1. 1 Chapter 26 Cleanroom Software Engineering

2. 329-272 Cleanroom Developed in early 80’s by Harlan Mills Reported very good results –reliable, high-quality software –inexpensively and quickly produced Not used very much Moderate use of formal methods

3. 329-273 Moderate? Extreme use of formal methods –prove theorems in a formal language –a program checks all proofs Moderate use of formal methods –prove theorems on a whiteboard –a group of people talk about the proof until all are satisfied

4. 329-274 Cleanroom increment Requirements gathering Box structure specification Formal design Correctness verification (proofs) Code generation Code inspection Statistical use testing Certification

5. 329-275 Testing Purpose is to estimate quality Purpose is NOT to improve quality –if there are a significant number of bugs, do it over Tests are generated based on –what users actually do –probability that event will occur

6. 329-276 Statistical use testing Make model of how the system will be used List the set of stimuli that cause the software to change its behavior Estimate the probability of each stimuli Generate tests based on probability

7. 329-277 The formal part Box structure specification Formal design Correctness verification (proofs) Goal: produce code that matches specification

8. 329-278 Box Specification BB - black box –sequence of stimuli (input events) –response –rules that map stimuli to response

9. 329-279 Black box bank account Stimuli –deposit x, withdraw y, check-balance Results –OK, BOUNCE, BALANCE z BankAccount is a function BankAccount( stimulusHistory: Seq of Stimuli, stimulus: Stimuli) -> Results

10. 329-2710 Black box bank account Define function balance(Seq of Stimuli) balance({}) = 0 balance(SS+S) = –if (S = withdraw X) and X <= balance(SS) then balance(SS) - X –if (S = deposit X) then balance(SS)+X –ottherwise, balance(SS)

11. 329-2711 Black box bank account BankAccount(stimH, s) if s = balance then BALANCE stim(H) else if s = deposit X then OK else “s = withdrawal X” if X <= balance(stimH) then OK else BOUNCE

12. 329-2712 Box specification SB - state box –single stimulus (input event) –response –state –rules that map stimulus and old state to response and new state

13. 329-2713 State box bank account Bank account has one variable: balance BankAccount(s) if s = balance then BALANCE balance else if s = deposit X then balance’ = balance + X and OK else if x = withdraw X then if X <= balance then balance’ = balance - X and OK else BOUNCE

14. 329-2714 Boxes BB: S, T => R where S is a sequence of stimuli, T is a stimulus, and R is a result SB: S, P => R, Q where S is a stimulus, P and Q are states, and R is a result. CB: Clear box can use any code to specify the function from stimuli to responses.

15. 329-2715 Design Design is the step of converting a Black Box or State Box into a Clear Box. Clear Box is usually described by pseudocode. For each step of the design, the designers prove that the step is correct. Each kind of step has a rule for proving it correct.

16. 329-2716 Code generation Once a design is expressed only as Clear Boxes, it is easy to translate into a programming language like C or Java. The programmers translate the design into code.

17. 329-2717 Advantages of Cleanroom Verification becomes a finite process Improves quality Can verify every line of design and code It results in a near zero defect level It scales up It produces better code than unit testing

18. 329-2718 Near Zero Defect Level? KLOC,error/KLOC Ericsson OS-32: 3501 1.7 improvement HP 3.51.4 IBM1072.6486 LOC/PM IBM 861.2 US Army750.84.8 improvement

19. 329-2719 Summary If reliability is very important, Cleanroom techniques should be considered Reasonably efficient of programmer time Works for groups of 70 programmers Not popular, and there are probably reasons