symbolic constraints int f(int v) { return 2*v + 1; int testme(cell *p, int x) { if (x > 0) if (p!= NULL) if (f(x) == p->v) if (p->next == p) Error(); return 0; p 3 NULL, x=1 p=p 0, x=x 0, p->v =v 0, p->next=n 0 x 0 >0 26/42

48 Concolic Testing typedef struct cell { int v; struct cell *next; cell; concrete Concrete symbolic Symbolic constraints int f(int v) { return 2*v + 1; int testme(cell *p, int x) { if (x > 0) if (p!= NULL) if (f(x) == p->v) if (p->next == p) Error(); return 0; p 3 NULL, x=1 p=p 0, x=x 0, p->v =v 0, p->next=n 0 x 0 >0 p 0 NULL 27/42

49 Concolic Testing typedef struct cell { int v; struct cell *next; cell; concrete Concrete symbolic Symbolic constraints int f(int v) { return 2*v + 1; int testme(cell *p, int x) { if (x > 0) if (p!= NULL) if (f(x) == p->v) if (p->next == p) Error(); return 0; p 3 NULL, x=1 p=p 0, x=x 0, p->v =v 0, p->next=n 0 x 0 >0 p 0 NULL 2x 0 +1=v 0 28/42

50 Concolic Testing typedef struct cell { int v; struct cell *next; cell; concrete Concrete symbolic Symbolic constraints int f(int v) { return 2*v + 1; int testme(cell *p, int x) { if (x > 0) if (p!= NULL) if (f(x) == p->v) if (p->next == p) Error(); return 0; p 3 NULL, x=1 p=p 0, x=x 0, p->v =v 0, p->next=n 0 x 0 >0 p 0 NULL 2x 0 +1=v 0 n 0 p 0 29/42

51 Concolic Testing typedef struct cell { int v; struct cell *next; cell; concrete Concrete symbolic Symbolic constraints int f(int v) { return 2*v + 1; int testme(cell *p, int x) { if (x > 0) if (p!= NULL) if (f(x) == p->v) if (p->next == p) Error(); return 0; p 3 NULL, x=1 p=p 0, x=x 0, p->v =v 0, p->next=n 0 x 0 >0 p 0 NULL 2x 0 +1=v 0 n 0 p 0 30/42

52 Concolic Testing typedef struct cell { int v; struct cell *next; cell; int f(int v) { return 2*v + 1; concrete Concrete symbolic solve: x 0 >0 and p 0 NULL and 2x 0 +1=v 0 and n 0 =p 0 Symbolic constraints int testme(cell *p, int x) { if (x > 0) if (p!= NULL) if (f(x) == p->v) if (p->next == p) Error(); return 0; p 3 NULL, x=1 p=p 0, x=x 0, p->v =v 0, p->next=n 0 x 0 >0 p 0 NULL 2x 0 +1=v 0 n 0 p 0 31/42

53 Concolic Testing typedef struct cell { int v; struct cell *next; cell; int f(int v) { return 2*v + 1; concrete Concrete symbolic solve: x 0 >0 and p 0 NULL and 2x 0 +1=v 0 and n 0 =p 0 Symbolic constraints int testme(cell *p, int x) { if (x > 0) if (p!= NULL) if (f(x) == p->v) if (p->next == p) Error(); return 0; x 0 =1, p 0 p NULL 3, x=1 3 p=p 0, x=x 0, p->v =v 0, p->next=n 0 x 0 >0 p 0 NULL 2x 0 +1=v 0 n 0 p 0 32/42

54 Concolic Testing typedef struct cell { int v; struct cell *next; cell; concrete Concrete symbolic Symbolic constraints int f(int v) { return 2*v + 1; int testme(cell *p, int x) { if (x > 0) if (p!= NULL) if (f(x) == p->v) if (p->next == p) Error(); return 0; p 3, x=1 p=p 0, x=x 0, p->v =v 0, p->next=n 0 33/42

55 Concolic Testing typedef struct cell { int v; struct cell *next; cell; concrete Concrete symbolic Symbolic constraints int f(int v) { return 2*v + 1; int testme(cell *p, int x) { if (x > 0) if (p!= NULL) if (f(x) == p->v) if (p->next == p) Error(); return 0; p 3, x=1 p=p 0, x=x 0, p->v =v 0, p->next=n 0 x 0 >0 34/42

