Docstoc

1 357

Document Sample
1 357 Powered By Docstoc
					Special Issue on ICIT 2009 Conference - Bioinformatics and Image




                          TESTING OF PROGRAM CORRECTNES
                                 IN FORMAL THEORY

                                                 Ivana Berkovic
                    University of Novi Sad, Technical Faculty “Mihajlo Pupin”, Zrenjanin, Serbia
                                               berkovic@tf.zr.ac.yu

                                                Branko Markoski
                    University of Novi Sad, Technical Faculty “Mihajlo Pupin”, Zrenjanin, Serbia
                                              markoni@uns.ns.ac.yu

                                                  Jovan Setrajcic
                            University of Novi Sad, Faculty of Sciences, Novi Sad, Serbia
                                                 bora@if.ns.ac.yu

                                                 Vladimir Brtka
                    University of Novi Sad, Technical Faculty “Mihajlo Pupin”, Zrenjanin, Serbia
                                                vbrtka@tf.zr.ac.yu

                                                Dalibor Dobrilovic
                    University of Novi Sad, Technical Faculty “Mihajlo Pupin”, Zrenjanin, Serbia
                                               ddobrilo@tf.zr.ac.yu


                                                      ABSTRACT
                 Within software’s life cycle, program testing is very important, since quality of
                 specification demand, design and application must be proven. All definitions related
                 to program testing are based on the same tendency and that is to give answer to the
                 question: does the program behave in the requested way? One of oldest and best-
                 known methods used in constructive testing of smaller programs is the symbolic
                 program execution. One of ways to prove whether given program is written correctly
                 is to execute it symbolically. Ramified program may be translated into declarative
                 shape, i.e. into a clause sequence, and this translation may be automated. Method
                 comprises of transformation part and resolution part.This work gives the description
                 of the general frame for the investigation of the problem regarding program
                 correctness, using the method of resolution invalidation.. It is shown how the rules
                 of program logic can be used in the automatic resolution procedure. The examples of
                 the realization on the LP prolog language are given (without limitation to Horn's
                 clauses and without final failure).. The process of Pascal program execution in the
                 LP system demonstrator is shown.

                 Keywords: program correctness, resolution, test information, testing programs


    1. INTRODUCTION                                            testers (persons performing tests) in case when test
                                                               finds no errors. Conflict between these two goals in
       The program testing is defined as a process of          visible when a testing process finds no error. In
    program execution and comparison of observed               absence of other information, this may mean that
    behaviour to behaviour requested. The primary goal         the software is either of very high or very poor
    of testing is to find software flaws [1], and              quality.
    secondary goal is to improve self-confidence in                Program testing is, in principle, complicated




UbiCC Journal – Volume 4 No. 3                                                                                        618
Special Issue on ICIT 2009 Conference - Bioinformatics and Image



    process that must be executed as systematically as           According to [5] testing may be descriptive and
    possible in order to provide adequate reliability and    prescriptive. In descriptive testing, testing of all test
    quality certificate.                                     items is not necessary. Instead, in testing log is
        Within software lifespan, program testing is one     written whether software is hard to test, is it stable
    of most important activities since fulfillment of        or not, number of bugs, etc... Prescriptive testing
    specification requirements, design and application       establishes operative steps helping software control,
    must be checked out. According to Mantos [2], big        i.e. dividing complex modules in several more
    software producers spend about 40% of time for           simple ones. There are several tests of complex
    program testing. In order to test large and              software measurements. Important criterion in
    complicated programs, testing must be as                 measurement selection is equality (harmony) of
    systematic as possible. Therefore, from all testing      applications. It is popular in commercial software
    methods, only one that must not be applied is ad         application because it guarantees to user a certain
    hoc testing method, since it cannot verify quality       level of testing, or possibility of so-called internal
    and correctness regarding the specification,             action [6]. There is a strong connection between
    construction or application. Testing firstly certifies   complexity and testing, and methodology of
    whether the program performs the job it was              structural testing makes this connection explicit [6].
    intended to do, and then how it behaves in different     Firstly, complexity is the basic source of software
    exploitation conditions. Therefore, the key element      errors. This is possible in both abstract and concrete
    in program testing is its specification, since, by       sense. In abstract sense, complexity above certain
    definition, testing must be based on it. Testing         point exceeds ability of the human mind to do an
    strategy includes a set of activities organized in       exact mathematical manipulation. Structural
    well-planned sequence of steps, which finally            programming techniques may push these barriers,
    confirms (or refutes) fulfillment of required            but may not remove them completely. Other
    software quality. Errors are made in all stages of       factors, listed in [7], claim that when module is
    software development and have a tendency to              more complex, it is more probable that it contains
    expand. A number of errors revealed may rise             an error. In addition, above certain complexity
    during designing and then increase several times         threshold, probability of the error in the module is
    during the coding. According to [3], program-            progressively rising. On the basis of this
    testing stages cost three to five times more than any    information, many software purchasers define a
    other stages in a software life span.                    number of cycles (software module cyclicity,
        In large systems, many errors are found at the       McCabe [8] 1) in order increase total reliability. On
    beginning of testing process, with visible decline in    the other hand, complexity may be used directly to
    error percent during mending the errors in the           distribute testing attempts in input data by
    software itself. There are several different             connecting complexity and number of errors, in
    approaches to program testing. One of our                order to aim testing to finding most probable errors
    approaches is given in [4]. Testing result may not       ("lever" mechanism, [9]). In structural testing
    be predicted in advance. On the basis of testing         methodology, this distribution means to precisely
    results it may be concluded how much more errors         determine number of testing paths needed for every
    are present in the software.                             software module being tested, which exactly is the
        The usual approach to testing is based on            cyclic complexity. Other usual criteria of "white
    requests analyse. Specification is being converted       box" testing has important flaw that may be
    into test items. Apart of the fact that incorrigible     fulfilled with small number of tests for arbitrary
    errors may occur in programs, specification              complexity (using any possible meaning of the
    requests are written in much higher level than           "complexity") [10].
    testing standards. This means that, during testing,          The program correctness demonstration and the
    attention must be paid to much more details than it      programming of correct programs are two similar
    is listed in specification itself. Due to lack of time   theoretical problems, which are very meaningful in
    or money, only parts of the software are being           practice [11]. The first is resolved within the
    tested, or the parts listed in specification.            program analysis and the second within the
    Structural testing method belongs to another             program synthesis, although because of the
    strategy of testing approaches, so-called "white         connection that exists between the program analysis
    box"" (some authors call it transparent or glass         and the program synthesis it is noticed the
    box). Criterion of usual "white box" is to execute       reciprocal interference of the two processes.
    every executive statement during the testing and to      Nevertheless, when it is a mater of the automatic
    write every result during testing in a testing log.      methods that are to prove the correctness and of the
    The basic force in all these testings is that complete
    code is taken into account during testing, which
    makes easier to find errors, even when software          1
    details are unclear or incomplete.                         McCabe, measure based on a number and
                                                             structure of the cycle.




