Slashdot Mirror
Tools To Automate Checking of Software Design
heck writes "Scientific American describes some of the work to develop tools for examining the design of software for logical inconsistencies. The article is by one of the developers of Alloy, but the article does reference other tools (open and closed source) in development. The author admits that widespread usage of the tools are years away, but it is interesting reading the approach they are taking regarding validation of design."
Back in the mid-80s I attended a seminar in Atlanta, it was about automated software engineering... and tools and workbenches that would take as input specifications and design parameters and would crank out entire suites of software/applications. (Heck, there was even a new acronym for it, can't remember what it was, but it was a hot, hot, hot button for a few years.) We were pretty much warned our careers were over, automation was here to generate what we as professionals had studied years to create.
It never happened. It never came close to happening. We are as far away today or further from tools that can generate applications transcendentally.
I was skeptical then, I'm skeptical now. Tools like the ones described are useful, but they're not foolproof, and they hardly supplant the intuition and "art" that is programming.
At best tools are an adjunct to the software development process, not to be a replacement for common sense testing and design and code walkthroughs. I could construct many scenarios that logically would be consistent but have no relationship to the desired end of the application, i.e., a logic consistency tool would not detect a problem. Any poorly designed system with these "new" tools applied will merely be rigorously poor systems.
As for the prime example (in the Scientific American article) of the Denver International Airport baggage handling debacle, I doubt logic analysis tools would have had much impact on the success or failure of that effort. I knew people involved in the project, and "logic consistency" in their software was the least of their problems. (I would have loved to been on a team to design and develop that system -- I think it was a cool concept, and ultimately VERY feasible... )
I did get one benefit from the Atlanta Seminar -- I got a football signed by Fran Tarkenton (he was CEO of one of the startup companies fielding a software generating workbench).
This may be great for catching some bugs, but I think the majority of problems within software are not from "conflicting" instructions, they come from the program doing to wrong thing (i.e. not what we wanted) or simply performing an illegal opearation in the process of getting the correct results. Neither of these cases is a logical inconsistancy. Now maybe if we all programmed in Prolog this would be more useful ...
Philosophy.
For members of IEEE with a subscription to IEEE Computer Society's Transactions on Software Engineering, the last issue (April) has a very interesting article related to this stuff titled: Interactive Fault Localization Techniques in a Spreadsheet Environment. Basically, the article explains how they have worked to develop and test techniques that allow "end-user programmers" (people who create formulas in spreadsheets and such) to use automated fault localization testing tools to help debug their "applications" (spreadsheets) at runtime. Pretty interesting stuff that they found in their analysis. (It's easier for you to just go read it than for me to attempt to summarize it at the end of my work week. ;)
From what I'm reading it looks like these programs preform all sorts of different executions, thats great and all, but they probably dont behve like real people do. The average user isn't going to create a file and then (in the middle of that) start running the delete file interface. Also I doubt these tests include other common user issues (like clicking the same function over and over again if it doesn't respond immedietly). Maybe I'm just not understanding what these do... but if I'm even half right, real world tests are the way to go.
Shots: A Populist Parable
There are many ways to translate an algorithm into code, as there are ways to express ideas in English (or any other "natural") langauges. Would this do anything to eliminate/reduce the inconsistencies/errors in the code that are meant to implement algorhythms considered/proved correct?
It was a very interesting piece. It talked about the problems of locking (more locks makes deadlocks easier, but they get harder to track down) and the way the code went about finding problems. Basically it remember when any lock was taken or released, which locks were open before that, etc. Through this it can produce warnings. For example if lock B needs lock A, but there is a situation where lock B is taken without A being taken it will flag that.
The article has MUCH better descriptions. But through the use of this the software can find locking bugs that may not be triggered on a normal system under normal loads. Here is summary bit:
"So, even though a particular deadlock might only happen as the result of unfortunate timing caused by a specific combination of strange hardware, a rare set of configuration options, 220V power, a slightly flaky video controller, Mars transiting through Leo, an old version of gcc, an application which severely stresses the system (yum, say), and an especially bad Darl McBride hair day, the validator has a good chance of catching it. So this code should result in a whole class of bugs being eliminated from the kernel code base; that can only be a good thing."
