DOCSLIB.ORG

Performance Assurance Via Software Rejuvenation: Monitoring, Statistics and Algorithms

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Performance Assurance Via Software Rejuvenation: Monitoring, Statistics and Algorithms Performance Assurance via Software Rejuvenation: Monitoring, Statistics and Algorithms Alberto Avritzer,∗ Andre Bondi,∗ Michael Grottke,† Kishor S. Trivedi,† and Elaine J. Weyuker‡ Abstract a large complex industrial e-commerce system for which a severe fault that led to significant performance degrada- We present three algorithms for detecting the need for tion eluded detection for several months. This happened software rejuvenation by monitoring the changing values of because the metric of greatest interest to the customer, re- a customer-affecting performance metric, such as response sponse time, was not being monitored, while metrics of less time. Applying these algorithms can improve the values interest including CPU utilization and memory usage were of this customer-affecting metric by triggering rejuvenation being tracked. More detail about the fault can be found before performance degradation becomes severe. The algo- in [4]. rithms differ in the way they gather and use sample values Motivated by this experience, we developed software re- to arrive at a rejuvenation decision. Their effectiveness is juvenation algorithms to track the customer-affecting met- evaluated for different sets of control parameters, includ- ric, in this case response time (RT). In this paper we propose ing sample size, using simulation. The results show that three new algorithms for software rejuvenation that use dif- applying the algorithms with suitable choices of control pa- ferent sampling approaches to determine whether the RT rameters can significantly improve system performance as has severly degraded. Our first algorithm, called static soft- measured by the response time. ware rejuvenation with averaging, is a variant of the static software rejuvenation algorithm introduced in [1]. In this 1 Introduction new algorithm, the observed values of the RT are averaged over a fixed sample size. Our second algorithm, called static The increasing complexity of large industrial systems software rejuvenation with averaging and sample acceler- has created a need for sophisticated software monitoring to ation, reduces the sample size requirement when a degra- ensure performance and availability. We have introduced dation in performance is detected. For this algorithm, the in [1] and [2] a new software rejuvenation approach that time to compute the average of the RT is proportional to can ensure stable performance of degradable systems. Our the sample size and so the overall time required to trigger a approach was designed to distinguish between performance software rejuvenation is reduced when a significant perfor- degradation that occurs as a result of burstiness in the ar- mance degradation is detected. rival process and software degradation that occurs as a re- Our third algorithm is a direct application of the cen- sult of software aging. This is done by frequently monitor- tral limit theorem. Whenever the average of the samples ing the metric of greatest interest to the customer and trig- exceeds the target quantile of the normal distribution, this gering software rejuvenation whenever severe degradation algorithm will trigger a software rejuvenation. In this pa- is detected. We will refer to this metric as the customer- per we evaluate the domain of applicability of the three al- affecting metric. Software aging has been observed in com- gorithms by simulating their performance using the large plex systems and has been described extensively in the lit- e-commerce system mentioned above. erature [3, 8, 9, 15]. We will describe a case study using The outline of our paper is as follows. Section 2 pro- ∗Alberto Avritzer and Andre Bondi are with Siemens Corpo- vides a survey of related work. In Section 3 we present our rate Research, Princeton, NJ 08540. E-mail: {alberto.avritzer, model of software rejuvenation which has been designed to andre.bondi}@siemens.com †Michael Grottke and Kishor Trivedi are with Duke University, Depart- identify performance degradation using observations of the ment of Electrical and Computer Engineering, Durham, NC 27708-0291. RT. In Section 4 we present three new software rejuvenation E-mail: {grottke,kst}@ee.duke.edu. This work was supported by a fel- algorithms and the analytical motivation for our algorithms. lowship within the Postdoc Program of the German Academic Exchange Section 5 presents simulation results for the e-commerce Service. ‡Elaine Weyuker is with AT&T Labs - Research, 180 Park Avenue, system, while Section 6 contains our conclusions and sug- Florham Park, NJ 07932. E-mail: [email protected] gestions for future research. In Proc. International Conference on Dependable Systems and Networks 2006, pages 435-444, 2006. °c IEEE 435 2 Related work with a Java virtual machine (JVM) heap size of 3 GB. The maximum acceptable RT is 10 seconds, and the system must Avritzer and Weyuker [3] introduced an approach to be able to handle up to 1.6 transactions/second. The two restoring degraded software to full