UbiCC Journal – Volume 4 No. 3                                                                                           619
Special Issue on ICIT 2009 Conference - Bioinformatics and Image



    methods of automatic program synthesis, the             single-dimension sequences and programs within a
    difference between them is evident.                     Pascal program. Number of passages through cyclic
         In reference [12] in describes the initial         structures must be fixed in advance using counter.
    possibility of automatic synthesis of simple            During the testing process of given (input) Pascal
    programs using the resolution procedure of              program both parts are involved, transformation
    automatic demonstration of theorems (ADT), more         and resolution, in a following way: Transformation
    precisely with the resolution procedure of              part
    deduction of answer to request. The demonstration             • ends function by a sequence of clauses, or
    that the request that has a form of (∃x)W(x) is the           • demands forced termination, depending
    logical consequence of the axioms that determinate                  on input Pascal program.
    the predicate W and determinate (elementary)            Impossibility of generating a sequence of clauses in
    program operators provides that the variable x in       transformation part points that a Pascal program has
    the response obtains the value that represents the      no correct syntax, i.e. that there are mistakes in
    requested composition of (elementary) operators,        syntax or in logical structure (destructive testing).
    i.e. the requested program. The works of Z. Mann,       In this case, since axiomatic base was not
    observe in detail the problems of program analysis      constructed, resolution part is not activated and user
    and synthesis using the resolution procedure of         is prompted to mend a Pascal program syntax. In
    demonstration and deduction of the response.            the case that transformation part finishes function
         The different research tendency is axiomatic       by generating a sequence of clauses, resolution part
    definition of the semantics of the program language     is activated with following possible outcomes:
    Pascal in the form of specific rules of the program           Ra) ends function giving a list of symbolic
    logic deduction, described in the works [14,15].                     outputs and corresponding Pascal
         Although the concepts of the two mentioned                      program routes, or
    approaches are different, they have the same                  Rb) ends by message that id could not generate
    characteristic. It is the deductive system on           list of outputs and routes, or
    predicate language. In fact, it is a mater of                 Rc) doesn't end function and demands forced
    realization in the special predicate computation that   termination.
    is based on deduction in formal theory. With this,        Ra) By comparing symbolic outputs and routes
    the problem of program correctness is to be related     with specification, the user may
    to automatic checkup of (existing) demonstrations                      • declare a given Pascal program as
    regarding mathematical theorems. The two                                   correct, if outputs are in
    approaches       mentioned     above    and     their                      accordance      to      specification
    modifications are based on that kind of concept.                           (constructive testing), or
                                                                           • if a discrepancy of some symbolic
    2. DESCRIPTION OF METHOD FOR ONE                                           expression to specification has
    PASSAGE SYMBOLIC TESTING PROGRAM                                           been found, this means that there
                                                                               is a semantic error in a Pascal
        The method is based on transformation of given                         program (destructive testing) at the
    Pascal program, into a sequence of prologue                                corresponding route.
    clauses, which comprise axiomatic base for                Rb) Impossibility to generate a list of symbolic
    functioning of deductive resolution mechanism in a               expressions in resolution part, which means
    BASELOG system [10] . For given Pascal program,                  that there is a logical-structural error in a
    by a single passage through resolution procedure of              Pascal program (destructive testing).
    BASELOG system, all possible outputs in Pascal            Rc) Too long function or a (unending) cycle
    program are obtained in a symbolic shape, together               means that there is a logic and/or semantic
    with paths leading to every one of them. Both parts,             error in a Pascal program (destructive
    transformation and resolution one, are completely                testing).
    automated and are naturally attached to each other.
    When a resolution part has finished, a sequence of          In this way, by using this method, user may be
    paths and symbolic outputs is reading out for given     assured in correctness of a Pascal program or in
    input Pascal program. This is a transformation of       presence of syntax and/or logic-structure semantic
    programming       structures   and    programming       errors. As opposite to present methods of symbolic
    operators into a sequence of clauses, being realized    testing of the programs, important feature of this
    by models depending on concrete programming             method is single-passage, provided by specific
    language. Automation covers branching IF-THEN           property of OL – resolution [11] with marked
    and IF-THEN-ELSE structures, as well as WHILE-          literals, at which a resolution module in BASELOG
    DO and REPEAT – UNTIL cyclic structures,                system is founded.
    which may be mutually nested in each other. This
    paper gives review of possibilities in work with




UbiCC Journal – Volume 4 No. 3                                                                                         620
Special Issue on ICIT 2009 Conference - Bioinformatics and Image



