Testing, Fixing, and Proving
with Contracts
Carlo A. Furia
Chair of Software Engineering, ETH Zurich
bugcounting.net @bugcounting
The (AlpTransit) Gotthard tunnel

The tunnel
• 57 km long
• construction at both ends
• underneath the Gotthard massif

Erstfeld
• canton Uri
• German-speaking
• weather probably cloudy

Bodio
• canton Ticino
• Italian-speaking
• weather probably sunny
Users with different requirements

Joe the programmer
• little or no background in formal techniques
• weak and simple (incomplete) specifications
• design not optimal for verification
• bugs: full verification is unattainable
• looks for low hanging fruits of verification

Verification expert
• fluent in formal logic techniques
• strong, often complete, specifications
• design for full verification
• could use automation of simpler steps
• aims at the holy grail of verified software
The Eiffel Verification Environment

[Architecture figure: front-ends (GUI, CLI, ComCom web interface) sit on top of the Verification Assistant, which drives the tools (web)Inspector, AutoTest, AutoFix and AutoProof.]
A key ingredient: contracts

Contracts are a form of lightweight specification:
• Assertions (pre- and postconditions, invariants)
• Contract language = Boolean expressions
• Executable: bring immediate benefits for testing, debugging, and so on

Verification tools in EVE take advantage of (simple) functional specifications in the form of contracts.
Auto-active user/tool interaction

1. Code + Annotations
2. Push button
3. Verification outcome
4. Correct/Revise
Roadmap

1. AutoTest: find faults automatically
2. AutoFix: patch faults automatically
3. Verification assistant: combine tests & proofs
4. Two-step verification: help debug failed proofs
5. AutoProof: prove realistic programs
Next stop: AutoTest
AutoTest in a nutshell

AutoTest is a push-button generator of unit tests
• Test = sequence of method calls on objects
• Contracts as oracles: target call o.m
  – Invalid test: o does not satisfy m’s precondition
  – Passing test: all contracts evaluate to True
  – Failing test: some contract evaluates to False

Similar tools:
• Korat (Java + assertions)
• QuickCheck (Haskell)
How AutoTest works

[Flowchart] Pick a random object o:
• an existing object from the object pool,
• a fresh object of primitive type (e.g. a random integer), or
• a new object of class type (call a constructor).
Pick a random method m and call o.m. The call is classified based on runtime contract checking:
• invalid test (o does not satisfy m’s precondition),
• failing test: bug found,
• passing test: add any new objects to the object pool.
Test generation strategies

AutoTest is a push-button generator of unit tests
• Basic generation strategy: random
• Other strategies as extensions:
  – Random+
  – Adaptive-random (object distance)
  – Precondition satisfaction
  – Stateful testing
Demo example: Bank Account

  class ACCOUNT

    balance: INTEGER

    deposit (amount: INTEGER)
      require 0 <= amount
      ensure balance = old balance + amount

    withdraw (amount: INTEGER)
      require 0 <= amount
      ensure
        balance_set:
          amount <= old balance implies balance = old balance - amount
        balance_not_set:
          amount > old balance implies balance = old balance

  invariant
    balance_nonnegative: balance >= 0
Demo 1: bug finding

AutoTest finds a bug in the implementation of withdraw that violates postcondition balance_not_set.

  withdraw (amount: INTEGER)
    require 0 <= amount
    do
      balance := balance + amount
    ensure
      balance_set:
        amount <= old balance implies balance = old balance - amount
      balance_not_set:
        amount > old balance implies balance = old balance
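As an added example (not from the slides and not AutoTest's own code), the following Python script replays the flowchart above on a port of the ACCOUNT class: the contracts are checked at run time and serve as oracles, random calls are classified as invalid, passing or failing, and the Demo 1 bug in withdraw shows up as a failing test. The Account class, its `buggy` switch (the correct branch is my own fix, not AutoFix's output) and the test budget are my constructions.

```python
"""Contracts as test oracles, AutoTest-style (constructed example, not AutoTest's code)."""
import random


class ContractViolation(Exception):
    """Raised by a run-time contract check; kind is precondition, postcondition or invariant."""

    def __init__(self, kind: str, tag: str) -> None:
        super().__init__(f"{kind} violated: {tag}")
        self.kind = kind
        self.tag = tag


class Account:
    """Python port of the ACCOUNT class from the slides, contracts inlined as checks.

    buggy=True reproduces the Demo 1 defect in withdraw (it adds instead of subtracting);
    buggy=False uses the obvious correct implementation (my fix, not AutoFix's output).
    """

    def __init__(self, buggy: bool = True) -> None:
        self.buggy = buggy
        self.balance = 0
        self._check_invariant()

    def _check_invariant(self) -> None:
        # invariant balance_nonnegative: balance >= 0
        if not self.balance >= 0:
            raise ContractViolation("invariant", "balance_nonnegative")

    def deposit(self, amount: int) -> None:
        if not 0 <= amount:                                    # require
            raise ContractViolation("precondition", "deposit_amount_non_negative")
        old_balance = self.balance
        self.balance = self.balance + amount
        if not self.balance == old_balance + amount:           # ensure
            raise ContractViolation("postcondition", "balance_increased")
        self._check_invariant()

    def withdraw(self, amount: int) -> None:
        if not 0 <= amount:                                    # require
            raise ContractViolation("precondition", "withdraw_amount_non_negative")
        old_balance = self.balance
        if self.buggy:
            self.balance = self.balance + amount               # Demo 1 bug
        elif amount <= self.balance:
            self.balance = self.balance - amount
        # ensure balance_set / balance_not_set, exactly as on the slide
        if amount <= old_balance and not self.balance == old_balance - amount:
            raise ContractViolation("postcondition", "balance_set")
        if amount > old_balance and not self.balance == old_balance:
            raise ContractViolation("postcondition", "balance_not_set")
        self._check_invariant()


METHODS = ("deposit", "withdraw")


def random_test(pool: list, rng: random.Random, buggy: bool) -> tuple:
    """One step of the flowchart: random object o, random method m, call o.m, classify.

    Returns (outcome, method, amount, violated_tag), outcome in {invalid, passing, failing}.
    """
    # Target object: an existing object from the pool, or a new one via the constructor.
    if pool and rng.random() < 0.7:
        target = rng.choice(pool)
    else:
        target = Account(buggy)
        pool.append(target)                                    # new objects join the pool
    method = rng.choice(METHODS)
    amount = rng.randint(-5, 20)    # fresh primitive argument; negatives probe preconditions
    try:
        getattr(target, method)(amount)
    except ContractViolation as violation:
        if violation.kind == "precondition":
            return ("invalid", method, amount, violation.tag)  # o did not satisfy m's pre
        return ("failing", method, amount, violation.tag)      # some contract is False
    return ("passing", method, amount, None)                   # all contracts were True


def run_autotest(num_tests: int = 200, seed: int = 0, buggy: bool = True) -> tuple:
    """Run a fixed budget of random tests; return the outcome counts and the distinct
    (method, violated contract) pairs, i.e. the bugs found."""
    rng = random.Random(seed)
    pool: list = []
    counts = {"invalid": 0, "passing": 0, "failing": 0}
    bugs = set()
    for _ in range(num_tests):
        outcome, method, _amount, tag = random_test(pool, rng, buggy)
        counts[outcome] += 1
        if outcome == "failing":
            bugs.add((method, tag))
    return counts, bugs


if __name__ == "__main__":
    for flag in (True, False):
        found_counts, found_bugs = run_autotest(buggy=flag)
        print("buggy" if flag else "fixed", found_counts, sorted(found_bugs))
```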
Next stop: AutoFix
AutoFix in a nutshell

AutoFix is a push-button generator of fixes.

[Figure: the programmer's coding activity feeds code + contracts into AutoFix, which returns bugs + patches.]

Similar tools:
• GenProg, Kali (C)
• PAR (Java)
How AutoFix works

[Pipeline figure] Program + Contracts → AutoTest → Test suite → Analysis → Suspicious states → Synthesis → Candidate fixes → Validation & ranking → Valid fixes.

The analysis abstracts the program state at each location into snapshots (e.g. count = 1, count = 2, count = 0); a suspicious snapshot such as count = 0 @ L4 becomes the guard of a candidate fix: if count = 0 then ...
AutoFix: Components

Program state abstraction:
• snapshots: location, predicate, value

Fault localization:
• static information: proximity to failing location/expression
• dynamic information: number of failing/passing tests

Synthesis:
• enumeration of common replacement expressions and instructions
• conditional execution:
    @ location:
      if predicate = value then some fix action

Validation:
• regression testing with all available tests for method being fixed
• valid fix: passes all available tests

Ranking:
• based on suspiciousness score of snapshots
Demo 1b: bug fixing

AutoFix builds fixes for the bug in the implementation of withdraw. The slides show two of them (as screenshots):
• a “high-quality” (proper, correct) fix;
• a fix that just happens to pass all tests.
Experiments with AutoFix

Source programs: standard data-structure libraries, text library, card game.

                      LOC of source   # unique   % fixed   % high-quality   Time: test + fix
                      + contracts     errors     errors    fixes            [minutes]
  Fix implementation  73’000          204        42%       25%              17 + 3
  Fix contracts       24’500          44         95%       25%              31 + 3

For comparison, GenProg, according to the analysis by [Qui+, ISSTA’15]: < 2% high-quality fixes.
Next stop: Verification assistant
Integrating different tools

A verification assistant manages individual tools
– Select tools and program parts to be verified
– Collect results and aggregate them

[Figure: the Verification Assistant dispatches classes C1, C2, …, Cn to the tools AutoTest, AutoProof, Inspector and AutoFix, and stores each tool's per-class results (AT1 … ATn, AP1 … APn, AI1 … AIn, AF1 … AFn) in a data pool.]
Scores: aggregated verification results

Each method & class receives a correctness score
• A value in the interval [-1, 1]
• Estimate of evidence for correctness

  -1: evidence of incorrectness (conclusive evidence)
   0: lack of evidence
   1: evidence of correctness (conclusive evidence)
Score for testing

• Failing test case: conclusive evidence of incorrectness
• Passing test case: increases evidence of correctness
• Absolute value may vary according to other metrics
  – used heuristics, coverage, testing time, …

[Figure, built up over several slides: on the -1 … 1 scale a failing test case sits at -1, while each passing test case moves the score one step further toward 1.]
Score for correctness proofs

AutoProof is sound but incomplete:
– Timeout: score 0
– Failed proof: score -0.2

[Figure: on the -1 … 1 scale, a successful proof for a sound tool sits at 1 (conclusive); a failed proof would sit at -1 only for a complete tool.]
Combining scores of different tools

• Running each tool determines a score for each method
• Overall score for a class: weighted average
• Weights depend on the relative confidence in reliability of tools
  – may be application and configuration dependent
• Overall score of modules (packages) may also weigh components differently according to their criticality
Demo 2: combined testing and proving

The verification assistant runs on the version of ACCOUNT patched by AutoFix: deposit does not verify, but passes all tests, which gives reasonable confidence in its correctness.
Next stop: Two-step verification
Modular proofs

Verifiers such as AutoProof perform modular reasoning:
• Effects of a call to method m within the caller = m’s specification (pre, post, frame)

How we wrote it:

  deposit (amount: INTEGER)
    require
      0 <= amount
    do
      update_balance (amount)

How AutoProof sees it:

  deposit (amount: INTEGER)
    require
      0 <= amount
    do
      assert update_balance.pre
      havoc update_balance.frame
      assume update_balance.post
Modular proofs in practice

Verifiers such as AutoProof perform modular reasoning
• Necessary for scalability
• Consistent with design-by-contract and information hiding
• But providing the detailed specifications necessary for verification may be tedious or overly complex
Specification writing fatigue

Providing the specification necessary for verification may be tedious, especially in the most straightforward cases.

How we wrote it:

  deposit (amount: INTEGER)
    require
      0 <= amount
    do
      update_balance (amount)
    ensure
      balance = old balance + amount

How we thought about it:

  deposit (amount: INTEGER)
    require
      0 <= amount
    do
      balance := balance + amount
    ensure
      balance = old balance + amount
Debugging failed verification

When verification fails with verifiers such as AutoProof (modular, sound, incomplete), two explanations are possible:
• Is there a bug in the program?
• Is the program correct, but the specification insufficient?

To help debug failed verification attempts, AutoProof features two-step verification.
Two-step verification

Two-step verification improves user feedback, especially in the presence of little specification.
1. First verification step
   – Standard modular verification
2. Second verification step
   – Ignore specification of called routines and loops
   – Uses inlining and unrolling
Feedback: combination of outcomes of 1 & 2
Step 1: modular verification

  update_balance (a: INTEGER)
    do
      balance := balance + a
    end

  deposit (amount: INTEGER)
    require
      0 <= amount
    do
      update_balance (amount)
    ensure
      balance = old balance + amount

Postcondition violated: modular verification fails. The callee has no postcondition, so its effect on balance is undefined for the caller.
Step 2: verification with inlining

  update_balance (a: INTEGER)
    do
      balance := balance + a
    end

  deposit (amount: INTEGER)
    require
      0 <= amount
    do
      balance := balance + amount
    ensure
      balance = old balance + amount

Verification with inlining succeeds: attribute balance is incremented by amount.
Feedback: change (strengthen) the specification of update_balance.
Demo 2b: two-step verification

AutoProof with two-step verification runs on the version of ACCOUNT patched by AutoFix: deposit verifies after inlining update_balance.
• Provide postcondition to update_balance
or
• Direct AutoProof to use update_balance inlined

Follow this demo at http://bit.do/tap-tutorial (Switch to tab account2.e)
Two-step verification: feedback

  r                      s
    require Pr             require Ps
    do                     do
      s                      :
    ensure Qr              ensure Qs

  Step 1: modular   Step 2: inlined             Suggestion
  Verify r          Verify s    Verify r
  Ps fails          Succeeds    Succeeds        Weaken Ps or use inlined
  Qr fails          Succeeds    Succeeds        Strengthen Qs or use inlined
  Succeeds          Qs fails    Succeeds        Strengthen Ps / Weaken Qs
Next stop: AutoProof
AutoProof in a nutshell

AutoProof is an auto-active verifier for Eiffel
• Prover for functional properties
• All-out support of object-oriented idiomatic structures (e.g. patterns)
  – Based on class invariants
• Flexible: incrementality
  – Proving simple properties requires few annotations
  – Proving complex properties is possible with more effort
Demo 3: a taste of AutoProof

AutoProof verifies method transfer with suitable specification:

  transfer (amount: INTEGER; other: ACCOUNT)
      -- Transfer `amount' from this account to `other'.
    require
      amount_non_negative: 0 <= amount
      amount_available: amount <= balance
    do
      withdraw (amount)
      other.deposit (amount)
    ensure
      deposit_done: other.balance = old other.balance + amount
      withdrawal_done: balance = old balance - amount

Follow this demo at http://bit.do/tap-tutorial (Switch to tab account3.e)
Sound program verifiers compared

[Figure: sound program verifiers placed along two axes, more automation vs. more complex properties: static analysis, ESC/Java2, OpenJML, Spec#, VCC, Chalice, Dafny, KeY, VeriFast, interactive (KIV).]
Reasoning with class invariants

Class invariants are a natural way to reason about object-oriented programs: invariant = consistency of objects.

[Figure: an ACCOUNT object next to a LIST object]

  ACCOUNT
  invariant
    balance >= 0
Multi-object structures

Object-oriented programs involve multiple objects (duh!), whose consistency is often mutually dependent.

[Figure: the ACCOUNT's invariant now also refers to its transactions LIST; an AUDITOR holds a reference to the same list.]

  ACCOUNT
  invariant
    balance >= 0
    balance = sum (transactions)

Consistency of multi-object structures

Mutually dependent object structures require extra care to enforce, and reason about, consistency (cmp. encapsulation).
Open and closed objects

When (at which program points) must class invariants hold? To provide flexibility, objects in AutoProof can be open or closed.

              CLOSED        OPEN
  Object:     Consistent    Inconsistent
  State:      Stable        Transient
  Invariant:  Holds         May not hold
Ownership

For hierarchical object structures, AutoProof offers an ownership protocol.

  ACCOUNT
  invariant
    balance >= 0
    owns = [ transactions ]
    balance = sum (transactions)

[Animated figure, built up over several slides: the ACCOUNT owns its transactions LIST (owns); an AUDITOR also references the list. The animation steps through a call to add_node on the list and a call to update_balance on the account.]
Demo 4: ownership in AutoProof

AutoProof verifies the ACCOUNT with an owned list of transactions:

  transactions: SIMPLE_LIST [INTEGER]
      -- History of transactions:
      -- positive integer = deposited amount
      -- negative integer = withdrawn amount
      -- latest transactions in back of list

Follow this demo at http://bit.do/tap-tutorial (Switch to tab account4.e)
Semantic collaboration

For collaborative object structures, AutoProof offers a novel protocol: semantic collaboration.
• Subjects = objects my consistency depends on
• Observers = objects whose consistency depends on me

[Figure: several ACCOUNT objects each reference one BANK through bank; the bank is a subject of the accounts, and the accounts are observers of the bank.]

  ACCOUNT
  invariant
    subjects = [ bank ]
    Current in bank.observers
      -- Implicit in AutoProof
    interest_rate = bank.rate
Demo 5: collaboration in AutoProof

AutoProof verifies the ACCOUNT with a BANK that sets a master interest rate:

  bank: BANK
      -- Provider of this account

  invariant
    non_negative_rate: 0 <= interest_rate
    bank_exists: bank /= Void
    consistent_rate: interest_rate = bank.master_rate

Follow this demo at http://bit.do/tap-tutorial (Switch to tabs account5.e and bank5.e)
AutoProof on realistic software

Verification benchmarks:

  # programs   LOC    SPEC/CODE      Verification time
  25           4400   Lines: 1.0     Total: 3.4 min
                      Tokens: 1.9    Longest method: 12 sec
                                     Average method: < 1 sec

EiffelBase2 – a realistic container library:

  # classes    LOC    SPEC/CODE      Verification time
  46           8400   Lines: 1.4     Total: 7.2 min
                      Tokens: 2.7    Longest method: 12 sec
                                     Average method: < 1 sec
Testing, fixing, and proving with contracts: acknowledgements

Julian Tschannen, Nadia Polikarpova, Yu (Max) Pei, Yi (Jason) Wei, Andreas Zeller, Bertrand Meyer, Ilinca Ciupa-Moser, Andreas Leitner
Testing, fixing, and proving with contracts (in Eiffel)

1. AutoTest
2. AutoFix
3. Verif. assist.
4. Two-step
5. AutoProof

http://se.inf.ethz.ch/research/eve/
http://cloudstudio.ethz.ch/comcom/

See TAP 2015’s proceedings for references to technical papers.

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 

Testing, fixing, and proving with contracts

  • 9. Next stop: AutoTest (step 1 of the roadmap)
    1. AutoTest: find faults automatically
    2. AutoFix: patch faults automatically
    3. Verification assistant: combine tests and proofs
    4. Two-step verification: help debug failed proofs
    5. AutoProof: prove realistic programs
  • 10. AutoTest in a nutshell
    AutoTest is a push-button generator of unit tests.
    • Test = sequence of method calls on objects
    • Contracts as oracles; for a target call o.m:
      – Invalid test: o does not satisfy m's precondition
      – Passing test: all contracts evaluate to True
      – Failing test: some contract evaluates to False
    Similar tools: Korat (Java + assertions), QuickCheck (Haskell)
  • 11. How AutoTest works
    Generation loop: pick a random object o and a random method m, then call o.m.
    • Random object o: an existing object from the object pool, a fresh object of primitive type (e.g. a random integer), or a new object of class type (call a constructor)
    • Classification of the call, based on runtime contract checking: invalid test, passing test, or failing test (bug found)
    • Add any new objects to the object pool
  • 12. Test generation strategies
    AutoTest is a push-button generator of unit tests.
    • Basic generation strategy: random
    • Other strategies as extensions:
      – Random+
      – Adaptive-random (object distance)
      – Precondition satisfaction
      – Stateful testing
  • 13. Demo example: Bank Account (contract view of class ACCOUNT; routine bodies omitted)

    class ACCOUNT
    feature
      balance: INTEGER

      deposit (amount: INTEGER)
        require
          0 <= amount
        ensure
          balance = old balance + amount
        end

      withdraw (amount: INTEGER)
        require
          0 <= amount
        ensure
          balance_set: amount <= old balance implies balance = old balance - amount
          balance_not_set: amount > old balance implies balance = old balance
        end

    invariant
      balance_nonnegative: balance >= 0
    end
  • 14. Demo 1: bug finding
    AutoTest finds a bug in the implementation of withdraw that violates postcondition balance_not_set (the body adds the amount instead of subtracting it, regardless of whether the balance covers it):

    withdraw (amount: INTEGER)
      require
        0 <= amount
      do
        balance := balance + amount
      ensure
        balance_set: amount <= old balance implies balance = old balance - amount
        balance_not_set: amount > old balance implies balance = old balance
      end
  • 16. Next stop: AutoFix (step 2 of the roadmap: patch faults automatically)
  • 17. AutoFix in a nutshell
    AutoFix is a push-button generator of fixes: given code + contracts, it reports bugs together with patches.
    Similar tools: GenProg, Kali (C); PAR (Java)
  • 18. How AutoFix works
    Pipeline (figure): Program + Contracts → AutoTest → Test suite → Analysis → Suspicious states → Synthesis → Candidate fixes → Validation & ranking → Valid fixes.
    Example from the figure: snapshots of a variable count (count = 1, count = 2, count = 0) single out the suspicious state count = 0 @ L4, which yields the candidate fix "if count = 0 then ...".
  • 19. AutoFix: Components
    Program state abstraction:
    • snapshots: location, predicate, value
    Fault localization:
    • static information: proximity to failing location/expression
    • dynamic information: number of failing/passing tests
  • 20. AutoFix: Components
    Program state abstraction:
    • snapshots: location, predicate, value
    Synthesis:
    • enumeration of common replacement expressions and instructions
    • conditional execution: @ location: if predicate = value then some fix action
  • 21. AutoFix: Components
    Validation:
    • regression testing with all available tests for the method being fixed
    • valid fix: passes all available tests
    Ranking:
    • based on suspiciousness score of snapshots
  • 22. Demo 1b: bug fixing
    AutoFix builds fixes for the bug in the implementation of withdraw. A "high-quality" (proper, correct) fix.
  • 23. Demo 1b: bug fixing
    AutoFix builds fixes for the bug in the implementation of withdraw. A fix that just happens to pass all tests.
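The AutoTest classification (slides 10 to 14) and the AutoFix analysis, synthesis and validation steps (slides 17 to 23), as one added example in Python; this is not code from the slides or from EVE. It ports the ACCOUNT contracts, plugs in the faulty withdraw body of slide 14, generates random call sequences and classifies them by runtime contract checking, then localises the fault with snapshots taken at the entry of withdraw and enumerates conditional fixes validated against the generated tests. The predicate set, the suspiciousness formula (share of failing tests among those in which a snapshot was observed), the three-entry menu of fix actions and the shape of the random tests are assumptions made for this example.

```python
"""Added example, not code from the slides or from EVE: an AutoTest-style random tester and
an AutoFix-style fix synthesizer for a Python port of the ACCOUNT class of slides 13 and 14.
The test shape, snapshot predicates, suspiciousness formula and fix-action menu are assumptions."""
import random

class ContractViolation(Exception):
    """args = (kind, tag), e.g. ("postcondition", "balance_not_set")."""

def check(kind, cond, tag):
    """Runtime contract check: raise if a clause evaluates to False."""
    if not cond:
        raise ContractViolation(kind, tag)

SNAPSHOT_PREDICATES = {   # evaluated at the entry of withdraw (assumed set of predicates)
    "amount <= balance": lambda acc, amount: amount <= acc.balance,
    "amount > balance": lambda acc, amount: amount > acc.balance,
    "balance = 0": lambda acc, amount: acc.balance == 0,
}

def buggy_withdraw(acc, amount):
    """The faulty body of withdraw from slide 14: it adds instead of subtracting."""
    acc.balance = acc.balance + amount

class Account:
    """ACCOUNT with its contracts checked at run time; the body of withdraw is pluggable."""
    def __init__(self, withdraw_body, trace=None):
        self.balance, self.withdraw_body, self.trace = 0, withdraw_body, trace
        self.invariant()
    def invariant(self):
        check("invariant", self.balance >= 0, "balance_nonnegative")
    def deposit(self, amount):
        check("precondition", 0 <= amount, "deposit.amount_nonnegative")
        old = self.balance
        self.balance = old + amount
        check("postcondition", self.balance == old + amount, "deposit")
        self.invariant()
    def withdraw(self, amount):
        check("precondition", 0 <= amount, "withdraw.amount_nonnegative")
        if self.trace is not None:   # record (predicate, value) snapshots for fault localization
            self.trace.extend((p, f(self, amount)) for p, f in SNAPSHOT_PREDICATES.items())
        old = self.balance
        self.withdraw_body(self, amount)
        check("postcondition", amount > old or self.balance == old - amount, "balance_set")
        check("postcondition", amount <= old or self.balance == old, "balance_not_set")
        self.invariant()

def run_test(calls, withdraw_body, trace=None):
    """Classify one test (a list of (method, amount) calls on a fresh ACCOUNT) as AutoTest does."""
    acc = Account(withdraw_body, trace)
    try:
        for name, amount in calls:
            getattr(acc, name)(amount)
    except ContractViolation as v:
        return "invalid" if v.args[0] == "precondition" else "failing"
    return "passing"

def generate_tests(n, seed, withdraw_body):
    """Random test generation: n call sequences bucketed by verdict (deterministic per seed)."""
    rng = random.Random(seed)
    suite = {"invalid": [], "passing": [], "failing": []}
    for _ in range(n):
        calls = [(rng.choice(["deposit", "withdraw"]), rng.randint(-1, 8))
                 for _ in range(rng.randint(1, 4))]
        suite[run_test(calls, withdraw_body)].append(calls)
    return suite

def suspiciousness(suite, withdraw_body):
    """Fault localization: share of failing tests among those in which each snapshot was seen."""
    counts = {}
    for verdict in ("passing", "failing"):
        for calls in suite[verdict]:
            trace = []
            run_test(calls, withdraw_body, trace)
            for snap in set(trace):
                counts.setdefault(snap, [0, 0])[verdict == "failing"] += 1
    return {snap: f / (p + f) for snap, (p, f) in counts.items()}

FIX_ACTIONS = {   # assumed menu of replacement instructions
    "balance := balance - amount": lambda acc, a: setattr(acc, "balance", acc.balance - a),
    "balance := balance + amount": lambda acc, a: setattr(acc, "balance", acc.balance + a),
    "skip": lambda acc, a: None,
}

def make_fix(pred, value, then_action, else_action):
    """Conditional fix at the entry of withdraw: if pred = value then then_action else else_action."""
    def body(acc, amount):
        branch = then_action if SNAPSHOT_PREDICATES[pred](acc, amount) == value else else_action
        FIX_ACTIONS[branch](acc, amount)
    return body

def synthesize_fixes(suite, withdraw_body):
    """Validation and ranking: keep the fixes no passing or failing test rejects, ranked by score
    (a test that merely becomes invalid under a fix is not a counterexample)."""
    tests, valid = suite["passing"] + suite["failing"], []
    for (pred, value), score in suspiciousness(suite, withdraw_body).items():
        for then_action in FIX_ACTIONS:
            for else_action in FIX_ACTIONS:
                fix = make_fix(pred, value, then_action, else_action)
                if all(run_test(calls, fix) != "failing" for calls in tests):
                    valid.append((score, f"if {pred} = {value} then {then_action} else {else_action}"))
    return sorted(valid, key=lambda sf: -sf[0])
```

With a weak test suite the ranking can prefer an overfitted fix, which is the situation of slide 23: given only the failing test withdraw (5) on an empty account and the passing test deposit (5); withdraw (0), the candidate "if balance = 0 then skip else balance := balance + amount" passes both tests and scores 1.0, while the proper "if amount <= balance then balance := balance - amount else skip" scores 0.0 because its guard was only observed in the passing test. A larger random suite from generate_tests contains tests that reject the overfitted candidate, and the proper fix survives any suite because it satisfies the contracts on every input.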
  • 24. Experiments with AutoFix
    Source programs: standard data-structure libraries, text library, card game.

    Target              LOC of source + contracts   # unique errors   % fixed errors   % high-quality fixes   Time: test + fix [minutes]
    Fix implementation  73'000                      204               42%              25%                    17 + 3
    Fix contracts       24'500                      44                95%              25%                    31 + 3

  • 25. Experiments with AutoFix
    Same data as slide 24 for fixing the implementation (73'000 LOC, 204 unique errors, 42% fixed, 25% high-quality fixes, 17 + 3 minutes). For comparison, GenProg produces < 2% high-quality fixes according to the analysis by [Qui+, ISSTA'15].
  • 26. Next stop: Verification assistant (step 3 of the roadmap: combine tests and proofs)
  • 27. Integrating different tools
    A verification assistant manages individual tools:
    – Select tools and program parts to be verified
    – Collect results and aggregate them
    Figure: the assistant dispatches classes C1 ... Cn to the tools (AutoTest, AutoProof, AutoFix, Inspector) and stores their results (AT1 ... ATn, AP1 ... APn, AF1 ... AFn, AI1 ... AIn) in a shared data pool.
  • 28. Scores: aggregated verification results
    Each method & class receives a correctness score:
    • A value in the interval [-1, 1]
    • Estimate of evidence for correctness: -1 = conclusive evidence of incorrectness, 0 = lack of evidence, 1 = conclusive evidence of correctness
  • 29. Score for testing
    • Failing test case: conclusive evidence of incorrectness (score -1)
    • Passing test case: increases evidence of correctness (each further passing test moves the score closer to 1)
    • Absolute value may vary according to other metrics
      – used heuristics, coverage, testing time, …
  • 34. Score for correctness proofs
    AutoProof is sound but incomplete:
    – Successful proof: conclusive evidence of correctness (score 1, because the tool is sound)
    – Timeout: score 0
    – Failed proof: score -0.2 (a failed proof would be conclusive, score -1, only for a complete tool)
  • 35. Combining scores of different tools
    • Running each tool determines a score for each method
    • Overall score for a class: weighted average
    • Weights depend on the relative confidence in the reliability of the tools
      – may be application and configuration dependent
    • Overall score of modules (packages) may also weigh components differently according to their criticality
  • 36. Demo 2: combined testing and proving
    The verification assistant runs on the version of ACCOUNT patched by AutoFix: deposit does not verify, but passes all tests, which gives reasonable confidence in its correctness.
  • 37. Next stop: Two-step verification (step 4 of the roadmap: help debug failed proofs)
  • 38. Modular proofs
    Verifiers such as AutoProof perform modular reasoning:
    • Effects of a call to method m within the caller = m's specification (pre, post, frame)

    How we wrote it:

    deposit (amount: INTEGER)
      require
        0 <= amount
      do
        update_balance (amount)
      end

    How AutoProof sees it:

    deposit (amount: INTEGER)
      require
        0 <= amount
      do
        assert update_balance.pre
        havoc update_balance.frame
        assume update_balance.post
      end
  • 39. Modular proofs in practice
    Verifiers such as AutoProof perform modular reasoning:
    • Necessary for scalability
    • Consistent with design-by-contract and information hiding
    • But providing the detailed specifications necessary for verification may be tedious or overly complex
  • 40. Specification writing fatigue
    Providing the specification necessary for verification may be tedious, especially in the most straightforward cases.

    How we wrote it:

    deposit (amount: INTEGER)
      require
        0 <= amount
      do
        update_balance (amount)
      ensure
        balance = old balance + amount
      end

    How we thought about it:

    deposit (amount: INTEGER)
      require
        0 <= amount
      do
        balance := balance + amount
      ensure
        balance = old balance + amount
      end
  • 41. Debugging failed verification
    When verification fails with verifiers such as AutoProof (modular, sound, incomplete), which is it?
    • There is a bug
    • The program is correct, but the specification is insufficient
    To help debug failed verification attempts, AutoProof features two-step verification.
  • 42. Two-step verification
    Two-step verification improves user feedback, especially in the presence of little specification.
    1. First verification step
      – Standard modular verification
    2. Second verification step
      – Ignore specification of called routines and loops
      – Uses inlining and unrolling
    Feedback: combination of the outcomes of 1 & 2
  • 43. Step 1: modular verification
    Modular verification fails: the postcondition of deposit is reported as violated. update_balance has no postcondition, so its effect on balance is undefined for the caller.

    update_balance (a: INTEGER)
      do
        balance := balance + a
      end

    deposit (amount: INTEGER)
      require
        0 <= amount
      do
        update_balance (amount)
      ensure
        balance = old balance + amount
      end
  • 44. Step 2: verification with inlining
    Verification with inlining succeeds: attribute balance is incremented by amount.
    Feedback: change (strengthen) the specification of update_balance.

    update_balance (a: INTEGER)
      do
        balance := balance + a
      end

    deposit (amount: INTEGER)   -- as verified with update_balance inlined
      require
        0 <= amount
      do
        balance := balance + amount
      ensure
        balance = old balance + amount
      end
  • 45. Demo 2b: two-step verification
    AutoProof with two-step verification runs on the version of ACCOUNT patched by AutoFix: deposit verifies after inlining update_balance. Either
    • provide a postcondition for update_balance, or
    • direct AutoProof to use update_balance inlined.
    Follow this demo at http://bit.do/tap-tutorial (switch to tab account2.e)
  • 46. Two-step verification: feedback
    Setting: routine r (require Pr; body calls s; ensure Qr) calls routine s (require Ps; ensure Qs).

    Step 1: modular             Step 2: inlined   Suggestion
    verify r     verify s       verify r
    Ps fails     succeeds       succeeds          Weaken Ps or use inlined
    Qr fails     succeeds       succeeds          Strengthen Qs or use inlined
    succeeds     Qs fails       succeeds          Strengthen Ps / Weaken Qs
  • 50. Next stop: AutoProof (step 5 of the roadmap: prove realistic programs)
  • 51. AutoProof in a nutshell
    AutoProof is an auto-active verifier for Eiffel
    • Prover for functional properties
    • All-out support of object-oriented idiomatic structures (e.g. patterns)
      – Based on class invariants
    • Flexible: incrementality
      – Proving simple properties requires few annotations
      – Proving complex properties is possible with more effort
  • 52. Demo 3: a taste of AutoProof
    AutoProof verifies method transfer with a suitable specification:

    transfer (amount: INTEGER; other: ACCOUNT)
        -- Transfer `amount' from this account to `other'.
      require
        amount_non_negative: 0 <= amount
        amount_available: amount <= balance
      do
        withdraw (amount)
        other.deposit (amount)
      ensure
        deposit_done: other.balance = old other.balance + amount
        withdrawal_done: balance = old balance - amount
      end

    Follow this demo at http://bit.do/tap-tutorial (switch to tab account3.e)
  • 53. Sound program verifiers compared
    Chart (axes: more automation vs. more complex properties) placing static analysis, ESC/Java2, OpenJML, Spec#, VCC, Chalice, Dafny, KeY, VeriFast and interactive provers (KIV).
  • 54. Reasoning with class invariants
    Class invariants are a natural way to reason about object-oriented programs: invariant = consistency of objects. Example: ACCOUNT with invariant balance >= 0.
  • 55. Multi-object structures
    Object-oriented programs involve multiple objects (duh!), whose consistency is often mutually dependent. Figure: an ACCOUNT refers to a LIST through attribute transactions, with
    invariant
      balance >= 0
      balance = sum (transactions)
  • 56. Consistency of multi-object structures
    Mutually dependent object structures require extra care to enforce, and reason about, consistency (cmp. encapsulation). Figure: as on slide 55, plus an AUDITOR that also refers to the LIST.
  • 58. Open and closed objects
    When (at which program points) must class invariants hold? To provide flexibility, objects in AutoProof can be open or closed:

    Object       CLOSED       OPEN
    Consistency  consistent   inconsistent
    State        stable       transient
    Invariant    holds        may not hold
  • 59. Ownership (slides 59 to 65)
    For hierarchical object structures, AutoProof offers an ownership protocol. Figure: ACCOUNT owns its LIST of transactions, with
    invariant
      balance >= 0
      owns = [ transactions ]
      balance = sum (transactions)
    The animation adds an AUDITOR that also refers to the LIST, then steps through a call to add_node on the LIST and a call to update_balance on the ACCOUNT.
  • 66. Demo 4: ownership in AutoProof
    AutoProof verifies the ACCOUNT with an owned list of transactions:

    transactions: SIMPLE_LIST [INTEGER]
        -- History of transactions:
        -- positive integer = deposited amount
        -- negative integer = withdrawn amount
        -- latest transactions in back of list

    Follow this demo at http://bit.do/tap-tutorial (switch to tab account4.e)
  • 67. Semantic collaboration (slides 67 and 68)
    For collaborative object structures, AutoProof offers a novel protocol: semantic collaboration. Figure: several ACCOUNT objects refer to the same BANK through attribute bank, with
    invariant
      interest_rate = bank.rate
  • 69. Semantic collaboration
    • Subjects = objects my consistency depends on
    • Observers = objects whose consistency depends on me
    invariant
      subjects = [ bank ]
      Current in bank.observers   -- Implicit in AutoProof
      interest_rate = bank.rate
  • 70. Demo 5: collaboration in AutoProof
    AutoProof verifies the ACCOUNT with a BANK that sets a master interest rate:

    bank: BANK
        -- Provider of this account

    invariant
      non_negative_rate: 0 <= interest_rate
      bank_exists: bank /= Void
      consistent_rate: interest_rate = bank.master_rate

    Follow this demo at http://bit.do/tap-tutorial (switch to tabs account5.e and bank5.e)
  • 71. AutoProof on realistic software
    Verification benchmarks: EiffelBase2, a realistic container library.

    # programs   LOC    SPEC/CODE                Verification time
    25           4400   lines: 1.0, tokens: 1.9  total 3.4 min; longest method 12 s; average method < 1 s

    # classes    LOC    SPEC/CODE                Verification time
    46           8400   lines: 1.4, tokens: 2.7  total 7.2 min; longest method 12 s; average method < 1 s
  • 72. Testing, fixing, and proving with contracts: acknowledgements
    Julian Tschannen, Nadia Polikarpova, Yu (Max) Pei, Yi (Jason) Wei, Andreas Zeller, Bertrand Meyer, Ilinca Ciupa-Moser, Andreas Leitner
  • 73. Testing, fixing, and proving with contracts (in Eiffel)
    1. AutoTest  2. AutoFix  3. Verif. assist.  4. Two-step  5. AutoProof
    http://se.inf.ethz.ch/research/eve/
    http://cloudstudio.ethz.ch/comcom/
    See TAP 2015's proceedings for references to technical papers.