OO Verification Research Results

John Joseph Chilenski
Associate Technical Fellow
Boeing Commercial Airplanes
July 27, 2005

Background

- Boeing is conducting a three phase research project into the verification of object-oriented technology (OOT)
- Phase I was a survey of current OOT verification practices in use within commercial aviation projects
  - Results were presented as part of the OO ? discussion earlier today
- Phase II is an investigation into the data coupling and control coupling (DC3) aspects of OOT
  - Results to date will be presented in this discussion

Background (continued)

- Phase III will be
  - An investigation into the adequacy of structural coverage analysis done at the object code level instead of the source code level in OOT
  - Identification of concerns and open issues concerning OOT software verification that identify issues requiring further research

Agenda

- Coupling = Dependence
- Object Oriented Issues
  - Inheritance
  - Aggregation
  - Association
  - Polymorphism
    - Static Dispatch
    - Dynamic Dispatch

Coupling = Dependence

- Given the material in DO-178B, DO-248B FAQ#9 & FAQ#67 and CAST-19, we can conclude that the intent of the structural coverage analyses of the confirmation of DC3 is to:
  - Provide an objective assessment (measure) of the completeness of the requirements-based tests of the integrated components
    - Demonstration of the presence of intended interactions (function) between those components
    - Support the demonstration of the absence of unintended interactions (function) between those components
- This indicates that the confirmation of DC3 is specifically targeted at the integration process and its tests

Coupling = Dependence

- Integration focuses on dependencies and interfaces between components
- Semantic dependence between two program points has been shown to be uncomputable in the general case
- In standard CS usage, multiple components can be
  - Independent (uncoupled)
  - Dependent (coupled)
    - Control Dependent = control coupled
    - Data Dependent = data coupled
    - Both
- Control and data dependence have been shown to be conservative approximations of semantic dependence

Coupling = Dependence

- In standard CS usage, a data dependence exists between two components if one component defines a data object and the other component uses that definition of the data object under some operational scenario
  - The data user is dependent on the data definer
- D is data dependent on A because of C
- D is data dependent on B because of Y

Coupling = Dependence

- In standard CS usage, a control dependence exists between two components when the execution of one component depends on the other
  - One component calls the other under some operational scenario
  - The callee is dependent on the caller
- B is control dependent on A because A calls B
- D is control dependent on A because A conditionally calls D

Coupling = Dependence

- One component defines the data objects that determine the execution sequence taken by the other component under some operational scenario
  - This is just a special form of data dependence where the use of the data object is in a decision that determines whether the callee is called or not
- D is control dependent on A because of C
- D is control dependent on B because of Y

Coupling = Dependence

- Verification of a data dependence can be accomplished by execution of a definition-use-association (DUA)
- A DUA for an object X (dX, uX, X) is formed by a pair of statements:
  - A definition statement (dX) where X is given a value
  - A use statement (uX) where the value given to X in dX is used
- (A.5, D.3, C)
- (B.3, D.3, Y)

Coupling = Dependence

- Verification of a control dependence can either be accomplished by execution of a DUA or call-association
- A call-association between two components A, B, (A, c, B, p) is formed by
  - A call site c (a statement in A where B is called), and
  - A predicate p that identifies the conditions under which the call will occur
- (A, A.3, B, A.entered)
- (A, A.6, D, A.entered and C.A.4)
- (A.5, D.3, C)
- (B.3, D.3, Y)

Coupling = Dependence

- These analyses are standard in compiler optimization
- Coverage of DUAs has been looked at for over 20 years
  - Data flow coverage
- Coverage of inter-procedural/inter-class DUAs has been looked at as an integration testing adequacy criterion for over 15 years (inter-procedural) and is emerging for OOT (inter-class)
- Commercial tools are becoming available to perform these analyses
  - Including the coverage analysis
- Coverage of call associations requires further work

Object Oriented Issues - Inheritance, Aggregation, Association

Object Oriented Issues - Inheritance

- The parent class(es) should be tested before the child class
- The hierarchical integration testing (HIT) methodology can be used to determine which parts of the parent need to be tested before which parts of the child
- This is the last relationship which should be stubbed
  - These are the most complex stubs

Object Oriented Issues - Aggregation

- Objects of one class incorporate objects of other class(es) as attributes
- The encapsulated class should be tested before the encapsulating class
- Only in the case of circular dependencies will stubs be needed

Object Oriented Issues - Association

- Call - one of A's methods calls one of B's methods
- Access - one of A's methods accesses one of B's attributes
- Parameter - one of A's methods contains a parameter of type B
- The called class should be tested before the calling class
- Only in the case of circular dependencies will stubs be needed
  - Apparently quite common
- In an ORD, this is considered the weakest form of dependency
  - This relationship should be broken/stubbed first
    - Least complex stubs
  - Many different weighting functions have been published
    - Break the one which requires the fewest stubs

Object Oriented Issues - Polymorphism - Static Dispatch

- With static dispatch, each reference resolves to a single entity (object or method)
  - This is what we are used to in procedural / imperative programming
- Each call site resolves to a single call association
- Only a single set of DUAs exist
- They can all be tested as usual

Object Oriented Issues - Polymorphism - Dynamic Dispatch

- With dynamic dispatch, each reference resolves to a set of possible entities (objects or methods)
  - This is the famous pointer problem in C/C++
- Each call site resolves to a set of possible call associations
- Multiple sets of DUAs exist
  - One for each possible call association
- Adequate testing of polymorphism is an active research area
  - No definitive answer yet

Object Oriented Issues - Polymorphism - Dynamic Dispatch

- Multiple approaches have been suggested
  - Every dispatch site has been executed and every possible dispatch target has been executed
  - Every possible object binding and every concrete method
  - Every possible object/method binding - Flattened class methods / dispatch table
- Recommendation in the OOTiA Handbook
  - For each dispatch equivalence class, every dispatch site has been executed and every possible dispatch target has been executed

Object Oriented Issues - Polymorphism - Dynamic Dispatch

- For each dispatch equivalence class, every dispatch site has been executed and every dispatch target has been executed from at least one of those sites
- Every possible dispatch target has been executed from every dispatch site
  - Every possible object binding and every concrete method
  - Every possible object/method binding
- Researchers agree this is probably "safe"
  - From the CS perspective
- Researchers agree this is generally intractable

Conclusion

- Much work left to do
- Report due out before the end of the year
- May not have the polymorphism problem solved
- Stay tuned

Example code shown on the Coupling = Dependence slides (statements are referenced by component and line, e.g. A.5, B.3, D.3):

    procedure A is
    begin
       B;                      -- A.3: call site for B
       if C then               -- A.4: use of C in a decision
          C := Something;      -- A.5: definition of C
          D;                   -- A.6: conditional call site for D
       end if;
       X := Something_Else;
    end A;

    procedure B is
    begin
       Y := X * Z;             -- B.3: definition of Y
    end B;

    procedure D is
    begin
       if C and Y > 0 then     -- D.3: use of C and Y in a decision
          Z := 0;
       else
          Z := Z + 1;
       end if;
    end D;
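
The DUA coverage measurement described on the Coupling = Dependence slides, as an added example that is not part of the original presentation: given a statement trace, it records which definition-use associations were exercised and compares them with the two DUAs the slides list. The def/use tables, the traces and all function names are constructed for illustration; the traces assume Something evaluates to true and Y > 0.

```python
# Added example: measure DUA coverage for the slides' procedures A, B and D.
# Statement labels follow the slides' convention (A.5 = line 5 of procedure A).

# Per-statement definitions and uses, transcribed from the Ada example.
DEFS = {"A.5": {"C"}, "A.8": {"X"}, "B.3": {"Y"}, "D.4": {"Z"}, "D.6": {"Z"}}
USES = {"A.4": {"C"}, "B.3": {"X", "Z"}, "D.3": {"C", "Y"}, "D.6": {"Z"}}

# The two inter-component DUAs the slides list, as (definition, use, object).
REQUIRED = {("A.5", "D.3", "C"), ("B.3", "D.3", "Y")}


def exercised_duas(trace):
    """Return every (def, use, object) triple a statement trace exercises.

    A DUA is exercised when the use reads the value written by that exact
    definition, i.e. no other definition of the object executes in between.
    """
    last_def = {}  # object -> label of the most recent definition
    found = set()
    for stmt in trace:
        # Uses are evaluated before the statement's own definition takes
        # effect (Z := Z + 1 reads the old Z, then defines a new one).
        for obj in USES.get(stmt, ()):
            if obj in last_def:
                found.add((last_def[obj], stmt, obj))
        for obj in DEFS.get(stmt, ()):
            last_def[obj] = stmt
    return found


def dua_coverage(traces, required=REQUIRED):
    """Return (covered, missing) required DUAs over a set of test traces."""
    seen = set()
    for trace in traces:
        seen |= exercised_duas(trace)
    return required & seen, required - seen


# Constructed traces of one call to A (assumed: Something is true, Y > 0).
TRACE_C_TRUE = ["A.3", "B.3", "A.4", "A.5", "A.6", "D.3", "D.4", "A.8"]
TRACE_C_FALSE = ["A.3", "B.3", "A.4", "A.8"]

if __name__ == "__main__":
    for name, tr in [("C true", TRACE_C_TRUE), ("C false", TRACE_C_FALSE)]:
        covered, missing = dua_coverage([tr])
        print(name, "covered:", sorted(covered), "missing:", sorted(missing))
```

A test that only runs A with C false enters every component except D and covers neither listed DUA, which is the gap the data-coupling analysis is meant to expose.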

[Figure from the "Object Oriented Issues - Inheritance, Aggregation, Association" slide: Object Relation Diagram (ORD) over classes A through H. Edge labels: I = Inheritance, Ag = Aggregation, As = Association.]