It was a piece of code from Ingo Molnar, you should be able to find it on the kernel mailing-list and read about it.
Kudos, by the way, to LWN for the great article.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
None of those tools have ever been demonstrated to be cost-effective means of making software more dependable. It's an article of faith that adding a complex notation and another complex set of tools to the development process makes the product any better.
This reminds me of my previous job. One day the owner of the company came up with a brilliant idea. He had just watched the movie "Finding Nemo" and asked me, "have you ever seen finding nemo? You know those little silver fish? I think we should design a system based on those little silver fish. If we get enough small components they can be combined into any piece of software. Eventually we wouldn't need any more components and thus no more software developers. All of our software would be made by sales guys who could just combine these components into any software we need." I remember thinking to myself that we could just start with quarks and we could build everything in the universe. But I didn't say anything and was just happy to not be chosen to be on the team creating the silver fish.
6 years later, dozens of programmers, and millions of dollars, the finding nemo architecture has been a bust. The owner of the company refuses to give up on the idea. They currently have created components of "and" and "or" gates and use "wires" to put them together. It reminds me of entry level electrical engineering. Back before they tell you that writing software on flash is usually easier and cheaper than wiring together dozens of IC's. In any case, I eventually did get sucked into the project and promptly left the company.
Yet another article about a supposed solution to software quality problems by an author who just happens to have such a solution to sell you.
Software design and coding isn't easy, and beyond the fundamentals (code coverage tools, unit testing frameworks, etc.), I have yet to see automation tools that increase software quality in any real way.
Any person who knows anything about software quality knows that the answer is not to use "a tool that explores billions of possible executions of the system, looking for unusual conditions that would cause it to behave in an unexpected way."
For one thing, you need to approach at least the level of human intelligence to understand what is intended by a software design or code module, and often even humans don't understand it. If you don't understand what was expected, how in the hell can you look for unexpected conditions??
In short, if this is truly what the author is proposing, i.e., brute force checking of design/code, I would have to say the author just doesn't get it.
Now a computer can discover the flaws in the design of a piece software, and advise the developers of them. Who, if they're in any way involved in design of games, will promptly ignore them and release a post-release patch to fix the issues they knew were there anyway. But hang on.. just how will you check for inconsistencies in the design of the analysis tools?
These types of algorithmic testing tools are useful for small, truly critical functionality that has to work perfectly. It's not cost effective to try to model typical complex software in a manner that supports testing as described in the article. Most programming is not about designing the next great single algorithm, it's about integrating data, interacting with users, and providing all the logic to handle the myriad special cases that make up user requirements. Rarely is such a testing tool going to cover all the possibilities without a gargantuan effort to model the software -- which effort will most likely not be able to keep up with the actual development anyway. These tools won't be widely accepted until they can automatically read source code and create a software's model without programmer input.
--- JurassicPizza
Sounds like some producer wants a magic-bullet program to replace some bad-performing designer. Even in the case of a 'useful' tool to apply to projects, this is likely to become an excuse for when an inconsistency is found later on by QA- "the program said it was good!"
It's not going to find everything, let alone fix it. See Turing: the halting problem.
Yes, we understand these tags always apply: fud, dupe, typo, slashdotted, topic name
If they're checking the software design for inconsistencies, then they're too late. What is needed is some way to formally specify user requirements, so that they can be checked for completeness and consistency. Use cases are nice, but they're not sufficiently rigorous to capture absolutely all the requirements. I know there have been some schemes tossed around for requirements validation, but none that I've seen have really been general-purpose enough for the average project.
Just junk food for thought...
Making a tool to check most programs for errors sounds extremely complicated, but wouldn't it be possible to make a more simple tool that checks the security of a PHP/MySQL website?
A good design correctly models the concept of what it is you're trying to achive with the program. Ultimately this means the programming interfaces (APIs) for each concept are correct [1]. Don't design interfaces around procedures. Don't design interfaces around the physical world. Design to *concepts* and *ideas*. This is superior because you will never discover at a later time that the code is fundamentally flawed and needs to be totally re-written. If the interface correctly models the concept, by definition, it CANNOT be wrong. If it is wrong then you simply didn't understand the concept well enough or you failed to translate that concept into a suitable interface and you just need to think more and type less. If you do get things right you'll find that major peices dovetail together perfectly [2]. The implementation can be wrong and may need to be re-written but if the interface correctly represents the concept the re-write will be localized to one library or part of a library. That is a much more straight forward matter than using a bad design and finding half way through a project that the required changes transcend the whole system.