capacity that was tai- primary factors that were found to impact performance were lored particularly for telecommunications or other similar the variability that occurred when garbage collections took systems that are characterized by predictably periodic traf- place, and kernel overhead. fic. It is common for telecommunications operating com- The system model used to generate the experimental re- panies to collect detailed traffic pattern data, thereby al- sults is a slightly modified version of the one used in [4]. lowing them to identify system degradations and the sub- sequent restoration of their systems to full capacity by exe- 1. Whenever a thread arrives at the JVM, a new thread cuting software procedures that will free allocated memory, arrival is scheduled with an exponentially distributed release database locks, and reinitialize other operating sys- inter-arrival time (with arrival rate λ), and the number tem tables. of active threads is incremented by one. Bobbio et al. [5] presented a method for the quantitative analysis of software rejuvenation policies. Their approach 2. The thread queues for a CPU. assumed that it was possible to quantify system degradation by monitoring a metric that was correlated with it. They 3. The CPU processing time of the thread is sampled µ = defined a maximum degradation threshold level and intro- from an exponential distribution with service rate 0.2 duced two rejuvenation policies based on this threshold. A transactions/second. risk-based approach was used for their first policy, defining 4. If the number of threads executing in parallel is greater a confidence level for the metric. Rejuvenation was per- than the specified threshold of 50 threads, an overhead formed with a probability proportional to this confidence is incurred. In order to account for this, the processing level. They also introduced a deterministic policy for which time of the thread is multiplied by a factor of 2.0. rejuvenation was performed as soon as the threshold level was reached. The approach we study in this paper is closely 5. As soon as one of the 16 CPUs is obtained, the thread related to this second policy but uses multiple threshold lev- attempts to allocate 10 MB of memory. els so that we can distinguish between bursts of arrivals and soft failures. When a soft failure occurs, the system remains 6. If the remaining memory heap size is less than the operational, but in a degraded mode with the available sys- memory threshold of 100 MB, a full garbage collection tem capacity greatly reduced. event is scheduled and all running threads are delayed In [1], a software rejuvenation approach for single server by 60 seconds, the amount of time needed to perform systems that tracks the value of the RT to determine the a full garbage collection on a 3 GB Heap. best times to perform software rejuvenation was introduced. 7. When a thread completes service, the total RT of the In [2], it was extended by evaluating the applicability of the related job, consisting of the waiting time plus the pro- algorithms to clusters of hosts. The three rejuvenation al- cessing time, is computed. gorithms that we consider in this paper base the decision to trigger rejuvenation on averages of several observations, 8. Based on the observed RTs, an algorithm decides rather than on the value of the RT itself. whether software rejuvenation should be carried out. A comparison of analytical models using Markov regen- We will discuss several versions of a rejuvenation al- erative processes and measurement approaches using time gorithm in the next section. When the system is reju- series analysis, trend detection and estimation for software venated, all threads in execution are terminated and all rejuvenation was presented in [15]. This paper provides resources held by threads are released. This includes motivation for the development of practical policies based both the JVM memory heap and busy CPUs. on actual measurements. Other papers of interest include [11], in which service The goal of our software rejuvenation algorithms is to mon- failures were identified by monitoring the RT, and [6], itor the RT and do a capacity restoration whenever the RT which described the methodology used by IBM Director has severely deteriorated. During rejuvenation, all CPU software for proactive software rejuvenation using statisti- and memory queues are cleared. The cost is defined to be cal estimation of resource exhaustion. the percentage of transactions lost during the rejuvenation event. 3 The system and the simulation model We assume that the RT can be sampled frequently and that the average and standard deviation of the RT when The subject of our case studies is a multi-tier distributed the system is operating without performance degradation, e-commerce system written in Java. It consists of 16 CPUs serves as the basis for the system performance requirement. In Proc. International Conference on Dependable Systems and Networks 2006, pages 435-444, 2006. °c IEEE 436 4 The rejuvenation algorithms 4.1 Analytical motivation Rejuvenation must be carried out often enough to avoid severe performance slowdowns, yet not unnecessarily, since rejuvenation incurs costs such as lost transactions.
