Verification and Validation

Similar documents
Ian Sommerville 2006 Software Engineering, 8th edition. Chapter 22 Slide 1

Objectives. Chapter 19. Verification vs. validation. Topics covered. Static and dynamic verification. The V&V process

Verification and Validation

ΗΜΥ 317 Τεχνολογία Υπολογισμού

Ingegneria del Software II academic year: Course Web-site: [

Part 5. Verification and Validation

Static and dynamic Testing

Verification and Validation

Verification and Validation

Verification Using Static Analysis

Verification and Validation. Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 22 Slide 1

Verification and Validation. Assuring that a software system meets a user s needs. Verification vs Validation. The V & V Process

Verification and Validation. Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 22 Slide 1

Lecture 9. Verification and Validation. Assuring that a software system meets a user's needs. Tutorial Questions. Verification and Validation

Learning outcomes. Systems Engineering. Debugging Process. Debugging Process. Review

Software Testing. Software Testing

CS314 Software Engineering Peer Reviews

Verification and Validation

EXAMINING THE CODE. 1. Examining the Design and Code 2. Formal Review: 3. Coding Standards and Guidelines: 4. Generic Code Review Checklist:

Lecture 15 Software Testing

Examining the Code. [Reading assignment: Chapter 6, pp ]

Static Analysis in C/C++ code with Polyspace

Verification, Testing, and Bugs

Chapter 8 Software Testing. Chapter 8 Software testing

Three General Principles of QA. COMP 4004 Fall Notes Adapted from Dr. A. Williams

Static Analysis of C++ Projects with CodeSonar

Oracle Developer Studio Code Analyzer

Chapter 11, Testing. Using UML, Patterns, and Java. Object-Oriented Software Engineering

Using Static Code Analysis to Find Bugs Before They Become Failures

Topic: Software Verification, Validation and Testing Software Engineering. Faculty of Computing Universiti Teknologi Malaysia

Object-Oriented and Classical Software Engineering

Object-Oriented and Classical Software Engineering

Techniques for the unambiguous specification of software

Chapter 8. Achmad Benny Mutiara

Motivation was to facilitate development of systems software, especially OS development.

1 Visible deviation from the specification or expected behavior for end-user is called: a) an error b) a fault c) a failure d) a defect e) a mistake

Software Design Models, Tools & Processes. Lecture 6: Transition Phase Cecilia Mascolo

SOFTWARE ENGINEERING SOFTWARE VERIFICATION AND VALIDATION. Saulius Ragaišis.

Terminology. There are many different types of errors and different ways how we can deal with them.

Static Program Analysis Part 1 the TIP language

TESTING. Overview Slide 6.2. Testing (contd) Slide 6.4. Testing Slide 6.3. Quality issues Non-execution-based testing

By V-cubed Solutions, Inc. Page1. All rights reserved by V-cubed Solutions, Inc.

Static Analysis methods and tools An industrial study. Pär Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU

MC: Meta-level Compilation

Information Flow Analysis and Type Systems for Secure C Language (VITC Project) Jun FURUSE. The University of Tokyo

Language Translation. Compilation vs. interpretation. Compilation diagram. Step 1: compile. Step 2: run. compiler. Compiled program. program.

Principles of Software Construction: Objects, Design, and Concurrency (Part 2: Designing (Sub )Systems)

Chapter 8 Software Testing

Variables and literals

Topics in Software Testing

WHITE PAPER. 10 Reasons to Use Static Analysis for Embedded Software Development

Testing! Prof. Leon Osterweil! CS 520/620! Spring 2013!

Agenda. Peer Instruction Question 1. Peer Instruction Answer 1. Peer Instruction Question 2 6/22/2011

Testing, code coverage and static analysis. COSC345 Software Engineering

Motivation was to facilitate development of systems software, especially OS development.

