Theory and Practice of Co-verification Process: UniTesK Story

About This Presentation

Title:

Theory and Practice of Co-verification Process: UniTesK Story

Description:

... UniTesK tools J_at_T test system runtime support Components of J_at_va translator CTesK abstract types library Lanit-Tercom IPv6 implementation DSP software ... – PowerPoint PPT presentation

Number of Views:98

Avg rating:3.0/5.0

Slides: 99

Provided by: Vict59

Category:

more less

Transcript and Presenter's Notes

Title: Theory and Practice of Co-verification Process: UniTesK Story

1
Theory and Practice ofCo-verification Process
UniTesK Story

RedVerst group of ISP RAS
Alexander K. Petrenko
Victor V. Kuliamin
http//www.ispras.ru

2
Overview

Introduction Why co-verification?
Main part What is UniTesK?Solving Engineering
Problems
Case studies

3
What these numbers mean?
9 1
180 ?109 21 ?109
total revenue of US software development companies loss caused by inadequate testing infrastructure for US economy1

The Economic Impacts of Inadequate Infrastructure
for Software Testing,
NIST Report, May 2002

4
Waterflow Process Model
Requirements
Design
Implementation
Testing
Deployment
5
Iterative Process Model
Requirements
Design
Implementation
Testing
Deployment
6
Agile Development Methods Expansion
Percent of organizations using modern development
methods
According to The Decision is in Agile versus
Heavy Methodologies by Robert Charette, Cutter
IT Journal, vol. 2, No. 19, 2002 http//www.cutter
.com/freestuff/apmupdate.html
7
Agile Development Methods Expansion
Percent of organizations recognizing more than
50 of projects as agile
According to The Decision is in Agile versus
Heavy Methodologies by Robert Charette, Cutter
IT Journal, vol. 2, No. 19, 2002 http//www.cutter
.com/freestuff/apmupdate.html
8
Inadequate Quality of Software
Loss Potential Cost Reduction Total Sales
Software Vendors 21.2?109 10.6?109 180?109
Software Users 38.3?109 11.7?109
Total 59.5?109 22.2?109
The Economic Impacts of Inadequate Infrastructure
for Software Testing, NIST Report, May 2002
9
Evolution of Testing

Localization of errors
Demonstration of errors
Testing is the process of executing a program or
system with the intent of finding errors Myers,
1979
The purpose of testing is to show that a program
has bugs Hetzel, 1988
Evaluation of quality
Testing is the process of operating a system or
component under specified conditions, observing
or recording the results, and making an
evaluation of some aspect of the system or
component IEEE 90

10
Co-verification

Verification confirms that activity products
properly reflect the requirements specified for
them at the beginning of the activity.
Co-verification process
Perform verification of activity before
proceeding to the dependent activities
Prepare all the artifacts needed for verification
concurrently with main activity products

11
Co-verification Development Process
Business Modeling
Deployment
Requirements
Integration
Architecture Design
Implementation
Component Design
12
Main Part Overview

Traditional approaches to verification
UniTesK approach
Example

13
Traditional Software Development Process
Design and development Verification

Requirements Analysis
Design
Implementation-debugging

Requirements Elicitation
Test Case Design
Test Implementation
Test Execution
Test Result Analysis

14
Co-verification Process
Design and development Verification

Requirements Analysis
Design
Implementation-debugging

Requirements Elicitation
Test Case Design
Test Implementation
Test Execution
Test Result Analysis

15
UniTesK Approach
UniTesK
Tools
.N_at_T
J_at_T
CTesK
VDMTesK
Uniform Test Architecture
Uniform Specification Extension
Integration with Development Environments
Foundations
Model Based Testing
16
Requirements Formalization
Requirements
Requirements
Formal Specifications
17
Co-verification Support
Formal Specifications
Requirements
Ambiguity? Incompleteness?
Inconsistency?
18
Engineering Problems (1)

Specification technique should support
Easy transformation of requirements into
specifications
Easy automation of further test development
Functional test coverage definition
High reusability of specifications
Specification notation should not require special
education and skills

19
Specification Techniques

ExecutableImperative state based specifications
ConstraintsState based data type constraints,
pre- and postconditions, internal invariants
AxiomaticAction based axioms