56 Concolic Testing typedef struct cell { int v; struct cell *next; cell; concrete Concrete symbolic Symbolic constraints int f(int v) { return 2*v + 1; int testme(cell *p, int x) { if (x > 0) if (p!= NULL) if (f(x) == p->v) if (p->next == p) Error(); return 0; p 3, x=1 p=p 0, x=x 0, p->v =v 0, p->next=n 0 x 0 >0 p 0 NULL 35/42

57 Concolic Testing typedef struct cell { int v; struct cell *next; cell; concrete Concrete symbolic Symbolic constraints int f(int v) { return 2*v + 1; int testme(cell *p, int x) { if (x > 0) if (p!= NULL) if (f(x) == p->v) if (p->next == p) Error(); return 0; p 3, x=1 p=p 0, x=x 0, p->v =v 0, p->next=n 0 x 0 >0 p 0 NULL 2x 0 +1=v 0 36/42

58 Concolic Testing typedef struct cell { int v; struct cell *next; cell; concrete Concrete symbolic Symbolic constraints int f(int v) { return 2*v + 1; int testme(cell *p, int x) { if (x > 0) if (p!= NULL) if (f(x) == p->v) if (p->next == p) Error(); return 0; p 3 Error() reached, x=1 p=p 0, x=x 0, p->v =v 0, p->next=n 0 x 0 >0 p 0 NULL 2x 0 +1=v 0 n 0 =p 0 37/42

59 Limitations Unlike model checking, we operate directly on top of program source code: no abstraction. There may exist formulas that SMT solvers cannot handle: for example, if( sin(x) + cos(x) == 0.3) { error(); Some limitations on complex pointer and array operations. What if the aim of testing is not about logical correctness, such as execution time or memory usage?

60 Relative Strength Model checking: specify a property that needs to be checked, prove that either it is not violated, or there exists a counterexample Concolic testing: IF there is an explicit condition that you can check (e.g. assertions or exeptions), can try to reach them. Otherwise, produces a test input.

61

62 Teacher: add all numbers from 1 to 100! Young Gauss: = = 101 * 50 = 5050 Metaheuristic: Is it 1000? Teacher: No. Metaheuristic: Is it 1001? Teacher: No.. (after a while) Metaheuristic: Is it 5050? Teacher: Yes!

63 Metaheuristic Essentially smart trial and error Tries a solution Get feedback on how good it was Move the solution towards a better direction Repeat until problem is solved

64 Test Data Generation Fitness function (for branch coverage) = [approximation level] + normalise([branch distance]) path We want to execute a specific branch, but the current input value does not follow the required path. Then: Approximation Level = 2 Approximation level: number of nesting levels between current path and our target branch Branch Distance? Branch distance: distance in the current predicate between desired and current status

65 Branch Distance Wait, predicates are Boolean. What do you mean, distance? To satisfy x == y, convert it to b = x - y and minimise b: when it becomes 0, x becomes equal to y. To satisfy y >= x, convert it to b = x - y + K and minimise b: when it becomes 0, y is greater than x by K. Normalise: b norm = ^(-b)

66 Branch Distance Predicate f minimise until.. a > b b - a + K f < 0 a >= b b - a + K f <= 0 a < b a - b + K f < 0 a <= b a - b + K f <= 0 a == b a - b f == 0 a!= b - a - b f < 0 B. Korel, Automated software test data generation, IEEE Trans. Softw. Eng., vol. 16, pp , August 1990.

67 Fitness Function (11, 2, 1) app. lvl = 2 b. dist = 4 - c +1 f = 2 + ( ^-4) = False (11, 2, 11) app. lvl = 1 b. dist = c f = 1 + ( ^-2) = if(c >= 4) False True if(c <= 10) (11, 2, 9) app. lvl =0 b. dist = 11-2 f = 0 + ( ^-9) = False True if(a == b) app. lvl =0 b. dist = 2-2 f = 0 + ( ^0) = 0 True (2, 2, 9) target Test input (a, b, c), K = 1

68 Metaheuristics and Learning We arrive at the conclusion (i.e. qualifying test data) by observing individual instances (roughly speaking, individual assignments). This is, in a way, opposite to model checking. Advances in computational power empowers both verification and validation. More about metaheuristic and learning in CS492 in Autumn 2016 (Search-Based Software Engineering)