Verification and Test with Model-Based Design

Testing. Prof. Clarkson Fall Today s music: Wrecking Ball by Miley Cyrus

All the subjective part of 2011 papers solved complete reference numbers

Chapter 8 Software Testing. Chapter 8 So-ware tes0ng

Chapter 2 Basic Elements of C++

MTAT : Software Testing

CS 2505 Computer Organization I Test 1. Do not start the test until instructed to do so!

Laboratory Assignment #4 Debugging in Eclipse CDT 1

Verification by Static Analysis

Lecture 3 Notes Arrays

Lecture Notes on Arrays

Verification & Validation of Open Source

High Performance Computing MPI and C-Language Seminars 2009

Testing. ECE/CS 5780/6780: Embedded System Design. Why is testing so hard? Why do testing?

In this Lecture you will Learn: Testing in Software Development Process. What is Software Testing. Static Testing vs.

CERT C++ COMPLIANCE ENFORCEMENT

Chapter 10. Testing and Quality Assurance

CSCI0330 Intro Computer Systems Doeppner. Lab 02 - Tools Lab. Due: Sunday, September 23, 2018 at 6:00 PM. 1 Introduction 0.

Program Correctness and Efficiency. Chapter 2

Leveraging Formal Methods Based Software Verification to Prove Code Quality & Achieve MISRA compliance

Software Engineering (CSC 4350/6350) Rao Casturi

CS 424 Software Quality Assurance & Testing LECTURE 3 BASIC CONCEPTS OF SOFTWARE TESTING - I

Programming Languages Third Edition. Chapter 7 Basic Semantics

C How to Program, 6/e by Pearson Education, Inc. All Rights Reserved.

Undefined Behaviour in C

A Practical Approach to Programming With Assertions

Memory Analysis tools

Hacking in C. Pointers. Radboud University, Nijmegen, The Netherlands. Spring 2019

Verification and Validation. Verification and validation

In Java we have the keyword null, which is the value of an uninitialized reference type

CS61C : Machine Structures

Review! * follows a pointer to its value! & gets the address of a variable! Pearce, Summer 2010 UCB! ! int x = 1000; Pearce, Summer 2010 UCB!

Principle of Complier Design Prof. Y. N. Srikant Department of Computer Science and Automation Indian Institute of Science, Bangalore

Simple Overflow. #include <stdio.h> int main(void){ unsigned int num = 0xffffffff;

State-Based Testing Part B Error Identification. Generating test cases for complex behaviour

Page 1. Stuff. Last Time. Today. Safety-Critical Systems MISRA-C. Terminology. Interrupts Inline assembly Intrinsics

C Program Development and Debugging under Unix SEEM 3460

EL2310 Scientific Programming

Lecture 4 September Required reading materials for this class

Darshan Institute of Engineering & Technology for Diploma Studies

CS 6371: Advanced Programming Languages

Computer Science and Software Engineering University of Wisconsin - Platteville 9-Software Testing, Verification and Validation

Who are we? Andre Platzer Out of town the first week GHC TAs Alex Crichton, senior in CS and ECE Ian Gillis, senior in CS

Static Analysis Techniques

Inspection Overview Massood Towhidnejad Computer & Software Engineering Dept. Embry-Riddle University

Transcription:

Verification and Validation Minsoo Ryu Hanyang University

Topics Covered 1. Verification and Validation 2. Software Inspections 3. Automated Static Analysis 4. Verification and Formal Methods 2 2

1. Verification vs. Validation (Boehm) Verification "Are we building the product right The software should conform to its specification Validation "Are we building the right product. The software should do what the user really requires Validation is a more general process and goes beyond the verification 3 3

V & V goals Verification and validation should establish confidence that the software is fit for purpose This does NOT mean completely free of defects Rather, it must be good enough for its intended use and the type of use will determine the degree of confidence that is needed 4 4