Load more

Recommended publications
  • January 1993 Reason Toexpect That to Theresearchcommunity
    COMPUTING R ESEARCH N EWS The News Journal of the Computing Research Association January 1993 Vol. 5/No. 1 Membership of Congress changes significantly BY Fred W. Weingarten also was re-elected. He has proven to be attention on high-technology, the seniority for chair of that subcommit- CRA Staff an effective and well-informed chair, committee possibly will attract more tee. His attitude toward science and Although incumbents fared better in but given the turnover in the House members. But it will never have the technology is not well-known. and his rising political star, he may not attraction or political power of the the November elections than was Senate expected, the membership of Congress remain active in R&D policy. Boucher Energy and Commerce Committee, the has changed significantly. Congress has also served on the Energy and Com- Ways and Means Committee or the The Senate is stable because there 118 new members, and some key merce Subcommittee on Telecommuni- Appropriations Committee, which also was less turn-over and science is under members were defeated or retired, so cations and Finance, where he ex- will have openings. Unless they have the Commerce Committee, which is a there will be quite a bit of change in the pressed a great deal of interest in specific interests and expertise in plum. Vice President-elect Al Gore will membership of committees and stimulating the creation of a broadband, science and technology, members with be replaced as chair of the science subcommittees concerned with digital national information infrastruc- seniority and influence tend to gravitate subcommittee.
    [Show full text]
  • Testing for Trustworthiness in Scientific Software
    Testing for Trustworthiness in Scientific Software Daniel Hook Diane Kelly Queen's University Royal Military College of Canada Kingston Ontario Kingston Ontario Abstract expected – and correct – results. Weyuker notes that in Two factors contribute to the difficulty of testing many cases, an oracle is pragmatically unattainable. scientific software. One is the lack of testing oracles – With scientific software, this is almost always the case. a means of comparing software output to expected and Weyuker further comments that if the oracle is correct results. The second is the large number of tests unattainable, then “from the view of correctness testing required when following any standard testing … there is nothing to be gained by performing the technique described in the software engineering test.” For scientific software, this is a depressing and literature. Due to the lack of oracles, scientists use disturbing conclusion. However, there is instead a goal judgment based on experience to assess of trustworthiness rather than correctness that can be trustworthiness, rather than correctness, of their addressed by testing. software. This is an approach well established for In this paper, we first outline a typical development assessing scientific models. However, the problem of environment for scientific software, then briefly assessing software is more complex, exacerbated by discuss testing. This leads to a discussion of the problem of code faults. This highlights the need for correctness and trustworthiness from the view of the effective and efficient testing for code faults in scientist who develops and uses scientific software. We scientific software. Our current research suggests that then introduce new results from our analysis of a small number of well chosen tests may reveal a high samples of scientific software using mutation testing.
    [Show full text]
  • Research Booklet 2020-21
    RESEARCH BOOKLET 2020-21 TABLE OF CONTENTS CONTACT INFORMATION ............................................................................................................................................... III OVERVIEW OF RESEARCH IN COMPUTER SCIENCE AT UCF .................................................................................. V ................................................................................................................................................................................................ 0 FACULTY RESEARCH SUMMARIES ............................................................................................................................. 0 Ulas Bagci ........................................................................................................................................................................ 1 Ladislau Bölöni ................................................................................................................................................................ 1 Mainak Chatterjee ............................................................................................................................................................ 2 Guoxing Chen ................................................................................................................................................................... 2 Carolina Cruz-Neira ..........................................................................................................................................................
    [Show full text]
  • Pdf: Software Testing
    Software Testing Gregory M. Kapfhammer Department of Computer Science Allegheny College [email protected] I shall not deny that the construction of these testing programs has been a major intellectual effort: to convince oneself that one has not overlooked “a relevant state” and to convince oneself that the testing programs generate them all is no simple matter. The encouraging thing is that (as far as we know!) it could be done. Edsger W. Dijkstra [Dijkstra, 1968] 1 Introduction When a program is implemented to provide a concrete representation of an algorithm, the developers of this program are naturally concerned with the correctness and performance of the implementation. Soft- ware engineers must ensure that their software systems achieve an appropriate level of quality. Software verification is the process of ensuring that a program meets its intended specification [Kaner et al., 1993]. One technique that can assist during the specification, design, and implementation of a software system is software verification through correctness proof. Software testing, or the process of assessing the func- tionality and correctness of a program through execution or analysis, is another alternative for verifying a software system. As noted by Bowen, Hinchley, and Geller, software testing can be appropriately used in conjunction with correctness proofs and other types of formal approaches in order to develop high quality software systems [Bowen and Hinchley, 1995, Geller, 1978]. Yet, it is also possible to use software testing techniques in isolation from program correctness proofs or other formal methods. Software testing is not a “silver bullet” that can guarantee the production of high quality software systems.