And thus you cannot validate a design because that would require representing a concept and determining if an interface suitably models it. That is HARD. If that were possible you would effectively have a thinking, rationalizing, brain (Artifical Intelligence) in which case you wouldn't be dorking around with validating programs, you would be dynamically generating them.
[1] Frequently people advocate that interfaces are "well defined". That just means there are no holes in the logic of it's use. Personally I think a well defined interface is useless if it does not correctly model a concept. You can always go back and fill in the holes later.
[2] Although this is also when you discover that you didn't get the concept right and need to adjust the interface (hopefully not by much)
Wow. It's indeed a table, even a good target for implementation as an HTML table. It has links in it, which point to places to look at software. And yet it's presented as an image, not even an image map, so despite already being on a website, we have no choice but to type them in!
If this is reliable, I don't mind unreliability, but at least let me copy and paste!
Don't thank God, thank a doctor!
You must have been tired when you posted: The article you linked to is only readable by people who have a current membership. Too bad.
Mike
"The mind works quicker than you think!"
CASE, code generators, etc. have their place and can be successful. I have created and used these types of tools and continue to enjoy analyzing where they are a good fit.
OLTP business applications tend to be the best fit because there are many many forms/transactions to create and they tend to be relatively simple (mostly data validation, some calculations, database update, etc.). The work that is being automated is not creative problem solving but rather the application of a solution multiple times to similar but not identical entities.
But ultimately the real work is the proper abstraction of the business process and this still requires a human.
Isn't this just glorified static code analysis?
There are tons of static analysis programs out there that look for everything from errors to memory leaks to security weaknesses to gathering code quality metrics to conformance to stylistic standards.
For example I use PMD to help tone up my Java code already. There are even fancier software packages that claim to do more interesting things, but it is all just static analysis.
There's a ton of similar projects listed on PMD's site alone. In fact Eclipse itself employs a lot of static analysis checks to give you those helpful hints and warnings that javac would not catch on its own. And that is just for Java and just for detecting common coding errors. There are whole other categories of these applications that take a higher level look at the architecture.
These kinds of tools are quite common and effective at cutting down on errors when used properly. They can also speed development by avoiding troublesome pitfalls that can take hours or days to debug. Or worse, cause the failure of the project. Just reading through the existing checks these kinds of programs make can educate you on best practices to help prevent writing bad code in the first place.
And before everyone goes "oh yeah, we used that once, pain in the ass," you should read the top best practice on PMD's website. Choose the rules that are right for you. Start slow. Don't turn everything on just to watch thousands of pages of errors fly by when you're only interested in 20 that really matter.
You then want the automated tool to map out the paths through the code, substituting every variable for an equivalent expression consisting of the inputs that would go into producing that variable, for each path. (This works for loops, so long as you can decompose the condition for the loop.)
Finally, the tool would need to determine one or more ranges of inputs for which at least one variable CANNOT meet the preconditions or postconditions set, in some path, but which are not expressly prohibited from being input at that point.
The tool would then be able to show you the path that is buggy (but not where - the results may be valid but incorrect at ANY point prior to the invalid data showing up). The programmer could then decide if the input should be allowed, or use the information about the path to actually debug the code.
This is not a foolproof method:
Decomposition of unrolled paths is the ONLY way to test for unexpected side-effects, self-modifying code and other inconsistant systems. Because it is a limited approach, however, such code should really be avoided where possible.
Decomposition without unrolling (a common form of static testing) is useless in any case where there is any kind of non-fatal error that slowly accumulates, as everything is generally going to be valid on a single pass through. Static testing without decomposition (an even more common form of static testing) is unlikely to catch most non-fatal bugs.
Slow poisoning through an accumulation of non-fatal bugs that - in and of themselves - don't stray too far from what's expected are probably the most common.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Yeah, that investigation was called the "AD/Cycle", and Fran Tarkenton was the CEO of Knowledgware at the time.
