Uploads Contact
/
Login Upload
QuickCheck:ALightweightToolforRandomTestingofHaskellProgramsKoenClaess QuickCheck:ALightweightToolforRandomTestingofHaskellProgramsKoenClaess

QuickCheck:ALightweightToolforRandomTestingofHaskellProgramsKoenClaess - PDF document

alida-meadow
alida-meadow . @alida-meadow
Follow
365 views
Uploaded On 2016-06-21
About Share Download

QuickCheck:ALightweightToolforRandomTestingofHaskellProgramsKoenClaess - PPT Presentation

tstorealsystemsandwehaefoundittoworkwreportexperiencepaperandpointoutpitfallstoapaperintroducestheconceptofwritingpropertiesandcthemusingSectionshowshowtodenetestdatageneratorsforuserdenedtypes ID: 371865

tstorealsystemsandwehaefoundittoworkwreportexperiencepaperandpointoutpitfallstoapaperintroducestheconceptofwritingpropertiesandcthemusingSectionshowshowtodenetestdatageneratorsforuserdenedtypes

Share:

Link:

Embed:

Download Presentation from below link

Download Pdf The PPT/PDF document "QuickCheck:ALightweightToolforRandomTest..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.

Presentation Transcript

QuickCheck:ALightweightToolforRandomTestingofHaskellProgramsKoenClaessenChalmersUniversityofTechnologykoen@cs.chalmers.seJohnHughesChalmersUniversityofTechnologyrjmh@cs.chalmers.seABSTRACTisatoolwhichaidstheHaskellprogrammerinulatingandtestingpropertiesofprogramsPropertiesdescribedcallytestedonrandominputbutitisalsopossibletodenecustomtestdatageneratorsepresentanberoftoolalsopointoutsomepitfallstoaRandomtestingisespeciallysuitableforfunctionalprogramsbecausepropertiescanbestatedatanegrainWhenafunctionisbuiltfromseparatelytestedcomponentsthenrandomtestingsucestoobtaingoodcoerageofthedenitionundertest1.INTRODUCTIONensuringsoftItiserylabouruptothecostDespiteanecdotalevidencethatfunctionalprogramsrequiresomewhatlesstesting Onceittypecksitusuallyworks inpracticeitisstillamajorpartoffunctionalprogramdevThecostoftestingmotivatese ortstoautomateitwhollyorpartlyAutomatictestingtoolsenabletheprogrammertocompletetestinginashortertimeortotestmorethoroughlyintheaailabletimeandtheymakeiteasytorepeattestsaftereachmodicationtoaprogramInthispaperwdescribetoolelopedtestingHaskellprogramsunctionalprogramsarewellsuitedtoautomatictestingItisgenerallyacceptedthatpurefunctionsaremheasierbecausebeforeimperativelanguageevenifwholeprogramsareoftenpurefunctionsfrominputtooutputtheproceduresfromwhictheyarebuiltareusuallynotusrelativfunctionsaboundinHaskellonlycomputationsintheIOPermissiontomakedigitalorhardcopiesofallorpartofthisworkforpersonalorclassroomuseisgrantedwithoutfeeprovidedthatcopiesarenotmadeordistributedforprotorcommercialadvantageandthatcopiesbearthisnoticeandthefullcitationontherstpage.Tocopyotherwise,torepublish,topostonserversortoredistributetolists,requirespriorspecipermissionand/orafee.ICFP’00,Montreal,Canada.Copyright2000ACM1-58113-202-6/00/0009..monadarehardtoandsocanbeatanegrainAtestingtoolmustbeabletodeterminewhetheratestispassedorfailedthehumantestermustsupplyanautoablecriteriondoingsoehatouseformalspecicationsforthispurposeehaedesignedasimpledomainspeciclanguageoftestablesphthetesterusestodeneexpectedpropertiesofthefunctionsundertestthencksthatthepropertiesholdinalargeberofThespecicationlanguageisembeddedinHaskellusingtheclasssystemPropertiesarenormallywritteninthesamemoduleasthefunctionstheytestwheretheyservealsoascabledoctationofthebehaviourofthecodeAtestingtoolmustalsobeabletogeneratetestcasesauehahosenthesimplestmethodrandomcompetessystematicmethodsinpracticeeritismeaninglesstotalkaboutrandomtestingwithoutdiscussingthedistributionoftestdataRandomtestingismoste ectivewhenthedistributionoftestdatafollowsthatofactualdatabutwhentestingreuseablecodeunitsasopposedtowholesyspossibledatainallsubsequentreusesisnotknoAuniformdishoosearandomclosedtermwithauniformdistributionforexampleehahosentoputdistributionundertheumantester salsoembeddedinHaskell andawytoobservdistributionoftestcasesByprogrammingathetestercannotonlythedistributioncomplexinAnimportantdesigngoalwasthatshouldbemoduleofabouthisinpracticemainlyusedfromtheHugsinehaealsowritlittleaboutHaskellsyntaxandconsequentlysupportsthefulllanguageanditsextensionsItisnotdependentonanparticularHaskellsystemAcostthatcomeswiththisdecisionisthatwecanonlytestpropertiesthatareexpressibleandobservmethodisindetectingfaultserwehaeusedinavyofapplicationsrangingfromsmallexper tstorealsystemsandwehaefoundittoworkwreportexperiencepaperandpointoutpitfallstoapaperintroducestheconceptofwritingpropertiesandcthemusingSectionshowshowtodenetestdatageneratorsforuserdenedtypesSectionbrieydiscussestheimplemenSectionpresentsanberofcasestudiesthatshowtheusefulnessofthetoolSection2.DEFININGPROPERTIES2.1ASimpleExampleAsarstexamplewetakethestandardfunctionhreversesalistThissatisesanberofusefullahasInfactthersttoofthesecNotethattheselawsholdonlyfornitetotalpaperspecicallyeitmorelikelythatthepropertiesarecomputableInordertocktheselawsusingerepretthemasHaskellfunctionsuswedenewifthesefunctionsreturnforeverypossibleargutthenthepropertiesholdeloadthemintotheHugseHaskellinterpreterandcallforexampleThefunctionesalawasaparameterandappliesittoalargenberofrandomlygeneratedargumeninfactreportingOKiftheresultiserycasereportsorexampleifwemistakenlydenethenckingthelawmightproducewherethecountermodelcanbeextractedbytakingand