20
Executable Specifications

Are very close to some implementation
Are easy to use in the industry
Can be transformed into prototypes
Are not close to requirements( v e½ln
lim(xn1 ½(xn x/xn)) )
Unsuitable for test coverage measurement
Can cause problems with conformance checkingHow
to compare the results?
Are highly reusable as executable code
But are low reusable as criteria of correctness

21
Constraint Specifications

Have the structure similar with implementation
Are easy to use in the industry
But have different form
Are close to requirements in most cases
Are easy to construct from requirements
Suitable for test coverage measurement
Counterexample memory management subsystem
Can be directly used in conformance checking
Special constructs enabling reuse can be added

22
Axiomatic Specifications

Are far from common implementations and have
greatly different structure
Can hardly be introduced in the industry
Are usually far from requirements
Are hard to develop in real-life projects
Can hardly be used for coverage measurement
But sometimes are the only appropriate form
Can be used for conformance checking
But provide poor error localization
Reusability is a problem

23
Comparison of Specification Techniques
24
Specification Notation

Specification language
Suitable for capture abstract properties
Has formal semantics
Requires complex mediator layer for
implementation
Requires special education, mastering is enduring
Extension of programming language
Abstract concepts can be added by libraries
Ambiguous parts of language can be excluded
Complex mediators are not required
Mastering can be made more effective
Facilitates co-verification process

25
UniTesK Specification Technique

Constraint Specifications
Preconditions and postconditions of operations
Data type constraints
Functional coverage description based on
specification structure

UniTesK
.N_at_T
J_at_T
CTesK
VDMTesK
Uniform Test Architecture
Uniform Specification Extension
Integration with Development Environments
Model Based Testing
26
UniTesK Specification Technique

Constraint Specifications
Preconditions and postconditions of operations
Data type constraints

specification Operation() pre block, returning
Boolean value post block, returning Boolean
value use _at_ to refer to pre-value of expressions
invariant Invariant() block, returning Boolean
value
27
Priority Queue Example
0
5
2
enq ()
enq ()
deq ()
enq ()
5
5
4
3
1
1
size ()

void enq (Object obj, int priority)priority ?
Min_Priority, Max_Priority
Object deq ()
int size ()

28
J_at_va Specification Extension of Java

specification package pqueue
public class PQueueSpecification
specification public void enq(Object obj, int
prty)
reads obj, prty
updates items.?, priorities.?
pre return obj ! null
post
int i 0
for(i 0
i lt items.size()
((Integer)priorities.elementAt(i)).i
ntValue() gt prty
i
)
...

UniTesK
.N_at_T
J_at_T
CTesK
VDMTesK
Uniform Test Architecture
Uniform Specification Extension
Integration with Development Environments
Model Based Testing
29
Model State Definition

specification package
public class PQueueSpecification
// List of elements of the queue
public List items new List()
// Accompanying list of their priorities
public IntList priorities new IntList()

30
Data Integrity Constraints Lists are not Null

public class PQueueSpecification
public List items new List()
public IntList priorities new IntList()
invariant ListsAreNotNull()
return items ! null priorities ! null

31
Data Integrity Constraints Lists Sizes are
Equal

public class PQueueSpecification
invariant ListsSizesAreEqual()
return items.size() priorities.size()

32
Data Integrity Constraints Priorities Lie in
the Range

public class PQueueSpecification
public static int Min_Priority
public static int Max_Priority
invariant PrioritiesLieInTheRange()
for(int i 0 i lt priorities.size() i)
if( priorities.get(i) lt Min_Priority
priorities.get(i) gt Max_Priority
)
return false
return true

33
Data Integrity Constraints Priorities do not
Increase

public class PQueueSpecification
invariant PrioritiesDoNotIncrease()
for(int i 1 i lt priorities.size() i)
if( priorities.get(i-1) lt priorities.get(i)
)
return false
return true

34
Operation Specification size() Method

public class PQueueSpecification
specification public int size ()
reads this.?
pre return true
post
return size items.size()

35
Operation Specification enq() Method

public class PQueueSpecification
specification public void enq (Object obj, int
prty)
reads obj, prty
updates this.?
pre
return obj ! null
Min_Priority lt prty
prty lt Max_Priority
post
int i 0
for(i 0
i lt items.size() priorities.get(i)
gt prty
i
)
PQueueSpecification new_state
(PQueueSpecification)_at_clone()

