David Coppit

The Galileo fault tree analysis tool

We present Galileo, a dynamic fault tree modeling and analysis tool that combines the innovative DIF-Tree analysis methodology with a rich user interface built using package-oriented programming. DIFTree integrates binary decision diagram and Markov methods under the common notation of dynamic fault trees, allowing the user to exploit the benefits of both techniques while avoiding the need to learn additional notations and methodologies. Package-oriented programming (POP) is a software architectural style in which large-scale software packages are used as components, exploiting their rich functionality and familiarity to users. Galileo can be obtained for free under license for evaluation, and can be downloaded from the World-Wide Web.

Large team projects in software engineering courses

A key goal of educators teaching software engineering is to provide students with useful experience that will benefit them after graduation. A key component of this experience is usually a class project that is meant to expose students to the issues associated with real software development efforts. Unfortunately, educators rarely have the time required to manage software projects in addition to their normal pedagogical duties. As a result, many software engineering courses compromise the project experience by reducing the team sizes, project scope, and risk. In this paper, we present an approach to teaching a one-semester software engineering course in which approximately 30 students work together to construct a moderately sized (22 KLOC) software system. This approach provides a more realistic project experience for the students, without incurring significant managerial overhead for the instructor. We present our experiences using the approach for the spring 2004 software engineering course at The College of William and Mary.

Software assurance by bounded exhaustive testing

Bounded exhaustive testing (BET) is a verification technique in which software is automatically tested for all valid inputs up to specified size bounds. A particularly interesting case of BET arises in the context of systems that take structurally complex inputs. Early research suggests that the BET approach can reveal faults in small systems with inputs of low structural complexity, but its potential utility for larger systems with more complex input structures remains unclear. We set out to test its utility on one such system. We used Alloy and TestEra to generate inputs to test the Galileo dynamic fault tree analysis tool, for which we already had both a formal specification of the input space and a test oracle. An initial attempt to generate inputs using a straightforward translation of our specification to Alloy did not work well. The generator failed to generate inputs to meaningful bounds. We developed an approach in which we factored the specification, used TestEra to generate abstract inputs based on one factor, and passed the results through a postprocessor that reincorporated information from the second factor. Using this technique, we were able to generate test inputs to meaningful bounds, and the inputs revealed nontrivial faults in the Galileo implementation, our specification, and our oracle. Our results suggest that BET, combined with specification abstraction and factoring techniques, could become a valuable addition to our verification toolkit and that further investigation is warranted.

Understanding concerns in software: insights gained from two case studies

Much of the complexity of software arises from the interactions between disparate concerns. Even in well-designed software, some concerns can not always be encapsulated in a module. Research on separation of concerns seeks to address this problem, but we lack an understanding of how programmers conceptualize the notion of a concern and then identify that concern in code. In this work, we have conducted two exploratory case studies to better understand these issues. The case studies involved programmers identifying concerns and associated code in existing, unfamiliar software: GNUs sort.c and the game Minesweeper. Based on our experiences with these two case studies, we have identified several types of concerns and have detailed a number of factors that impact programmer identification of concerns. Based on these insights, we have created two sets of guidelines: one to help programmers identify relevant concerns and another to help programmers identify code relating to concerns.

yagg: an easy-to-use generator for structured test inputs

Automated testing typically uses specifications to drive the generation of test inputs and/or the checking of program outputs. Many software systems have structurally complex inputs that cannot be adequately described using simple formalisms such as context-free grammars. In order to generate such inputs, many automated testing environments require the user to express the structure of the input using an unfamiliar formal notation. This raises the cost of employing automated testing, thereby offsetting the benefits gained. We present yagg (yet another generator-generator), a tool that allows the programmer to specify the input using a syntax very similar to that of LEX and YACC, widely used scanner and parser generators. yagg allows the user to bound the input space using several different techniques, and generates an input generator that systematically enumerates inputs. We evaluate the ease of use and performance of the tool relative to a model checker-based generator used in previous research. Our experiences indicate that yagg generators can be somewhat slower, but that the ease-of-use afforded by the familiar syntax may be attractive to users.

Developing a high-quality software tool for fault tree analysis

Sophisticated dependability analysis techniques are being developed in academia and research labs, but few have gained wide acceptance in industry. To be valuable, such techniques must be supported by usable, dependable software tools. We present our approach to addressing these issues in developing a dynamic fault tree analysis tool called Galileo. Galileo is designed to support efficient system-level analysis by automatically decomposing fault trees into modules that are solved separately using appropriate techniques. Usability is addressed by a software architecture based on a component-based design technique that we call package-oriented programming. We integrate multiple, volume-priced mass-market software packages to provide the bulk of the tool superstructure. To address tool dependability, we are developing natural language and partial formal specifications of fault tree elements, and we exploit the inherent redundancy associated with multiple analysis techniques as an aid in testing.

Spotlight: A Prototype Tool for Software Plans

Software evolution is made difficult by the need to integrate new features with all previously implemented features in the system. We present Spotlight, a prototype editor for software plans that seeks to address this problem by providing the programmer a principled way to separately develop and incrementally integrate independent features.

Implementing Large Projects in Software Engineering Courses.

In software engineering education, large projects are widely recognized as a useful way of exposing students to the real-world difficulties of team software development. But large projects are difficult to put into practice. First, educators rarely have additional time to manage software projects. Second, classrooms have inherent limitations that threaten the realism of large projects. Third, quantitative evaluation of individuals who work in groups is notoriously difficult. As a result, many software engineering courses compromise the project experience by reducing the team sizes, project scope, and risk. In this paper, we present an approach to teaching a one-semester software engineering course in which 20 to 30 students work together to construct a moderately sized (15 KLOC) software system. The approach combines carefully coordinated lectures and homeworks, a hierarchical project management structure, modern communication technologies, and a web-based project tracking and individual assessment system. Our approach provides a more realistic project experience for the students, without incurring significant additional overhead for the instructor. We present our experiences using the approach the last 2 years for the software engineering course at The College of William and Mary. Although the approach has some weaknesses, we believe that they are strongly outweighed by the pedagogical benefits.

Sound methods and effective tools for engineering modeling and analysis

Modeling and analysis is indispensable in engineering. To be safe and effective, a modeling method requires a language with a validated semantics; feature-rich, easy-to-use, dependable tools; and low engineering costs. Today we lack adequate means to develop such methods. We present a partial solution combining two techniques: formal methods for language design, and package-oriented programming for function and usability at low cost. We have evaluated the approach in an end-to-end experiment. We deployed an existing reliability method to NASA in a package-oriented tool and surveyed engineers to assess its usability. We formally specified, improved, and validated the language. To assess cost, we built a package-based tool for the new language. Our data show that the approach can enable cost-effective deployment of sound methods by effective tools.

A model for software plans

Even in well-designed software, some concerns can not be easily encapsulated due to their dependence on surrounding context. Such concerns are intermingled with each other and the context code, making it difficult for developers to reason independently about them. We have introduced software plans as an editor-based approach for addressing the tangling of context-dependent concerns. Software plans provide programmers with partial views of the overall software which present only that code related to concerns of current interest. The problem we address is that the traditional sequence-of-characters representation for code is poorly suited for software plans. It lacks the ability to accurately model the concerns associated with a code block, the relationships between code blocks, and the notion of multiple independent plans. In this paper, we present a formally-defined code/concern model that supports these capabilities and more. Using this model, we were able to implement a prototype editing tool that supports software plans.