isaratherarbitrarynbersoourlibraryprovidesaytospecifythisasaparameterInfacttheprogrammermustprovidealittlemoreinforthefunctionisactuallyoerloadedinordertobeablehandlelawswithavaryingnberofvablesandtheoerloadingcannotberesolvedifthelawitselfhasapolymorphictypeasintheseexamplesThustheprogrammermustspecifyaxedtypeatwhichthelawistobeSowesimplygivypesignatureforeachlawforOfcoursethepropertholdspolymorphicallyspecifytobequiteimportantintheorexample isassociativeforthetypebutnotforarguethatapropertyholdspolymorphically2.2Functionsearealsoabletoformulatepropertiesthatquantifyokforexamplethatfunctioncompositionisassociativewerstdeneextensionalequalitandthenwriteypesthatfunctioncompositioniscomme thenthefunctionvaluesareprintedjustasInthiscaseediscoerthatthe law weareckingisfalsebutnot2.3ConditionalLawswswhicharesimpleequationsarecontlyrepretedbybooleanfunctionaswehaeseenbutingeneralylawsholdonlyundercertainconditionsvidesanimplicationcombinatortorepresentsuchconditionallaorexamplethelacanberepresentedbythedenitionthelaNotethattheresultypeofthepropertyischangedfrombecausepropertyforrandomtestcasesetryckingittestcasesacandidatetestcasedoesnotsatifytheconditionitisdiscardedandanewtestcaseistriedkingthelaasusualbutsometimesckingaconditionallawproducestheoutput IfthepreconditionofalawisseldomsatisedthenwemighgeneratemanytestcaseswithoutndinganywhereitholdsInsuchcasesitishopelesstosearchforcasesinwhicthepreconditionholdsRatherthanallowtestcasegenerationtorunforeverwegenerateonlyalimitednberofcandidatetestcasesthedefaultis IfwedonotndvalidtestcasesamongthosecandidatesthenwesimreportberofperformIntheexampleweknowthatthelawpassedthetestinItisthenuptotheprogrammertodecidewhetherthisisenoughorwhetheritshouldbetestedmorethoroughly2.4MonitoringTestDataitseemsthatwetestedthethoroughlyenoughtoestablishitscredibiliterwustbecarefulLetusmodifyasfollokingthelawnowproducesthemessagebinatordoesnotchangethemeaningofawbutitclassiessomeofthetestcasesinthiscasethoseistheemptylistwereclassiedastrivialeseethatalargeproportionofthetestcasesonlytestedinsertionintoanemptylistecangetmoreinformationthanjustlabellingsometestThecomgatherallvaluesthatarepassedtoitandprintoutahistogramofthesevorexampleifwewriteemightgetasaresultSoweseethatonlycasestestedinsertionintoalistwithfairlystrongevidencethatthelawholdsitisworryingthateryshortlistsdominatethetestcasessostronglyallitiseasytodeneanerroneousversionoferthelessworksforlistswithatmostoneelemenThereasonforthisbehaviourofcourseisthatthepreisorderedbutonlyofthelistsoflengtharetestcaseswithlongerlistsaremorelikelytoberejectedb isHaskell sinxfunctionapplicationthepreconditionThereisariskofthiskindofproblemeverytimeweuseconditionallawssoitisalwysimportanproportionactuallytestedThebestsolutionthoughistoreplacetheconditionwithacustomtestdatageneratorfororderedlistsewritespeciesthetestdatageneratorkingthelawnoesaswouldexpectvidessupportfortheprogrammertodenehisorherowntestdatawithcontroloerthedistributionoftestdatawhicewilllookatinthenext2.5InniteStructuresellfunctionesanonemptylistreturnsalistthatrepeatsthecontsofthatlistinnitelywtakealookatthefollowinglawformulatedinAlthoughinelythesincewearecomparingtoinnitelistsusingcomputablewhichdoesnotterminateInsteadwecanreforulatethepropertyasalogicallyequivtonebyusingthattinnitelistsniteinitialtsareequalAnotherissuerelatedtoinnitestructuresisquanpropertiesthatforexampleholdforallinnitelistsbutingeneralitisnotclearhowtoformulateandexecutepropertiesaboutstructurescontainingbottom3.DEFININGGENERATORS3.1ArbitraryThewegeneraterandomtestdataofcoursedependsypetroducedypeofwhicypeisaninstanceifwecangeneratearbitraryelementsinitisanabstracttyperepresentingageneratorfortypeTheprogrammercaneitherusethegeneratorsbuiltinasinstancesofthisclassorsupplyacustomgeneratorusingthebinatorwhicesawintheprevioussectionornowwedenethetype Notethatleavingtheconditionoutresultsinanerrorbecauseisnotdenedforemptylists isarandomnberseedageneratorisjustafunctionwhichcanmanufactureaninapseudorandomButwewilltreatasanypesowedeneaprimitivegeneratortochoosearandomnberinaninalandweprogramothergeneratorsintermsofitfromsimpleronestodosowedeclaretobeaninstancemethodsofthetherstoneofwhichcontructsathesecondonebeingthemonadicsequencingoperatorwhicgeneratesanandpassesittoitssecondargumenttogendenitionofneedstorandomnberseedstoitstoargumentsandisonlypassedoneseedbutluckilytheHaskellrandomnberlibraryprovidesanoperationtosplitoneseedintotypeswhichisdenedintermsofeageneratorthatappliesthepairingoperatorhdeclarationsformostofHaskell