    [Show full text]
  • Experience Doing Software Fault Prediction in an Industrial Environment)
    UCF Dept. of Computer Science and the College of Engineering and Computer Science I Know Where You're Hiding! (Experience Doing Software Fault Prediction in an Industrial Environment) When validating a software system, it would obviously be very valuable to know in advance which files in the next release ofa large software system are most likely to contain the largest numbers of faults. To accomplish this, we developed negative binomial regression models and used them to predict the expected number of faults in each file of the next release of large industrial software systems. The predictions are based on code char- acteristics and fault and modification history data. This talk will discuss what we have learned from applying the modelsev to eral large industrial systems, each with multiple years of field exposure. I will also discuss our success in making accurate predictions and some of the issues that had to be considered. University Distinguished Professor, College of Engineering and Computer Science, University of Central Florida Elaine Weyuker is a University Distinguished Professor, College of Engineering and Computer Science, University of Central Florida. Before joining UCF, Elaine was a Fellow and Distinguished Member of the Technical Staff at AT&T Labs and Bell Labs, a Professor of Computer Science at the Courant Institute of Mathematical Sciences of New York Universi- ty, a Lecturer at the City University of New York, a Systems Engineer at IBM, and a programmer at Texaco, as well as having served as a consultant for several large international companies. Her research expertise includes techniques and tools to improve the quality of software systems through systematic validation activities, including the development of testing, assessment and software faultprediction models.
    [Show full text]
  • Coverage Testing in a Production Software Development Environment Kent Bortz Regis University
    Regis University ePublications at Regis University All Regis University Theses Fall 2006 Coverage Testing in a Production Software Development Environment Kent Bortz Regis University Follow this and additional works at: https://epublications.regis.edu/theses Part of the Computer Sciences Commons Recommended Citation Bortz, Kent, "Coverage Testing in a Production Software Development Environment" (2006). All Regis University Theses. 416. https://epublications.regis.edu/theses/416 This Thesis - Open Access is brought to you for free and open access by ePublications at Regis University. It has been accepted for inclusion in All Regis University Theses by an authorized administrator of ePublications at Regis University. For more information, please contact [email protected]. Regis University School for Professional Studies Graduate Programs Final Project/Thesis Disclaimer Use of the materials available in the Regis University Thesis Collection (“Collection”) is limited and restricted to those users who agree to comply with the following terms of use. Regis University reserves the right to deny access to the Collection to any person who violates these terms of use or who seeks to or does alter, avoid or supersede the functional conditions, restrictions and limitations of the Collection. The site may be used only for lawful purposes. The user is solely responsible for knowing and adhering to any and all applicable laws, rules, and regulations relating or pertaining to use of the Collection. All content in this Collection is owned by and subject to the exclusive control of Regis University and the authors of the materials. It is available only for research purposes and may not be used in violation of copyright laws or for unlawful purposes.
    [Show full text]
  • Database Test Data Generation
    Test Data Generation for Relational Database Applications David Chays Department of Computer and Information Science Technical Report TR-CIS-2005-01 01/12/2005 TEST DATA GENERATION FOR RELATIONAL DATABASE APPLICATIONS DISSERTATION Submitted in Partial Fulfillment of the Requirements for the Degree of DOCTOR OF PHILOSOPHY (Computer & Information Science) at the POLYTECHNIC UNIVERSITY by D. Chays January 2004 Approved : Department Head Copy No. Approved by the Guidance Committee : Major : Computer & Information Science Phyllis Frankl Professor of Computer & Information Science Gleb Naumovich Assistant Professor of Computer & Information Science Filippos Vokolos Assistant Professor of Computer & Information Science Minor : Electrical Engineering Shivendra Panwar Professor of Electrical Engineering Microfilm or other copies of this dissertation are obtainable from UMI Dissertations Publishing Bell & Howell Information and Learning 300 North Zeeb Road P.O. Box 1346 Ann Arbor, Michigan 48106-1346 iv VITA David Chays was born in Brooklyn, New York in November 1972. He received his B.S. degree in Computer Science from Brooklyn College of the City University of New York in 1995 and his M.S. degree in Computer Science from Polytechnic University in Brooklyn, New York, in 1998. After pass- ing the Ph.D. Qualifying Exam at Polytechnic University in 1999, he began working on the database application testing project leading to his thesis, under the supervision of Phyllis Frankl. His research interests are in the areas of software testing, database systems, and computer security. The work presented in this thesis was supported by teaching fellowships from the department of Computer and Information Science at Polytechnic University and grants from the National Science Foundation and the Department of Education.
