# ECE 453 - Software Testing, Quality Assurance, and Maintenance

## Introduction

### Testing and Verification

- **Testing**: An ad-hoc software validation method that proves the existence of faults.
- **Verification**: A formal software validation method that proves the software satisfies its specifications.
- **Static Program Verification**: The algorithmic discovery of the properties of a program by inspection of its source text.
- **Formal Methods**: The general area of research related to program specification and verification.

### Undecidability

- **Undecidability**: A problem is undecidable if there does not exist a Turing machine that can solve it.
- **Rice's Theorem**: For any non-trivial property of partial functions, no general and effective method can decide whether an algorithm computes a partial function with that property.

### User Effort vs Verification Assurance


- *From Least Effort / Least Assurance to Most Effort / Most Assurance.*


1. Testing
2. Symbolic Execution: Automated Test-Case Generation
3. Automated Verification
4. Deductive Verification

### Key Challenges

- *Testing*: Coverage
- *Symbolic Execution and Automated Verification*: Scalability 
- *Deductive Verification*: Usability
- *Common Challenges*: Specification / Oracle

## Fault, Error, and Failure

### Definitions

- **Fault**: A static defect in software.
- **Error**: An incorrect internal state (*unobserved*).
- **Failure**: An incorrect external behavior with respect to the expected external behavior (*observed*).

### RIP Model

- Three conditions must be present for an error to be observed as a failure.
  1. **Reachability**: The location or locations in the program that contain the fault must be reached.
  2. **Infection**: After executing the location, the state of the program must be incorrect.
  3. **Propagation**: The infected state must propagate to cause some output of the program to be incorrect.

### Addressing Faults

1. **Fault Avoidance**: Better Design, Better Programming Languages, ...
2. **Fault Detection**: Testing, Debugging, ...
3. **Fault Tolerance**: Redundancy, Isolation, ...

## Foundations: Syntax, Semantics, and Graphs

### WHILE: A Simple Imperative Language

#### Syntactic Entities

##### Terminals


- *Atomic Tokens*.


1. **Integers**: $n \in Z$
2. **Booleans**: $\text{true}, \text{false} \in B$
3. **Locations (Program Variables)**: $x, y \in L$

##### Non-Terminals


- *Composition of Tokens*.


1. **Atomic Expressions**: $e \in Aexp$
2. **Boolean Expressions**: $b \in Bexp$
3. **Statements**: $c \in Stmt$

#### Syntax of Arithmetic Expressions

$$
\begin{aligned}
\text{e } ::= &\; n     &\text{ for } n \in Z \\
      &\vert -n &\text{ for } n \in Z \\
      &\vert x  &\text{ for } x \in L \\
      &\vert e_1 \text{ aop } e_2 \\
      &\vert \text{'('e')'} \\
\text{aop } ::= &\; \text{'*' } \vert \text{ '/' } \vert \text{ '-' } \vert \text{ '+'}
\end{aligned}
$$

- *No Declarations*
- *Only Integer Variables*.
- *No Side-Effects*.

#### Syntax of Boolean Expressions

$$
\begin{aligned}
\text{b } ::= &\; \text{'true'} \\
    &\vert \text{'false'} \\
    &\vert \text{'not' } b \\
    &\vert e_1 \text{ rop } e_2 &\text{ for } e_1, e_2 \in Aexp \\
    &\vert e_1 \text{ bop } e_2 &\text{ for } e_1, e_2 \in Bexp \\
    &\vert \text{'('b')'} \\
\text{rop } ::= &\; \text{'<' } \vert \text{ '<=' } \vert \text{ '=' } \vert \text{ '>=' } \vert \text{ '>'} \\
\text{bop } ::= &\; \text{'and' } \vert \text{ 'or'}
\end{aligned}
$$

#### Syntax of Statements

$$
\begin{aligned}
\text{s } ::= &\; \text{skip} \\
    &\vert x := e \\
    &\vert \text{if } b \text{ then } s \;[\text{else } s] \\
    &\vert \text{while } b \text{ do } s \\
    &\vert \text{'\{' } slist \text{ '\}'} \\
    &\vert \text{print_state} \\
    &\vert \text{assert } b \\
    &\vert \text{assume } b \\
    &\vert \text{havoc } v_1, \ldots, v_N \\
\text{slist } ::= &\; s (\text{';'} s)* \\
\text{prog } ::= &\; \text{slist} 
\end{aligned}
$$

### Abstract Syntax Tree

- An **abstract syntax tree** is a tree in which each node represents a syntactic entity.

### Visitor Design Pattern

- An object-oriented design pattern that separates an algorithm from an element on which it operates.
- **Assignment Notes**: In Python, the method name is used to dynamically dispatch calls, e.g. `visit_Stmt()` for a `Stmt` node.

### Non-Determinism vs. Randomness

- A **deterministic** function always returns the same result on the same input.
- A **non-deterministic** function may return different values on the same input.
- A **random** function may choose a different value with a probability distribution.
- A non-deterministic choice cannot be implemented.

### Syntax and Semantics

- **Syntax**: Determines how things are expressed.
- **Semantics**: Determines how syntax is interpreted to give meaning.

### Semantics of Programming Languages

- **Denotational Semantics**: The meaning of a program is defined as the mathematical object it computes.
- **Axiomatic Semantics**: The meaning of a program is defined in terms of its effect on the truth of logical assertions.
- **Operational Semantics**: The meaning of a program is defined by formalizing the individual computation steps of the program.

### Semantics of WHILE

- A **state** $s$ is a function from $L$ to $Z$.
    - It assigns a value for every variable.
- The set of all states is $Q = L \to Z$.

#### Notation

- *Empty State*: $\left[\right]$
- *State*: $\left[x := 10, y := 15, z := 5\right]$
- *Substitution*: $s\left[x := 10\right]$

### Judgement

- $\langle e, q \rangle \Downarrow n$ states that an *expression* $e$ in *state* $q$ has a *value* $n$.
- *Note: In the judgement $\langle e, q \rangle \Downarrow n$, $n$ is the value obtained by evaluating $e$ in state $q$.*

### Inference Rules

$$
\frac{F_1 \;\ldots\; F_n}{G} \text{ where } H
$$

- An **inference rule** defines a relation between judgements $F_1, ..., F_n$ and $G$.
    - The judgements $F_1, ..., F_n$ are the **premises** of the rule.
    - The judgement $G$ is the **conclusion** of the rule.
    - The formula $H$ is called the **side condition** of the rule.
    - If $n = 0$, the rule is called an **axiom**. In this case, the line separating premises and conclusion may be omitted.
- A **derivation** infers new facts from existing facts.

### Inference Rules for Aexp

- *Note: Expressions do not mutate the state; they are side-effect free.*

$$
\begin{aligned}
&\frac{}{\langle n, q \rangle \Downarrow n} \\[1em]
&\frac{}{\langle x, q \rangle \Downarrow q(x)} \\[1em]
&\frac{\langle e_{1}, q \rangle \Downarrow n_{1} \quad \langle e_{2}, q \rangle \Downarrow n_{2}}{\langle e_{1} + e_{2}, q \rangle \Downarrow (n_{1} + n_{2})} \\[1em]
&\frac{\langle e_{1}, q \rangle \Downarrow n_{1} \quad \langle e_{2}, q \rangle \Downarrow n_{2}}{\langle e_{1} - e_{2}, q \rangle \Downarrow (n_{1} - n_{2})} \\[1em]
&\frac{\langle e_{1}, q \rangle \Downarrow n_{1} \quad \langle e_{2}, q \rangle \Downarrow n_{2}}{\langle e_{1} * e_{2}, q \rangle \Downarrow (n_{1} * n_{2})}
\end{aligned}
$$

### Inference Rules for Bexp

- *Note: Expressions do not mutate the state; they are side-effect free.*

$$
\begin{aligned}
&\frac{}{\langle \text{true}, q \rangle \Downarrow \text{true}} \\[1em]
&\frac{}{\langle \text{false}, q \rangle \Downarrow \text{false}} \\[1em]
&\frac{\langle e_{1}, q \rangle \Downarrow n_{1} \quad \langle e_{2}, q \rangle \Downarrow n_{2}}{\langle e_{1} = e_{2}, q \rangle \Downarrow (n_{1} = n_{2})} \\[1em]
&\frac{\langle e_{1}, q \rangle \Downarrow n_{1} \quad \langle e_{2}, q \rangle \Downarrow n_{2}}{\langle e_{1} \le e_{2}, q \rangle \Downarrow (n_{1} \le n_{2})} \\[1em]
&\frac{\langle b_{1}, q \rangle \Downarrow t_{1} \quad \langle b_{2}, q \rangle \Downarrow t_{2}}{\langle b_{1} \land b_{2}, q \rangle \Downarrow (t_{1} \land t_{2})}
\end{aligned}
$$

### Semantics of Statements

- $\langle s, q \rangle \Downarrow q'$
    - where $s$ is the **Program Statement**.
    - where $q$ is the **Input Program State**.
    - where $q'$ is the **Output Program State**.
    
$$
\begin{aligned}
&\frac{}{\langle \text{skip}, q \rangle \Downarrow q} \\[1em]
&\frac{}{\langle \text{print_state}, q \rangle \Downarrow q} \\[1em]
&\frac{\langle s_{1}, q \rangle \Downarrow q'' \quad \langle s_{2}, q'' \rangle \Downarrow q'}{\langle s_{1} \text{ ; } s_{2}, q \rangle \Downarrow q'} \\[1em]
&\frac{\langle e, q \rangle \Downarrow n}{\langle x := e, q \rangle \Downarrow q[x := n]} \\[1em]
&\frac{\langle b, q \rangle \Downarrow \text{true} \quad \langle s_{1}, q \rangle \Downarrow q'}{\langle \text{if } b \text{ then } s_{1} \text{ else } s_{2}, q \rangle \Downarrow q'} \\[1em]
&\frac{\langle b, q \rangle \Downarrow \text{false} \quad \langle s_{2}, q \rangle \Downarrow q'}{\langle \text{if } b \text{ then } s_{1} \text{ else } s_{2}, q \rangle \Downarrow q'}
\end{aligned}
$$

### Derivation $\implies$ Execution

- **Top-Down**: Execution.
- **Bottom-Up**: Explanation.

> Show that $\langle p := 0 \text{ ; } x := 1 \text{ ; } n := 2, [] \rangle \Downarrow [p := 0, x := 1, n := 2]$.

$$
\cfrac{
  \cfrac{
    \cfrac{\cfrac{}{\langle 0, [] \rangle \Downarrow 0}}{\langle p := 0, [] \rangle \Downarrow [p := 0]}
    \quad
    \cfrac{\cfrac{}{\langle 1, [p := 0] \rangle \Downarrow 1}}{\langle x := 1, [p := 0] \rangle \Downarrow [p := 0, x := 1]}
  }{\langle p := 0 \text{ ; } x := 1, [] \rangle \Downarrow [p := 0, x := 1]}
  \quad
  \cfrac{\cfrac{}{\langle 2, [p := 0, x := 1] \rangle \Downarrow 2}}{\langle n := 2, [p := 0, x := 1] \rangle \Downarrow [p := 0, x := 1, n := 2]}
}{\langle p := 0 \text{ ; } x := 1 \text{ ; } n := 2, [] \rangle \Downarrow [p := 0, x := 1, n := 2]}
$$

### Semantics of Loops

- Let $T$ be a special state, **top**, that represents divergence, such as an infinite loop.
- Any statement in a divergent state is treated like "skip".

$$
\begin{aligned}
&\frac{\langle b, q \rangle \Downarrow \text{false}}{\langle \text{while } b \text{ do } s, q \rangle \Downarrow q}\\[1em]
&\frac{\langle b, q \rangle \Downarrow \text{true} \quad \langle s \text{ ; while } b \text{ do } s, q \rangle \Downarrow q'}{\langle \text{while } b \text{ do } s, q \rangle \Downarrow q'}\\[1em]
&\frac{}{\langle \text{while true do } s, q \rangle \Downarrow T}\\[1em]
&\frac{}{\langle s, T \rangle \Downarrow T}
\end{aligned}
$$
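As an added worked example (not code from the course), the rules for Aexp, Bexp and statements above, including the loop rules, implemented as a big-step evaluator in Python. Assumptions: ASTs are tagged tuples, integer division truncates toward zero, and divergence (the state $T$) is not detected, so a non-terminating loop simply never returns.

```python
"""Big-step evaluator for WHILE following the rules above (added example, not
course code). ASTs are tagged tuples; dispatch is by method name visit_<tag>."""
import operator

OPS = {'+': operator.add, '-': operator.sub, '*': operator.mul,
       '/': lambda a, b: int(a / b),  # truncating integer division (assumed)
       '<': operator.lt, '<=': operator.le, '=': operator.eq,
       '>=': operator.ge, '>': operator.gt,
       'and': lambda a, b: a and b, 'or': lambda a, b: a or b}

class BigStep:
    def visit(self, node, q):                # n for Aexp, bool for Bexp, q' for Stmt
        if isinstance(node, (bool, int)):    # axioms <n, q> ⇓ n and <true, q> ⇓ true
            return node
        if isinstance(node, str):            # axiom <x, q> ⇓ q(x)
            return q[node]
        return getattr(self, 'visit_' + node[0])(node, q)  # dynamic dispatch
    def visit_binop(self, node, q):          # <e1 op e2, q> ⇓ (n1 op n2)
        _, op, e1, e2 = node
        return OPS[op](self.visit(e1, q), self.visit(e2, q))
    visit_aop = visit_rop = visit_bop = visit_binop
    def visit_not(self, node, q):
        return not self.visit(node[1], q)
    def visit_skip(self, node, q):           # <skip, q> ⇓ q
        return q
    def visit_assign(self, node, q):         # <x := e, q> ⇓ q[x := n]
        _, x, e = node
        return {**q, x: self.visit(e, q)}    # substitution builds a new state
    def visit_seq(self, node, q):            # <s1 ; s2, q> ⇓ q' through q''
        _, s1, s2 = node
        return self.visit(s2, self.visit(s1, q))
    def visit_if(self, node, q):             # apply the rule whose premise on b holds
        _, b, s1, s2 = node
        return self.visit(s1 if self.visit(b, q) else s2, q)
    def visit_while(self, node, q):          # unfold until the 'false' loop rule applies
        _, b, s = node
        while self.visit(b, q):
            q = self.visit(s, q)
        return q

def run(prog, q=None):
    """<prog, q> ⇓ q', starting from the empty state [] by default."""
    return BigStep().visit(prog, dict(q or {}))

# Constructed samples: the derivation example above, and factorial by a loop.
SAMPLE = ('seq', ('seq', ('assign', 'p', 0), ('assign', 'x', 1)), ('assign', 'n', 2))
FACT = ('seq', ('assign', 'r', 1), ('while', ('rop', '>', 'n', 0),
        ('seq', ('assign', 'r', ('aop', '*', 'r', 'n')),
                ('assign', 'n', ('aop', '-', 'n', 1)))))
```

Running `run(SAMPLE)` reproduces the final state of the derivation above, and each call to a `visit_*` method corresponds to one application of the matching rule.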

### Properties of Semantics

- A semantics is **deterministic** if every program statement has exactly one possible derivation in any state.
- Two statements are **semantically equivalent** if for every input state they derive the same output state.

#### Structural Induction

- To prove a property $P$ on a derivation tree.
    1. *Base Case*: Prove $P$ for all of the axioms.
    2. *Inductive Hypothesis*: Assume $P$ holds for the premises of every rule.
    3. *Induction*: Prove that $P$ holds for the conclusion of every rule.
- Use structural induction to prove that the semantics are deterministic.

### Structural Operational Semantics (*Small-Step*)

- *Execution of One Statement*: $\langle s, q \rangle \implies \langle t, q' \rangle$
    - where $s$ is the statement to execute.
    - where $q$ is the input state.
    - where $t$ is the rest of the program.
    - where $q'$ is the output state.

### Small-Step Semantics for WHILE

$$
\begin{aligned}
&\frac{}{\langle \text{skip}, q \rangle \implies q}\\[1em]
&\frac{\langle s_{1}, q \rangle \implies q'}{\langle s_{1} \text{ ; } s_{2}, q \rangle \implies \langle s_{2}, q' \rangle}\\[1em]
&\frac{\langle s_{1}, q \rangle \implies \langle \mathbf{s_{3}}, q' \rangle}{\langle s_{1} \text{ ; } s_{2}, q \rangle \implies \langle \mathbf{s_{3}} \text{ ; } s_{2}, q' \rangle}\\[1em]
&\frac{\langle b, q \rangle \Downarrow \text{true}}{\langle \text{if } b \text{ then } s_{1} \text{ else } s_{2}, q \rangle \implies \langle s_{1}, q \rangle}\\[1em]
&\frac{\langle b, q \rangle \Downarrow \text{false}}{\langle \text{if } b \text{ then } s_{1} \text{ else } s_{2}, q \rangle \implies \langle s_{2}, q \rangle}\\[1em]
&\frac{}{\langle \text{while } b \text{ do } s, q \rangle \implies \langle \text{if } b \text{ then } (s \text{ ;  while } b \text{ do } s) \text{ else skip}, q \rangle}
\end{aligned}
$$

### Properties of Small Step Semantics

- Small step semantics are a **transition system**: $TS = (S, R)$.
    - where $S$ is a set of states: $\langle s, q \rangle$.
    - where $R$ is a transition relation on a pair of states.
        - $(x, y) \in R \iff (x \implies y)$ is a true judgement in small-step semantics.
- **Derivation Sequence**: A path $x_{1}, x_{2}, x_{3}, \ldots$ in $TS$ corresponds to a program execution.
- Properties of small-step semantics are established by induction on the length of the derivation.
- A small-step semantics is deterministic if there is only one derivation for every configuration.

### Programming to Modeling

- **Assertions**: `assert e` - Aborts an execution when $e$ is false, no-op otherwise.
```cpp
// assert: abort the execution when the condition is false, no-op otherwise.
void assert(bool b) {
    if (!b)
        error();
}
```
- **Non-Determinism**: `havoc x` - Assign a variable $x$ a non-deterministic value.
```cpp
// havoc: y is deliberately left uninitialized so that x receives an arbitrary
// value; this models a non-deterministic choice rather than implementing one.
void havoc(int &x) {
    int y;
    x = y;
}
```
- **Assumptions**: `assume e` - Block execution if $e$ is false, no-op otherwise.
```cpp
// assume: spin forever when the condition is false, so no execution continues
// past a violated assumption; no-op otherwise.
void assume(bool e) {
    while (!e);
}
```

### Safety Specifications as Assertions

- **Correct**: If all executions that satisfy all assumptions also satisfy all assertions.
- **Incorrect**: If there exists an execution that satisfies all of the assumptions and violates at least one assertion.
- Assumptions $\implies$ Pre-Conditions.
- Assertions $\implies$ Properties.
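An added example, not course code, that ties the small-step rules, the transition system and the modeling statements together: `step` implements one transition $\langle s, q \rangle \implies \ldots$ with `assert`, `assume` and `havoc` behaving as defined above, and `check` explores the reachable configurations to decide the correct/incorrect definition of this section. Assumptions: expressions are Python callables on the state dictionary, and `havoc` ranges over a small finite domain so the exploration is exhaustive.

```python
"""Small-step exploration of WHILE plus assert, assume and havoc (added example, not
course code). Expressions are callables on the state; havoc ranges over a finite domain."""
from collections import deque

FAIL = 'FAIL'  # marks a configuration in which an assertion was violated

def step(s, q, domain):
    """One transition <s, q> => list of q' (finished), (FAIL, q') or (t, q')."""
    tag = s[0]
    if tag == 'skip':
        return [q]
    if tag == 'assign':                     # <x := e, q> => q[x := e(q)]
        return [{**q, s[1]: s[2](q)}]
    if tag == 'seq':                        # <s1, q> => q' gives <s2, q'>; <s3, q'> gives <s3 ; s2, q'>
        return [(s[2], c) if isinstance(c, dict) else c if c[0] == FAIL
                else (('seq', c[0], s[2]), c[1]) for c in step(s[1], q, domain)]
    if tag == 'if':                         # choose the branch b selects in q
        return [(s[2] if s[1](q) else s[3], q)]
    if tag == 'while':                      # unfold into if b then (s ; while b do s) else skip
        return [(('if', s[1], ('seq', s[2], s), ('skip',)), q)]
    if tag == 'assert':                     # abort when false, no-op otherwise
        return [q] if s[1](q) else [(FAIL, q)]
    if tag == 'assume':                     # block (no successor) when false
        return [q] if s[1](q) else []
    if tag == 'havoc':                      # one successor per value x may take
        return [{**q, s[1]: v} for v in domain]

def check(prog, q0, domain, bound=10000):
    """(True, None) if every execution satisfying all assumptions satisfies all
    assertions, else (False, q) with the state in which an assertion failed."""
    work, seen = deque([(prog, q0)]), set()
    while work and len(seen) < bound:       # bound caps the search on ever-changing states
        s, q = work.popleft()
        key = (s, tuple(sorted(q.items())))  # configuration <s, q> as a hashable key
        if key in seen:
            continue
        seen.add(key)
        for c in step(s, q, domain):
            if isinstance(c, tuple) and c[0] == FAIL:
                return False, c[1]
            if isinstance(c, tuple):        # finished executions (dicts) need no more work
                work.append(c)
    return True, None

# Constructed sample: the assumption is the precondition that makes the property hold.
SAFE = ('seq', ('havoc', 'x'), ('seq', ('assume', lambda q: q['x'] >= 0),
        ('seq', ('assign', 'y', lambda q: 2 * q['x']), ('assert', lambda q: q['y'] >= q['x']))))
UNSAFE = ('seq', ('havoc', 'x'),            # the same program with the assumption dropped
          ('seq', ('assign', 'y', lambda q: 2 * q['x']), ('assert', lambda q: q['y'] >= q['x'])))
```

Configurations already visited are not re-explored, so a loop that does not change the state ends the search with no violation (a divergent execution satisfies every assertion vacuously); `bound` caps the search when states keep changing.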

### Graphs, Paths, Cycle

- A **graph**, $G = (N, E)$, is an ordered pair consisting of a node set, $N$, and an edge set, $E = \{(n_{i}, n_{j})\}$.
    - **Directed**: If the pairs in $E$ are ordered.
    - **Undirected**: If the pairs in $E$ are unordered.
- A **path**, $P$, through a directed graph $G = (N, E)$ is a sequence of edges $\left( (u_{1}, v_{1}), (u_{2}, v_{2}), \ldots, (u_{t}, v_{t}) \right)$ such that the following holds.
    - where $v_{k - 1} = u_{k}$ for all $1 < k \le t$.
    - where $u_{1}$ is the start node.
    - where $v_{t}$ is the end node.
    - The length of a path is the number of edges in the path.
- A **cycle** in a graph $G$ is a path whose start node and end node are the same.
- A **tree** is an acyclic, undirected graph.
- A **directed acyclic graph (DAG)** is a directed graph without cycles.
- Every tree is isomorphic to a prefix-closed subset of $N^{*}$ for some natural number $N$.