36
Auxiliary Methods

public class PQueueSpecification
public boolean equals (PQueueSpecification
other)
return items.equals(other.items)
priorities.equals(other.priorities)
public Object clone ()
PQueueSpecification result new
PQueueSpecification()
result.items (List)items.clone()
result.priorities (IntList)priorities.clone(
)
return result

37
Operation Specification deq() Method

public class PQueueSpecification
specification public Object deq ()
updates this.?
post
if(items.isEmpty())
return deq null items.isEmpty()
else
PQueueSpecification new_state
(PQueueSpecification)_at_clone()
Object result new_state.items.first()
new_state.items.removeFirst()
new_state.priorities.removeFirst()
return this.equals(new_state) deq
result

38
Coverage Goals Definition
Formal Specifications pre
--------------------------- post
---------------------------
--------------------------------------------------
--------------------------------------
-------- ------------ ----------------------
--------------- ----------------------
------------------------
---------------------------------------------
------------------------------------------------
-- ---- --------------------------
-----------
Requirements
Testable Specifications pre
--------------------------- post
---------------------------
--------------------------------------------------
--------------------------------------
-------- ------------ ----------------------
--------------- -----------------------
-----------------------
----------------------------------------------
-----------------------------------------------
--- ---- ------------------------------
-------
Test Case 1 --------------- --------------- ------
--
1
2
3
39
Co-verification Support
Formal Specifications pre
--------------------------- post
---------------------------
--------------------------------------------------
--------------------------------------
-------- ------------ ----------------------
--------------- ----------------------
------------------------
---------------------------------------------
------------------------------------------------
-- ---- --------------------------
-----------
UniTesK supports this transformation with
techniques and tools
Testable Specifications pre
--------------------------- post
---------------------------
--------------------------------------------------
--------------------------------------
-------- ------------ ----------------------
--------------- -----------------------
-----------------------
----------------------------------------------
-----------------------------------------------
--- ---- ------------------------------
-------
Software -----------------------------------
---------------- ----------------------------
----------------------- ---------------------
------------------------------
--------------------------------------------------
- -------------------------------------------
-------- ------------------------------------
--------------- -----------------------------
---------------------- ----------------------
-----------------------------
--------------------------------------------------
-
40
Engineering Problems (2)

More than one coverage metric is needed
Automatic extraction of coverage goals
Enabling test designer to introduce additional
goals

41
Several Levels of Coverage Metrics
1.2.1 1.2.2
1.1 1.2 1.3
Formal Specifications pre
--------------------------- post
---------------------------
--------------------------------------------------
--------------------------------------
-------- ------------ ----------------------
--------------- -----------------------
-----------------------
----------------------------------------------
-----------------------------------------------
--- ---- ------------------------------
-------
1.3.1 1.3.2 1.3.3
1
2
2.1 2.2
3
3.1.1 3.1.2 3.1.3
3.1 3.2
42
Definition of Coverage Goals Functionality
Branches

Functional coverage description based on
specification structure

post if(a b) ... branch Case 1 ...
else if(!c d) ... branch Case 2 ... else
... branch Case 3 ...
Branches Disjuncts
Case 1 a
Case 1 !a ? b
Case 2 !a ? !b ? !c ? d
Case 3 !a ? !b ? c
Case 3 !a ? !b ? !c ? !d
43
Functionality Branches in size() Method

public class PQueueSpecification
specification public int size ()
reads this.?
post
branch Single branch
return size items.size()

44
Functionality Branches in enq() Method

specification public void enq (Object obj, int
prty)
reads obj, prty
updates this.?
pre return obj ! null
post
int i 0
for(i 0
i lt items.size() priorities.get(i) gt
prty
i
)
branch Single branch
PQueueSpecification new_state
(PQueueSpecification)_at_clone()
new_state.items.add(i, obj)
new_state.priorities.add(i, prty)