    3. DEDUCTION IN FORMAL THEORY AND                           According to The basic presumptions of
    PROGRAM CORRECTNESS                                     programming logic are given in [14]. The basic
                                                            relation {P}S{Q}is a specification for program S
         The program verification may lean on               with following meaning: if predicate P at input is
    techniques for automatic theorem proving. These         fulfilled (correct) before execution of program S,
    techniques embody principles of deductive               then predicate Q at the output is fulfilled (correct)
    reasoning, same ones that are used by programmers       after execution of program S. In order to prove
    during program designation. Why not use same            correctness of program S, it is necessary to prove
    principles in the automatic synthesis system, which     relation {P}S{Q}, where input values of variables
    may construct program instead of merely proving         must fulfill predicate P and output variable values
    its correctness? Designing the program demands          must fulfill predicate Q. Since it is not proven that
    more originality and more creativity than proving       S is terminating, and that this is only presumption,
    its correctness, but both tasks demand the same way     then we may say that partial correctness of the
    of thinking. [13]                                       program is defined. If it is proven that S terminates
         Structural programming itself helped the           and that relation {P}S{Q} is fulfilled, we say that S
    automatic synthesis of computer programs in the         is completely correct. For program design, we use
    beginning, establishing principles in program           thus determined notion of correctness.
    development on the basis of specification. These            The basic idea is that program design should be
    principles should be guidelines for programmers. In     done simultaneously with proving correctness of
    the matter of fact, advocates of structural             the program for given specifications[15,16]. First
    programming were very pessimistic regarding             the specification {P}S{Q} is executed with given
    possibility to ever automatize their techniques.        prerequisite P and given resultant post condition Q,
    Dijkstra went so far to say that we should not          and then subspecifications of {Pi}Si{Qi} type are
    automatize programming even if we could, since          executed for components Si from which the
    this would deprive this job from all delight.           program S is built. Special rules of execution
         Proving program correctness is a theoretical       provide proof that fulfillment of relation {P}S{Q}
    problem with much practical importance, and is          follows from fulfillment of relations {Pi}Si{Qi} for
    done within program analyse. Related theoretical        component programs Si.
    problem is the design of correct programs that is           Notice that given rules in [9] are used for
    solved in another way – within program synthesis.       manual design        and manual confirmation of
    It is evident that these processes are intertwined,     program's correctness, without mention about
    since analysis and synthesis of programs are closely    possibility of automatic (resolution) confirmation
    related. Nevertheless, differences between these        methods.If we wish to prove correctness of
    problems are distinct regarding automatic method        program S, we must prove relation {P}S{Q}, where
    of proving program correctness and automatic            input values of variables must fulfill the formula P
    method of program synthesis.                            and output values of variables must fulfill the
         If we observe a program, it raises question of     formula Q. This defines only partial correctness of
    termination and correctness, and if we observe two      program S, since it is assumed that program S
    programs we have question of equivalence of given       terminates. If we prove that S terminates and that
    programs. Abstract, i.e. non-interpreted program is     relation {P}S{Q} is satisfied, we say that S is
    defined using pointed graph. From such a program,       totally correct.Thus designated principle of
    we may obtain partially interpreted program, using      correctness is used for program designation.
    interpretation of function symbols, predicate           Designation starts from specification {P}S{Q} with
    symbols and constant symbols. If we interpret free      given precondition P and given resulting
    variables into partially interpreted program, a         postcondition Q.Formula {P}S{Q} is written as
    realized program is obtained. Function of such a        K(P, S, Q), where K is a predicate symbol and
    program is observed using sequence executed.            P,S,Q are variables of first-order predicate
    Realized program, regarded as deterministic, has        calculation.
    one executive sequence, and if it does not exist at     {Pzy} z := y {P}
    all, it has no executive sequence. On the other hand,
    when the program is partially interpreted, we see       we are writing as K(t(P,Z,Y), d(Z,Y), P)...
    several executive sequences. In previously stated       where t,d are function symbols and P,Z,Y are
    program type, for every predicate interpreted it is     variables;
    known when it is correct and when not, which
                                                            ...Rules R(τ):
    would mean that depending on input variables
    different execution paths are possible. Considering     P1. . {P}S{R} , R⇒Q.
    abstract program, we conclude that it has only one
    executive sequence, where it is not known whether              {P}S{Q}.
    predicate P or his negation is correct.                 we write.. K(P,S,R) ∧ Im(R,Q) ⇒ K(P,S,Q)




UbiCC Journal – Volume 4 No. 3                                                                                      621
Special Issue on ICIT 2009 Conference - Bioinformatics and Image