    [Show full text]
  • Empirical Software Engineering at Microsoft Research
    Software Analytics Harlan D. Mills Award Acceptance Speech Nachi Nagappan © Microsoft Corporation About Me • My name is Nachiappan. I also go by Nachi. • https://nachinagappan.github.io/ • Graduated with a PhD with Laurie Williams. • I read a lot of Franco-Belgian comics (Bande dessinées) • Attend Comic conventions • Miniature railroad modeling (HO and G). © Microsoft Corporation 3 © Microsoft Corporation 4 © Microsoft Corporation Courtney Miller Jenna Butler Danielle Gonzalez Rangeet Pan Yu Huang Jazette Johnson Paige Rodeghero Rini Chattopadhyay 5 © Microsoft Corporation Courtney Miller Jenna Butler Danielle Gonzalez Rangeet Pan Yu Huang Jazette Johnson Paige Rodeghero Rini Chattopadhyay 6 © Microsoft Corporation What metrics are the If I increase test coverage, will that best predictors of failures? actually increase software quality? What is the data quality level Are there any metrics that are indicators of used in empirical studies and failures in both Open Source and Commercial how much does it actually domains? matter? I just submitted a bug report. Will it be fixed? Should I be writing unit tests in my software How can I tell if a piece of software will have vulnerabilities? project? Is strong code ownership good or Do cross-cutting concerns bad for software quality? cause defects? Does Distributed/Global software Does Test Driven Development (TDD) development affect quality? produce better code in shorter time? 7 © Microsoft Corporation History of Software Analytics 1976: Thomas McCabe code complexity 1971: Fumio Akiyama 1981:
    [Show full text]
  • Software Systems Engineering Programmes a Capability Approach
    The Journal of Systems and Software 125 (2017) 354–364 Contents lists available at ScienceDirect The Journal of Systems and Software journal homepage: www.elsevier.com/locate/jss R Software Systems Engineering programmes a capability approach ∗ Carl Landwehr a, Jochen Ludewig b, Robert Meersman c, David Lorge Parnas d, , Peretz Shoval e, Yair Wand f, David Weiss g, Elaine Weyuker h a Cyber Security Policy and Research Institute, George Washington University, Washington, DC, USA b Institut für Software, Universität Stuttgart, Stuttgart, Germany c Institut für Informationssysteme und Computer Medien (IICM), Fakultät für Informatik, TU Graz, Graz, Austria d Middle Road Software, Ottawa, Ontario, Canada e Ben-Gurion University, Be’er-Sheva, Israel f Sauder School of Business, University of British Columbia, Vancouver, BC, Canada g Iowa State University, Ames Iowa, USA h Mälardalen University, Västerås, Sweden and University of Central Florida, Orlando, FL USA a r t i c l e i n f o a b s t r a c t Article history: This paper discusses third-level educational programmes that are intended to prepare their graduates for Received 24 May 2016 a career building systems in which software plays a major role. Such programmes are modelled on tradi- Revised 22 November 2016 tional Engineering programmes but have been tailored to applications that depend heavily on software. Accepted 19 December 2016 Rather than describe knowledge that should be taught, we describe capabilities that students should Available online 23 December 2016 acquire in these programmes. The paper begins with some historical observations about the software Keywords: development field. Engineering ©2016 Elsevier Inc.