45
Functionality Branches in deq() Method

specification public Object deq ()
updates this.?
post
if(items.isEmpty())
branch Empty queue
return deq null items.isEmpty()
else
branch Nonempty queue
PQueueSpecification new_state
(PQueueSpecification)_at_clone()
Object result new_state.items.firstElement
()
new_state.items.removeFirstElement()
new_state.priorities.removeFirstElement()
return this.equals(new_state) deq
result

46
Additional Coverage Goals enq()
1
0
5
2
7
4
5
5
4
3
1
1
1
1
1
1
47
Additional Coverage Goals deq()
5
5
4
3
1
1
5
4
3
1
48
Definition of Coverage Goals Marked Paths
post if(a b c)
branch Case 1 ...
if(a) mark a holds
Branches Marked Paths Disjuncts
Case 1 a holds Case 1 a
Case 1 Case 1 !a ? b
Case 1 Case 1 !a ? !b ? c
49
Marked Paths in enq() Method

post
int i 0
for(i 0
i lt items.size() priorities.get(i) gt
prty
i
)
if( items.isEmpty() )
mark "Insertion in the empty queue"
else if( prty gt priorities.maximum() )
mark "Insertion in the head"
else if( prty priorities.maximum() prty
priorities.minimum() )
mark "Insertion with single existing
priority"
else if( prty priorities.maximum() )
mark "Insertion with maximum priority"
else if( prty lt priorities.minimum() )
mark "Insertion in the tail with new
priority"
else if( prty priorities.minimum() )

50
Marked Paths in deq() Method

post
if(items.isEmpty())
branch Empty queue
...
else
if( items.size() 1 )
mark "Single element in the queue"
else if( !(priorities.maximum()
priorities.get(1)) )
mark "Single element with maximum priority,
several elements in the queue"
else if( priorities.toSet().size() gt 1 )
mark "Several elements with maximum
priority, there are other priorities"
else
mark "Several elements in the queue with
the same priority"
branch Nonempty queue

51
Test Implementation
Testable Specifications pre
--------------------------- post
---------------------------
--------------------------------------------------
--------------------------------------
-------- ------------ ----------------------
--------------- -----------------------
-----------------------
----------------------------------------------
-----------------------------------------------
--- ---- ------------------------------
-------
Test Case 1 --------------- --------------- ------
--
Test Program
Test Scenario
52
Co-verification Support
Formal Specifications pre
--------------------------- post
---------------------------
--------------------------------------------------
--------------------------------------
-------- ------------ ----------------------
--------------- ----------------------
------------------------
---------------------------------------------
------------------------------------------------
-- ---- --------------------------
-----------
Testable Specifications pre
--------------------------- post
---------------------------
--------------------------------------------------
--------------------------------------
-------- ------------ ----------------------
--------------- -----------------------
-----------------------
----------------------------------------------
-----------------------------------------------
--- ---- ------------------------------
-------
UniTesK supports this transformations with
techniques and tools
Software -----------------------------------
---------------- ----------------------------
----------------------- ---------------------
------------------------------
--------------------------------------------------
- -------------------------------------------
-------- ------------------------------------
--------------- -----------------------------
---------------------- ----------------------
-----------------------------
--------------------------------------------------
-
Test Scenario
53
Engineering Problems (3)

Test construction technique should ensure
coverage goals achievement
Enabling test designer to introduce additional
tests
Tests should be decoupled with implementation

54
Overview of UniTesK Approach to Test
Implementation

Test construction technique traversal of FSM
FSM is constructed in so far that its traversal
ensures coverage
FSM represented implicitly as test scenario
Implicit representation saves a lot of work
Test scenarios can be
Generated on the base of templates and
specifications
Developed manually
Developed in mixed way
Mediators are used to decouple test scenarios and
implementation
The same three ways to develop mediators

55
UniTesK Test Architecture

From specification we can generate oracle to
check the conformance of system behaviour
The entire test is constructed as a test sequence
intended to achieve some coverage
Test sequence required is produced on-the-fly
during test execution as a transition tour of FSM
model

UniTesK
.N_at_T
J_at_T
CTesK
VDMTesK
Uniform Test Architecture
Uniform Specification Extension
Integration with Development Environments
Model Based Testing
56
UniTesK Test Architecture
Test sequence construction
Test Engine
Test Action Iterator
Test sequence construction
Oracle
Specification
Target system
57
Test Sequence Construction
Test Engine
Test Action Iterator
58
Engineering Problems FSM Construction (4)