    where Im (implication) is a predicate symbol, and        A(S) = R(τ) ∪A(τ). This means that derivation of
    P, S, R, Q are variables;                                theorem B within theory τ could be replaced with
                                                             derivation within special predicate calculus S,
    P2 R⇒P, {P}S{Q}
                                                             whose own axioms A(S)= R(τ) ∪A(τ).Axioms of
          {R}S{Q}. we write Im(R,P) ∧ K(P,S,Q) ⇒             special predicate calculus S are: A(S)= A(τ)
    K(R,S,Q)                                                 ∪R(τ).We assume that s is a syntax unit whose
    P3 {P}S1{R} , {R}S2{Q}                                   (partial) correctness is being proven for certain
                                                             input predicate U and output predicate V.
         {P}begin S1; S2 end {Q}
                                                                Within theory S is being proved
    K(P,S1,R) ∧ K(R,S2,Q) ⇒ K(P,s(S1,S2),Q)
    where s is a function symbol, and P, S1, S2, R, q        ... ⎥⎯ (∃P)(∃Q)K(P,s,Q)
    are variables                                                  S
                                                             where s is a constant for presentation of a given
    P4 {P∧B}S1{Q, {P∧~B}S2{Q}                                program. Program is written in functional notation
          {P}if B then S1 else S2{Q}                         with symbols: s (sequence), d (assigning), ife (if-
                                                             then-else), if (if-then), wh (while), ru (repeat-until).
    K(k(P,B),S1,Q)∧K(k(P,n(B)),S2,Q) ⇒                       To starting set of axioms A(S), negation of
    K(P,ife(B,S1,S2),Q)                                      statement is added: Result of negation using
    where k, n, ife are function symbols                     resolution procedure is as follows: /Im(Xθ,Yθ,)∨
                                                             Odgovor(Pθ,Qθ), where Xθ,Yθ,Pθ,Qθ are values for
    P5 {P∧B}S{Q} , P∧~B ⇒ Q                                  which successful negation To means that for these
                                                             values a proof is found. But this does not mean that
            {P} if B then S{Q}
                                                             given program is partially correct. It is necessary to
    K(k(P,B),S,Q) ∧ Im(k(P,n(B)),Q) ⇒                        establish that input and output predicates U, V are
    K(P,if(B,S),Q)                                           in accordance with Pθ, Qθ, and also that Im (Xθ,Yθ)
                                                             is really fulfilled for domain predicates ant
    where k, n, if are function symbols
                                                             terms.Accordance means confirmation that .. is
    P6          {P∧B} S      {P }                            valid. : U ⇒ Pθ, ∧ Qθ ⇒ V) ∧ ( Xθ ⇒ Yθ).there
                                                             are two ways to establish accordance: manually or
         {P} while B do S {P∧~B}                             by automatic resolution procedure. Realization of
    K(k(P,B),S,P) ⇒ K(P,wh(B,S),k(P,n(B)))                   these ways is not possible within theory S, but it is
                                                             possible within the new theory, which is defined by
    where k, n, wh are function symbols                      predicates and terms which are part of the program
                                                             s and input-output predicates U, V. Within this
    P7 {P}S{Q} , Q∧~B ⇒ P                                    theory U, P, Q, V, X, Y are not variables, but
                                                             formulae with domain variables, domain terms and
         {P}repeat S until B {Q∧B}                           domain predicates.This method concerns derivation
                                                             within special predicate calculus based on
    K(P,S,Q) ∧ Im(k(Q,n(B)),P) ⇒                             deduction within the formal theory. Thus the
    K(P,ru(S,B),k(Q,B))                                      program's correctness problem is associated with
    where k, n, ru are function symbols                      automatic proving of (existing) proofs of
                                                             mathematical theorems.
    Transcription of other programming logic rules is
                                                                  The formal theory τ is determined with the
    also possible.
                                                             formulation of (S(τ), F(τ), A(τ), R(τ)) where S is
                                                             the set of symbols (alphabet) of the theory τ, F is
    Axiom A(τ):
    A1 K(t(P,Z,Y),d(Z.Y),P)                                  the set of formulas (regular words in the alphabet
    assigning axiom                                          S), A is the set of axioms of the theory τ (A⊂F), R
    Formal theory τ is given by (α(τ), F(τ), A(τ), R(τ)),    is the set of rules of execution of the theory τ.
    where α is a set of symbols (alphabet) of theory τ,      Deduction (proof) of the formula B in the theory τ
    F is a set of formulae (correct words in alphabet α),    is the final sequence B1, B2, ... , Bn (Bn is B) of
    A is a set of axioms for theory τ(A⊂F), R is a set of    formulas of this theory, of that kind that for every
    derivation rules for theory τ.B is a theorem within      element Bi of that sequence it is valid: Bi is axiom,
    theory τ if and only if B is possible to derive within   or Bi is deducted with the application of some rules
    calculus k from set R(τ) ∪A(τ) (k is a first-order       of deduction Ri∈R from some preceding elements
    predicate calculus).Let S be special predicate
    calculus (first-order theory) with it's own axioms




UbiCC Journal – Volume 4 No. 3                                                                                          622
Special Issue on ICIT 2009 Conference - Bioinformatics and Image



    of that sequence. It is said that B is the theorem of       Regarding technique of        automatic theorems
    the theory τ and we write ⎯     B [17].                 proving, most investigations      have been done in
                                τ                           resolution rules of derivation.   Resolution is a very
                                                            important derivation rule         with completeness
         Suppose S(τ) is a set of symbols of predicate      property.
    computation and F(τ) set of formulas of predicate
    computation. In that case, the rules of deduction R(       Demonstrate that the mentioned sequence is
    τ) can be written in the form: Bi1∧Bi2∧ ... ∧Bik        deduction of formula B in theoryτ.
    ⇒ Bi (Ri) where Bik, Bi are formulas from F(τ).
                                                                 One way of solving this problem is to verify
    Suppose κ predicate computation of first line, than
                                                            that the given sequence corresponds to definition of
    it is valid:
                                                            deduction in theoryτ. The other way is to use (1),
                                                            i.e. (2):
    R(τ), A(τ) ⎯ B if ⎯ B                            (1)    If we demonstrate that
                    κ       τ
                                                            R(τ), A(τ) ⎯ B ∧ B2 ∧ ... ∧ Bn                     (3)
    B is theorem in the theory τ if and only if B is                      κ
    deductible in computation κ from the set R(τ) ∪
    A(τ).                                                   that is sufficient for conclusion that B1, B2, ... , Bn
                                                            is deduction in τ .
    Suppose S is a special predicate computation
    (theory of first line) with its own axioms:             And also it is sufficient to demonstrate that R(τ),
     A(S) = R(τ) ∪ A(τ) , (rules of deduction in S are
                                                            A(τ) ⎯ Bi , for i = 1,2,...,n, with this it is
    rules of deduction of computation κ) then it is valid            κ
    A(S) ⎯ B if ⎯ B , so that (1) can be written:           demonstrated (3).
          κ      S                                              Demonstration for (3) can be deducted with the
                                                            resolution invalidation of the set
                                                             R(τ)∪A(τ)∪{~B1∨~B2∨ ... ∨~Bn}, or with n
     ⎯ B if ⎯ B                                      (2)
       S        τ                                           invalidations of sets R(τ)∪A(τ)∪{~Bi}.