The thing is, on an abstract level, "Designing Code from Logically-Proven Constructs" (the title of a book by James Martin) makes total sense: If the base elements are logically proven, and if the complex elements are constructed of base elements, then the output will have no un-proven output. However, the design of the programs needs to be at a meta-level to the operation. (Thanks, Goedel!) I could, for instance, design a program to operate your sprinkler system perfectly by using logically-proven elements. I would have to design at a higher level to make allowances for the fact that you live in New Orleans and the sprinkler is now under 4 feet of floodwater.
The key, to me, is getting the best design upstream and having a clear logical system for translating the requirements downstream to an operational level. Criticisms will be leveled about model-driven architecture, UML and even flowcharts, but those are conceptual maps, not code. They are SUPPOSED to be more abstract than the code for clarity. (They are a language, and language is still imprecise. As Korzybsky said, "The map is not the territory.") Aristotelian logic still has its limits, so tools like this are good, but as the article implies, not sufficient at this time.
Mike
"The mind works quicker than you think!"
I work in the field of formal verification. I've seen all sort of comments here, mainly of the kind "hey, I know what to do, and these guys don't", but nobody, really nobody, wondered "maybe there is some truth in what all these people do"? Come on! Nobody expects to check for errors the whole internet explorer or firefox :) But if you have a communication protocol which is _supposed_ to be secure, the only way to know that it _is_ secure is to explore all of its states. And, also... do you remember when they said that ASM was the way to go and C could get you nowhere? Come on, before judging learn a little more about motivations of people working for a purpose. Yes, quality of software is one thing, and _maybe_ stability or robusteness are different things (well I don't think so), but are they incompatible? Would more robust or stable software improve your life? Don't program crash for idiot reasons? Don't you think that if they'd been verified, they would not crash?
There you go, blaming your tools...
3 75871-4590326?v=glance&n=283155
There are environments that have had great success implementing UML in their design process. My favorite example is from Nokia:
http://www.powells.com/biblio?isbn=0521645301
I had trouble wrapping my head around UML until I read Jaaksi's books (there's more than one), and I've been using Rational Rose since 1996. I never found or developed a clear system for making it work until I read his books.
A book that clearly describes the case for code generation (and the limits) is this one:
http://www.amazon.com/gp/product/1930110979/104-3
The author has apparently developed a network for the support of gode generation, and has some useful tools.
Now, what the world REALLY needs, is a method of making the UML tools in VISIO do what they are supposed to do...(Some tools ARE truly deficient!)
Mike
"The mind works quicker than you think!"
I actually read this article last week, unlike most of the people who've responded so far. The principle behind this concept is reasonably sound, except that the example they've given in it (seating Montagues and Capulets at Romeo & Juliet's reception) requires you to understand every unspoken assumption to make the tester work properly.
Jackson doesn't claim it'll find everything. What he says is that it carefully synthesizes the two previous approaches to software testing, reducing the amount of time-expensive calculation in the process thereby making it a more viable method.
"Made up/misattributed quote that makes me look smart. I am on
I got a football signed by Fran Tarkenton (he was CEO of one of the startup companies fielding a software generating workbench).
... than Need It and Not Have It.
"That's Incredible!"
(Boy am I showing my age...)
--
It's Better to Have It and Not Need It
.. remain the same: describing the problem in the first place. Alloy (or any other set of design programs) can only analyze the information that it's provided. It may be able to flag problems that would have been missed by a human analyst, but it can't possibly deal with real world systems which will invariably produce conditions that weren't considered in the first place. Patching never produces a system as reliable as one that might have been described thoroughly in the first place (a practical impossibility).
Heard any good sigs lately?
It's basically a nifty, graphical declarative programming language. Anyone familiar with Prolog and set theory will breeze through the docs, only to ask "Why?" at the end.
One of the tutorials, for example, is a way to get Alloy to create a set of actions for the river crossing problem, and list them. Thus, alloy has saved the poor farmer's chicken. It's actually quite a cool set of toys for set theory, and it generates all possible permutations of a system with rules and facts based on how many total entities there are in the system, and checks the system for consistency. There are doubtless uses for this, but software development is, at the moment, not one of them.
