Separation of Concerns for Dependable Software Design
Daniel Jackson and Eunsuk Kang
MIT Computer Science and Artificial Intelligence Laboratory
32 Vassar Street, Cambridge, MA 02139
[email protected]

ABSTRACT

For 'mixed-criticality' systems that have both critical and non-critical functions, the greatest leverage on dependability may be at the design level. By designing so that each critical requirement has a small trusted base, the cost of the analysis required for a dependability case might be dramatically reduced. An implication of this approach is that conventional object-oriented design may be a liability, because it leads to 'entanglement', and an approach based on separating services may be preferable.

Categories and Subject Descriptors

D.2.2 [Software Engineering]: Design Tools and Techniques; D.2.4 Software/Program Verification; D.2.10 Design.

General Terms

Design, Reliability, Languages, Theory, Verification.

Keywords

Dependability, software design, separation of concerns, object-orientation, formal methods, trusted bases, decoupling, entanglement, mixed-criticality systems.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
Conference'10, Month 1–2, 2010, City, State, Country.
Copyright 2010 ACM 1-58113-000-0/00/0010…$10.00.

1. WHY CURRENT APPROACHES FAIL

Today's software developers rely on two techniques to make their software more dependable: process and testing.

In any large development, a defined software process is essential; without it, standards are hard to enforce, issues fall through cracks, and the organization cannot learn from past mistakes. At minimum, a process might include procedures for version control, bug tracking and regression testing; typically, it also includes standard structures for documents and guidelines for meetings (e.g., for requirements gathering, design and code review); and most ambitiously it includes the collection of detailed statistics and explicit mechanisms for adjusting the process accordingly.

Testing is used for two very different purposes. On the one hand, it is used to find bugs. Structural tests exploit knowledge of the structure of the software to identify bugs in known categories. A mutation test, for example, might focus on the possibility that the wrong operator was selected for an expression; a regression test is designed to detect the recurrence of a particular flaw. For this kind of testing, a successful test is one that fails, and thus identifies a bug.

On the other hand, testing can be used to provide evidence of dependability. In this case, tests focused on particular known bug categories are less useful (since a failure might come from a category that has not been identified). Instead, tests are drawn randomly from the 'operational profile' – the expected profile of use – and statistical inferences are made about the likelihood of failure in the field based on the sampling carried out in the tests. For this kind of testing, a successful test is one that succeeds: a failing test case not only requires a bug fix (which sets the testing effort back to square one, since the target of the testing is now a new program on which the old results no longer obtain), but also provides direct evidence of low quality, thus altering the tester's assumptions and raising the bar for demonstrating dependability.

For modest levels of dependability, process and testing have been found to be effective, and they are widely regarded as necessary components of any serious development. Arguments remain about exactly what form process and testing should take: whether the process should follow an incremental or a more traditional waterfall approach, for example, or whether unit testing or subsystem testing should predominate. But few would argue that process and testing are bad ideas.

For the high levels of dependability that are required in critical applications, however, process and testing – while necessary – do not seem to be sufficient. Despite many years of experience in organizations that adhere to burdensome processes and perform extensive testing, there is little compelling evidence that these efforts ensure the levels of dependability required. Although it seems likely that the adoption of rigorous processes has an indirect impact on dependability (by encouraging a culture of risk avoidance and attention to detail), evidence of a direct link is missing.

The effectiveness of statistical testing lies at the core of the difficulty, since the most likely way a process might establish dependability would be via testing – in the same way that industrial manufacturing processes achieve quality by measuring samples as they come off the assembly line. Unfortunately, even if the operational profile can be sampled appropriately, and all other statistical assumptions hold, the number of tests required to establish confidence is rarely feasible. To claim a failure rate of one in R executions or 'demands' to a confidence of 99% requires roughly 5R tests to be executed [5]; similarly, a rate of one failure in R hours requires testing for 5R hours. To meet the oft-stated avionics standard of 10⁻⁹ failures per hour, for example, would require testing for 5×10⁹ hours – almost a million years.

2. A DIRECT APPROACH

In the last few years, a different approach has been advocated, drawing on experience in the field of system safety. The idea, in short, is that instead of relying on indirect evidence of dependability from process or testing, the developer provides direct evidence, by presenting an argument that connects the software to the dependability claim. This argument, which is known as a dependability case, takes as premises the code of the software system, and assumptions about the domains with which it interacts (such as hardware peripherals, the physical environment and human operators), and from these premises establishes, more or less formally, some particular critical properties.

The credibility of a dependability case, like the credibility of any argument, will rest on a variety of social and technical factors. When appropriate, it may include statistical arguments, although logical arguments are likely to play a greater role. To argue that a component has a failure rate of less than one in 10⁹ demands, it may be possible to test the component exhaustively; but if not, testing to achieve sufficient statistical confidence is likely to be too expensive, and formal verification will be a more viable option.

Formal methods will therefore likely play a key role in dependability cases, since there are no other approaches that can provide comparable levels of confidence at reasonable cost. Note, however, that just as rigorous process does not guarantee dependability, neither does the use of formal methods. A formal verification is only useful to the extent that the properties verified, and the assumptions made, are the right ones (a caveat that applies equally to testing). For this reason, the claim that software is 'free from runtime errors' should be taken with a grain of salt. While it is certainly useful to know that a program will not suffer from an arithmetic overflow or exceed the bounds of an array, such knowledge does not provide any direct evidence that the software will not lead to a catastrophic failure. Indeed, the construction of a dependability case may reveal that the risk of runtime errors is not the weakest link in the chain.

3. THE COST OF BUILDING A CASE

A great attraction of statistical testing is that its cost does not depend on the size of the software being checked. Unfortunately, for the analyses that are more likely to be used as the elements of a dependability case, and which rely on examining the text of the software, cost increases at least linearly with size.

This underlines the importance of designing for simplicity. The smaller and simpler the code, the lower the cost of constructing the case for its correctness; the additional upfront cost of a cleaner design will likely prove to be a good investment. But even if Hoare is right, and 'inside every large program there is a small one trying to get out', it may not be possible to find that small program, especially the first time around.

A more realistic aim is to reduce not the size of the entire program, but rather the size of the subprogram that must be considered to argue that a critical property holds. This subprogram, the trusted base for the critical property, must include not only the code that directly implements the relevant functionality, but any other code that might potentially undermine the property.

One might think that identifying trusted bases for properties in this way helps only because it allows the rest of the program to be ignored. But an advantage may be gained even if the trusted bases cover the entire program. Suppose the dependability case must establish k properties of the system, and that each property has a trusted base of size B. The analysis cost is likely to be superlinear; a reasonable guess is that it will be quadratic, to account for the interactions between parts. In that case, the total cost would be kB². Now if the trusted bases cover the entire program (but do not overlap), the size of the total codebase is kB. For the same codebase, but without a factoring into trusted bases, the cost of the analysis would be k(kB)², which is larger by a factor of k².
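The testing-effort arithmetic in section 1 can be checked with a short calculation. This is a sketch only: the 5R rule of thumb is the one the text attributes to [5], and the year conversion assumes 8,760 hours per year.

```python
def required_test_hours(failure_rate_per_hour: float) -> float:
    """Hours of statistical testing needed to claim the given failure
    rate at roughly 99% confidence, per the 5R rule of thumb in the
    text: one failure in R hours requires about 5R hours of testing."""
    r = 1.0 / failure_rate_per_hour
    return 5.0 * r

# The oft-stated avionics standard: 1e-9 failures per hour.
hours = required_test_hours(1e-9)   # 5e9 hours
years = hours / (24 * 365)          # roughly 570,000 years
print(f"{hours:.3g} hours, about {years:,.0f} years")
```

Even with generous rounding, the result sits within a factor of two of the text's "almost a million years", which is the point: the required test campaign is infeasible by several orders of magnitude.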
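The cost comparison in section 3 is easy to reproduce. The quadratic cost model and the symbols k and B are the text's; the concrete numbers below are arbitrary illustrations.

```python
def analysis_cost(size: float) -> float:
    """Quadratic cost model from the text: analyzing code of the
    given size costs size**2, accounting for pairwise interactions."""
    return size ** 2

def factored_cost(k: int, b: float) -> float:
    """k properties, each argued over its own trusted base of size B."""
    return k * analysis_cost(b)

def unfactored_cost(k: int, b: float) -> float:
    """Same k*B lines of code in total, but each of the k properties
    must be argued over the entire program of size k*B."""
    return k * analysis_cost(k * b)

# Hypothetical numbers: 10 critical properties, trusted bases of 1000 units.
k, b = 10, 1000
ratio = unfactored_cost(k, b) / factored_cost(k, b)
print(ratio)  # → 100.0, i.e. k**2
```

The ratio is k² regardless of the particular k and B chosen, matching the text's conclusion that factoring into non-overlapping trusted bases pays off even when the bases jointly cover the whole program.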