    That means that the deduction of theorem B in           Notice that for the conclusion that B1, B2, ..., Bn is
    theory τ can be replaced with deduction in special      deduction in τ it is not enough to demonstrate R(τ),
    predicate computation S, that has its own axioms        A(τ) ⎯ (B1 ∧ B 2 ∧ ... ∧ Bn - 1 ⇒ Bn ) ,i.e. it is
    A(S) = R(τ) ∪ A(τ).                                                             κ
    Now we can formulate the following task:                not enough to realize resolution invalidation of the
                                                            set R(τ)∪A(τ)∪{B1, B2, ... , Bn-1}∪{~Bn},
    The sequence of formulas has been given B1, B2, ...     because this demonstrate only that Bn is deductible
    , Bn (Bn is B, Bi different from B for i<n) of theory
                                                            in τ supposing that in τ is deductible B1∧B2∧...∧
    τ.                                                      Bn-1 .
        Implementation of programs for proving                  Always when B1, B2, ..., Bn is really deduction
    theorems was in the beginning only in mathematics
    area. When it was seen that other problems could        in τ, (B1∧B2∧...∧Bn-1 ⇒ Bn) will be correct, but
    be presented as possible theorems which need to be      vice versa is not always valid. It can happen that
    proven, application possibilities were found for        (B1∧B2∧...∧Bn-1 ⇒ Bn) is deductible in τ, but
    areas as program correctness, program generating,       that B1∧B2∧...∧Bn-1 is not deductible in τ, (see
    question languages over relation databases,             example 1’).
    electronic circuits design.
                                                               And also, the demonstration for R(τ), A(τ)
        As for formal presentation where theorem is
    being proven, it could be statement calculus, first-
    order predicate calculus, as well as higher-order       ⎯ Bn , that can be realized with resolution
    logic. Theorems in statement calculus are simple           κ
    for contemporary provers, but statement calculus is     invalidation of the set R(τ)∪A(τ)∪{~Bn}, means
    not expressional enough. Higher-order logic is          that Bn is theorem in τ, i.e. that Bn is deductible in
    extremely expressional, but they have a number of
    practical problems. Therefore a first-order predicate   τ, but this is not enough for the conclusion that B1,
    calculus is probably the most used one.                 B2, ..., Bn is deduction in τ (except for the case that




UbiCC Journal – Volume 4 No. 3                                                                                        623
Special Issue on ICIT 2009 Conference - Bioinformatics and Image



    in the invalidation appears invalidation of each Bi,      7.sode, 1.lateral :
    see example 1”).                                             =(S(2),3)&
        Finally, here it is necessary to underline that not   LEVEL=5;resolvent:
    correspondence to set R(τ)∪A(τ)∪{~Bn} does not            ~r(3,1)~r(4,2)/~r(5,3)~r(X1,2)~=(S(X1),5)&
    mean not correspondence to formula ~Bn as it is,          9.side, 1.lateral :
                                                                 =(S(4),5)&
    but only in the presence of R(τ)∪A(τ).
                                                              LEVEL= 6; resolvent:
                                                                 ~r(3,1)~r(4,2)&
    Example 1. Suppose A(τ) is: {r(1,1), r(1,3)} and R(       4.side, 4.lateral :
    τ) contains three rules of deduction:                     ~r(X1,Y1)~=(S(X1),U1)~=(S(Y1),V1)r(U1,V1)&
    α:r(m,n)⇒r(n,m); β: r(m,n)⇒r(m+1,n+1) ;           γ       LEVEL= 7; resolvent:
    :r(m,n)∧r(n,p)⇒r(n,p)
    symmetry correspondence with the next one                 ~r(3,1)/~r(4,2)~r(X1,Y1)~=(S(X1),4)~=(S(Y1),2)&
    transitivity                                              6.side, 1.lateral :
    Demonstrate that the sequence J is: r(3,1), r(4,2),           =(S(1),2)&
    r(5,3), r(5,1) , r is predicate symbol, one correct       LEVEL= 8; resolvent:
    deduction of formula r(5,1) in theory τ.
                                                                  ~r(3,1)/~r(4,2)~r(X1,1)~=(S(X1),4)&
                                                              8.side, 1.lateral :
    It is sufficient to demonstrate:
                                                                  =(S(3),4)&
    {α,β,γ}, A(τ) ⎯ J .                                       LEVEL= 9; resolvent:
                      κ                                           ~r(3,1)&
       In the next demonstration x+1 is signed with           2.side, 1.lateral :
    S(x) and axioms for ‘the next one’ are added:                 r(3,1)&
                                                              LEVEL= 10; resolvent:
    1                                                             &
    ~r(3,1)~r(4,2)~r(5,3)~r(5,1)&                             DEMONSTRATION IS PRINTED
    9                                                         Example 2
    r(1,1)&                                                   begin
    r(3,1)&                                                   p:=x;
    ~r(X1,Y1)r(Y1,X1)&                                        i:=0;
    ~r(X1,Y1)~=(S(X1),U1)~=(S(Y1),V1)r(U1,V1)&                while i<=n do
    ~r(X1,Y1)~r(Y1,Z1)r(X1,Z1)&                               begin
    =(S(1),2)&                                                          i:=i+1;
    =(S(2),3)&                                                          p:=p*i;
    =(S(3),4)&                                                end;
    =(S(4),5)&                                                end.
    Demonstration with invalidation:                          Given program is written:
    number of generated resolvents = 934                      s(s(d(p,x),d(i,0)),w(i<=n,s(d(i,i+1),d(p,p*i))))
    maximum level = 10                                        Constant b is a mark for predicate i<=n
    DEMONSTRATION IS PRINTED                                  constant t1 is i+1, constant t2 is term p*i
    level on which empty composition is generated =           thus we obtain
    10                                                         s(s(d(p,x),d(i,0)),w(b,s(d(i,t1),d(p,t2))))
     LEVEL=1;              central         composition
    :~r(3,1)~r(4,2)~r(5,3)~r(5,1)&                            1
    5.side, 3.lateral :                                       /O(X1,V1)~K(X1,s(h,g),Y1)~K(Y1,w(b,s(d(i,t1),d(
       ~r(X1,Y1)~r(Y1,Z1)r(X1,Z1)&                            p,t2))),V1)&
    LEVEL= 2; resolvent:                                      8
       ~r(3,1)~r(4,2)~r(5,3)/~r(5,1)~r(5,Y1)~r(Y1,1)&         ~K(Y1,d(p,x),V1)K(Y1,h,V1)& /reserve for
    2.side, 1.lateral :                                       shortening the note
       r(3,1)&                                                ~K(Y1,d(i,0),V1)K(Y1,g,V1)& /reserve for
    LEVEL= 3; resolvent:                                      shortening the note
       ~r(3,1)~r(4,2)~r(5,3)&                                 ~K(X1,Y1,U1)~K(U1,Y2,V1)K(X1,s(Y1,Y2),V1)
    4.side, 4.lateral :                                       & /sequence rule
                                                              ~K(k(X1,V2),U0,X1)K(X1,w(V2,U0),k(X1,ng(V2)
    ~r(X1,Y1)~=(S(X1),U1)~=(S(Y1),V1)r(U1,V1)&                ))& /rule for while
    LEVEL= 4; resolvent:                                      K(t(X1,Z1,Y1),d(Z1,Y1),X1)& /assigning axiome
       ~r(3,1)~r(4,2)/~r(5,3)~r(X1,Y1)~=(S(X1),5)~=           ~IM(X2,Y1)~K(Y1,U0,V1)K(X2,U0,V1)&
    (S(Y1),3)&                                                /consequence rule