Implicit specifications are hard to resolve
Nondeterminism
Huge numbers of states and transitions

59
Factorization Based on Coverage Goals
Helps to cope with state explosion and
nondeterminism
I. B. Bourdonov, A. S. Kossatchev, V. V.
Kuliamin. Using Finite State Machines in Program
Testing. Programming and Computer Software, Vol.
26, No. 2, 2000, pp. 61-73
60
Implicit State Machine Description
Allows not to resolve implicit constraints Makes
factorization easier
61
State Machine Construction Based on Coverage Goals
operation domain defined by precondition
parameters
2
3
coverage goals
1
states
62
Test Sequence Construction for Implicit FSM
Test Engine
Test Action Iterator
63
Test Scenario
Test sequence construction
Test Engine
Test Action Iterator
Test Scenario
Oracle
Specification
Target system
64
Priority Queue Example enq() Coverage Goals

if( items.isEmpty() )
mark "Insertion in the empty queue"
else if( prty gt priorities.maximum() )
mark "Insertion in the head"
else if( prty priorities.maximum() prty
priorities.minimum() )
mark "Insertion with single existing priority"
else if( prty priorities.maximum() )
mark "Insertion with maximum priority"
else if( prty lt priorities.minimum() )
mark "Insertion in the tail with new priority"
else if( prty priorities.minimum() )
mark "Insertion with minimum priority"
else if( !priorities.contains(prty) )
mark "Insertion in the middle with new
priority"
else
mark "Insertion in the middle with existing
priority"

States
Empty queue
Single priority is used
At least two priorities are used
At least three priorities are used
?
Arguments
At least three different priorities should be
provided
65
Priority Queue Example deq() Coverage Goals

if(items.isEmpty())
branch Empty queue
else
if( items.size() 1 )
mark "Single element in the queue"
else if( !(priorities.maximum()
priorities.get(1)) )
mark "Single element with maximum priority,
several elements in the queue"
else if( priorities.toSet().size() gt 1 )
mark "Several elements with maximum priority,
there are other priorities"
else
mark "Several elements in the queue with the
same priority"

States
Empty queue
Single element in the queue
Single element with maximum priority, several
priorities
Several elements with maximum priority, several
priorities
Several elements with the single used priority
66
Priority Queue Example Analysis of Determinism
0
1
2
deq()
0 Empty queue
1 Single element in the queue
2 Several elements with single used priority
To make the behavior deterministic we should
split this state according to the number of
elements
67
Priority Queue Example Analysis of Determinism

0
1
2
3
deq()
A
0,1,2, Number of elements with maximum
priority
A Single element with maximum priority, several
priorities
To make the behavior deterministic we should
split this state according to the number of
elements with the next priority
And so on, for all priorities (by induction)
68
Priority Queue Example Resulting State

Resulting state S int ? int ismap from
integers to integers, wherekey is priorityvalue
is the number of queue elements having such
priority

69
Reference to Specification Object

scenario public class PQueueTestScenario
// Reference to the object under test
public PQueueSpecification queue

70
State Construction Method

scenario public class PQueueTestScenario
public AbstractGenState getGenState()
IntToIntMapGenState state new
IntToIntMapGenState()
for(int p PQueueSpecification.Min_Priority
p lt queue.priorities.toSet().size()
p
)
int n queue.priorities.numberOf(p)
if( n ! 0 ) state.put(p, n)
return state

71
Definition of Test Actions size() method

scenario public class PQueueTestScenario
scenario public boolean size()
queue.size()
return true

72
Definition of Test Actions enq() method

scenario public class PQueueTestScenario
scenario public boolean enq()
Object arg new Object()
iterate( int priority PQueueSpecification.Mi
n_Priority
priority lt PQueueSpecification.Max_P
riority
priority
queue.priorities.toSet().size()
lt 3
queue.priorities.contains(prior
ity)
queue.priorities.numberOf(prior
ity) lt 2
)
queue.enq(param, priority)
return true

73
Definition of Test Actions deq() method

scenario public class PQueueTestScenario
scenario public boolean deq()
queue.deq()
return true

