– 18 – 2016-07-18 – main –
Softwaretechnik / Software-Engineering
Lecture 18: Runtime Verification, Review & Wrapup
2016-07-18
Prof. Dr. Andreas Podelski, Dr. Bernd Westphal
Albert-Ludwigs-Universität Freiburg, Germany
To
pic
Area
Co
de
Qu
ality
Assu
ran
ce:C
on
tent
– 18 – 2016-07-18 – Sblockcontent –
2/
41
•In
trod
uctio
nan
dV
ocab
ulary
•L
imits
of
So
ftware
Testin
g
•G
lass-Bo
xTe
sting
•S
tatem
en
t-,bran
ch-,te
rm-co
verage
.
•O
the
rA
pp
roach
es
•M
od
el-b
ased
testin
g,
•R
un
time
verificatio
n.
•S
oftw
areq
uality
assuran
cein
alarge
rsco
pe
.
•P
rog
ramV
erificatio
n
•p
artialand
totalco
rrectn
ess,
•P
roo
fS
yste
mP
D.
•R
un
time
Ve
rification
•R
evie
w
•C
od
eQ
A:D
iscussio
n
VL
15
VL
16
...
VL
17
...
VL
18
...
Co
nten
t
– 18 – 2016-07-18 – Scontent –
3/
41
•R
un
time
-Ve
rification
•Id
ea
•A
ssertio
ns
•L
SC
-Ob
serve
rs
•R
evie
ws
•R
ole
san
darte
facts
•R
evie
wp
roce
du
re
•S
tron
ger
and
we
aker
variants
•D
o’s
and
Do
n’ts
inC
od
eQ
A
•C
od
eQ
ATe
chn
iqu
es
Re
visited
•Te
st
•R
un
time
-Ve
rification
•R
evie
w
•S
taticC
he
cking
•Fo
rmalV
erificatio
n
•D
ep
en
dab
ility
Ru
n-T
ime
Verifi
catio
n
– 18 – 2016-07-18 – main –
5/
41
Run-Time Verification: Idea
– 18 – 2016-07-18 – Sruntime –
6/41
Software $S$
• Assume, there is a function $f$ in software $S$ with the following specification:
  • pre-condition: $p$, post-condition: $q$.
• Computation paths of $S$ may look like this:
$$\sigma_0 \xrightarrow{\alpha_1} \sigma_1 \xrightarrow{\alpha_2} \sigma_2 \cdots \xrightarrow{\alpha_{n-1}} \sigma_n \xrightarrow{\text{call } f} \sigma_{n+1} \cdots \sigma_m \xrightarrow{f \text{ returns}} \sigma_{m+1} \cdots$$
• Assume there are functions $\mathit{check}_p$ and $\mathit{check}_q$, which check whether $p$ and $q$ hold at the current program state, and which do not modify the program state (except for the program counter).
• Idea: create software $S'$ by
  (i) extending $S$ by implementations of $\mathit{check}_p$ and $\mathit{check}_q$,
  (ii) calling $\mathit{check}_p$ right after entering $f$,
  (iii) calling $\mathit{check}_q$ right before returning from $f$.
• For $S'$, obtain computation paths like:
$$\sigma_0 \xrightarrow{\alpha_1} \sigma_1 \xrightarrow{\alpha_2} \sigma_2 \cdots \xrightarrow{\alpha_{n-1}} \sigma_n \xrightarrow{\text{call } f} \sigma_{n+1} \xrightarrow{\mathit{check}_p} \sigma'_{n+1} \cdots \sigma_m \xrightarrow{\mathit{check}_q} \sigma'_m \xrightarrow{f \text{ returns}} \sigma_{m+1} \cdots$$
• If $\mathit{check}_p$ and $\mathit{check}_q$ notify us of violations of $p$ or $q$, then we are notified of $f$ violating its specification when running $S'$ (= at run-time).
Run-Time Verification: Example
– 18 – 2016-07-18 – Sruntime –
7/
41
123
45
678
+2
7
78
90
45
6+
12
3=
/* Endless read-add-check-display loop: every sum returned by add() is
 * handed to verify_sum() before it is displayed. */
int main() {
    for (;;) {
        int lhs = read_number();
        int rhs = read_number();

        int total = add(lhs, rhs);

        /* run-time check of the result, placed before it is shown */
        verify_sum(lhs, rhs, total);

        display(total);
    }
}
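/**
 * Run-time check for the result of an addition: aborts the program when
 * `sum` is not an acceptable result for `x + y`.
 *
 * A result is rejected when it differs from the mathematical sum of x and
 * y, or when that sum exceeds 99999999 and `sum` is not negative.
 *
 * @param x    first operand
 * @param y    second operand
 * @param sum  result to be checked
 *
 * Returns normally only if the check passes. On a violation it prints
 * "verify_sum: error" to stderr and calls abort().
 */
void verify_sum(int x, int y,
                int sum)
{
    /* The reference value is computed in a wider type: x + y evaluated in
     * int is undefined behaviour on signed overflow, so the check could not
     * be trusted for exactly the inputs it is meant to catch. */
    const long long expected = (long long)x + (long long)y;

    if (sum != expected
        || (expected > 99999999
            && !(sum < 0)))
    {
        fprintf(stderr,
                "verify_sum: error\n");
        abort();
    }
}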
A Very Useful Special Case: Assertions
– 18 – 2016-07-18 – Sruntime –
8/41
• Maybe the simplest instance of runtime verification: Assertions.
• Available in standard libraries of many programming languages (C, C++, Java, ...).
• For example, the C standard library manual reads:

ASSERT(3)              Linux Programmer's Manual              ASSERT(3)

NAME
       assert − abort the program if assertion is false

SYNOPSIS
       #include <assert.h>

       void assert(scalar expression);

DESCRIPTION
       [...] the macro assert() prints an error message to standard
       error and terminates the program by calling abort(3) if expression
       is false (i.e., compares equal to zero).

       The purpose of this macro is to help the programmer find bugs in his
       program. The message "assertion failed in file foo.c, function
       do_bar(), line 1287" is of no help at all to a user.

• In C code, assert can be disabled in production code (-DNDEBUG).
Assertio
ns
At
Wo
rk
– 18 – 2016-07-18 – Sruntime –
9/
41
1A
SS
ER
T(3
)L
inu
xP
rogram
me
r’sM
anu
alA
SS
ER
T(3
)23
NA
ME
4asse
rt−
abo
rtth
ep
rogram
ifasse
rtion
isfalse
56S
YN
OP
SIS
7#
inclu
de
<assert.h
>89
void
assert(scalar
exp
ressio
n);
1011D
ES
CR
IPT
ION
12[...]
the
macro
assert()p
rints
ane
rror
me
ssageto
stanâ
13d
arde
rror
and
term
inate
sth
ep
rogram
by
calling
abo
rt(3)if
exp
ressio
n14
isfalse
(i.e.,co
mp
ares
eq
ualto
zero
).1516
Th
ep
urp
ose
of
this
macro
isto
he
lpth
ep
rogram
me
rfin
db
ugs
inh
is17
pro
gram.
Th
em
essage
"assertio
nfaile
din
filefo
o.c,
fun
ction
18d
o_
bar(),lin
e12
87
"is
of
no
he
lpat
alltoa
use
r.
• The abstract f-example from run-time verification:
/* Abstract function f whose specification is checked at run time.
 * The "..." stand for the parts the slide leaves out. */
void f(...) {
  assert(p);   /* pre-condition p, checked on entry */
  ...
  assert(q);   /* post-condition q, checked at the end of the body */
}
• Compute the width of a progress bar:
/*
 * Computes the width of a progress bar. The body is elided on the slide;
 * "..." marks the omitted parts.
 *
 * The assertions state and check the contract:
 *   - on entry, window_left <= window_right;
 *   - after the special cases 0 and 100 are handled, 0 < progress < 100;
 *   - the returned value r lies between window_left and window_right.
 *
 * NOTE(review): r is declared in an elided part. When NDEBUG is defined the
 * assert() calls expand to nothing, so they cannot be relied on to reject
 * bad arguments in such a build.
 */
int progress_bar_width(int progress, int window_left, int window_right)
{
  assert(window_left <= window_right); /* pre-condition */
  ...
  /* treat special cases 0 and 100 */
  ...
  assert(0 < progress && progress < 100); // extremal cases already treated
  ...
  assert(window_left <= r && r <= window_right); /* post-condition */
  return r;
}
Assertio
ns
At
Wo
rkII
– 18 – 2016-07-18 – Sruntime –
10/
41
Tre
eN
od
e
- ke
y : in
t
leftC
hild
righ
tCh
ild
pa
ren
t
0,1
0,1
0,1
Ob
ject
va
lue
*
inv: self.key <= rightChild.key && self.key >= leftChild.key
• Recall the structure model with Proto-OCL constraint from Exercise Sheet 4.
• Assume, we add a method set_key() to class TreeNode:
/** Tree node holding an int key and links to its parent and both children. */
class TreeNode {

  private int key;

  // Neighbouring nodes; a link may be null.
  TreeNode parent;
  TreeNode leftChild;
  TreeNode rightChild;

  /** Returns the key currently stored in this node. */
  public int get_key() {
    return this.key;
  }

  /** Stores new_key in this node without any check. */
  public void set_key(int new_key) {
    this.key = new_key;
  }
}
• We can check consistency with the Proto-OCL constraint at runtime by using assertions:
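/**
 * Sets this node's key and checks at run time that the new key respects the
 * ordering constraint with the neighbouring nodes:
 *   self.key <= rightChild.key && self.key >= leftChild.key
 *
 * The checks are Java assert statements: they only run when assertion
 * checking is enabled (java -ea); otherwise the key is stored unchecked.
 *
 * @param new_key the key to store in this node
 */
public void set_key(int new_key) {
  // Seen from the parent, this node is either its left child (the key must
  // not exceed the parent's key) or its right child (the key must not be
  // below it). Checking only the right-child case would raise false alarms
  // for left children and miss their violations.
  assert (parent == null
          || (parent.leftChild == this
              ? new_key <= parent.get_key()
              : parent.get_key() <= new_key));
  // leftChild.key <= self.key (the comparison must not be inverted here,
  // or the assertion contradicts the constraint)
  assert (leftChild == null || leftChild.get_key() <= new_key);
  // self.key <= rightChild.key
  assert (rightChild == null || new_key <= rightChild.get_key());

  key = new_key;
}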
• Use java -ea ... to enable assertion checking (disabled by default).
(cf. https://docs.oracle.com/javase/8/docs/technotes/guides/language/assert.html)
Mo
reC
om
plex
Ru
n-T
ime
Verifi
catio
n:
LS
CO
bservers
– 18 – 2016-07-18 – Sruntime –
11/4
1
ha
lf_id
le req
ue
st_
se
nt
tea
_s
ele
cte
d
so
ft_s
ele
cte
d
wa
ter_
se
lec
ted
idle
DO
K?
OK
!
wa
ter_
en
ab
led
:= fa
lse
,so
ft_e
na
ble
d :=
fals
e,
tea
_e
na
ble
d :=
fals
e
DT
EA
!
DW
AT
ER
!
DS
OF
T!
tea
_e
na
ble
d
TE
A?
so
ft_e
na
ble
d
SO
FT
?
wa
ter_
en
ab
led
WA
TE
R?
Ch
oiceP
ane
l:
LS
C:
bu
yw
ater
AC
:true
AM
:in
variant
I:strict
Use
rC
oinV
alidato
rC
ho
icePan
el
Disp
en
ser
C50
pWATER
¬(C
50!∨E1!∨pSOFT!
∨pTEA!∨pFIL
LUP!)
water
_in
_sto
ck
dWATER
OK
¬(dSoft!
∨dTEA!)
st:
{idle,wsel,ssel,tsel,reqs,half};
take_event(E:{TAU,WATER,SOFT,TEA,...
}){
boolstable=1;
switch(st){
caseidle:
switch(E){
caseWATER:
if(water_enabled){st:=wsel;stable:=0;}
;;
caseSOFT:
...
}
casewsel:
switch(E){
caseTAU:
send_DWATER();st:=reqs;
hey_observer_I_just_sent_DWATER();
;;
}}
hey_observer_I_just_sent_DWATER();
q1
q2
q3
q4
q5
q6
¬C50!
C50!
¬C50?
∧
ϕ1
∧
¬W
ATER!
C50?∧ϕ
1∧
¬W
ATER!
¬C50?
∧
WATER!∧
ϕ1
¬C50?
∧ϕ
1
C50?∧
ϕ1
C50?∧
WATER!∧
ϕ1
¬W
ATER!
∧ϕ
1
WATER!∧
ϕ1
¬W
ATER?∧
ϕ1
WATER?∧
ϕ1∧
water
_in
_stock
q1
q2
q3
q4
¬dW
ATER!∧
ϕ2
dW
ATER!∧
ϕ2
¬dW
ATER?∧
¬OK
!∧
ϕ2
dW
ATER?∧
OK
!∧
ϕ2∧
¬output_
blocked
¬OK
?∧
ϕ2
OK
?∧
ϕ2
true
dW
ATER?∧
OK
!∧
ϕ2∧
output_
blocked
Run-Time Verification: Discussion
– 18 – 2016-07-18 – Sruntime –
12/41
• Experience: During development, assertions for pre/post conditions and intermediate invariants are an extremely powerful tool with a very attractive gain/effort ratio (low effort, high gain).
• Assertions effectively work as a safe-guard against unexpected use of functions and regression, e.g. during later maintenance or efficiency improvement.
• Can serve as formal (support of) documentation:
  “Dear reader, at this point in the program, I expect condition expr to hold, because...”.
• Development- vs. Release Versions:
  • Common practice:
    • development version with run-time verification enabled (cf. assert(3)),
    • release version without run-time verification.
  If run-time verification is enabled in a release version,
    • software should terminate as gracefully as possible (e.g. try to save data),
    • save information from assertion failure if possible for future analysis.
  Risk: with bad luck, the software only behaves well because of the run-time verification code (for example, when a checked expression has a side effect that later code relies on)... Then disabling run-time verification “breaks” the software.
  Yet very complex run-time verification may significantly slow down the software, so needs to be disabled...
Co
nten
t
– 18 – 2016-07-18 – Scontent –
13/
41
•R
un
time
-Ve
rification
•Id
ea
•A
ssertio
ns
•L
SC
-Ob
serve
rs
•R
evie
ws
•R
ole
san
darte
facts
•R
evie
wp
roce
du
re
•S
tron
ger
and
we
aker
variants
•D
o’s
and
Do
n’ts
inC
od
eQ
A
•C
od
eQ
ATe
chn
iqu
es
Re
visited
•Te
st
•R
un
time
-Ve
rification
•R
evie
w
•S
taticC
he
cking
•Fo
rmalV
erificatio
n
•D
ep
en
dab
ility
Review
– 18 – 2016-07-18 – main –
14/
41
Review
s
– 18 – 2016-07-18 – Sreview –
15/
41
rev.ite
m
ref.d
ocs
revie
wse
ssion
revie
wse
ssion
pro
toco
l
moderator
author
reviewer
transcrip
t
•In
pu
tto
Re
view
Se
ssion
:
•R
evie
wite
m:can
be
eve
ryclo
sed
,h
um
an-re
adab
lep
arto
fso
ftware
(do
cum
en
tation
,mo
du
le,te
std
ata,
installatio
nm
anu
al,etc.)
So
cialaspe
ct:itis
anarte
factw
hich
ise
xamin
ed
,no
tth
eh
um
an(w
ho
create
dit).
•R
efe
ren
ced
ocu
me
nts:n
ee
dto
en
able
anasse
ssme
nt
(req
uire
me
nts
spe
cification
,guid
elin
es
(e.g.co
din
gco
nve
ntio
ns),catalo
gue
of
qu
estio
ns
(“allvariable
sin
itialised
?”),
etc.)
•R
ole
s:
Mo
de
rator:
lead
sse
ssion
,resp
on
sible
for
pro
pe
rlyco
nd
ucte
dp
roce
du
re.
Au
tho
r:(re
pre
sen
tativeo
fth
e)creato
r(s)of
the
artefact
un
de
rre
view
;isp
rese
nt
toliste
nto
the
discu
ssion
s;can
answ
er
qu
estio
ns;
do
es
no
tsp
eak
up
ifn
ot
asked
.
Re
view
er(s):
pe
rson
wh
ois
able
toju
dge
the
artefact
un
de
rre
view
;may
be
diffe
ren
tre
view
ers
for
diffe
ren
tasp
ects
(pro
gramm
ing,to
olu
sage,e
tc.),atb
est
exp
erie
nce
din
de
tectin
gin
con
sisten
cies
or
inco
mp
lete
ne
ss.
Transcrip
tW
riter:
kee
ps
min
ute
so
fre
view
sessio
n,can
be
assum
ed
by
auth
or.
•T
he
revie
wte
amco
nsists
of
eve
ryb
od
yb
ut
the
auth
or(s).
Review
Pro
cedu
reO
verT
ime
– 18 – 2016-07-18 – Sreview –
16/
41
t
Plan
nin
g
An
alysis
Pre
paratio
n(2
w)
Re
view
Se
ssion
(2h
)
“3rd
ho
ur”
(1h
)
Po
stparatio
n(2
w)
Initiatio
n
Re
view
organ
isation
un
de
rgu
idan
ceo
fm
od
erato
r
Ap
pro
valof
revie
wite
m
plan
nin
g:revie
ws
ne
ed
time
inth
ep
roje
ctp
lan.
are
view
istrigge
red
,e.g.,
by
asu
bm
ission
toth
ere
vision
con
trolsy
stem
:
the
mo
de
rator
invite
s(in
clud
ere
view
item
inin
vitation
),and
states
revie
wm
ission
s.
pre
paratio
n:
revie
we
rsin
vestigate
revie
wite
m.
revie
wse
ssion
:re
view
ers
rep
ort,
evalu
ate,an
dd
ocu
me
nt
issue
s;re
solve
op
en
qu
estio
ns.
“3rd
ho
ur”:tim
efo
rin
form
alchat,
revie
we
rsm
aystate
pro
po
salsfo
rso
lutio
ns
or
imp
rove
me
nts.
po
stparatio
n:re
wo
rkre
view
item
;re
spo
nsib
ilityo
fth
eau
tho
r(s).an
alysis:im
pro
ved
eve
lop
me
nt
and
revie
wp
roce
ss.
•R
evie
we
rsre
-assess
rew
orke
dre
view
item
(un
tilapp
rovalis
de
clared
).
Review Rules (Ludewig and Lichter, 2013)
– 18 – 2016-07-18 – Sreview –
17/41
(i) The moderator organises the review, issues invitations, supervises the review session.
(ii) The moderator may terminate the review if conduction is not possible, e.g., due to inputs, preparation, or people missing.
(iii) The review session is limited to 2 hours. If needed: organise more sessions.
(iv) The review item is under review, not the author(s). Reviewers choose their words accordingly. Authors neither defend themselves nor the review item.
(v) Roles are not mixed up, e.g., the moderator does not act as reviewer. (Exception: author may write transcript.)
(vi) Style issues (outside fixed conventions) are not discussed.
(vii) The review team is not supposed to develop solutions. Issues are not noted down in form of tasks for the author(s).
(viii) Each reviewer gets the opportunity to present her/his findings appropriately.
(ix) Reviewers need to reach consensus on issues, consensus is noted down.
(x) Issues are classified as:
  • critical (review unusable for purpose),
  • major (usability severely affected),
  • minor (usability hardly affected),
  • good (no problem).
(xi) The review team declares:
  • accept without changes,
  • accept with changes,
  • do not accept.
(xii) The protocol is signed by all participants.
Stro
nger
an
dW
eaker
Review
Va
rian
ts
– 18 – 2016-07-18 – Sreview –
18/
41
•D
esig
nan
dC
od
eIn
spe
ction
(Fagan,19
76,19
86
)
•d
elu
xevarian
to
fre
view
,•
app
rox.5
0%
mo
retim
e,ap
pro
x.50
%m
ore
erro
rsfo
un
d.
•R
evie
w
•S
tructu
red
Walkth
rou
gh
•sim
ple
variant
of
revie
w:
•d
eve
lop
er
mo
de
rates
walkth
rou
gh-se
ssion
,X
P’s
pair
pro
gram
min
g(“o
n-th
e-fly
revie
w”?)
...
✘co
din
gco
din
g
...
tests
for...
spe
c.of...
pro
gramm
er
pro
gramm
er
•d
eve
lop
er
pre
sen
tsarte
fact(s),
•re
view
er
po
ses
(pre
pare
do
rsp
on
tane
ou
s)qu
estio
ns,
•issu
es
aren
ote
dd
ow
n,
•V
ariation
po
int:d
ore
view
ers
see
the
artefact
be
fore
the
sessio
n?
•le
sse
ffort,le
sse
ffective
.
→d
isadvan
tages:u
ncle
arre
po
nsib
ilities;“sale
sman”-d
eve
lop
er
may
trickre
view
ers.
•C
om
me
nt
(‘Ste
llun
gnah
me’)
•co
lleagu
e(s)o
fd
eve
lop
er
read
artefacts,
•d
eve
lop
er
con
side
rsfe
ed
back.
→ad
vantage
:low
organ
isation
aleffo
rt;→
disad
vantage
s:cho
iceo
fco
lleagu
es
may
be
biase
d;n
op
roto
col;
con
side
ration
of
com
me
nts
atd
iscretio
no
fd
eve
lop
er.
•C
arefu
lRe
adin
g(‘D
urch
sicht’)
•d
on
eb
yd
eve
lop
er,
•re
com
me
nd
ation
:“away
from
scree
n”(u
sep
rint-o
ut
or
diffe
ren
td
evice
and
situatio
n)
So
me
Fin
al,
Gen
eral
Gu
idelin
es
– 18 – 2016-07-18 – main –
19/
41
Do's and Don'ts in Code Quality Assurance
– 18 – 2016-07-18 – Sguide –
20/41
Avoid using special examination versions for examination.
(Test-harness, stubs, etc. may have errors which may cause false positives and (!) negatives.)
Avoid stopping examination when the first error is detected.
Clear: Examination should be aborted if the examined program is not executable at all.
Do not modify the artefact under examination during examination.
• otherwise, it is unclear what exactly has been examined (“moving target”),
  (examination results need to be uniquely traceable to one artefact version.)
• fundamental flaws are sometimes easier to detect with a complete picture of unsuccessful/successful tests,
• changes are particularly error-prone, should not happen “en passant” in examination,
• fixing flaws during examination may cause them to go uncounted in the statistics (which we need for all kinds of estimation),
• roles developer and examiner are different anyway: an examiner fixing flaws would violate the role assignment.
Do not switch (fine grained) between examination and debugging.
Co
nten
t
– 18 – 2016-07-18 – Scontent –
21/
41
•R
un
time
-Ve
rification
•Id
ea
•A
ssertio
ns
•L
SC
-Ob
serve
rs
•R
evie
ws
•R
ole
san
darte
facts
•R
evie
wp
roce
du
re
•S
tron
ger
and
we
aker
variants
•D
o’s
and
Do
n’ts
inC
od
eQ
A
•C
od
eQ
ATe
chn
iqu
es
Re
visited
•Te
st
•R
un
time
-Ve
rification
•R
evie
w
•S
taticC
he
cking
•Fo
rmalV
erificatio
n
•D
ep
en
dab
ility
Co
de
Qu
ality
Assu
ran
ceTech
niq
ues
Revisited
– 18 – 2016-07-18 – main –
22
/4
1
Tech
niq
ues
Revisited
– 18 – 2016-07-18 – Sqawrapup –
23
/4
1
auto
-m
aticp
rove
“canru
n”to
olch
ainco
nsid
ere
de
xhau
s-tive
pro
veco
rrect
partial
resu
ltse
ntry
cost
Test
(✔)
✔✔
✘✘
✔✔
Ru
ntim
e-
Ve
rification
Re
view
Static
Ch
eckin
g
Ve
rification
Stre
ng
ths:
•can
be
fully
auto
matic
(yet
no
te
asyfo
rG
UIp
rogram
s);
•n
egative
test
pro
ves
“pro
gramn
ot
com
ple
tely
bro
ken
”,“canru
n”(o
rp
ositive
scen
arios);
•fin
alpro
du
ctis
exam
ine
d,th
us
too
lchain
and
platfo
rmco
nsid
ere
d;
•o
ne
cansto
pat
any
time
and
takep
artialresu
lts;
•fe
w,sim
ple
test
cases
areu
sually
easy
too
btain
;
•p
rovid
es
rep
rod
ucib
leco
un
ter-e
xamp
les
(goo
dstartin
gp
oin
tfo
rre
pair).
We
akne
sses:
•(in
mo
stcase
s)vastlyin
com
ple
te,th
us
no
pro
ofs
of
corre
ctne
ss;
•cre
ating
test
cases
for
com
ple
xfu
nctio
ns
(or
com
ple
xco
nd
ition
s)canb
ed
ifficult;
•m
ainte
nan
ceo
fm
any,co
mp
lex
test
cases
be
challe
ngin
g.
•e
xecu
ting
man
yte
stsm
ayn
ee
dsu
bstan
tialtime
(bu
t:canso
me
time
sb
eru
nin
paralle
l);
Tech
niq
ues
Revisited
– 18 – 2016-07-18 – Sqawrapup –
23
/4
1
auto
-m
aticp
rove
“canru
n”to
olch
ainco
nsid
ere
de
xhau
s-tive
pro
veco
rrect
partial
resu
ltse
ntry
cost
Test
(✔)
✔✔
✘✘
✔✔
Ru
ntim
e-
Ve
rification
✔(✔
)✔
(✘)
✘✔
(✔)
Re
view
Static
Ch
eckin
g
Ve
rification
Stre
ng
ths:
•fu
llyau
tom
atic(o
nce
ob
serve
rsare
inp
lace);
•p
rovid
es
cou
nte
r-exam
ple
;
•(n
early)fin
alpro
du
ctis
exam
ine
d,th
us
too
lchain
and
platfo
rmco
nsid
ere
d;
•o
ne
cansto
pat
any
time
and
takep
artialresu
lts;
•assert
-statem
en
tsh
avea
very
goo
de
ffort/
effe
ctratio
.
We
akne
sses:
•co
un
ter-e
xamp
les
no
tn
ece
ssarilyre
pro
du
cible
;
•m
ayn
egative
lyaffe
ctp
erfo
rman
ce;
•co
de
isch
ange
d,p
rogram
may
on
lyru
nb
ecau
seo
fth
eo
bse
rvers;
•co
mp
lete
ne
ssd
ep
en
ds
on
usage
,m
ayalso
be
vastlyin
com
ple
te,so
no
corre
ctne
ssp
roo
fs;
•co
nstru
cting
ob
serve
rsfo
rco
mp
lex
pro
pe
rties
may
be
difficu
lt,o
ne
ne
ed
sto
learn
ho
wto
con
struct
ob
serve
rs.
Tech
niq
ues
Revisited
– 18 – 2016-07-18 – Sqawrapup –
23
/4
1
auto
-m
aticp
rove
“canru
n”to
olch
ainco
nsid
ere
de
xhau
s-tive
pro
veco
rrect
partial
resu
ltse
ntry
cost
Test
(✔)
✔✔
✘✘
✔✔
Ru
ntim
e-
Ve
rification
✔(✔
)✔
(✘)
✘✔
(✔)
Re
view
✘✘
✘(✔
)(✔
)✔
(✔)
Static
Ch
eckin
g
Ve
rification
Stre
ng
ths:
•h
um
anre
ade
rscan
un
de
rstand
the
cod
e,m
aysp
ot
po
int
erro
rs;
•re
po
rted
tob
eh
igh
lye
ffective
;
•o
ne
cansto
pat
any
time
and
takep
artialresu
lts;
•in
term
ed
iatee
ntry
costs;
goo
de
ffort/
effe
ctratio
achie
vable
.
We
akne
sses:
•n
oto
olsu
pp
ort;
•n
ore
sults
on
actuale
xecu
tion
,too
lchain
no
tre
view
ed
;
•h
um
anre
ade
rsm
ayo
verlo
ok
erro
rs;usu
allyn
ot
aimin
gat
pro
ofs.
•d
oe
s(in
gen
eral)n
ot
pro
vide
cou
nte
r-exam
ple
s,d
eve
lop
ers
may
de
ny
existe
nce
of
erro
r.
Tech
niq
ues
Revisited
– 18 – 2016-07-18 – Sqawrapup –
23
/4
1
auto
-m
aticp
rove
“canru
n”to
olch
ainco
nsid
ere
de
xhau
s-tive
pro
veco
rrect
partial
resu
ltse
ntry
cost
Test
(✔)
✔✔
✘✘
✔✔
Ru
ntim
e-
Ve
rification
✔(✔
)✔
(✘)
✘✔
(✔)
Re
view
✘✘
✘(✔
)(✔
)✔
(✔)
Static
Ch
eckin
g✔
(✘)
✘✔
(✔)
✔(✘
)
Ve
rification
Stre
ng
ths:
•th
ere
are(co
mm
ercial),fu
llyau
tom
aticto
ols
(lint,C
ove
rity,Po
lyspace
,etc.);
•so
me
too
lsare
com
ple
te(re
lativeto
assum
ptio
ns
on
langu
agese
man
tics,platfo
rm,e
tc.);
•can
be
faster
than
testin
g;
•o
ne
cansto
pat
any
time
and
takep
artialresu
lts.
We
akne
sses:
•n
ore
sults
on
actuale
xecu
tion
,too
lchain
no
tre
view
ed
;
•can
be
very
reso
urce
con
sum
ing
(iffe
wfalse
po
sitives
wan
ted
),e
.g.,cod
em
ayn
ee
dto
be
“de
signe
dfo
rstatic
analysis”.
•m
any
falsep
ositive
scan
be
very
ann
oy
ing
tod
eve
lop
ers
(iffast
che
cksw
ante
d);
•d
istingu
ishfalse
from
true
po
sitives
canb
ech
allen
ging;
•co
nfig
urin
gth
eto
ols
(tolim
itfalse
po
sitives)can
be
challe
ngin
g.
Tech
niq
ues
Revisited
– 18 – 2016-07-18 – Sqawrapup –
23
/4
1
auto
-m
aticp
rove
“canru
n”to
olch
ainco
nsid
ere
de
xhau
s-tive
pro
veco
rrect
partial
resu
ltse
ntry
cost
Test
(✔)
✔✔
✘✘
✔✔
Ru
ntim
e-
Ve
rification
✔(✔
)✔
(✘)
✘✔
(✔)
Re
view
✘✘
✘(✔
)(✔
)✔
(✔)
Static
Ch
eckin
g✔
(✘)
✘✔
(✔)
✔(✘
)
Ve
rification
(✔)
✘✘
✔✔
(✘)
✘
Stre
ng
ths:
•so
me
too
lsup
po
rtavailab
le(fe
wco
mm
ercialto
ols);
•co
mp
lete
(relative
toassu
mp
tion
so
nlan
guage
sem
antics,p
latform
,etc.);
•th
us
canp
rovid
eco
rrectn
ess
pro
ofs;
•can
pro
veco
rrectn
ess
for
mu
ltiple
langu
agese
man
ticsan
dp
latform
sat
atim
e;
•can
be
mo
ree
fficien
tth
ano
the
rte
chn
iqu
es.
We
akne
sses:
•n
ore
sults
on
actuale
xecu
tion
,too
lchain
no
tre
view
ed
;
•n
ot
man
yin
term
ed
iatere
sults:“h
alfo
fa
pro
of”
may
no
tallo
wan
yu
sefu
lcon
clusio
ns;
•e
ntry
cost
high
:significan
ttrain
ing
isu
sefu
ltokn
ow
ho
wto
de
alwith
too
llimitatio
ns;
•p
rovin
gth
ings
isch
allen
ging:failin
gto
find
ap
roo
fd
oe
sn
ot
allow
any
use
fulco
nclu
sion
;
•false
ne
gatives
(bro
ken
pro
gram“p
rove
d”
corre
ct)hard
tod
ete
ct.
Qu
ality
Assu
ran
ce—
Co
nclu
din
gD
iscussio
n
– 18 – 2016-07-18 – main –
24
/4
1
Proposal: Dependability Cases (Jackson, 2009)
– 18 – 2016-07-18 – Sdepend –
25/41
• A dependable system is one you can depend on — that is, you can place your trust in it.
“Developers [should] express the critical properties and make an explicit argument that the system satisfies them.”
quality assurance — (1) A planned and systematic pattern of all actions necessary to provide adequate confidence that an item or product conforms to established technical requirements. IEEE 610.12 (1990)
Proposed Approach:
• Identify the critical requirements, and determine what level of confidence is needed.
  Most systems do also have non-critical requirements.
• Construct a dependability case:
  • an argument, that the software, in concert with other components, establishes the critical properties.
  • The case should be
    • auditable: can (easily) be evaluated by third-party certifier.
    • complete: no holes in the argument, any assumptions that are not justified should be noted (e.g. assumptions on compiler, on protocol obeyed by users, etc.)
    • sound: e.g. should not claim full correctness [...] based on nonexhaustive testing; should not make unwarranted assumptions on independence of component failures; etc.
Critica
lS
ystems
– 18 – 2016-07-18 – Sdepend –
26
/4
1
Still,it
see
ms
likeco
mp
ute
rsyste
ms
mo
reo
rle
ssin
evitab
lyh
avee
rrors.
Th
en
wh
y...
Laurent ERRERA, CC BY-SA 2.0, com-mons.wikimedia.org/w/index.php?curid=29838567
•...
do
mo
de
rnp
lane
sfly
atall?
(i)ve
rycare
fuld
eve
lop
me
nt,
(ii)ve
ryth
oro
ugh
analy
sis,
(iii)stro
ng
regu
latory
ob
ligation
s.
Plu
s:classicalen
gine
erin
gw
isdo
mfo
rh
ighre
liability,like
red
un
dan
cy.
angle
∠∠∠
velo
city
FC1
FC2
FC3
share
dm
em
ory
actuato
r
(Mru
gallae
tal.,2
00
5)
Robert Bosch GmbH
•...
do
mo
de
rncars
drive
atall?
(i)care
fuld
eve
lop
me
nt,
(ii)th
oro
ugh
analy
sis,
(iii)re
gulato
ryo
bligatio
ns.
Plu
s:classicalen
gine
erin
gw
isdo
mfo
rh
ighre
liability,like
mo
nito
ring.
el
2
el
3
el
https://www.iav.com/sites/default/files/attachments/seite/ak-egas-v5-5-en-130705.pdf
Tell
Th
emW
ha
tYo
u’ve
To
ldT
hem
...
– 18 – 2016-07-18 – Sttwytt –
27
/4
1
•R
un
time
Ve
rification
•(as
the
nam
esu
ggests)ch
ecks
pro
pe
rties
atp
rog
ramru
n-tim
e,
•a
goo
dp
inch
ofassert
’scan
be
avalu
able
safe-gu
ardagain
st
•re
gressio
ns,
•u
sageo
utsid
esp
ecificatio
n,
•e
tc.
and
serve
asfo
rmald
ocu
me
ntatio
no
fassu
mp
tion
s.
•R
evie
w(stru
cture
de
xamin
ation
of
artefacts
by
hu
man
s)
•(m
ildvarian
t)advo
cated
inth
eX
Pap
pro
ach,
•n
ot
un
com
mo
n:
lead
pro
gramm
er
revie
ws
allcom
mits
from
team
me
mb
ers,
•lite
rature
rep
orts
goo
de
ffort/e
ffect
ratioach
ievab
le.
•A
llapp
roach
es
toco
de
qu
alityassu
rance
have
the
ir
•ad
vantage
san
dd
rawb
acks.
•W
hich
tou
se?It
de
pe
nd
s!
•D
ep
en
dab
ilityC
ases
•an
(aud
itable
,com
ple
te,so
un
d)argu
me
nt,
that
aso
ftware
has
the
criticalpro
pe
rties.
Referen
ces
– 18 – 2016-07-18 – main –
28
/4
1
Referen
ces
– 18 – 2016-07-18 – main –
29
/4
1
Fagan,M
.(1976
).D
esign
and
cod
ein
spe
ction
sto
red
uce
erro
rsin
pro
gramd
eve
lop
me
nt.
IBM
System
sJo
urna
l,15
(3):18
2–
211.
Fagan,M
.(198
6).
Ad
vance
sin
softw
arein
spe
ction
s.IE
EE
Tran
sactio
ns
On
So
ftwa
reE
ngin
eering,12
(7):74
4–
75
1.
IEE
E(19
90
).IE
EE
Sta
nd
ard
Glo
ssary
of
So
ftwa
reE
ngin
eering
Termin
olo
gy.S
td6
10.12
-199
0.
Jackson
,D.(2
00
9).
Ad
irect
path
tod
ep
en
dab
leso
ftware
.C
om
m.A
CM
,52
(4).
Lud
ew
ig,J.and
Lich
ter,H
.(20
13).
So
ftwa
reE
ngin
eering.
dp
un
kt.verlag,3
.ed
ition
.
Mru
galla,C.,R
ob
be
,O.,S
chin
z,I.,Tob
en
,T.,and
We
stph
al,B.(2
00
5).
Form
alverificatio
no
fa
sen
sor
votin
gan
dm
on
itorin
gU
ML
mo
de
l.In
Siv
Hild
eH
ou
mb
,JanJü
rjen
s,R.F.,e
dito
r,Pro
ceedin
gso
fth
e4
thIn
terna
tion
al
Wo
rksho
po
nC
riticalS
ystems
Develo
pm
ent
Usin
gM
od
eling
Lan
guages
(CS
DU
ML
200
5),page
s3
7–5
1.Tech
nisch
eU
nive
rsitätM
ün
che
n.
Lookin
gB
ack:
18
Lectu
reson
Softw
are
Engin
eering
– 18 – 2016-07-18 – main –
30
/4
1
Wh
at
Did
We
Do
?
– 18 – 2016-07-18 – Sresume –
32
/4
1
So
me
Em
pirica
lF
ind
ing
s(B
usch
ermö
hle
eta
l.(2
00
6))
– 1 – 2016-04-18 – Ssuccess –
14/
36
3.17
30.16
6.88
5.03
25.66
29.1
1-9,9
99
10,0
00
-99
,99
9
100
,00
0-4
99
,99
9
50
0,0
00
-99
9,9
99
≥1,0
00
,00
0
no
tsp
ecifie
d
bu
dge
tine
(37
8re
spo
nse
s)
33.072.91
10.0522.4925.13
≤3
>3
-6
>6
-12
>12
-24
>2
4
plan
ne
dd
uratio
nin
mo
nth
s(3
78
resp
on
ses)
0%
10%
20
%
30
%
40
%
50
%
60
%
70%
bu
sine
sscritical
missio
ncritical
safety
critical
Criticality
(37
8re
spo
nse
s,30
’no
tsp
ec.’)
97.352.65
com
ple
ted
cance
lled
pro
ject
com
ple
tion
(37
8re
spo
nse
s)
72.01
24.73
2.45
kep
t
early
late
de
adlin
e(3
68
resp
on
ses)
0.27
82.61
4.89 4.89 5.16 1.92
5-4
9%
50
-74%
75
-89
%
90
-94
%
95
-99
%
100
%
main
fun
ction
alityre
alised
(36
8re
spo
nse
s)
81.52
11.14 3.26
kep
t
be
low
abo
ve
bu
dge
t(3
68
resp
on
ses)
29.67
15.385.49
9.89
20.88
<2
0%
20
-49
%
50
-99
%
100
-199
%
≥2
00
%
de
adlin
em
issed
by
(91
resp
on
ses)
4.89
57.61
8.157.61
13.04
4.89
2.99
<2
5%
25
-49
%
50
-74%
75
-89
%
90
-94
%
95
-99
%
100
%
seco
nd
aryfu
nctio
nality
realise
d(3
68
resp
on
ses)
Fro
mA
bstra
ctto
Co
ncrete
Syn
tax
– 12 – 2016-06-20 – Sumlsig –
10/
48
C
Dx:Int
f(In
t):Bool
get_x()
:Int
p0..1
p0..1
n0..∗
S=
(T,C,V
,atr,F
,mth)
•T
={Int,B
ool}
•C
={C
,D}
•V
={x
:Int,p
:C
0,1 ,n
:C
∗ }
•atr
={C
7→{p
,n},D
7→{p
,x}}
•F
={f:Int→
Bool,get_
x:Int}
•mth
={C
7→∅,D
7→{f
,get_x}}
Mo
reIn
teresting
Exa
mp
le
– 12 – 2016-06-20 – Socl –
38
/4
8
σ:
1C
:C
x=
13
|n
Cx:Int
n
0..1
∀c:C
•x(n
(c))6=
27
•S
imilar
toth
ep
revio
us
slide
,we
ne
ed
the
value
of
σ(σ(IJcK(σ
,β))(n
))(x)
•IJcK(σ
,β)=
β(c)
=1C
•σ(IJcK(σ
,β))(n
)=
σ(1C)(n
)=
∅
•σ(σ(IJcK(σ
,β))(n
))(x)=
⊥
by
the
follo
win
gru
le:
IJv(F
)K(σ,β
)=
{
σ(u
′)(v)
,ifIJF
K(σ,β
)=
{u′}
⊆dom(σ
)
⊥,o
the
rwise
(ifv:C
0,1
)
Exa
mp
le
– 14 – 2016-06-30 – Sumlstm –
30
/3
8
Idle
waitO
K
hav
e_c1
00
_o
r_e1
>
hav
e_c1
00
hav
e_e1
hav
e_c1
50
>h
ave_
c50
>
drin
kR
eady
Idle
waitO
K
hav
e_c1
00
_o
r_e1
>
hav
e_c1
00
hav
e_e1
hav
e_c1
50
>h
ave_
c50
>
drin
kR
eady
E1
/itsCh
ang
er->
giv
eback
_1
00
()
C5
0/itsC
ho
icePan
el->
enab
le_W
ater();E
1/
itsCh
ang
er->
giv
eback
_1
00
()
C5
0
C5
0/
itsCh
ang
er->
giv
eback
_5
0()
C5
0
E1
/itsCh
oiceP
anel->
enab
leSo
ft();
E1
C5
0
OK
En
try A
ction
:itsC
ho
icePan
el->
enab
le_W
ater();
En
try A
ction
:itsC
ho
icePan
el->
enab
le_S
oft();
En
try A
ction
:itsC
ho
icePan
el->
enab
le_T
ea();
Tea_selected
InactiveSoft_selected
Water_selected
Request_sent
Tea_selected
InactiveSoft_selected
Water_selected
Request_sent
TEA[Tea_enabled]
/itsDrinkD
ispenser->G
EN(D
TEA)
/itsDrinkD
ispenser->G
EN(D
SOFT);
if (itsCoinValidator
->IS_IN(have_c150))
itsChanger->giveback_50();
WATER
[Water_enabled]
/disable_all();
SOFT[Soft_enabled]
/itsDrinkD
ispenser->G
EN(D
WATER
);if (itsC
oinValidator->IS_IN(have_c150))
itsChanger->giveback_100();
else if (itsCoinValidator->IS_IN
(have_c100))itsC
hanger->giveback_50();
onon
T2Tea_out
T1T3
S2Soft_out
S1S3
W2
Water_out
W1
W3
FillingUp
on
T2Tea_out
T1T3
S2Soft_out
S1S3
W2
Water_out
W1
W3
FillingUp
DTEA
/Prepare_Tea();itsC
oinValidator->G
EN(O
K);
DTEA
/Prepare_Tea();itsC
oinValidator->G
EN(O
K);
DTEA
/Prepare_Tea();itsC
oinValidator->G
EN(O
K);
DSO
FT/Prepare_Soft();itsC
oinValidator->G
EN(O
K);
DSO
FT/Prepare_Soft();itsC
oinValidator->G
EN(O
K);
DSO
FT/Prepare_Soft();itsC
oinValidator->G
EN(O
K);
DW
ATER/
Prepare_Water();
itsCoinValidator
->GEN
(OK
);
DW
ATER/
Prepare_Water();
itsCoinValidator
->GEN
(OK
);
DW
ATER/
Prepare_Water();
itsCoinValidator
->GEN
(OK
); FILLUP/itsC
oinValidator->update_C
hoicePanel();
VC
CW
eb-In
terface
– 17 – 2016-07-14 – Svcc –
39
/4
4E
xamp
lep
rog
ramDIV
:http://rise4fun.com/Vcc/4Kqe
V-M
od
ellX
T:
Decisio
nP
oin
ts
– 5 – 2016-05-09 – Svxt –
34
/6
2
%''������(��1 �2����
� -.
&5. ����� �
�������
��-.
������+������
��1 ������
Exa
mp
le:Illu
strative
Ob
jectD
iag
ram
(Sch
um
ann
etal.,
2008
)
– 12 – 2016-06-20 – Sodatwork –
30
/4
8
:Iterato
r:Fo
rest
:Iterato
r
A:N
od
eE
:No
de
en
d:B
aseNo
de
B:N
od
eC
:No
de
F:N
od
e
D:N
od
e be
gin_
ite
nd
_it
no
de
no
de
firstCh
ild
pare
nt
firstCh
ild
pare
nt
ne
xtSib
pre
vSib
lastCh
ildfirstC
hild
pare
nt
ne
xtSib
pre
vSib
lastCh
ildfirstC
hild
pare
nt
ne
xtSib
pre
vSib
BaseN
od
ep
aren
t:B
aseNo
de∗
pre
vSib
ling
:BaseN
od
e∗
ne
xtSib
ling
:BaseN
od
e∗
firstCh
ild:B
aseNo
de∗
lastCh
ild:B
aseNo
de∗
No
de
data
:TN
od
e(d
ata:T
)
Iterato
r
op
erato
r++
():Ite
rator
op
erato
r−−
():Ite
rator
op
erato
r∗():BaseN
od
e0,1
Fore
st
app
en
dTo
pLe
vel(d
ata:T)
app
en
dC
hild
(pare
nt
:Iterato
r,data
:T)
rem
ove
(it:Ite
rator
)d
ep
th(it
:Iterato
r):i
nt
en
d():Ite
rator
be
gin():Ite
rator
em
pty():b
ool
size():i
nt
node
begin_
iten
d_it
Exa
mp
le
– 14 – 2016-06-30 – Simpl –
18/
38
W0
dis
pen
se
Wi
FIL
LU
P?
w :=
3
FIL
LU
P?
w :=
3
w =
= 0
DO
K!
w >
0D
OK
!D
WA
TE
R?
w :=
w - 1
intw
:=3;
typedef{Wi,d
ispen
se,W
0}st_
T;
st_T
st:=
Wi;
Set〈A
ct〉take
_actio
n(Act
α){
Set〈A
ct〉R
:=∅;
if�st
=Wi:
if�α=
DWATER?:
w:=
w−1;
st:=
disp
ense;
if(w
=0)
R:=
R∪{DOK!};
if(w
>0)
R:=
R∪{DOK!};
�α=
FIL
LUP?:
w:=
3;
st:=
Wi;
R:=
R∪{FIL
LUP?,D
WATER?};
fi;
�st
=disp
ense
:if�α=
DOK!∧
w=
0:st
:=W0;
R:=
R∪{FIL
LUP?};
�α=
DOK!∧
w>
0:st
:=Wi;
R:=
R∪{FIL
LUP?};
fi;
�st
=W0
:if�α=
FIL
LUP?:
w:=
3;
st:=
Wi;
R:=
R∪{FIL
LUP?,D
WATER?};
fi;
fi;
retu
rnR;
}
Covera
ge
Exa
mp
le
– 16 – 2016-07-11 – Scover –
26
/4
4
intf
(intx
,inty
,intz
){i1
:if(x
>100
∧y>
10)s1
:z=
z∗2;
else
s2
:z=
z/2
;i2
:if(x
>500
∨y>
50)
s3
:z=
z∗5
;s4
:;
}
i1
s1
s2
i2
s3
s4
true
fals
e
true
fals
e
•R
eq
uire
me
nt:{
true}
f{
true}
(no
abn
orm
alterm
inatio
n),i.e
.Soll=
Σ∗∪Σ
ω.
In
%%
i2/
%
x,y
,zi1/t
i1/f
s1
s2
i2/t
i2/f
c1
c2
s3
s4
stmcn
dte
rm
501,11,0
✔✔
✔✔
✔✔
75
50
25
501,0,0
✔✔
✔✔
✔✔
100
75
25
0,0
,0✔
✔✔
✔10
010
07
5
0,5
1,0
✔✔
✔✔
✔10
010
010
0
test
suite
cove
rage
empirical data
informal/formal, scales, metrics, McCabe complexity
costs, Delphi method
COCOMO, project planning
role, artefact, activity
waterfall model
spiral model, V-model XT, XP, Scrum, requirements on requirements
dictionary etc., language patterns
Decision Tables
completeness etc.
conflict axioms
FM and customers
use cases & diagrams
sequence diagrams
LSC syntax, TBA, cuts, firedsets
automaton construction
precharts, RE with scenarios
definition SW, LSC vs. software
design, architecture
modularity, information hiding
model, views and viewpoints
Class Diagrams
system states, ODs
(Proto-)OCL, CFA
Uppaal, query language, design checks
implementing CFA
UML state machines
Rhapsody, architecture/design patterns
test case, the crux of testing
choosing test cases
coverage, model-based testing
while programs
Hoare triples
calculus PD, VCC, runtime verification
Review, QA summary
Intro.
Process Management
Requirements Engineering
Architecture & Design
Code Quality Assurance
VL 1, VL 2, VL 3, VL 4, VL 5, VL 6, VL 7, VL 8, VL 9, VL 10, VL 11, VL 12, VL 13, VL 14, VL 15, VL 16, VL 17, VL 18
– 18 – 2016-07-18 – Sresume –
33
/4
1
Expectations
– 2 – 2016-04-21 – Sgoals –
4/
47
• none, because mandatory course
• overall
  ✔ well-structured lectures
  (✔) praxis oriented
  ✘ practical knowledge about planning, designing and testing software
  ✔ improve skills in scientific work
  (✔) more about scientific methods
• other courses
  ✘ more on how courses are linked together
  ✘ skills we need to organise SoPra
  ✔ maybe transfer knowledge in SoPra
• “real world”
  ✔ vocabulary and methods in professional software development
  ✔ learn how things work in a company, to easier integrate into teams, e.g., communication
• kinds of software
  ✔ embedded systems and software
  ✘ how to combine HW and SW parts
Intro
du
ction
L1:
18.4
.,Mo
n
L2
:2
1.4.,
Th
uS
cales,M
etrics,
Co
stsL
3:
25
.4.,M
on
T1:
28
.4.,
Th
u
De
velo
pm
en
tL
4:
2.5
.,Mo
n
-5
.5.,
Th
u
Pro
cess
L5
:9
.5.,M
on
L6
:12
.5.,
Th
u
-16
.5.,M
on
-19
.5.,
Th
u
T2
:2
3.5
.,Mo
n
-2
6.5
.,T
hu
L7:
30
.5.,M
on
L8
:2
.6.,
Th
uR
eq
uire
me
nts
En
gine
erin
gL
9:
6.6
.,Mo
n
T3
:9
.6.,
Th
u
L10:
13.6
.,Mo
n
L11:
16.6
.,T
hu
Arch
itectu
re&
De
signL
12:
20
.6.,M
on
T4
:2
3.6
.,T
hu
L13
:2
7.6.,M
on
So
ftware
Mo
nd
ellin
gL
14:
30
.6.,
Th
u
L15
:4
.7.,Mo
n
T5
:7.7.,
Th
u
L16
:11.7.,M
on
L17:
14.7.,
Th
uQ
uality
Assu
rance
(Testin
g,Form
alV
erificatio
n)
L18
:18
.7.,Mo
nW
rap-U
pL
19:
21.7.,
Th
u
– 18 – 2016-07-18 – Sresume –
34
/4
1
Expectations Cont’d
– 2 – 2016-04-21 – Sgoals –
5/
47
• software development
  ✔ understand how software development practically works
  ✔ developing, maintaining software at bigger scale
  ✔ aspects of software development
• software project management
  ✔ learn what is important to plan
  ✔ how to structure the process of a project
  ✔ how to keep control of project, measure success
  ✘ which projects need full-time project manager
  ✘ which kind of documentation is really necessary
  ✘ want to get better in leading a team; how to lead team of engineers
• cost estimation
  ✔ how to estimate time and effort
  (✘) formal methods for better planning of projects
  ✘ tools which help planning
• quality
  ✔ learn ways how to judge quality based on the requirements
  ✔ avoid mistakes during software development
  ✔ make better programs, or make programs more efficiently
Intro
du
ction
L1:
18.4
.,Mo
n
L2
:2
1.4.,
Th
uS
cales,M
etrics,
Co
stsL
3:
25
.4.,M
on
T1:
28
.4.,
Th
u
De
velo
pm
en
tL
4:
2.5
.,Mo
n
-5
.5.,
Th
u
Pro
cess
L5
:9
.5.,M
on
L6
:12
.5.,
Th
u
-16
.5.,M
on
-19
.5.,
Th
u
T2
:2
3.5
.,Mo
n
-2
6.5
.,T
hu
L7:
30
.5.,M
on
L8
:2
.6.,
Th
uR
eq
uire
me
nts
En
gine
erin
gL
9:
6.6
.,Mo
n
T3
:9
.6.,
Th
u
L10:
13.6
.,Mo
n
L11:
16.6
.,T
hu
Arch
itectu
re&
De
signL
12:
20
.6.,M
on
T4
:2
3.6
.,T
hu
L13
:2
7.6.,M
on
So
ftware
Mo
nd
ellin
gL
14:
30
.6.,
Th
u
L15
:4
.7.,Mo
n
T5
:7.7.,
Th
u
L16
:11.7.,M
on
L17:
14.7.,
Th
uQ
uality
Assu
rance
(Testin
g,Form
alV
erificatio
n)
L18
:18
.7.,Mo
nW
rap-U
pL
19:
21.7.,
Th
u
– 18 – 2016-07-18 – Sresume –
35
/4
1
Expectations Cont’d
– 2 – 2016-04-21 – Sgoals –
6/
47
• requirements
  ✔ formal ways to specify requirements
  ✔ learn techniques to reduce misunderstandings
  ✔ understand types of requirements
  (✔) learn how requirements are to be stated
  (✔) how to create requirements/specification document
• design
  ✔ techniques for design
  ✔ predict potential risks and crucial design errors
  (✘) come up with good design, learn how to design
  (✘) practical knowledge on application of design patterns
  ✘ how to structure, compose components, how to define interfaces
  ✘ standards for keeping parts of project compatible
  ✘ how to guarantee a particular reliability
• Implementation
  (✔) modular programming, better documentation of big projects
  ✘ more of computers and programming, write faster better programs
  ✘ strengths and weaknesses of standards, training in their application
  ✘ improve coding skills
  ✘ how to increase (software) performance
Intro
du
ction
L1:
18.4
.,Mo
n
L2
:2
1.4.,
Th
uS
cales,M
etrics,
Co
stsL
3:
25
.4.,M
on
T1:
28
.4.,
Th
u
De
velo
pm
en
tL
4:
2.5
.,Mo
n
-5
.5.,
Th
u
Pro
cess
L5
:9
.5.,M
on
L6
:12
.5.,
Th
u
-16
.5.,M
on
-19
.5.,
Th
u
T2
:2
3.5
.,Mo
n
-2
6.5
.,T
hu
L7:
30
.5.,M
on
L8
:2
.6.,
Th
uR
eq
uire
me
nts
En
gine
erin
gL
9:
6.6
.,Mo
n
T3
:9
.6.,
Th
u
L10:
13.6
.,Mo
n
L11:
16.6
.,T
hu
Arch
itectu
re&
De
signL
12:
20
.6.,M
on
T4
:2
3.6
.,T
hu
L13
:2
7.6.,M
on
So
ftware
Mo
nd
ellin
gL
14:
30
.6.,
Th
u
L15
:4
.7.,Mo
n
T5
:7.7.,
Th
u
L16
:11.7.,M
on
L17:
14.7.,
Th
uQ
uality
Assu
rance
(Testin
g,Form
alV
erificatio
n)
L18
:18
.7.,Mo
nW
rap-U
pL
19:
21.7.,
Th
u
– 18 – 2016-07-18 – Sresume –
36
/4
1
Expectations Cont’d
– 2 – 2016-04-21 – Sgoals –
7/
47
• code quality assurance
  ✔ methods for testing to guarantee high level of quality
  (✔) how to conduct most exhaustive test as possible in reasonable time
  ✔ formal methods like program verification
  ✘ learn about practical implementation of these tools
• extra information
  • “will work as teacher”
  • “want to work on medical software”
  • “want to work in automotive industry”
  • “worked as software-engineer”
Intro
du
ction
L1:
18.4
.,Mo
n
L2
:2
1.4.,
Th
uS
cales,M
etrics,
Co
stsL
3:
25
.4.,M
on
T1:
28
.4.,
Th
u
De
velo
pm
en
tL
4:
2.5
.,Mo
n
-5
.5.,
Th
u
Pro
cess
L5
:9
.5.,M
on
L6
:12
.5.,
Th
u
-16
.5.,M
on
-19
.5.,
Th
u
T2
:2
3.5
.,Mo
n
-2
6.5
.,T
hu
L7:
30
.5.,M
on
L8
:2
.6.,
Th
uR
eq
uire
me
nts
En
gine
erin
gL
9:
6.6
.,Mo
n
T3
:9
.6.,
Th
u
L10:
13.6
.,Mo
n
L11:
16.6
.,T
hu
Arch
itectu
re&
De
signL
12:
20
.6.,M
on
T4
:2
3.6
.,T
hu
L13
:2
7.6.,M
on
So
ftware
Mo
nd
ellin
gL
14:
30
.6.,
Th
u
L15
:4
.7.,Mo
n
T5
:7.7.,
Th
u
L16
:11.7.,M
on
L17:
14.7.,
Th
uQ
uality
Assu
rance
(Testin
g,Form
alV
erificatio
n)
L18
:18
.7.,Mo
nW
rap-U
pL
19:
21.7.,
Th
u
That’s Today’s Software Engineering — More or Less...
– 18 – 2016-07-18 – main –
37
/4
1
– 18 – 2016-07-18 – main –
38
/4
1
Coming Soon to Your Local Lecture Hall...
– 18 – 2016-07-18 – main –
39
/4
1
Thursday, 2016-07-21, 1200 to 1400:
Plenary Tutorial 6 & Questions Session
in 101-0-026 (right here)
– 18 – 2016-07-18 – main –
41/
41