UbiCC Journal – Volume 4 No. 3                                                                                   624
Special Issue on ICIT 2009 Conference - Bioinformatics and Image



    ~IM(Y1,V1)~K(X1,U0,Y1)K(X1,U0,V1)& /
    consequence rule                                        /~IM(k(V1,b),t(t(V1,p,t2),i,t1))/O(X2,k(V1,ng(b)))/
    ~O(X1,V1)& / negation addition                          ~K(X2,s(h,g),V1)~K(X2,h,U1)~K(U1,g,V1)&
    0                                                       2.lateral, 2.literal :
    0                                                          ~K(Y1,d(i,0),V1)K(Y1,g,V1)&
                                                            LEVEL= 8; resolvent:
    LP system generates next negation
    number of resolvents generated = 10                     /~IM(k(V0,b),t(t(V0,p,t2),i,t1))/O(X2,k(V0,ng(b)))/
    maximal obtained level = 11                             ~K(X2,s(h,g),V0)~K(X2,h,Y1)/~K(Y1,g,V0)~K(Y
    DEMONSTRATION IS PRINTED                                1,d(i,0),V0)&
    level where the empty item is generated = 11            5.lateral, 1.literal :
     LEVEL=1; central item                                     K(t(X1,Z1,Y1),d(Z1,Y1),X1)&
    :/O(X1,V1)~K(X1,s(h,g),Y1)~K(Y1,w(b,s(d(i,t1),d         LEVEL= 9; resolvent:
    (p,t2))),V1)&
    4.lateral, 2.literal :                                  /~IM(k(X1,b),t(t(X1,p,t2),i,t1))/O(X2,k(X1,ng(b)))/
                                                            ~K(X2,s(h,g),X1)~K(X2,h,t(X1,i,0))&
    ~K(k(X1,V2),U0,X1)K(X1,w(V2,U0),k(X1,ng(V2)             1 lateral, 2.literal :
    ))&                                                        ~K(Y1,d(p,x),V1)K(Y1,h,V1)&
    LEVEL= 2; resolvent:                                    LEVEL= 10; resolvent:

    /O(X1,k(X0,ng(b)))~K(X1,s(h,g),X0)/~K(X0,w(b,s          /~IM(k(X1,b),t(t(X1,p,t2),i,t1))/O(Y1,k(X1,ng(b)))/
    (d(i,t1),d(p,t2))),k(X0,ng(b)))~K(k(X0,b),s(d(i,t1),d   ~K(Y1,s(h,g),X1)/~K(Y1,h,t(X1,i,0))~K(Y1,d(p,x),
    (p,t2)),X0)&                                            t(X1,i,0))&
    3.lateral, 3.literal :                                  5.lateras, 1.literal :
                                                                K(t(X1,Z1,Y1),d(Z1,Y1),X1)&
    ~K(X1,Y1,U1)~K(U1,Y2,V1)K(X1,s(Y1,Y2),V1)               LEVEL= 11; resolvent:
    &                                                       /O(Y1,k(X1,ng(b)))/~K(Y1,s(h,g),X1)/~K(Y1,h,t(X
    LEVEL= 3; resolvent:                                    1,i,0))~K(Y1,d(p,x),t(X1,i,0))&
                                                            5. lateral, 1.literal :
    /O(X1,k(V1,ng(b)))~K(X1,s(h,g),V1)/~K(V1,w(b,s              K(t(X1,Z1,Y1),d(Z1,Y1),X1)&
    (d(i,t1),d(p,t2))),k(V1,ng(b)))/~K(k(V1,b),s(d(i,t1),   LEVEL= 11; resolvent:
    d(p,t2)),V1)~K(k(V1,b),d(i,t1),U1)~K(U1,d(p,t2),V       DEMONSTRATION IS PRINTED
    1)&                                                     Now we need to prove compliance, i.e. that there is
    5.lateral, 1.literal :                                  in effect:
       K(t(X1,Z1,Y1),d(Z1,Y1),X1)&                          ( Xθ ⇒ YθZθTθ ) ∧ (U ⇒ Pθ, ∧ Qθ ⇒ V) that is at
    LEVEL= 4; resolvent:                                    LEVEL= 12; resolvent:
                                                            /IM(k(X1,b),t(t(X1,i,t1),p,t2))O(t(t(X1,i,0),p,x),k(X
    /O(X1,k(X0,ng(b)))~K(X1,s(h,g),X0)/~K(X0,w(b,s          1,ng(b)))&
    (d(i,t1),d(p,t2))),k(X0,ng(b)))/~K(k(X0,b),s(d(i,t1),   By getting marks to domain level we obtain:
    d(p,t2)),X0)~K(k(X0,b),d(i,t1),t(X0,p,t2))&             (X1 ∧ (i<=n) ⇒ X1ii+1 pp/i)i (U⇒X1i 0 px) ∧ (X1 ∧
                                                            ¬
    6.lateral, 3.literal :                                    (i<=n) ⇒ V)7
       ~IM(X2,Y1)~K(Y1,U0,V1)K(X2,U0,V1)&                                              i
    LEVEL= 5; resolvent:                                    Putting   X1:    p = x ⋅ ∏ ( j − 1)     we    obtain
                                                                                      j =0
    /O(X1,k(X0,ng(b)))~K(X1,s(h,g),X0)/~K(X0,w(b,s          following correct implications:
    (d(i,t1),d(p,t2))),k(X0,ng(b)))/~K(k(X0,b),s(d(i,t1),
    d(p,t2)),X0)/~K(k(X0,b),d(i,t1),t(X0,p,t2))~IM(k(X
    0,b),Y1)~K(Y1,d(i,t1),t(X0,p,t2))&
    5. lateral, 1.literal :
        K(t(X1,Z1,Y1),d(Z1,Y1),X1)&
    LEVEL= 6; resolvent:

    /~IM(k(X0,b),t(t(X0,p,t2),i,t1))/O(X1,k(X0,ng(b)))
    ~K(X1,s(h,g),X0)&
    3.lateral, 3.literal :

    ~K(X1,Y1,U1)~K(U1,Y2,V1)K(X1,s(Y1,Y2),V1)
    &
    LEVEL= 7; resolvent:




UbiCC Journal – Volume 4 No. 3                                                                                      625
Special Issue on ICIT 2009 Conference - Bioinformatics and Image



              i                                              program development. Software producers would
     p = x ⋅ ∏ ( j − 1) =>                                   like to predict number of errors in software systems
             j =0                                            before the application, so they could estimate
                          i                                  quality of product bought and difficulties in
     p ⋅ i = x ⋅ i ⋅ ∏ ( j − 1) =>                           maintenance process [18]. Testing often takes 40%
                         j =0                                of time needed for development of software
                                 i                           package, which is the best proof that it is a very
     p ⋅ i = x ⋅ (i − 1 + 1) ⋅ ∏ ( j − 1) =>                 complex process. Aim of testing is to establish
                                j =0
                                                             whether software is behaving in the way envisaged
                                                             by specification. Therefore, primary goal of
                  i +1
     p ⋅ i = x ⋅ ∏ ( j − 1)
                                                             software testing is to find errors. Nevertheless, not
                                                             all errors are ever found, but there is a secondary
                  j =0
                                                             goal in testing, that is to enable a person who
                                                             performs testing (tester) to trust the software system
    For i = 0 we obtain:                                     [19]. From these reasons, it is very important to
                  i                                          choose such a testing method that will, in given
      p = x ⋅ ∏ ( j − 1) =>                                  functions of software system, find those fatal errors
               j =0                                          that bring to highest hazards. In order to realize
                  0
                                                             this, one of tasks given to programmers is to
      p = x ⋅ ∏ ( j − 1) =>                                  develop software that is easy to test ("software is
               j =0
                                                             designed for people, not for machines") [20].
                                                                 Program testing is often equalized to looking for
      p=x                                                    any errors [20]. There is no point in testing for
                                                             errors that probably do not exist. It is much more
    By this the compliance is proven, which is enough        efficient to think thoroughly about kind of errors
    to conclude that a given program is (partially)          that are most probable (or most harmful) and then
    correct (until terminating).                             to choose testing methods that will be able to find
                                                             such errors. Success of a set of test items is equal to
    5. INTERPRETATION   RELATED  TO                          successful execution of detailed test program. One
    DEMONSTRATION     OF    PROGRAM                          of big issues in program testing is the error
    CORRECTNESS                                              reproduction (testers find errors and programmers
                                                             remove bugs) [21]. It is obvious that there must be
        Interpret the sequence J: B1, ... , Bn as program    some      coordination     between       testers   and
    S. Interpret the elements A(τ) as initial elements for   programmers. Error reproduction is the case when
    the composition of program S, and the elements R(        it would be the vest to do a problematic test again
                                                             and to know exactly when and where error
    τ) as rules for the composition of program               occurred. Therefore, there is no ideal test, as well as
    constructions.                                           there is no ideal product.[22] .Software producers
        Vice versa, if we consider program S as              would like to anticipate the number of errors in
    sequence J, initial elementary program operators as      software systems before their application in order to
    elements A(τ) and rules for composition of               estimate the quality of acquired program and the
    program structures as elements R(τ), with this the       difficulties in the maintenance. This work gives the
    problem of verification of the correctness of the        summary and describes the process of program
    given program is related to demonstration of             testing, the problems that are to be resolved by
    correctness of deduction in corresponding formal         testers and some solutions for the efficacious
    theory. It is necessary to represent axioms, rules       elimination of errors[23]. The testing of big and
    and program with predicate formulas.                     complex programs is in general the complicated
        With all that is mentioned above we defined the      process that has to be realized as systematically as
    general frame for the composition of concrete            possible, in order to provide adequate confidence
    proceedings for demonstration of program                 and to confirm the quality of given application [24].
    correctness with the deductive method. With the          The deductions in formal theories represent general
    variety of choices regarding axioms, rules and           frame for the development of deductive methods
    predicate registration for the different composition     for the verification of program correctness. This
    proceedings are possible.                                frame gives two basic methods (invalidation of
                                                             added predicate formula and usage of rules of
                                                             program logic) and their modifications.
    6. CONCLUSION                                                The work with formula that is added to the
                                                             given program implies the presence of added
        Software testing is the important step in            axioms and without them, the invalidation cannot