The other tutorial is about how to set up the concept of a file system. The tutorial sets up a false assertion (assertion = something for Alloy to test), which fails. Here is the reasoning, with summary to follow for disinterested:
Basically this says that in a 2-node scenario, i.e. a root directory with one subdirectory, they delete the subdirectory with their delete function. The way they defined the delete function basically meant that the 'deleted' node could, in theory, be the root of the file system after the deletion operation occured, since there was no constraint on which node of the file system was root after the change. They basically said under these constraints, it was possible to define a 'delete' function that deletes the subdirectory in a 2-node filesystem and then makes that same subdirectory the root of the filesystem.
Good thing we built a model, indeed! A bug in the programming of your model is by no means a valid use for spending a significant amount of effort modeling a concept in set theory. The best part is that all of your effort amounts to mental masturbation--there are no tools for turning this into a programming contract, test cases, or anything. Some projects are in the works in the links area, but they aren't there yet, and only for Java. I don't see how the amount of effort that would be required to model a large scale, realistic project in this obtuse set notation would be worth it for absolutely no concrete programming payoff. Writing HR's latest payroll widget, or even their entire payroll system, is just not going to get any benefit from this.
All that aside, it's concievable that this sort of model programming could find use in complicated systems in which high reliability is paramount. The usual suspects, such as satellites, space, deep sea robots or whatever come to mind--this system could prove, for example, that a given system for firmware upgrades cannot leave a robot in mars in an inoperable state, unable to download new, non-buggy firmware.
But it still can't prove the implementation works. *slaps forehead*
nobody
Although you should design at this level, many problems hit LONG before design. The big problems I've seen have been in the analysis stage where you gather customer requirements and translate them into a very detailed requirements document.
If your non-trivial project lacks such a document, it will probably fail.
The only way to overcome a lack of requirements is to have a heroic effort by one or more engineers, and even then you end up with many of the same problems.
The problems will stem from missing a few requirements in the up-front design and therefore requires patches and modifications the code was never designed to handle.
As software engineers we MUST try to examine our problem space and come up with the most generic solution possible--the fewest screens, procedures, interfaces and objects to handle the widest variety of problems.
This means that when we have the design "Locked in" we have to make any "New" problems fit the design, often molding the desired presentation or functionality just a little. If your marketing research team did their jobs (I've NEVER seen this happen), you won't run into any problems that don't fit the design. Again, never happens.
When the problem is just a little to, umm, chunky to mold to our fit our current design, we have to modify the design. This is where all the flakeyness enters the process. After a few of these, you have to throw away your design and start over. Nobody ever does that, so the project fails.
Yeah, it's hard to come up with a detailed (enough) set of requirements--Really Hard--and apparently very few marketeers are up to the task. Often engineers help, but even then, this is a HARD TASK. It can take years to properly develop a set of requirements, and it cannot be done properly in under a month.
If a company is dedicated to this and then enforces a few simple procedures (like requiring automated testing of every requirement) your project will almost certainly not fail.
I'm not saying that a good software design isn't necessary (I disagree with the XP crowd there), but you could succeed without the kind of architecture they are talking about in this article. On the other hand, no architecture can make up for a lack of requirements.
FTA: More recently, researchers have adopted a very different approach, one that harnesses the power of today's faster processors to test every possible scenario. This method, known as model checking, is now used extensively to verify integrated-circuit designs.
The problem with this is that algorithmic software does not work like ICs. The only way to solve the crisis is to abandon the algorithmic software model and embrace a non-algorithmic, signal-based, synchronous model. This is the model used in hardware design. It all started with lady Ada and her table of instructions for Babbage's analytical engine but the writing is on the wall. 150 years of algorithmic computing has run its course and it's now time for a change. We must radically change our way of programming and we must do so at the fundamental level. We must design software like we design hardware. We must also redesign our cental processors so that they are optimized for the new paradigm, not for the old algorithmic model as they are now. Until then, we will continue to pay a heavy price for buggy software systems.
Isn't "coding by intent" an Eiffiel thing?
Program testing can be used to show the presence of bugs, but never to show their absence! - Edsger Wybe Dijkstra It remains an art.