spredenedtypes3.2GeneratorsforUser-DenedTypesforeacypethenwustrelyontheusertoprovideinstancesforuserdenedtypesInprinciplewcouldtrytogeneratetheseautomaticallyinapreprocessorpolytypicprogrammingbutwsteadtoleaethistasktotheuserThisispartlybecausetobealighttooleasytoimpletandeasytouseinastandardprogrammingentwedon twttoobligeuserstoruntheirprogramsthroughapreprocessorbeteeneditingthemandtestingButanotherstrongreasonisthatitseemstobevhardtoconstructageneratorforatypewithoutknosomethingaboutthedesireddistributionoftestcasesproducingvidecombinatorstoenableaprogrammertodenehisogeneratorseasilyThesimplestcalledjustmakesahoiceamongalistofalternativegeneratorswithauniformforexampleifthetypeisdenedbthenasuitablegeneratorcanbedenedbAsanotherexamplewecouldgeneratearbitrarylistsusingwhereweusetoapplytheconsoperatortoanarbitraryheadandtailerthisdenitionisnotreallyitproduceslistswithanproducedspecifythefrequencywithwhicheachalternativeiscedenetochoosetheconscasefourtimesasoftenasthenilcaseleadingtoanaeragelistlengthoffourelemenmoregeneraldatatypesitturnsouteneedevennercontroloerthedistributionofgeneratedSupposeypettoaoidchoosingatoooftenhencetheusethisdenitiononlyhasachanceoftermiThereasonisthatforthegenerationofaegenerationsmustterminateIftherstfewrecursionschooseesthengenerationterminatesonlyifverymanyrecursivegenerationsallterminateandthechanceofthisissmallenwhengenerationterttoaoidthissinceweperformalargenberoftestswteachtesttobesmallandquicButthenotionofasizeishardeventodeneingeneralforypetiontypesanethereforegivetheresponsibilitforlimitingsizestotheprogrammerdeningthetestdatahangetherepresentationofgeneratorstowherethenewparameteristobeinterpretedassomekindofsizeboundedeneanewcomboundgeneratesanypassingthecurrentsizeboundtopretthesizeboundinsomereasonablewyduringtestdata boundberofnodesinthegeneratedtreeswhichisquitereasonablewthatwehaeintroducedthenotionofasizeboundecanuseitsensiblyinthegeneratorsforothertypessuctegersandlistssothattheabsolutevaluerespectivlengthisboundedbythesize Sothedenitionswepretedearlierneedtobemodiedaccordinglyestressthatthesizeboundissimplyanextraglobalparameterwhicheverytestdatageneratormayaccesseveryuseofseesthesameboundedoto dividethesizeboundamongthegenerators sothatforexamplealongergeneratedlistwouldhaesmallerelemeneepingtheoerallsizeofthestructurethesameThereasonisthatwewishtoaoidcorrelationsbeteenthesizesofdi erentpartsofthetestdatawhichmightdistortthetestresultsedovarythesizebeteendi erenttestcasesebeginpropertboundesforagreatervyoftestcaseswhichbothmaktestingmoree ectiveandimproesourchancesofndingenoughtestcasessatisfyingthepreconditionofconditionalpropertiesItalsomakesitmorelikelythatwewillndasmallcounterexampletoapropertifthereisone3.3GeneratingFunctionspropertiesariablesthenwustbeabletogeneratearbitraryfuncderstandhownoticethatafunctiongeneratoroftypeisrepresentedbyafunctionoftypeIntRandabByreorderingparametersthisisequivttotheypeIntRandbhrepresenaGenecanthusdeneanduseittoproduceageneratorforafunctiontypeprovidedwecanconstructageneratorfortheresulttypewhicwdependsontheargumenetakecareofthisdependencebydeninganewclasswhosemethodmodiesageneratorinawdependingonitsrstparameterewillthinkofproducingenthisclasswecandenehgeneratesanarbitaryfunctionthatusesitsargumentomodifythegenerationofitsresultInordertodeneinstancesofeneedawtoconstructgeneratortransformersethereforedenethe constructsageneratorwhichtransformstherandomnberseeditispassedinawydependingonbeforepassingittoThisfunctionmustbedenedvsothatallthegeneratorsweconstructusingitareindependenenanylistofincanconstructageneratortransformerrisetoindependentgeneratortransformerswithaveryhighecandeneinstancesofthatchoosebeteengeneratortransformersdependingontheargumenorexamplethebooleaninstancetransformsageneratorinindependenysforandforthegeneratorscoarbitraryTruegFalsegwillbeindependenInasimilarwecandenesuitableinstancesformanyothertypesorexampletheintegerinstancejustconertsitsintegerargumentinasequenceofbitswhicharethenusedasgeneratortransformersinturnInstancesofforrecursivedatatypescanbedenedaccordingtoastandardpatternorexamplethelistinstanceisjustthatdi erentlistsmappedtoindependenpingeachconstructortoanindependenttransformercomposingthesewithtransformersderivedfromeachcomponenypessamewSincetheprogrammerisresponsibleformakingthesedenitionsforuserdenedtypesitisimportantthattheybestraighecaneveninterpretfunctionsasgeneratortransformerswithaninstanceoftheformTheideaisthatweapplythegivenfunctiontoanarbitrarytandusetheresulttotransformthegivengenerInthiswofunctionswhicharedi erentwillgivrisetodi erentgeneratortransformersNotethatifwehadtriedtoaoidneedingtosplitrandomberseedsbydeningthemonadasastatetransformerontherandomseedratherthanastatereaderthenbeentionandwouldnothaebeenabletogeneraterandom4.IMPLEMENTINGQUICKCHECKpropertieswithavaryingnberofargumentsanddi ertresulttypesoimplementthisweintroducethetypeandwecreatethetypeclass yperepresentspredicatesthatcanbecytestingmeansthatitneedstobeableaterandominputandnallyproductatestresultSoaisacomputationinthemonadendinginanabstracttypewhiceepstrackofthebooleanresultofthetestingtheclassicationsoftestdataandthetsusedinthetestcaseLetustakealookatsomeinstancesofAneasyypetockisofcourseurtherfunctionsforwhicenthepropertypeitselfisaninstancesothatecannestpropertycomUsingthefunctionitbecomeseasytodenetheItstypeisMoredetailsoftheimplementationcanbefoundintheappendix5.SOMECASESTUDIES5.1UnicussauncationalgorithmwhicehaedevelopedalongwithaspecicationThiswasquiterevbothasregardstheimpactthathasonprogrammingandthepitfallsthatmustbeaItistoolargetindetailjustdiscussthelessons5.1.1ImpactonTypeDeFirstofalltheuseofhadanimpactonthedesignofthetypesintheprogramedenedthetypeoftermstobeuniedasratherthantheequivouldprobablyhahosenotherwiseThetypeeuseddistinguishesbeteenastringusedasaconstructorandastringusedinotherconandbeteenanaturalnberusedasavariablenameandanintegerusedinotherconypesforexamplethanforstringsHadwstringsthenitisveryunlikelythatwouldevergenerateitissameconstructornametInsteadwhosetogenerateconstructornamesusinghgivesusagoodchancethatgeneratedtermswillbeatleastpartiallyuniableewisewelimitedunicationariablesintestdatatoasmallsetOfcoursewecouldhaeusedthesecondypeaboandspeciedacustomtestdatageneratorwithanexplicitineachpropertButitismoreconttolettestdatabeautomaticallygeneratedusingsooneisypesareotheradvtagestodoingsoalsoitpermitsthetypeertodetectmoreerrorsSousingtroducingnewtypesinprograms5.1.2CheckingFunctionalPropertiesAunierneedstomanagethecurrentsubstitutionandalsothepossibilityoffailuresinrecursivecallsAconytodosoistouseamonadedenedaunicationrepresentedbyafunctionwithoperationstodenean extensionalequality operatoronmonadicaluesandckboththemonadlawsandpropertiessuc5.1.3ErrorsFoundreportfoundalargenberoferrorsinthisexampleInfactnoerrorsatallwerefoundintheunieritselfThisisprobablymoreareectiononthenberoftimestheauthorshaprogrammedunierspreviouslythanonthee ectivenessofeknowhowtodoitquitesimplyOntheotherhandwedidnderrorsintheorexampleedenedasubstitutionfunctionhrepeatedlysubstitutesuntilnovariablesinthedomainofthesubstitutionremainandstatedtheobviouspropertealedthispropertytobefalseitholdsonlyforacyclicsubstitutionsotherwiseaninnitetermisgeneratedandtheequalitytestloops Thiserrorwusingthefunctionhprintsouttheartstoeverytestcasebeforeitcksitereobligedtocorrectthespecicationtomadeusthinkharderaboutthepropertiesofourcodeanddocumentthemcorrectly OnthedoulatingthespecicationcorrectlyperhapswritingtheimplemenThiswaspartlybecausepredicatessuchasarenontrivialtodeneagoodsettheorylibrarywouldhaehelpedhere5.1.4AFalseSenseofSecurityexperiasthefalsesenseofsecuritythatcanbeengenderedwhenone sprogrampassesalargenberoftestsintrivialehaealreadyproblemwhenwdiscussedconditionalpropertiesinthisexampleitbituspropertiestheformsinceourunierreturnswhenitfailsWithalitfairlylikelytobeuniablesincevariablesoccurquiteoftenandifeithertermisavariablethenunicationwillalmostcertainlysucceedOntheotherhandifneithertermisaariablethentheprobabilitthattheywillunifyissmallusthecasewhereonetermisavariableisheavilyotedamongthetestcasesthatsatisfythepreconditionwefoundthatoeroftestcaseshadthisproppropertecanhardlyconsiderthattheywerethoroughlyThesolutionwastouseacustomtestdatageneratoregeneratedygeneratingrandomtermandreplacingrandomsubtermsbintodi erenThisusuallygeneratesuniabletermsalthoughmayfailtowhenvariablesareusedinconsisteninthetotermsWiththismodicationtheproportionoftrivialcasesfelltoareasonableThisexperienceunderlinestheimportanceofindistributionofpropertiesareused5.2CircuitProperties5.2.1LavainaNutshell"isatooltodescribesimulateandformallyvifyhardwaisasocalleddlanguagewhicpropertiesexpressedinanexistingprogramminglanguageinthiscaseTheideaistoviewahardwarecircuitasafunctionfromvidesprimitivecircuitssuchasandMorecomplicatedcircuitsaredenedbycombiningthesevidesinputsandtheoutputsarecalculatedurthermoretheLaasystemdenescombinatorsforcircompositionpositionreplicatesitinacolumnofcircuitsconnectingthev5.2.2PropertiesinLavaPropertiesofcircuitscanbedenedinasimilarwexampletodenethepropertythatacertaincircuitiscomewesaypestainingsignalsinthiscaseapairPropertiescanbeformallyvedothisbyproinputstothecircuitorpropertandcalculatingaconcreteexpressioninaHaskelldatatyperepresenthecircuitexternaltheoremproAllthisisdonebytheoafunctionHereishoecanuseittovthatasocalledhalfaddercomponentiscommTheLaasystemprovidesanberoffunctionsandcomnatorstocontlyexpresspropertiesandformallyvinLavaThoughweareabletoverifypropertiesaboutcircuitsinbenettoollikTherearetomainreasonsforthatrstonethatcallinganexternaltheoremproeryheatprocessWhenvatheoremprovingarequitebigandweoftenhaetowaitforalongtimetogetananswSoatypicaldevtcycleistowritedownthespecicationofthecircuitrstthenmakeanimplemenitforobviousbugsandlastlycalltheexternaltheoremproerforverifyingthecorrectnessHereisanexampleofhowtouseinLaAddingthistestingmethodologytoLaaturnedouttobequitestraighardbecauseLaaalreadyhadanotionofpropertiesestingcanbedoneforallcircuitypestialcircuitscontaininglatcesimplyckthecircuitpropertyforasequenceofinputs5.2.4HigherOrderTestingThesecondreasonforusingtestinginLaaissimplythatpropertiescanonlydealwithatmostrstorderlogicsandtheLasystemisonlyabletogenerateformulasofthattypeSometimeswouldliketoverifypropertiesaboutorexampleprovingthatdistributeso isveryhardtoverifyinLaallfactsuchpropertiesarehardtoverifyautomaticallyingeneralwecandoitforsmallxedsizeshoButsincethesekindofpropertiesforarbitrarycircuitsAdrakisthatwehaetoxthetypesofthesecirpropertiesaboutthemarepolymorphicinthecircuits inputandoutputtypes5.2.5ErrorsFoundTheauthorsusedthelibrarywhiledevarithmeticcircuitsalreadyusedinthedevtprocessbutonlyinavlimitedandadhocwwmhmorethoroughtestingaspossibleokindsefounderrorsthatourformalvtionmethodwouldhaefoundaswlogicalerrorsintheButsecondlyealsofounderrorsduetothefactthatrandominputalsomeansrandominputorexampleforanbitadderweonlyuseandformallyspecicinputsizesRandomtestingthatwehadforgottentodeneoneofthesecases!5.3PropositionalTheoremProvingorteachingpurposesweimplementedtodi erenmethodspropositionalmethodsvisPutnammethodwhichusesbackingtogenmodelsmethodmethodtonthedilemmaproofsystemtogatherinformationabouttheliteralsintheclausesetfunctiontakesanextraargumentanhisthesocalledsaturationlevelaparameterwhiclimitsthedepthoftheproofsandusuallyliesbeteenandIftheresultofitmeansthatthereasaconIftheresultisitmeansthaterymodeloftheclausesetshouldhaasasubmodelismhmorestraighardtoimpropertystatedaboNotethatwsomestatisticsdictionwhentheresultwandthesizeofthecaseofealsoexpressedthatwedisqualifyatestcasewhenWiththehelpofthispropertfoundbugs!Thesebugswereduetoimplicitunjustiedassumptionswaboutbothrithmsassumedthatnoclausesintheinputcouldconthesameliteraltwiceandthefunctionassumedthatnoneoftheinputclauseswasempthniquesasinsectionpropertytookaboutandfromtheoutputwcouldseethedistributionofasabout$5.4PrettyPrintingAndyGillreportedaninterestingstoryaboutusingtousHeuseditindevelopingavtofWtedhisvtfunctionallyusingHaskstillusingHaskellheusedastatemonadwithexceptionstoelopanimperativeimplementationofthesamelibraryTheideawasthatthesecondimplementationmodelswhatgoesoninaJaaimplemenThenheexpressedtherelationshipbeteenthetodifpropertiesThisquicklypointsoutwheremyrasoningisfaultyandprovidesgratteststocatchthecornersoftheimplemeneproblemswerefoundthethirdofwhichshowethatIhadmertwocinmyimplementationthatIshouldnothave urthermorehemadeanimprotinthewreportsexamplesfoundareverylargeanditisdiculttogobactothepropertyandunderstandwhyitisacounterexampleerwhenthecounterexampleisanelementofatreeshapeddatatypetheproblemcanoftenbelocatedinoneofthesubtreesofthecounterexamplefoundGillextendedclasswithanewmethodtoitstforInsomecasesmhsmallercounterexampleswtinglibrarywasportingthestateandexceptionmonadmodelinHaskelltoJaHethenusedtogenbercodeordertockthattheJaaimplementationwasequivtothetoHaskellmodels5.5EdisonChrisOkisalibraryofecientdatastructuressuitableforimplementationanduseinfunctionalprogramminglanguagesHehasusedtostateandtestpropertiesofthelibraryerydatastructureinthebeenhasincludedseveralextramodulesespeciallyforformpropertiesaboutthesedatastructuresHereportsMyexehasmostlybenthatofaverysatiseduser letsmeEdisonwithpr  maybofthee ortofmyprevioustestsuiteanddoesamuchbjobtobasakialsomentionsadrakhavingtodowiththeellmodulesystemHeoftenusesonespecicationofAnaturalwytodothisistoplacethespecicationinonemoduleandeachimplementationinaseperatemoduleButsincethespecicationreferstotheimplementationthenthespecicationmoduleustimportthetationonetlyundertestasakiwasobligedtoeditthespecicationmodulebyhandbeforeeachtestsoastoimporttherightimplemenhpreferablewouldbetoparameterisethespecicationonanimplementationmoduleylefunctorswouldbereallyhelpfulhere!6.DISCUSSION6.1OnRandomTestingerynaiveapproacSystematicmethodsareoftenpreingeneralatestadequacycriterionisdenedandproceedsadequacycriterionorexampleasimplecriterionisthatwpathwithexceptionsforloops befolloedinatleastonetestAwidevyofadequacycriterahaebeenproposedarecentsurveyisehahosennottobaseonsuchanadequacycriterionInpartthisisbecausemanycriteriawneedreinterpretationbeforetheycouldbeappliedtoHaskprogramsitismhlessclearforexamplewhataconwpathisinalanguagewithhigherorderfunctionsandlazyevInpartsuchacriterionwouldforceustousemhmoreheatmethodsevenmeasuringpatherageforexamplewouldrequirecompilermodicationsandthustietoaparticularimplementationofellnamelytheonewemodiedtocollectpathinforGeneratingtestdatatoexerciseaparticularpathrequiresconstraintsolvingonemustndinputvalueswhicetheseriesoftestsalongthegivenpathproducespeciedresultsWhilesuchconstraintsolvingmaybefeasibleforarithmeticdatafortherichsymbolicdatatypesfoundinHaskellprogramsitisadicultresearchprobleminitswnrigherapartfromthedicultyofautomatingsystematictestingmethodsforHaskellthereisnoclearreasontobelievbetterDuranandNtafoscomparedthefaultdetectionprobabilitofrandomtestingwithpartitiontestinganddiscoeredthatthedi erencesine ectivenessweresmallHamletandylorrepeatedtheirstudymoreextensivandcorroboratedtheoriginalresultsAlthoughpartitiontestingistlymoree ectiveatexposingfaultstoquoteHamlet stsurveyBytaking morointsinardomtestanyadvantageartitiontestmighthavehadisdout orsmallprogramsinparticularitislikelythatrandomtestcaseswillindeedexerciseallpathsforexamplesothatgoodyankpropertiesofindividualfunctionsbutthefunctionstheycallaretestedindependenSoevenwhenisusedtotestalargeprogramwealwystestasmallpartatatimeThereforewemayexpectrandomtestingtowparticularlywhgreaterautomatingsystematictestingforHaskellourchoiceofrandomtestingisclear6.2CorrectnessCriteriaTheproblemofdeterminingwhetheratestispassedornotisknownastheacleprOnesolutionistocompareprogramoutputwiththatofanotherversionoftheproperhapsanolderorperhapsabut obviouslycorrect vanexecutablespecicationmightplaythesamer%Thiskindoforaclecaneasilybeexpressedasapropertalthoughourpropertiesaremhmoregeneraleroftenonecanckthataprogram soutputiscorrectmhmoreecientlythanonecancomputetheoutBlumandKannanexploitthisintheirworkonprogramwhichclassiestheprogram soutputascorrectorwithahighprobabilityofclassifyingcorrectlyanddoessowithstrictlyloercomplexitTheydistinguishprofromprogramtheirproposalisthatprogramsshouldalwktheiroutputandindeedinfurtherworkBlumetaledhowprogramswhichusuallyproducecorrectanswerscanevwrongoutputinparticulardomains Ofcourseresultcerscanalsobeexpressedaspropertiesalthoughweusethemfortestingratherthanasapartofthenalprogram spropertylanguageishoermoregeneralthanresultcViaconditionalpropertiesorspecictestdatageneratorswecanexpresspropertieswhichholdonlyforasubsetofallpossibleinputsThuswoidtestingfunctionsincaseswhichleadtoruntimeerrorsorcasesinedonotcareabouttheresultorexamplewedonottestinsertionintoanunorderedlistthereisnopoinindoingsoetaresultcermustverifythataprogramproducesthe correct outputinallcaseseventhosewhicareuninpropertiesarenotlimitedtockingtheresultofanindividualfunctioncallthepropertythatanoperatorisassociativeforexamplecannotreallybesaidtocktheresultofanyindividualuseoftheoperatorbutstillexpressesauseful global propertthatcanbecedbytestingpropertiesspecicationrectlywasusedintheDAISTSsystemfortestingabstractdatatypeswhichcompiledequationalpropertiesintestingcodealthoughtestcaseshadtobesuppliedbythekingautomatictestcasegenerationDAISTSdidnotneedequivtsofourconditionalandquantiedpropAlthoughthelanguageusedwasimperativeabstractdatatypeoperationshadtobeforbiddentosidee ecttheirtsthustheprogramstobetestedwereessenbefunctionalyandHamletdescribeatechniquefortestingC classesagainstanalgebraicspecicationwhichiserthespecicationlanguagemustberestrictedinordertoguaranteethatspecicationsbeanimatedThereseemstobenopublishedworkonautomatictestingofprogramsagainstspecicationsesimply ethatfunctionalprogramsandpropertybasedspecicationsareaverygoodmatcecanusethegivenpropertiesdirectlyfortestingerembeddingthespecicationlanguageinHaskellpermitsustowriteverypoandexiblepropertiesumof6.3TestDataGenerationtoolslimiteddomainswiththegoalofmatchingthedistributionofactualdataforthesystemundertestthesocalledationalprInthiscasestatisticalinferencesaboutthemeantimebeteensystemfailurescanbedrawnfromthetestresultsInordertomorecomplexdataitispopuhtoitwpressallthedesiredpropertiesoftestdataforexamplerandomprogramThereforethegrammarswereenhancedwithactionsorextendedtoattributegrammarsThisapproachasbeenmostusedfortestingcompilersalthoughMaurerarguesforitsuseinmanycontextsGrammarshaebeenusedforsystematictestingforexamplethegeneratedtestdataisrequiredtoexerciseproductionybeandnotedtheterminationproblemforrecursivegrammarsHissolutionthoughwasjusttoincreasetheprobabilitiesofgeneratingleaessothatevtualterminationisguaranOurexperienceisthatthisresultsinfartoohighaproportionoftrivialtestcasesandthereforeinecienttestingustbeproperlyebelieveourmethodofcontrollingsizesismhsuperiorItseemsthattheneedtolearnacomplexlanguageofextendedgrammarshashinderedtheadoptionofthesemethodsbeddingainHaskellweprovideatleast thesamecapabilitiesbutsparetheprogrammertheneedtolearnmorethanafewnewoperatorstthesametimeweprovideallthepoerandyneededtogeneratetestdatasatisfyingcomplexintsinalanguagetheprogrammeralreadyknolinkinggeneratorstotypesviaHaskell sclasssystemwereetheprogrammeroftheneedtospecifygeneratorsatallinmanycasesandwheretheymustbespeciedtheprogrammer sworkisusuallylimitedtospecifyinggeneratorsforhisorherownnewtypes6.4OnRandomnessehaeencounteredsomeinterestingproblemsinreasoningaboutprogramswhichuserandomnbergenerationInparticularthemonadwhicisbasedonisnotamonadatall!ConsidertherstmonadlaSinceourimplementationofbindsplitsitsrandomnberoperandseedsonthetosidesoftheequationandythereforeproducedi erentresultsSothelawsimplydoesnotholdhoerweconsiderthelawtobetruebecausethetosidesproducethesameresultseveniftheresultsdi erforanyparticularseedButwhatpreciselydowemeanby morally ecannotxtheproblemjustbyreinterpretingequalityfortheypeclaimingthetosidesarejustdi erentrepresengoodbecausewecanactuallyobservethedi erenceatothertypesysupplyingarandomnberseedsomethingwehaetobeabletodoiftheypeistobeusefulInsteadwehatoreinterpretwhatwemeanbyprogramequivalenceinthepresenceofrandomnbergenerationtheimperativeprogramismorallyequivttothesameprogramwiththeassigntsreversedinthesamesensebutofcourseproducesatresultThereissomeinterestingsemantictheorytobedonehere6.5OnLazyEvaluationehaearguedinthepastthatlazyevaluationisaninaluableprogrammingtoolthatradicallychangesthewpropertiesaconicthereaboperfectlyinnitestructuresinspecicationsprovidedthepropertieseactuallytestarecomputableforexamplewecantestthatarbitrarilylongprexesofinnitelistsareequalratherthancomparingtheliststhemselvmonadhasabindoperationbecausewesplittherandomnberoperandthentheother andsowecanfreelydenegeneratorsthatproduceinniteresultsWhatwecannotdoisterminationinatestresultSowecannottestforexamplethepropertOntheotherinaumantestercannotebeentestlazyprogramssatisfactorilybyhandsofarthenwearenotinaworsepositionifweuseetahtestercanobservethatproducesanerrormessagefromtheevaluationof withoutproducinganyotheroutputrstandcanthusinferthatthepropertyaboeholdsTheproblemisthattheHaskellstandardprovidesnowyforatomakethesameobettherearevariousextensionsofHaskellwhicdoindeedmakethispossibleSomeworkdonebyAndyGillhasshownthatgivensuchextensionswecouldformandckpropertiessuchastheoneaboeusing6.6SomeRemajoristhatitencouragesustoformulateformalspecicationsthusimprovingourunderstandingofouritisopentotheprogrammertodothisfewreallydoperhapsbecausethereislittleandperhapsbecausespecicationalueifthereisnockatallthatitcorrespondstothetedprogramaddressesboththeseisitgivesusashorttermpao viaautomatedtesting andsomereasontobelievethatpropertiesstatedinamoduleactuallyholdenlybetspecicationrstcategoryisuselesstodiscoerexceptinsofarasithelpswithfurthertesting ittellsusnothingabouttheactualThethirdcategoryisobviouslyusefulinasensethesearetheerrorswetestinordertondButthesecondcategoryisalsoimportanteveniftheydonotrevealamiseinthecodetheydorevealamisunderstandingaboutwhatitdoesCorrectingsuchmisunderstandingsimproourabilitytomakeuseofthetestedcodecorrectlylaterWhenformulatingspecicationsonerapidlydiscoerstheneedforalibraryoffunctionsthatimplementcommonmathearetionofnitesettheoryforusewithyoftheabstractionsinitaretooinecienttobeofmhuseinprogramsbutinspecicationswheretheobjectistostatepropertiesasclearlyandsimplyaspossibletheycomeintheiroBecauseofthisdi erenceinpurposethereisaneedforlibrariesspecicallytargetedatspecicationsmajorthedistributionanddecidetlymanytestshaebeenrunAlthoughweproystocollectthisinformationwecannotcompeltheprogrammertoAprogrammerwhodoesnotgainingafalsesenseofsecurityfromalargenberofinadequatetestserhapswecoulddeneadequacymeasuresjustonthegeneratedtestdataandthuswarntheuseratleastinthiskindofsituation7.CONCLUSIONSehaetakentorelativelyoldideasnamelyspecicationsasoraclesandrandomtestingandfoundwystomakthemeasilytoHaskvideanembeddedlanguageforwritingpropertiesingexpressivenesswithoutthelearningcostThelanguagetainscontfeaturessuchasquantiersconditionalsandtestdatamonitorseprovidetypebaseddefaultrandomtestdatageneratorsincludingrandomfunctionsgreatlyreducingthee ortofspecifyingthemThirdlyeprovideanembeddedlanguageforspecifyingcustomtestdatageneratorswhichcanbebasedonthedefaultgeneratorsgivinganercontroloertestdatadistributionalsointroduceanoelwyofcontrollingsizewhengeneratingrandomelementsofrecursivedatatypesoldtechniquesworksextremelywellforHaskThefunclocalpropertiessincealldependenciesofafunctionareexplicitAndpreciselyrandomtestingisknowntoworkverywellforsmallnegrainedprogramsandise ectiveinndingfaultsthetoolislighandeasytouseandprovidesashorttermpao forexplicitlystatingpropertiesoffunctionsinaprogramwhichgreatlyincreasestheunderstandingoftheprogramfortheprogrammeraswellasfordocumentationpurposesouldliketothankAndyGillChrisOkasakiandtheanonymousrefereesfortheirusefultsonthispaper8.REFERENCESSAnyandRHamletAutomaticallyckingantationagainstitsformalspecicationInIrvineSoftwareSymppagesMarchRolandBackhousePatrikJanssonJohanJeuringandLambertMeertensGenericProgrammingAntroductionInenotesinComputerSciencolumeBjesseKClaessenMSheeranandSSinghareDesigninHaskellIneonFunctionalPrBaltimoreAMBlumandSKannanDesigningprogramsthatktheirworkInc stSymposiumontheoryofComputingpages"ACMMayMBlumMLubandRRubinfeldSelftesting$correctingwithapplicationstonproblemsInc ndSymposiumontheTheoryofpages"ACMMayACelentanoSCReghizziPDellaVignaandCGhezziCompilertestingusingasenePreExp"KClaessenandDSandsObservableSharingforunctionalCircuitDescriptionInAsianComputereConferPhetThailandAMDavisandHPutnamAcomputingprocedureforticationtheoryJournaloftheAssociationforComputingMachinery" JDuranandSNtafosAnevaluationofrandomansactionsonSoftwareEngine JulyJGannonRHamletandPMcMullinDataabstractionimplementationspecicationandtestingansPrgLangandSystems DHamletRandomtestingInJMarciniakeditordiaofSoftwareEnginepages""RHamletandRTylorPartitiontestingdoesnotinspirecondenceansactionsonSoftwar DecemberJHughesWhunctionalProgrammingMattersInDTurnereditorchTopicsinFAddisonWMPJonesTheHugsdistributionCurrenailablefromMMaurerGeneratingtestdatawithenhancedtextfreegrammarsIEEESoftwar" GunnarStkASystemforDeterminingPropositionalLogicTheoremsbyApplyingValuesandRulestoTripletsthatareGeneratedfromaFSwedishPtNo""approed USPtNo"" EuropeanPNo PhilipWadlerTheoremsforfree!eonFunctionalPrammingandComputerLondonSeptemberPhilipWadlerAprettierprinterMarchDraftpaper HZhuPHallandJMaSoftareunittesterageandadequacyComputingSurveys "December"Appendix:ImplementationHereweshowtheimplementationofthecodeisaailablefrommoduleQuickCheckwhereimportMonadimportRandomGennewtypeGenaGenIntRandachooseRandomaaaGenachooseboundsGennrfstrandomRboundsrvariantIntGenaGenavariantvGenmGennrmnrandsr v randsr r randsr wherer r splitr promoteaGenbGenabpromotefGennraletGenmfainmnrsizedIntGenaGenasizedfgenGennrletGenmfgenninmnrinstanceMonadGenwherereturnaGennraGenm kGennr letr r splitr Genm km nr inm nr elementsaGenaelementsxsxs liftMchoose lengthxs vectorArbitraryaIntGenavectornsequencearbitraryi noneofGenaGenaoneofgenselementsgensidfrequencyIntGenaGenafrequencyxschoose summapfstxspickxspicknkxxsnkotherwisepicknkxsArbitraryCoarbitraryclassArbitraryawherearbitraryGenainstanceArbitraryBoolwherearbitraryelementsTrueFalseinstanceArbitraryIntwherearbitrarysizednchoosenninstanceArbitraryaArbitrarybArbitraryabwherearbitraryliftM arbitraryarbitraryinstanceArbitraryaArbitraryawherearbitrarysizednchoose nvectorinstanceArbitraryaArbitrarybArbitraryabwherearbitrarypromotecoarbitraryarbitraryclassCoarbitraryawherecoarbitraryaGenbGenbinstanceCoarbitraryBoolwherecoarbitrarybvariantifbthen else instanceCoarbitraryIntwherecoarbitrarynn variant n variant coarbitrarynotherwisevariant coarbitraryndiv instanceCoarbitraryaCoarbitrarybCoarbitraryabwherecoarbitraryabcoarbitraryacoarbitrarybinstanceCoarbitraryaCoarbitraryawherecoarbitraryvariant coarbitraryaasvariant coarbitraryacoarbitraryasinstanceArbitraryaCoarbitrarybCoarbitraryabwherecoarbitraryfgenarbitrarycoarbitrarygenfPropertynewtypePropertyPropGenResultdataResultResultokMaybeBoolstampStringargumentsStringnothingResultnothingResultokNothingstampargumentsresultResultPropertyresultresPropreturnresclassTestableawherepropertyaPropertyinstanceTestableBoolwherepropertybresultnothingokJustbinstanceTestablePropertywherepropertyproppropinstanceArbitraryaShowaTestablebTestableabwherepropertyfforAllarbitraryfevaluateTestableaaGenResultevaluateagenwherePropgenpropertyaforAllShowaTestablebGenaabPropertyforAllgenbodyPropdoagenresevaluatebodyareturnargaresargaresresargumentsshowaargumentsresTestableaBoolaPropertyapropertyaFalsearesultnothinglabelTestableaStringaPropertysaPropaddfmapevaluateawhereaddresresstampsstampresclassifyTestableaBoolStringaPropertyclassifyTruenamelabelnameclassifyFalsepropertycollectShowaTestablebabPropertycollectvlabelshowv

Related Contents


An ant zig-zags back and forth on a picnic table as shown.
An ant zig-zags back and forth on a picnic table as shown. PDF document
413 views
© 2015 Pearson Education, Inc.
© 2015 Pearson Education, Inc. PDF document
472 views
PHY132 Introduction to Physics II
PHY132 Introduction to Physics II PDF document
348 views
Section 6.3 Apparent Forces
Section 6.3 Apparent Forces PDF document
366 views
Section 3.7 Projectile Motion:
Section 3.7 Projectile Motion: PDF document
362 views
Section 14.3 Describing Simple
Section 14.3 Describing Simple PDF document
365 views
Finishing off chapter 25, Starting chapter 26..
Finishing off chapter 25, Starting chapter 26.. PDF document
404 views
Section 3.5 Relative Motion
Section 3.5 Relative Motion PDF document
343 views
Section 14.4 (cont.) © 2015 Pearson Education, Inc.
Section 14.4 (cont.) © 2015 Pearson Education, Inc. PDF document
378 views
© 2015 Pearson Education, Inc.
© 2015 Pearson Education, Inc. PDF document
456 views
Section 6.3 Apparent Forces
Section 6.3 Apparent Forces PDF document
368 views
© 2015 Pearson Education, Inc.
© 2015 Pearson Education, Inc. PDF document
348 views
Next Show more