Checking Formal Specifications by Testing

Formal specification methods hold promise for bridging the wide gap between an intuitive idea for solving a problem by computer, and the executable program that attempts to do the job. The use of formalism is itself a good thing, allowing professionals to understand and analyze their work better. However, formal methods are an aid to human effort, not a panacea. Conventional software testing can be an ideal complement to formally directed development. Tests are concrete and immediately comprehensible to end users, and they are unlikely to miss mistakes because of a pernicious correlation with the formal work. Research is needed on ways to make formal specifications and testing work together to realize the potential of both. Tests should serve to increase confidence that a formal method has been correctly applied. Such tests would free the developers from tedious checking of formalism details, and the success of only a few tests would have real significance for the software’s correctness. As an example of a formalism/testing partnership, this talk describes joint work with Sergio Antoy [4] on automatically checking a conventional implementation of an abstract data type against its formal algebraic specification. 1 Formal Methods and Testing In the “old days” when formal methods were identified with proving an implementation program correct with respect to a first-order logic specification, this proving was thought to be antithetical to testing. The two methods were viewed as being at opposite ends of a spectrum: the formal work was abstract, precise, and concerned with the function the program computes; testing was practical, sloppy, and concerned only with finite support for that function. A more modern viewpoint considers the two subjects complementary. Today’s formal methods are still abstract and precise, but now much more broadly concerned with expressing and reasoning about specifications. Testing today is still practical and sometimes sloppy, but it can be the most technical and precise of the other software-development arts. Specification and testing remain at ∗On leave from Portland State University, Department of Computer Science and Center for Software Quality Research, Portland, OR 97207, USA opposite ends of the development time-line, so there is maximum scope for testing to serve as a check on the whole process. To mention a promising interaction in which testing benefits from a formal specification, consider automatic random testing. This idea is to subject code to inputs chosen at random, where the random generation of test points is planned and automated using a formal description of a program’s input domain. To be effective, random testing must employ far more test points than the usual “by hand” tests. Hence it is practical only if the results can be automatically checked, and here again a formal specification is the answer. Many formal specifications are effective in that they provide a decision procedure for whether or not any input-output pair conforms to the specification. In the other direction, testing has the potential to detect mistakes in software development, mistakes which may arise from poor communication between end users and software experts (that is, the formal specifications are for the wrong problem), and mistakes in carrying through development (that is, the formal specifications have not been properly followed). Here the technical nature of both disciplines comes to the fore: it should be possible to devise tests that pinpoint common mistakes, and if the tests succeed, to gain great confidence that nothing is wrong.

[1]  Nancy G. Leveson,et al.  The Use of Self Checks and Voting in Software Error Detection: An Empirical Study , 1990, IEEE Trans. Software Eng..

[2]  Michael J. O'Donnell,et al.  Equational Logic as a Programming Language. , 1987 .

[3]  Sergio Antoy Design Strategies for Rewrite Rules , 1990, CTRS.

[4]  Gerard Huet,et al.  Conflunt reductions: Abstract properties and applications to term rewriting systems , 1977, 18th Annual Symposium on Foundations of Computer Science (sfcs 1977).

[5]  Harlan D. Mills,et al.  Theory of Modules , 1987, IEEE Transactions on Software Engineering.

[6]  Ellis Horowitz,et al.  Abstract data types and software validation , 1978, CACM.

[7]  Paola Forcheri,et al.  Specification-based code generation , 1990, Twenty-Third Annual Hawaii International Conference on System Sciences.

[8]  Ellis Horowitz,et al.  The design of data type specifications , 1976, ICSE '76.

[9]  Hans-Jörg Kreowski,et al.  Algebraic system specification and development , 1991, Lecture Notes in Computer Science.

[10]  M.-C. Gaudel,et al.  Generation of test data from algebraic specifications , 1988, [1988] Proceedings. Second Workshop on Software Testing, Verification, and Analysis.

[11]  Gérard P. Huet,et al.  Proofs by Induction in Equational Theories with Constructors , 1980, FOCS.

[12]  Phyllis G. Frankl,et al.  Case studies on testing object-oriented programs , 1991, TAV4.

[13]  R. Hamlet RANDOM TESTING , 1994 .

[14]  Jan A. Bergstra,et al.  Algebraic specification , 1989 .

[15]  Elaine J. Weyuker,et al.  A Formal Notion of Program-Based Test Data Adequacy , 1983, Inf. Control..

[16]  Nachum Dershowitz,et al.  Confluence of Conditional Rewrite Systems , 1988, CTRS.

[17]  Jan Willem Klop,et al.  Term rewriting systems: a tutorial , 1987 .

[18]  Sergio Antoy,et al.  Using Term Rewriting to Verify Software , 1994, IEEE Trans. Software Eng..

[19]  Richard G. Hamlet,et al.  Automatically Checking an Implementation against Its Formal Specification , 2000, IEEE Trans. Software Eng..

[20]  John V. Guttag,et al.  Notes on Type Abstraction , 1978, Program Construction.

[21]  Jean-Pierre Jouannaud,et al.  Operational Semantics for Order-Sorted Algebra , 1985, ICALP.

[22]  David R. Musser,et al.  Dynamic Verification of C++ Generic Algorithms , 1997, IEEE Trans. Software Eng..

[23]  Gérard P. Huet,et al.  Confluent Reductions: Abstract Properties and Applications to Term Rewriting Systems , 1980, J. ACM.

[24]  Nancy G. Leveson,et al.  An experimental evaluation of the assumption of independence in multiversion programming , 1986, IEEE Transactions on Software Engineering.

[25]  D. Knuth,et al.  Simple Word Problems in Universal Algebras , 1983 .

[26]  Jan Willem Klop,et al.  Term Rewriting Systems: From Church-Rosser to Knuth-Bendix and Beyond , 1990, ICALP.

[27]  Constance L. Heitmeyer,et al.  Automated consistency checking of requirements specifications , 1996, TSEM.

[28]  Bjarne Stroustrup,et al.  The C++ Programming Language, First Edition , 1986 .

[29]  Sriram Sankar Run-time consistency checking of algebraic specifications , 1991, TAV4.

[30]  Richard G. Hamlet,et al.  Data Abstraction, Implementation, Specification, and Testing , 1981, TOPL.

[31]  Hartmut Ehrig,et al.  Fundamentals of Algebraic Specification 1 , 1985, EATCS Monographs on Theoretical Computer Science.

[32]  Daniel Hoffman,et al.  Module test case generation , 1989, TAV3.