A tool not listed is autotest http://se.inf.ethz.ch/people/leitner/auto_test/ which makes use of Eiffels contracts. I did use it to some degree and it can realy help to find some errors.
Do or do not, there is no try.
The interesting thing about this story is that it shows the neverending battle to get ones and zeros to do what we want. And yet biological computers don't have stories written about tool so and so amoung a long list of tools that'll make your biological computer finally do what you want it to do. It does what it needs to do regardless of sceptic, or convert.
One can generate code from OCL constraints and check them at runtime.
But why does the specification have to be a one-to-one mapping into the algorithm? Couldn't the specification be of the form of an assertion? An assertion is a form a runtime test case, and test cases are never exhaustive with regards to what a program does -- otherwise you could form test cases as the specification and automatically generate code from that, although there seems to be a programming style of generate the test cases first and have code monkeys pound on typewriters until they pass the test cases.
So instead of a traditional assertion -- a runtime test case written into the code -- you have a compile time assertion. The assertion could be that for int i, int j, at a certain point in the code i = j, and the result could be true, false, or undecidable. There is a little of that built into compilers today -- warning messages about assigning a value to a variable and never using it, catching uninitialized variables (some of the time), and the like.
Microsoft sells collaboration software and project management software. And its products are not shipping any faster.
These guys are touting alloy and tools, sounds like a old CASE wine in new bottle. Did they use these tools to design the tools? Atleast would they use these tools and alloy to create the next version? Could they demonstrate that these tools can handle a project of that complexity? And produce provably better code with no bugs?
Please forgive me if I am underwhlemed.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Someone who doesn't see it as an all or nothing proposition.
Tools that make sure programs are self-consistent are good!
What's the point of having testing and real world trials if you're programming doesn't even agree with itself?
The point of these tools, is to simply verify the consistency of a design, not to execute or examine existing source code. The steps involved are:
1) Come up with software design
2) Implement software design in one of these tools (model it in Z, or as a state machine using fsp/ltsa)
3) Use said tool to verify the consistency of the design.
Now, this activity, of course, takes a lot of time, and is unlikely to ever be of any use to your average J2EE/Ajax/Enterprise application. Areas where they CAN be of use are in things such as life-critical systems. For instance medical devices, or air plane control systems. Using something like FSP/LTSA you can model, check, and verify that your design does not every allow the system to enter into an invalid state. Now, remember, this says nothing about the final code, there is a separate issue of the code not matching the design, but it is possible to verify that the design does not ever lead to invalid states.
...science of abstraction physics.
yes the software industry is still playing with magic potients and introductary alchemy.
Why is a simple answer to give.
money, job security and social status.
Someone posted that they were warned that their jobs would become extinct upon automated software development.
but the fact is.... who but those who have their job to risk....are in a position to employ such tools?
snake oil software development is a self supported dependancy... far from genuine computer software science (of which we haven't really seen since the US government held the money carrot up for code breakers during WWII.
Alloy is a cool tool, if it does something you want done. But nobody should be fooled into thinking that you can just run Alloy and suddenly your code is perfect. Alloy just helps you check out a model based on set theory, etc... it's a long distance from models like that to the actual code.
- David A. Wheeler (see my Secure Programming HOWTO)
even before there is code written there is failure of developing a design science
There is no magic in this world.....
- - - - - - - - - - -
I am a programmer. I am paid to produce syntax not grammar. Deal with it.
The list of languages and tools was quite incomplete. A famous code checker: The Stanford code checker, was not listed. Not listed too, were Purify, and (the open source adjunct to Purify, Valgrind (For Linux on X86 and X86-64 systems). These tools also include cache checkers, heap checkers, memory leak testers, race checkers (for checking for logic races in multi-threaded applications), and all of the checkers I've mentioned work on the C language --the language of the Gods and operating systems builders (at least all of the Unix, Linux, Apple, and Microsoft Operating Systems ever built).