Two Complementary Approaches in V & V Software inspections Analyze and check work products such as the requirements document, design diagrams, and the program source code Concerned with analysis of the static system representation to discover problems (static verification) Software testing Run an implementation of the software with test data Concerned with exercising and observing product behaviour (dynamic verification) 5 5

Topics Covered 1. Verification and Validation 2. Software Inspections 3. Automated Static Analysis 4. Verification and Formal Methods 6 6

2. Software inspections Software inspections generally focus on source code The purpose is to find errors, omissions, and anomalies Three major advantages over testing During testing, errors can mask (hide) other errors Incomplete versions of a system can be inspected without additional cost As well as searching for program defects, an inspection can also consider broader quality attributes of a program such as compliance with standards, portability, and maintainability 7 7

Success of Inspections Fagan (1986) reported that more than 60% of the errors in a program can be detected using informal program inspections Mills et al. (1987) suggest that a more formal approach to inspection can detect more than 90% of the errors in a program Selby and Basili (1987) empirically compared the effectiveness of inspections and testing They found that static code reviewing was more effective and less expensive than defect testing in discovering program faults 8 8

Failure of Inspections It has proven to be difficult to introduce formal inspections into many software development organizations Software engineers with program testing experience are sometimes reluctant to accept that inspections can be more effective for defect detection than testing Managers may be suspicious because inspections require additional costs during design and development It is difficult to convince a hard-pressed manager that this time can be made up later because less time will be spent on program debugging 9 9

The Program Inspection Process The notion of a formalized inspection process was first developed at IBM in the 1970s (Fagan) Four roles: author, reader, tester, and moderator The reader reads the code aloud to the inspection team, the tester inspects the code from the testing perspective, and the moderator organizes the process A number of alternative approaches (Gilb and Graham, 1993) have been developed These are all based on a team with members from different backgrounds making a careful, line-by-line review of the program source code 10 10

The Program Inspection Process Grady and Van Slack (1994) suggested six roles They do not think that reading the program aloud is necessary The same person can take more than one role 11 11

Inspection roles Author or owner Inspector Reader Scribe Chairman or moderator Chief moderator The programmer or designer responsible for producing the program or document. Responsible for fixing defects discovered during the inspection process. Finds errors, omissions and inconsistencies in programs and documents. May also identify broader issues that are outside the scope of the inspection team. Presents the code or document at an inspection meeting. Records the results of the inspection meeting. Manages the process and facilitates the inspection. Reports process results to the Chief moderator. Responsible for inspection process improvements, checklist updating, standards development etc. 12 12

Inspection Pre-conditions A precise specification must be available Team members must be familiar with the organisation standards Syntactically correct (compilable) code or other system representations must be available 13 13

The Inspection Process (by Michael Fagan in the mid-1970s) 14 14

Planning The Inspection Process The moderator selects an inspection team, organizing a meeting room, and ensure that the material to be inspected and its specifications are complete Overview The program to be inspected is presented to the inspection team The author describes what the program is intended to do Individual preparation Each inspection team member studies the specification and the program and looks for defects in the code 15 15

Inspection meeting The Inspection Process Focus on defect detection, standards conformance, and poor quality programming Suggest how these defects should be corrected This meeting should be fairly short (no more than two hours) Rework The program s author should make changes to correct the identified problems Follow-up The moderator should decide whether a reinspection is required and that defects have been successfully fixed The program is then approved by the moderator for release 16 16

Inspection Checklists During an inspection, a checklist of common programmer errors is often used to focus the discussion The checklist varies according to programming language Glib and Graham emphasize that each organization should develop its own inspection checklist based on local standards and practices 17 17

Inspection Checks 1 Data faults Control faults Input/output faults Are all program variables initialised before their values are used? Have all constants been named? Should the upper bound of arrays be equal to the size of the array or Size -1? If character strings are used, is a de limiter explicitly assigned? Is there any possibility of buffer overflow? For each conditional statement, is the condition correct? Is each loop certain to terminate? Are compound statements correctly bracketed? In case statements, are all possible cases accounted for? If a break is required after each case in case statements, has it been included? Are all input variables used? Are all output variables assigned a value before they are output? Can unexpected inputs cause corruption? 18 18