74
Using Nondeterministic FSMs Bounded Queue
add
Empty
Empty
empty
Single element
Single element
Intermediate
Intermediate
Almost full
Almost full
fill
Full
Full
remove
75
Testing Concurrency

Fair Concurrency Axiom Concurrent execution of
several operations is correct if and only if it
is equivalent to somehow ordered one
So, to test the concurrent execution of calls we
should check that it behaves like some sequence
of the same calls
The system can be modeled as an ordinary FSM
Test engine generates pairs, triples, and so on,
of concurrent actions
System not satisfying Fair Concurrency Axiom
should be modeled as asynchronous FSM

76
Asynchronous FSM

Some transitions are fired by a stimulus
Some transitions are fired along with a reaction
Some transitions are empty, modeling internal
operation

/y
b/
/x
a/
a/
b/
Possible behavior input aba ouput
yyx xxyxyyyx
xyyyxy all possible outputs
xyxyyx, xyxyyxxyyx, xyyxxyyx
/y
/x
77
Co-verification Support Changes
Interface changed
???
Software -----------------------------------
-------- ------------------------------------
------- -------------------------------------
------ --------------------------------------
---
78
Engineering Problems (5)

Tests and implementation should be decoupled
Tests can be reused many times
Easy regression testing
Specification should be as abstract as possible
Specification should be even more reusable than
tests

79
Mediator

Mediator decouples specification and
implementation

Target system
80
Mediator Construction
Test Engine
Test Action Iterator
Test Scenario
Oracle
Specification
Mediator
Mediator in Extended Language
Target system
81
Open State Testing

Mediator constructs new model state only on the
base of new implementation state
Requires Implementation state should be
accessible by public fields or reliable observers
Implies Current model state actually corresponds
to implementation one
Detected failure demonstrates a fault in the last
operation
Transition tour is sufficient to ensure
reliability

Mediator
Target system
call
call
response
get state data
state data
construct new model state
82
Hidden State Testing

Mediator constructs new model state on the base
of old one and implementation call results
Implies Current model state is actually a
hypothesis
Detected failure can be manifestation of a fault
in any previously called operation
Transition tour is insufficient to ensure
reliability

Mediator
Target system
call
call
response
construct new model state
83
Mediator for Priority Queue

mediator public class PQueueMediator
// Extends specification class
extends PQueueSpecification
// Reference to an implementation object
implementation public PriorityQueue target

84
Model State Synchronization Method (Open State
Testing)

mediator public class PQueueMediator
public void mapStateUp()
items.clear()
priorities.clear()
if( target ! null )
for(int i target._clusters.size()- 1 i
gt 0 i--)
Vector v (Vector)target._clusters.elemen
tAt(i)
for(int j 0 j lt v.size() j)
items.add(v.elementAt(j))
priorities.add(i)

85
Mediator Methods (Open State Testing)

mediator public class PQueueMediator
public int size()
return target.size()
public void enq(Object obj, int prty)
target.enq(obj, prty)
public Object deq()
return target.deq()

86
Mediator Methods (Hidden State Testing)

mediator public class PQueueMediator
public int size()
return target.size()
public void enq(Object obj, int prty)
target.enq(obj, prty)
items.add(obj)
priorities.add(prty)
public Object deq()
Object result target.deq()

87
Test Scenario Initialization

scenario public class PQueueTestScenario
public PQueueTestScenario()
setTestEngine ( new DeterministicFSM_TestEngin
e() )
PQueueMediator.initClassState()
queue PQueueMediator.create(new
PriorityQueue())
queue.attachOracle()

88
UniTesK Practice Overview

UniTesK tools
UniTesK history
Training courses
QUTILUI project
Other case studies

89
UniTesK Tools
UniTesK
.N_at_T
J_at_T
CTesK
VDMTesK
Uniform Test Architecture
Uniform Specification Extension
Integration with Development Environments
Model Based Testing
90
UniTesK History

pre-UniTesK
1994 1996ISP RAS Nortel Networks contract
onfunctional test suite development for Switch
Operating System kernel
Few hundreds of bugs found in the OS kernel,
which had been 10 years in use
About 600K lines of Nortel code tested by
2001But failed to be introduced in Nortel
processes