Related to proofing the correctness of software design, is the research field that focus on one particular area: Rule Verification. It is similar to the SAT solvers; however the focus is on the conditions in a rule and its inferred actions. Verification examines the technical aspects of an expert system (a.k.a. rule based system) in order to determine whether the expert system is built correctly. Verifying the expert system involves examining consistency, completeness and correctness of the knowledge by detecting errors such as redundancy, contradiction and circularity. Acumen Business has developed a tool to detect these rule-anomalies. At the moment it supports Microsoft Biztalk XML rule documents and Computer Associates, Aion rule documents. Rule policies can be imported by the tool and analyzed on contradictions, redundancies, circular reasoning etc. The tool (Policy Verificator, free after registration) ships with 2 example rule policies (no need for Biztalk of Aion), and you can see the generated rule conflict networks. The networks can be generated as images or as Scalable Vector Graph (SVG). Firefox users can open these files directly Have a look at some screenshots, documentation, etc. I hope you don't get scared away from the registration request in order to download the product. The registration is just in place so I can assist these early adaptors of the tool better. I'm still working on good examples and updating the help files. What is 100% functional is when the rules are using terms from Xml documents, Vocabulary Terms, or Database. For .NET components it's a bit more complicated, because the assembly must be loaded by the verification algorithm. But still all possible.
I hope anybody find it useful. I love to hear feedback
Regards,
Marco Ensing
Disclaimer: As you probably can tell, I am Acumen Business.
I'm not surprised the Computer Society is publishing articles on how to debug a spreadsheet.
Their "Computer" magazine tends stay away from actual programming techniques and sadly focuses only on (human) management. It's crap.
Otherwise your salespeople would already be creating applications in Java. There's certainly no shortage of components there.
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
There are different means of checking software; the article describes a technique wherein a specification language is used to describe the essential features of an application which is then checked using theorem-proving techniques. The power of Alloy seems to be based in part on its ability to efficiently process the multitude of variations in program execution by establishing the equivalency of many internal states. There are other methods which the article does mention, albeit briefly.
i ca/ allows the developer to annotate bits of code with assertions regarding its validity. For instance, you can tag a function as having been formally proved correct, or you can tag another as having been inspected by a fellow programmer. This flexibility seems to address many of the concerns regarding the role of formal verification in software design.
Floyd (whose early papers make for excellent reading of CS, and whose name should be every bit as familiar to the CS crowd as Knuth) and then Hoare explored the idea of using assertions to prove the correctness of functions. This work was adapted by Meyer and is the basis of the Design-By-Contract features of Eiffel. Eiffel allows one to specify pre-, post-, and invariant conditions. Unlike the work cited in the article, this is not fed to a model checker, but is instead monitored during program execution. Constraint failures cause exceptions to be thrown. Some debate the overall utility of this approach, as contract checking can be resource intensive. Still, over the past couple of decades there has been a steady increase in DBC research, including several preprocessor and reflection/library implementations for Java and also Spec#, a strong research effort at Microsoft.
There is research project at OGI that features what seems to be a novel approach.
http://www.cse.ogi.edu/PacSoft/projects/programat
Another interesting approach is that taken by Praxis, which uses a syntactically reduced version of Ada called 'Spark'. This version is much more amenable to automated analysis. They do the sort of full program-correctness analysis mentioned in the article. Oh, and they are, according to reports, very, very good with respect to their defect rate. I imagine they don't work for peanuts, either.
Other efforts have attempted static analysis of the code base. Some work appears to be simply performing type-checking or simple analysis of the code, i.e. confirming that all statements are reachable, while others, like Alloy, concentrate on theorem proving techniques, either by use of alternate descriptions, e.g. Z, or by direct analysis on the implementation code base.
A variation on this them will be familiar to readers of the Linux kernel mailing list: researchers at Stanford used a combination approach - a variant of gcc and a proprietary language named Metal - to describe the set of potential faults to examine. That is, rather than prove the correction of a body of code, they established that the code in question didn't exhibit particular defects. This approach is, of course, subject to false positives and is limited by capabilities of the fault description language. Still, it has been effective in uncovering many previously undisclosed errors.
I believe that even Meyer has stated that one of the ultimate goals of SE is theorem-proving of large bodies of software. Perhaps choosing when to use one of these tools will eventually become part of the software development process? The success of these tools may alter the manner in which development is performed not only because of the ultimate ramifications of the establishing correctness, but also because of the discipline or precision necessary to utilize them.
jbgreer
The Norton Anthology of English Literature, 4th Ed., Vol 2