Inspection Checks 2 Interface faults Storage management faults Exception management faults Do all function and method calls have the correct number of parameters? Do formal and actual parameter types match? Are the parameters in the right order? If components access shared memory, do they have the same model of the shared memory structure? If a linked structure is modified, have all links been correctly reassigned? If dynamic storage is used, has space been allocated correctly? Is space explicitly de-allocated after it is no longer required? Have all possible error conditions been taken into account? 19 19

Inspection time Inspection Rates 500 statements/hour during overview 125 source statement/hour during individual preparation 90-125 statements/hour can be inspected Inspection is therefore an expensive process The cost of inspecting 100 lines of code is roughly equivalent to one person-day effort However, the effort required for the program inspection is probably less than half the effort that would be required for equivalent defect testing 20 20

Lightweight Code Review Over-the-Shoulder: The reviewer physically looks over the author's shoulder and is walked through the code Pros: Easy to implement, no tools required Cons: Interrupts reviewers, hard to know which code is reviewed, impossible to measure Email Pass-Around: Code differences are emailed automatically by the version control system. Reviewers respond to changes when they have time Pros: Easy to set up, nothing to purchase, works remotely Cons: No tracking -- don't know if found defects were fixed, often reviews never happen because everyone assumes someone else looked at it, no metrics; reviews "fizzle out instead of finishing. Hard to follow conversations as emails get replied to and forwarded among several people 21 21

Lightweight Code Review Tool-Based Review: Use a development tool specifically designed to assist in code review. A variety of open-source and commercial tools exist Pros: Removes most of the busywork associated with filecollection, discussion/defect management, and metrics/reporting. Tracks reviews and defects. Cons: Have to learn and integrate another tool, can cost money. Pair-Programming: Two developers at the same keyboard and monitor working on the code together Pros: Deep level of review; teams know review is happening but it's difficult to track. Cons: Large time investment, some developers dislike it. Requires coordinating with someone else's schedule. 22 22

Social Aspects of Code Review The Ego Effect Personal Growth Negative Emotions 23 23

The Ego Effect Peer review invokes the ego Jerry always forgets to check for NULL. Immediate improvement in code quality Senior developers stop being lazy Still works with 33% review coverage 24 24

Personal Growth if ( integrate.equals( s ) ) Surprising Effects Learning not related to the goal of the review Reviewer learns too Fun! 25 25

The Big Brother Effect Negative Emotions Hurt feelings 26 26

Topics Covered 1. Verification and Validation 2. Software Inspections 3. Automated Static Analysis 4. Verification and Formal Methods 27 27

3. Automated Static Analysis Static analyzers are software tools for source text processing They parse the program text and try to discover potentially erroneous conditions and bring these to the attention of the V & V team They are very effective as an aid to inspections - they are a supplement to but not a replacement for inspections 28 28

Static Analysis Checks Fault class Data faults Control faults Input/output faults Interface faults Storage management faults Static analysis check Variables used before initialisation Variables declared but never used Variables assigned twice but never used between assignments Possible array bound violations Undeclared variables Unreachable code Unconditional branches into loops Variables output twice with no intervening assignment Parameter type mismatches Parameter number mismatches Non-usage of the results of functions Uncalled functions and procedures Unassigned pointers Pointer arithmetic 29 29

Stages of Static Analysis Control flow analysis Checks for loops with multiple exit or entry points, finds unreachable code, etc. Data use analysis Detects uninitialized variables, variables written twice without an intervening assignment, variables which are declared but never used, etc. Interface analysis Checks the consistency of routine and procedure declarations and their use 30 30