    [Show full text]
  • Interim Report of a Review of the Next Generation Air Transportation System Enterprise Architecture, Software, Safety, and Human Factors
    This PDF is available from The National Academies Press at http://www.nap.edu/catalog.php?record_id=18618 Interim Report of a Review of the Next Generation Air Transportation System Enterprise Architecture, Software, Safety, and Human Factors ISBN Committee to Review the Enterprise Architecture, Software Development 978-0-309-29831-5 Approach, and Safety and Human Factor Design of the Next Generation Air Transportation System; Computer Science and Telecommunications 40 pages Board; Division on Engineering and Physical Sciences; National Research 8.5 x 11 2014 Council Visit the National Academies Press online and register for... Instant access to free PDF downloads of titles from the NATIONAL ACADEMY OF SCIENCES NATIONAL ACADEMY OF ENGINEERING INSTITUTE OF MEDICINE NATIONAL RESEARCH COUNCIL 10% off print titles Custom notification of new releases in your field of interest Special offers and discounts Distribution, posting, or copying of this PDF is strictly prohibited without written permission of the National Academies Press. Unless otherwise indicated, all materials in this PDF are copyrighted by the National Academy of Sciences. Request reprint permission for this book Copyright © National Academy of Sciences. All rights reserved. Interim Report of a Review of the Next Generation Air Transportation System Enterprise Architecture, Software, Safety, and Human Factors Interim Report of a Review of the Next Generation Air Transportation System Enterprise Architecture, Software, Safety, and Human Factors Committee to Review the Enterprise Architecture, Software Development Approach, and Safety and Human Factor Design of the Next Generation Air Transportation System Computer Science and Telecommunications Board Division on Engineering and Physical Sciences Copyright © National Academy of Sciences.
    [Show full text]
  • Shenkar College Report 2013.Pages
    ! ! ! ! ! ! ! ! ! Committee for the Evaluation of Software Engineering and Information Systems Engineering Study Programmes! ! ! ! Shenkar College ! Department of Software Engineering ! Evaluation Report! ! ! ! ! ! ! ! ! ! ! ! 13.04.14 !1/!33 ! ! ! Contents! ! Chapter 1: Background 3 Chapter 2: Committee Procedures 4 Chapter 3: Executive Summary 5 Chapter 4: Evaluation Criteria for System Software Engineering Programmes 7 Chapter 5: Evaluation of Software Engineering Study Programme at Shenkar College 27 Chapter 6: Summary of Recommendations and Timetable 33 Appendices Appendix 1 – Letter of Appointment !Appendix 2 - Schedule of the visit 13.04.14 !2/!33 Chapter 1: Background The Council for Higher Education (CHE) decided to evaluate the study programmes in Software Engineering and Information Systems Engineering during the 2013 academic year. Following the decision of the CHE, the Minister of Education, who serves ex officio as Chairperson of the CHE, appointed a review committee consisting of: • Prof. David Parnas (Emeritus) – Engineering, McMaster University, Canada - Committee chair • Prof. Carl Landwehr - Cyber Security Policy and Research Institute, George Washington University, USA • Prof. Jochen Ludewig - Chair of Software Engineering, Stuttgart University, Germany • Prof. Robert Meersman, Department of Computer Science, The Vrije University - Brussels, Belgium • Prof. Peretz Shoval – Department of Information Systems Engineering, Ben Gurion University, Israel • Prof. Yair Wand1 - Sauder School of Business, The University of British
    [Show full text]
  • A Specification-Based Coverage Metric to Evaluate Test Sets
    NISTIR 6403 A Specification-Based Coverage Metric to Evaluate Test Sets Paul E. Ammann George Mason University Information & Software Engineering Dept. Fairfax, VA 22033 Paul E. Black U.S. DEPARTMENT OF COMMERCE Technology Administration National Institute of Standards and Technology 100 Bureau Drive Gaithersburg, MD 20899 (£ 100 NIST A Specification-Based Coverage Metric to Evaluate Test Sets Paul E. Ammann George Mason University Information & Software Engineering Dept. Fairfax, VA 22033 Paul E. Black U.S. DEPARTMENT OF COMMERCE Technology Administration National Institute of Standards and Technology 100 Bureau Drive Gaithersburg, MD 20899 October 1999 /iT OF U.S. DEPARTMENT OF COMMERCE William M. Daley, Secretary TECHNOLOGY ADMINISTRATION Gary R. Bachula, Acting Under Secretary for Technology NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Raymond G. Hammer, Director A Specification-Based Coverage Metric to Evaluate Test Sets Paul E. Ammann* Paul E. Black George Mason University NIST pammann@gmu. edu paul. [email protected] Abstract Software developers use a variety of methods, including both formal methods and testing, to argue that their systems are suitable for building high as- surance applications. In this paper, we develop another connection between formal methods and testing by defining a specification-based coverage metric to evaluate test sets. Formal methods in the form of a model checker supply the necessary automation to make the metric practical. The metric gives the software developer assurance that a given test set is sufficiently sensitive to the structure of an application’s specification. In this paper, we develop the necessary foundation for the metric and then illustrate the metric on an example.
    [Show full text]