91
UniTesK Tools History

1999-2000
Conception
2001
J_at_T Prototype
CTesK Lite
2002
VDM TesK
J_at_T Product
2003
J_at_T Suite 1.2 (Java and C testing)
CTesK Full
.N_at_T

92
Sqrt Specification in J_at_va and Extended C

class SqrtSpecification
specification static double sqrt(double x)
reads x
pre return x gt 0
post
if(x 0)
branch "Zero argument"
return sqrt 0
else
branch "Positive argument"
return sqrt gt 0
Math.abs((sqrtsqrt-x)/x
lt epsilon

specification double SQRT(double x) reads
(double)x pre return x gt 0. coverage
ZP if(x 0.) return (ZERO, "Zero
argument") else return (POS, "Positive
argument") post if(coverage(ZP,
ZERO)) return SQRT 0. else
return SQRT gt 0.
abs((SQRTSQRT - x)/x) lt
epsilon
operation signature declaration
functional branches definition
postcondition
access constraints
precondition
93
Training Courses
CTesK training was conducted for Tercom
(St.-Petersburg, Russia), Saarland University
(Germany) J_at_T training was conducted for
Systematic Software Engineering (Denmark)
94
QUTILUI Project

GoalRedesign of SOS Queue Manipulation Utilities
Subsystem
Activities
Requirements elicitation
Specification development
Specification review
Architecture design
Component design
Implementation
Testing and debugging

95
QUTILUI Project Results
----------- ----------- ----------- -----------
- - - - - - - - - - - - - - - - - - - - - - - - -
- - -

Bugs removed
No bugs found after the project end!
25 decrease of implementation size
Design documentation appeared
And it became actual!
Tests demonstrated conformance with requirements

-------- -------- ----
96
Other Examples of UniTesK Usage

IPv6 implementations
Microsoft Research
Mobile IPv6 (in Windows CE 4.1)
mpC Workshop
Debug API
mpC expression static and dynamic semantics
Optimization units in Intel compilers
UniTesK tools
J_at_T test system runtime support
Components of J_at_va translator
CTesK abstract types library
Lanit-Tercom
IPv6 implementation
DSP software

97
References

B. Bourdonov, A.S. Kossatchev, V.V. Kuliamin,
A.K. Petrenko,. UniTesK Test Suite Architecture//
Proceedings of FME2002 conference, Copenhagen,
Denmark, LNCS, No. 2391, 2002, pp. 77-88.
I.B.Burdonov, A.V.Demakov, A.A.Jarov,
A.S.Kossatchev, V.V.Kuliamin, A.K.Petrenko,
S.V.Zelenov. J_at_va extension of Java for
real-life specification and testing // Proc. of
Andrei Ershov Fourth International Conference
PCI01, Novosibirsk, LNCS, Vol. 2244, 2001,
pp.301-308.
A.K. Petrenko, V.V. Kuliamin, I.B. Bourdonov,
A.S. Kossatchev. Experiences in using testing
tools and technology in real-life applications//
Proceedings of SETT01, India, Pune, 2001
A.K.Petrenko, V.V.Kuliamin, I.B.Burdonov,
A.V.Demakov, A.A.Jarov, A.S.Kossatchev,
S.V.Zelenov. J_at_va extension of Java for
real-life specification and testing// Proceedings
of PSI01, Novosibirsk, LNCS 2244, 2001,
pp.301-308.
A.K.Petrenko. Specification Based Testing
Towards Practice. Proceedings of PSI01,
Novosibirsk, LNCS 2244, 2001, pp.157-162.
A.Petrenko, A.Vorobiev. Industrial Experience in
Using Formal Methods for Software Development in
Nortel Networks// Proceedings of Testing Computer
Software Conference TCS 2000, Washington, June,
2000.
V.V. Kuliamin, I.B. Bourdonov, A.S. Kossatchev.
Using Finite State Machines in Program Testing//
Programming and Computer Software, Vol. 26, No.
2, 2000, pp. 61-73.
I. Bourdonov, A. Kossatchev, A. Petrenko, and D.
Galter. KVEST Automated Generation of Test
Suites from Formal Specifications// Proceedings
of World Congress of Formal Methods, Toulouse,
France, LNCS, No. 1708, 1999, pp. 608-621