Stages of Static Analysis Information flow analysis Identifies the dependencies of output variables Does not detect anomalies itself but highlights information for code inspection or review Path analysis Identifies paths through the program and sets out the statements executed in that path Again, potentially useful in the review process Both these stages generate vast amounts of information They must be used with care 31 31

Static Analyzers for C Static analyzers are particularly valuable when C is used C does not have strict type rules and error-prone features such as pointers C, C++, and Java are weakly typed language since they provide a number of ways to get around the type system such as casts and implicit conversion But Java has removed some error-prone features All variables must be initialized No goto statements, so unreachable code is less likely to be created Storage management is automatic 32 32

Static Analyzers for C Coverity (originated from Stanford Checker) Uses model checking to verify source correctness Its most notable use was under a Department of Homeland Security contract, in which it was used to examine 32 Free and open source applications for bugs (many of which have since been fixed) http://www.coverity.com CCured (UC Berkeley) Is a source-to-source translator for C It analyzes the C program to determine the smallest number of runtime checks that must be inserted in the program to prevent all memory safety violations The resulting program is memory safe, meaning that it will stop rather than overrun a buffer or scribble over memory that it shouldn't touch http://manju.cs.berkeley.edu/ccured/ 33 33

Introspector (GCC) Static Analyzers for C Is a software tool to explore the structure of programs that can be compiled with the GNU Compiler Collection The project was started in early 2002, and made a release in November 2003 It has been restarted in November 2004 and is gaining new form Others HP Code Advisor MS Visual Studio (VS2005) 34 34

Lint Lint was the original name given to a particular tool that flagged suspicious and non-portable constructs (i.e., likely to be bugs) in C language source code The term is now applied generically to tools that flag suspicious usage in software written in any computer language The term lint-like behavior is sometimes applied to the process of flagging suspicious language usage Lint-like tools generally perform static analysis of source code Lint first appeared (outside of Bell Labs) in the seventh version (V7) of the UNIX operating system in 1979 It was a part of PCC, the Portable C Compiler, which was a second compiler included with that system (aside from the principal PDP-11 compiler) 35 35

Lint Static Analysis 138% more lint_ex.c #include <stdio.h> printarray (Anarray) int Anarray; { printf( %d?anarray); } main () { int Anarray[5]; int i; char c; printarray (Anarray, i, c); printarray (Anarray) ; } 139% cc lint_ex.c 140% lint lint_ex.c lint_ex.c(10): warning: c may be used before set lint_ex.c(10): warning: i may be used before set printarray: variable # of args. lint_ex.c(4) :: lint_ex.c(10) printarray, arg. 1 used inconsistently lint_ex.c(4) :: lint_ex.c(10) printarray, arg. 1 used inconsistently lint_ex.c(4) :: lint_ex.c(11) printf returns value which is always ignored 36 36

Topics Covered 1. Verification and Validation 2. Software Inspections 3. Automated Static Analysis 4. Verification and Formal Methods 37 37

4. Verification and Formal Methods Formal methods are based on mathematical representations of the software, usually a formal specification Formal methods are mainly concerned with mathematical analysis of the specification They transform the specification to a more detailed, semantically equivalent representation and/or formally verify that one representation of the system is semantically equivalent to another representation They are the ultimate static verification technique 38 38

Cost of Formal Methods Verifying a nontrivial software takes a great deal of time and requires specialized tools such as theorem provers and mathematical expertise It is therefore an extremely expensive process and, as the system size increases, the costs of formal verification increase disproportionately Many people think that formal verification is not costeffective The same level of confidence can be achieved more cheaply by using other validation techniques such as inspection and system testing 39 39

Reliability and Formal Methods It is sometimes claimed that the use of formal methods for system development leads to more reliable and safer systems However, formal specification and proof do not guarantee that the software will be reliable in practical use The specification may not reflect the real requirements of system users The proof may contain errors The proof may assume a usage pattern which is incorrect 40 40

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback