I have installed PHPUnit via Pear.
While I try testing via PHPUnit,even after giving the test file path it shows error:
The system cannot find the path specified.
I have tried Sample code in :
https://netbeans.org/kb/docs/php/phpunit.html?print=yes#installing-phpunit
<?php
class Calculator
{
/**
* #assert (0, 0) == 0
* #assert (0, 1) == 1
* #assert (1, 0) == 1
* #assert (1, 1) == 2
* #assert (1, 2) == 4
*/
public function add($a, $b)
{
return $a + $b;
}
}
?>
Not sure what your source file is called, but there are not any tests written in for the class. You used the generator, which has created the #asserts. Now, you need to generate the test class to use those. The PHPUnit Manual Skeleton Generator is then needed to run to produce the actual tests.
With your code, you have the sample #assert annotations for what should be simple to generate test cases. Therefore, you need to generate the test cases.
phpunit-skelgen --test Calculator
or for Namespaces (where Project is the name space)
phpunit-skelgen --test -- "project\Calculator" Calculator.php
Then you can see tests generated
/**
* Generated from #assert (0, 0) == 0.
*/
public function testAdd() {
$o = new Calculator;
$this->assertEquals(0, $o->add(0, 0));
}
Finally, you can execute your tests:
phpunit --bootstrap Calculator.php --verbose CalculatorTest
Related
The following is an attempt to produce my problem with the minimum code (it is not intended to be a useful program).
My problem is that I want to make a precondition on a public function dependent on a private variable. I have to declare my function before the "private" indicator and my variables after that indicator. This means that I get the compilation error
problem.ads:10:16: "secondPrivateVariable" is undefined
problem.ads:10:40: "firstPrivateVariable" is undefined
I have tried putting placeholder definitions above the function, but then I get compilation errors about conflicting definitions.
package Problem is
pragma Elaborate_Body (Problem);
function publicAPI(which : Positive) return Natural with
Pre => secondPrivateVariable > firstPrivateVariable;
-- should only be called when second > first
private
-- the following variables are used by many procedures and
-- should be kept private
firstPrivateVariable : Natural := 7;
secondPrivateVariable : Natural := 465;
end Problem;
Any assistance would be welcomed.
You could wrap the check in a function:
function Call_Permitted return Boolean;
function publicAPI(which : Positive) return Natural with
Pre => Call_Permitted;
private
firstPrivateVariable : Natural := 7;
secondPrivateVariable : Natural := 465;
function Call_Permitted return Boolean is
(secondPrivateVariable > FirstPrivateVariable);
If Call_Permitted is only to be used locally and only to generate object code if assertions are enabled, you could say
function Call_Permitted return Boolean with Ghost;
(this is a SPARK-related feature, probably only available in GNAT)
I'm currently discovering frama-c's features, and especially WP & Value's analysis tools. My final goal is to be able to use frama-c on larger codes that involves several layers with:
a lot of function calls
use of complex data structures
static and/or global variables
So far I've been trying to apply a bottom-up method i.e starting specifying functions that does not includes any function calls and analyze their behaviors by isolating them thanks to -lib-entry and -main kernel options. By doing that I make sure that if pre conditions are assumed to be true, then the whole function contract is verified. As soon as I tried to specify upper layers that invokes those functions, things gets complicated. First I often have to specify the behavior of the called functions which is not always easy because those functions may deal with variables/functions out of the scope of the current function.
Let me give you an easy example:
Let's say that in file1.h we define a data structure "my_struct" that contains a field number and a field parity.
In file1.c I have two functions:
A first function "check_parity" that just tests if the parity field of the static variable _sVar is correct.
A second function "correct_parity" that calls the first function, and corrects the parity if the field was not correct.
In file2.c, I have a function "outside_caller" that just calls correct_parity(). My objective is to be able to specify outside_caller the same way I'm specifying correct_parity. Below is the corresponding source code:
file1.h
/* parity = 0 => even ; 1 => odd */
typedef unsigned char TYP_U08;
typedef unsigned short TYP_U16;
typedef unsigned int TYP_U32;
typedef unsigned long TYP_U64;
typedef struct {
unsigned char parity;
unsigned int number;
} my_stuct;
typedef enum
{
S_ERROR = -1
,S_OK = 0
,S_WARNING = 1
} TYPE_STATUS;
/*# ghost my_stuct* g_sVar; */
/*# predicate fc_pre_is_parity_ok{Labl}(my_stuct* i_sVar) =
(
\at(i_sVar->parity, Labl) == ((TYP_U08) (\at(i_sVar->number,Labl) % 2u))
);
# predicate fc_pre_valid_parity{Labl}(my_stuct* i_sVar) =
(
(\at(i_sVar->parity,Labl) == 0) ||
(\at(i_sVar->parity, Labl) == 1)
);
# predicate fc_pre_is_parity_readable(my_stuct* i_sVar) =
(
\valid_read(&i_sVar->parity)
);
# predicate fc_pre_is_parity_writeable(my_stuct* i_sVar) =
(
\valid(&i_sVar->parity)
);
# predicate fc_pre_is_number_readable(my_stuct* i_sVar) =
(
\valid_read(&i_sVar->number)
);
# predicate fc_pre_is_number_writeable(my_stuct* i_sVar) =
(
\valid(&i_sVar->number)
);
*/
TYPE_STATUS check_parity(void);
TYPE_STATUS correct_parity(void);
file1.c
static my_stuct* _sVar;
/*# requires check_req_parity_readable:
fc_pre_is_parity_readable(_sVar);
# requires check_req_number_readable:
fc_pre_is_number_readable(_sVar);
# assigns check_assigns:
g_sVar;
# ensures check_ensures_error:
!fc_pre_valid_parity{Post}(g_sVar) ==> \result == S_ERROR;
# ensures check_ensures_ok:
(
fc_pre_valid_parity{Post}(g_sVar) &&
fc_pre_is_parity_ok{Post}(g_sVar)
) ==> \result == S_OK;
# ensures check_ensures_warning:
(
fc_pre_valid_parity{Post}(g_sVar) &&
!fc_pre_is_parity_ok{Post}(g_sVar)
) ==> \result == S_WARNING;
# ensures check_ensures_ghost_consistency:
\at(g_sVar, Post) == _sVar;
*/
TYPE_STATUS check_parity(void)
{
//# ghost g_sVar = _sVar;
TYPE_STATUS status = S_OK;
if(!(_sVar->parity == 0 || _sVar->parity == 1)) {
status = S_ERROR;
} else if ( _sVar->parity == (TYP_U08)(_sVar->number % 2u) ){
status = S_OK;
} else {
status = S_WARNING;
}
return status;
}
/*# requires correct_req_is_parity_writeable:
fc_pre_is_parity_writeable(_sVar);
# requires correct_req_is_number_readable:
fc_pre_is_number_readable(_sVar);
# assigns correct_assigns:
_sVar->parity,
g_sVar,
g_sVar->parity;
# ensures correct_ensures_error:
!fc_pre_valid_parity{Pre}(g_sVar) ==> \result == S_ERROR;
# ensures correct_ensures_ok:
(
fc_pre_valid_parity{Pre}(g_sVar) &&
fc_pre_is_parity_ok{Pre}(g_sVar)
) ==> \result == S_OK;
# ensures correct_ensures_warning:
(
fc_pre_valid_parity{Pre}(g_sVar) &&
!fc_pre_is_parity_ok{Pre}(g_sVar)
) ==> \result == S_WARNING;
# ensures correct_ensures_consistency:
fc_pre_is_parity_ok{Post}(g_sVar);
# ensures correct_ensures_validity :
fc_pre_valid_parity{Post}(g_sVar);
# ensures correct_ensures_ghost_consistency:
\at(g_sVar, Post) == _sVar;
*/
TYPE_STATUS correct_parity(void)
{
//# ghost g_sVar = _sVar;
TYPE_STATUS parity_status = check_parity();
if(parity_status == S_ERROR || parity_status == S_WARNING) {
_sVar->parity = (TYP_U08)(_sVar->number % 2u);
/*# assert (\at(g_sVar->parity,Here) == 0) ||
(\at(g_sVar->parity, Here) == 1);
*/
//# assert \at(g_sVar->parity, Here) == (TYP_U08)(\at(g_sVar->number,Here) % 2u);
}
return parity_status;
}
file2.c
/*# requires out_req_parity_writable:
fc_pre_is_parity_writeable(g_sVar);
# requires out_req_number_writeable:
fc_pre_is_number_readable(g_sVar);
# assigns out_assigns:
g_sVar,
g_sVar->parity;
# ensures out_ensures_error:
!fc_pre_valid_parity{Pre}(g_sVar) ==> \result == S_ERROR;
# ensures out_ensures_ok:
(
fc_pre_valid_parity{Pre}(g_sVar) &&
fc_pre_is_parity_ok{Pre}(g_sVar)
) ==> \result == S_OK;
# ensures out_ensures_warning:
(
fc_pre_valid_parity{Pre}(g_sVar) &&
!fc_pre_is_parity_ok{Pre}(g_sVar)
) ==> \result == S_WARNING;
# ensures out_ensures_consistency:
fc_pre_is_parity_ok{Post}(g_sVar);
# ensures out_ensures_validity:
fc_pre_valid_parity{Post}(g_sVar);
*/
TYPE_STATUS outside_caller(void)
{
TYPE_STATUS status = correct_parity();
//# assert fc_pre_is_parity_ok{Here}(g_sVar) ==> status == S_OK;
/*# assert !fc_pre_is_parity_ok{Here}(g_sVar) &&
fc_pre_valid_parity{Here}(g_sVar) ==> status == S_WARNING; */
//# assert !fc_pre_valid_parity{Here}(g_sVar) ==> status == S_ERROR;
return status;
}
Here the main issue is that in order to specify outside_caller(), I need to access _sVar which is out of scope in file2.c. That implies to deal with a ghost variable (g_sVar) that is declared in file1.h and updated in correct_parity function. In order to make the caller (correct_parity) able to use the callee's contracts, the ghost variable g_sVar must be used inside the contracts of the callees.
Here are the results of WP analysis:
(1) check_parity()
frama-c -wp src/main.c src/test.c -cpp-command 'gcc -C -E -Isrc/'
-main 'check_parity' -lib-entry -wp-timeout 1 -wp-fct check_parity -wp-rte -wp-fct check_parity -then -report
[rte] annotating function check_parity
[wp] 14 goals scheduled [wp] Proved goals: 14 / 14
Qed: 9 (4ms)
Alt-Ergo: 5 (8ms-12ms-20ms) (30)
(2) correct_parity()
frama-c -wp src/main.c src/test.c -cpp-command 'gcc -C -E -Isrc/' -main 'correct_parity' -lib-entry -wp-timeout 1 -wp-fct correct_parity -wp-rte -wp-fct correct_parity -then -report
[rte] annotating function correct_parity
[wp] 18 goals scheduled
[wp] Proved goals: 18 / 18
Qed: 12 (4ms)
Alt-Ergo: 6 (4ms-37ms-120ms) (108)
(3) outside_caller()
frama-c -wp src/main.c src/test.c -cpp-command 'gcc -C -E -Isrc/' -main 'outside_caller' -lib-entry -wp-timeout 1 -wp-fct outside_caller -wp-rte -wp-fct outside_caller -then -report
[rte] annotating function outside_caller
[wp] 14 goals scheduled
[wp] [Alt-Ergo] Goal typed_outside_caller_assign_exit : Unknown (Qed:4ms) (515ms)
[wp] [Alt-Ergo] Goal typed_outside_caller_call_correct_parity_pre_correct_req_is_par___ : Unknown (636ms)
[wp] [Alt-Ergo] Goal typed_outside_caller_assert : Timeout
[wp] [Alt-Ergo] Goal typed_outside_caller_assign_normal_part1 : Timeout
[wp] [Alt-Ergo] Goal typed_outside_caller_call_correct_parity_pre_correct_req_is_num___ : Unknown (205ms)
[wp] Proved goals: 9 / 14
Qed: 9 (4ms)
Alt-Ergo: 0 (interrupted: 2) (unknown: 3)
==> WP : GUI Output
In this configuration, the callees are specified with g_sVar ghost variable, except for requires and assings clauses for 2 reasons:
I need to check _sVar R/W accesses with \valid & \valid_read since its a pointer
When I tried to specify assigns clauses of the callees with g_sVar, I was not able to verify the corresponding clause.
But by doing so, I somehow made the specification of the caller invalid, as you can see on WP's output.
Why does it seems the more functions calls I have, the more it becomes complicated to prove the behavior of the functions? Is there a proper way to deal with multiple function calls and static variables?
Thank you a lot in advance!
PS: I'm working with Magnesium-20151002 version, on a VM running with Ubuntu 14.04, 64-bit machine. I know that getting started with WhyML and Why3 could help me a lot but so far I haven't been able to install Why3 ide neither on windows nor on Ubuntu following each step of this tutorial.
First of all, please note that -main and -lib-entry aren't that useful for WP (you mentioned that you are also interested in EVA/Value Analysis, but your question is directed towards WP).
Your issue with static variables is a known one, and the easiest way to deal with it is indeed to declare a ghost variable in the header. But then you must express your contracts in terms of the ghost variable and not the static one.
Otherwise, the callers will not be able to make use of these contracts, since they do not know anything about _sVar. As a rule of thumb, it is better to put the contract in the header: this way, you're bound to only use identifiers that are visible outside of the translation unit.
Regarding function calls, the main point is that any function that is called by the function you're trying to prove with WP must come with a contract that at least contain an assigns clause (and possibly more precise specifications, depending on how much the effects of the callee are relevant for the property that you want to prove on the caller). The important thing to remember here is that, from WP's point of view, after the call, only what is explicitly stated in the callee's contract through ensures is true, plus the fact that any location not in the assigns clause has been left unchanged.
I have following Groovy script:
mymap = ['key': 'value']
println mymap
v = mymap.get('notexistkey', 'default')
println v
println mymap
When I run it I get following console output:
[key:value]
default
[key:value, notexistkey:default]
I'm surprised that after calling mymap.get('notexistkey', 'default') where second parameter is a default value returned when given key does not exist, the key notexistkey is added to the map I've called the method on. Why? Is that expected behaviour? How can I prevent this mutation?
Use Java's Map.getOrDefault(key, value) instead:
mymap = ['key': 'value']
println mymap
v = mymap.getOrDefault('notexistingkey', 'default')
println v
println mymap
Output:
[key:value]
default
[key:value]
Groovy SDK adds Map.get(key, default) via DefaultGroovyMethods.get(map, key, default) and if you take a look what Javadoc says you will understand that this behaviour is expected:
Looks up an item in a Map for the given key and returns the value - unless there is no entry for the given key in which case add the default value to the map and return that.
And this is what implementation of this method looks like:
/**
* Looks up an item in a Map for the given key and returns the value - unless
* there is no entry for the given key in which case add the default value
* to the map and return that.
* <pre class="groovyTestCase">def map=[:]
* map.get("a", []) << 5
* assert map == [a:[5]]</pre>
*
* #param map a Map
* #param key the key to lookup the value of
* #param defaultValue the value to return and add to the map for this key if
* there is no entry for the given key
* #return the value of the given key or the default value, added to the map if the
* key did not exist
* #since 1.0
*/
public static <K, V> V get(Map<K, V> map, K key, V defaultValue) {
if (!map.containsKey(key)) {
map.put(key, defaultValue);
}
return map.get(key);
}
it's pretty old concept (since Groovy 1.0). However I would recommend not using it - this .get(key, default) operation is neither atomic, nor synchronized. And problems start when you use it on ConcurrentMap which is designed for concurrent access - this method breaks its contract, because there is no synchronization between containsKey, put and final get call.
I am writing closure externs for WebAssembly.
For function WebAssembly.instantiate, it has 2 function signatures.
Promise<{module:WebAssembly.Module, instance:WebAssembly.Instance}>
instantiate(BufferSource bytes [, importObject])
Promise<WebAssembly.Instance> instantiate(moduleObject [, importObject])
How to declare both rules in closure externs?
Reference:
https://github.com/WebAssembly/design/blob/master/JS.md#webassemblyinstantiate
You can specify that argument and result are union of two different types. See https://github.com/google/closure-compiler/wiki/Annotating-JavaScript-for-the-Closure-Compiler about how to specify types.
Here is a simple example of such a function:
/**
* #param {string|number} value
* #return {string|number}
*/
ambiguous = function(value) {
if (typeof value == 'string') {
return value+' is string';
} else if (typeof value == 'number') {
return value+1;
} else throw new Error();
};
For your WebAssembly.instantiate function you will of course have more complex types than string and number. I don't know how you would specify the Promise types, I don't recognize the syntax shown for those, and I doubt closure compiler will parse that as-is. The extern then looks something like this (with bogus types for the Promises).
/**
#param (!BufferSource|!WebAssembly.Module) arg1 either a BufferSource or a module
#param Object= importObject optional object to import
#return (!PromiseType1|!PromiseType2)
*/
WebAssembly.instantiate = function(arg1, importObject) {};
The ! symbol is used to indicate a non-null object. If these can be null then leave that out. The = symbol after Object= means it can be undefined.
When using the results of this function you will need to test what type of thing you got using instanceof or some other method. Otherwise the compiler only knows the result is one of the two possible types. If not using instanceof, you can use type casting to tell the compiler that you know what the type is, see end of that page referenced above.
An example of a function from closure-library that has a union type in both its argument and its result is goog.array.find. The source for goog.array.find is available. Note that the angle brackets <> are used for the template type feature of the compiler.
I am trying to find an example about the LTL operator _ F_ which means fatally with Aorai but i can't figure out exactly what this operator aims and there are no examples in the repository "tests" of Aorai
For example, i wrote this formula
CALL(main) && _X_ (CALL(a) && _X_(RETURN(a) && _F_ (RETURN(b) && _X_ (RETURN(main)) ) ))
which says that in my program main, i have to call the function a() and after this i don't understand what happens with the operator fatally but it seems that it takes and accepts whatever we call after the function a() with no warning or error from Aorai. If anybody could help me or could give a right example about it.
For example, i have this program below which i would like to test with this formula above
void a()
{}
void b()
{}
int main()
{ a();
a();
b();
b();
a();
return 0;}
I type frama-c -aorai-ltl test.ltl test.c
Normally, there should be an error or warning from Aorai. No?
Your question is more about temporal logic than Frama-C/Aorai itself, but the meaning of this formula is that main must call a, then do whatever it wants, before calling b and returning just after that.
NB: note that Aorai only traces call and return events, so that e.g. "just after" here means that main cannot not call any function after its last call to b, but can still perform some actions, such as x++;.
Update
I've run your complete example on Frama-C. Indeed a post-condition is missing in the contract for main generated by Aorai, namely that the state of the generated automaton at the end of main (T0_S4) is supposed to be accepting, which is not the case here. This is a bug. If you write explicitely an equivalent automaton in the ya language, as
%init: S0;
%accept: Sf;
S0: { CALL(main) } -> S1;
S1: { [ a() ] } -> S2;
S2: { RETURN(b) } -> S3
| other -> S2;
S3: { RETURN(main) } -> Sf;
Sf: -> Sf;
Then the generated contract for main contains a requires \false;, which indeed indicates that the function is not conforming to the automaton, and Aoraï warns about that.
Please note however that in the general case, Aoraï will not emit any warning. It generates contracts that, if fulfilled, imply that the whole program is conforming to the automaton. The proof of the contract must be done by another plugin (e.g. WP or Value Analysis)