UbiCC Journal – Volume 4 No. 3                                                                                         626
Special Issue on ICIT 2009 Conference - Bioinformatics and Image



    be realized. The added axioms describe                 [15] Hoare C.A.R. “Proof of a program” Find
    characteristics of domain predicates and operations         Communications of the ACM 14, 39-45.
    and represent necessary knowledge that is to be             1971.
    communicated to the deductive system. The              [16] Hoare C.A.R, Wirth N., “An axiomatic
    existing results described above imply that kind of         definition of the programming language
    knowledge, but this appears to be notable difficulty        Pascal “, Acta Informatica 2, pp. 335-355.
    in practice.                                                1983
                                                           [17] Markoski B., Hotomski P., Malbaski D.,
               ACKNOWELDGEMENTS                                 Obradovic D. “Resolution methods in proving
       The work presented in the paper was developed            the program correctness “, YUGER, An
    within      the      IT       Project       “WEB            international journal dealing with theoretical
    portals for data analysis and consulting,” No.              and computational aspects of operations
    13013,          supported          by           the         research, systems science and menagement
    government of Republic of Serbia, 2008. – 2010.             science, Beograd, Serbia, 2007,
                                                           [18] Myers G.J., “The Art of Software Testing, New
    7. REFERENCES                                               York ” , Wiley, 1979.
                                                           [19] Chan, F., T. Chen, I. Mak and Y. Yu,
    [1] Marks, David M. “Testing very big systems”              “Proportional sampling strategy: Guidelines
          New York:McGraw-Hill, 1992                            for software test practitioners “, Information
    [2] Manthos A., Vasilis C., Kostis D.                       and Software Technology, Vol. 38, No. 12,
          “Systematicaly Testing a Real-Time Operating          pp. 775-782, 1996.
          System“ IEEE Trans. Software Eng., 1995          [20] K. Beck, “Test Driven Development: By
    [3] Voas J., Miller W. “Software Testability: The           Example”, Addison-Wesley, 2003
          New Verification“ IEEE Software 1995             [21] P. Runeson, C. Andersson, and M. Höst, “Test
    [4] Perry William E. “Year 2000 Software Testing“           Processes in Software Product Evolution—A
          New York: John Wiley& SONS 1999                       Qualitative Survey on the State of Practice”,
     [5] Whittaker J.A., Whittaker, Agrawal K.                  J. Software Maintenance and Evolution, vol.
         “A case study in software reliability                  15, no. 1, 2003, pp. 41–59.
          measurement“ Proceedinga of Quality Week,        [22] G. Rothermel et al., “On Test Suite
          paper no.2A2, San Francisko, USA 1995                 Composition and Cost-Effective Regression
    [6] Zeller A. “Yesterday, my program worked,                Testing”, ACM Trans. Software Eng. and
          Today, it does not. Why?”Passau Germany,              Methodology, vol. 13, no. 3, 2004, pp. 277–33
          2000                                             [23] N. Tillmann and W. Schulte, “Parameterized
    [7] Markoski B., Hotomski P., Malbaski D.,                  Unit Tests”, Proc. 10th European Software
          Bogicevic N. “Testing the integration and the         Eng. Conf., ACM Press, 2005, pp. 253–262.
          system“, International ZEMAK symposium,          [24] Nathaniel Charlton “Program verification
          Ohrid, FR Macedonia, 2004.                            with interacting analysis plugins” Formal
    [8] McCabe, Thomas J, &Butler, Charles W.                   Aspects of Computing. London: Aug 2007.
          “Design Complexity Measurement and Testing            Vol. 19, Iss. 3; p. 375
          “Communications of the ACM 32, 1992
    [9] Markoski B., Hotomski P., Malbaski D.
          “Testing the complex software“, International
          ZEMAK symposium, Ohrid, FR Macedonia,
          2004.
    [10] Chidamber, S. and C. Kemerer, “Towards a
          Metrics Suite for Object Oriented Designe”,
          Proceedings of OOPSLA, July 2001
    [11] J.A. Whittaker, “What is Software Testing?
          And Why Is It So Hard?” IEEE Software, vol.
          17, no. 1, 2000,
    [12] Nilsson N., “Problem-Solving Methods in
          Artificial Intelligence “, McGraw-Hill, 1980
    [13] Manna Z., “Mathematical Theory of
          Computation “, McGraw-Hill, 1978
    [14] Floyd. R.W., “Assigning meanings to
          programs “, In: Proc. Sym. in Applied
          Math.Vol.19, Mathematical Aspects of
          Computer Science, Amer. Math. Soc., pp. 19-
          32., 1980.




UbiCC Journal – Volume 4 No. 3                                                                                   627

				
DOCUMENT INFO
Shared By:
Categories:
Tags: UbiCC, Journal
Stats:
views:4
posted:6/17/2010
language:English
pages:10
Description: UBICC, the Ubiquitous Computing and Communication Journal [ISSN 1992-8424], is an international scientific and educational organization dedicated to advancing the arts, sciences, and applications of information technology. With a world-wide membership, UBICC is a leading resource for computing professionals and students working in the various fields of Information Technology, and for interpreting the impact of information technology on society.
UbiCC Journal UbiCC Journal Ubiquitous Computing and Communication Journal www.ubicc.org
About UBICC, the Ubiquitous Computing and Communication Journal [ISSN 1992-8424], is an international scientific and educational organization dedicated to advancing the arts, sciences, and applications of information technology. With a world-wide membership, UBICC is a leading resource for computing professionals and students working in the various fields of Information Technology, and for interpreting the impact of information technology on society.