P1252428568HcMrO

1

• Algorithmic Testing

Doron Peled, University of Warwick
2
Why testing?

• Reduce design/programming errors.
• Can be done during development,
  beforeproduction/marketing.
• Practical, simple to do.
• Check the real thing, not a model.
• Scales up reasonably.
• Being state of the practice for decades.

3
Part 1 Testing of black box finite state machine

• Wants to know
• In what state we started?
• In what state we are?
• Transition relation
• Conformance
• Satisfaction of a temporal property

• Know
• Transition relation
• Size or bound on size

4
Finite automata (Mealy machines)

• S - finite set of states. (size n)
• S set of inputs. (size d)
• O set of outputs, for each transition.
• (s0 ? S - initial state).
• ? S ? S ? S - transition relation.
• ? ? S ? S ?O output on edge.

5
Why deterministic machines?

• Otherwise no amount of experiments would
  guarantee anything.
• If dependent on some parameter (e.g.,
  temperature), we can determinize, by taking
  parameter as additional input.
• We still can model concurrent system. It means
  just that the transitions are deterministic.
• All kinds of equivalences are unified into
  language equivalence.
• Also connected machine (otherwise we may never
  get to the completely separate parts).

6
Determinism

• When the black box is nondeterministic, we might
  never test some choices.

7
Preliminaries separating sequences
b/1
s1
s2
a/0
b/1
b/0
a/0
s3
a/0
Start with one block containing all states s1,
s2, s3.
8
A separate to blocks of states with different
output.
b/1
s1
s2
a/0
b/1
b/0
a/0
s3
a/0
Two sets, separated using the string b s1, s3,
s2.
9
Repeat B Separate blocks based on moving to
different blocks.
b/1
s1
s2
a/0
b/1
b/0
a/0
s3
a/0
Separate first block using b to three singleton
blocks.Separating sequences b, bb.Max rounds
n-1, sequences n-1, length n-1.For each pair
of states there is a separating sequence.
10
Want to know the state of the machine (at end).
Homing sequence.

• Depending on output, would know in what state we
  are.
• Algorithm Put all the states in one block
  (initially we do not know what is the state).
• Then repeatedly partitions blocks of states, as
  long as they are not singletons, as follows
• Take a non singleton block, append a
  distinguishing sequence ? that separates at least
  two states.
• Update all blocks to the states after executing
  ?.
• Max length (n-1)2 (Lower bound
  n(n-1)/2.)

11
Example (homing sequence)
s1, s2, s3
b
0
1
1
s1, s2 s3
b
1
1
0
s1 s2 s3
On input b and output 1, still dont know if was
in s1 or s3, i.e., if currently in s2 or s1.So
separate these cases with another b.
12
Synchronizing sequence

• One sequence takes the machine to the same final
  state, regardless of the initial state or the
  outputs.
• Not every machine has a synchronizing sequence.
• Can be checked whether exists and can be found in
  polynomial time.

13
State identification

• Want to know in which state the system has
  started (was reset).
• Can be a preset distinguishing sequence (fixed),
  or a tree (adaptive).
• May not exist (PSPACE complete to check if preset
  exists, polynomial for adaptive).
• Best known algorithm exponential length for
  preset,polynomial for adaptive LY.

14
Sometimes cannot identify initial state
Start with ain case of being in s1 or s3 well
move to s1 and cannot distinguish.Start with
bIn case of being in s1 or s2 well move to s2
and cannot distinguish.
The kind of experiment we do affects what we can
distinguish. Much like the Heisenberg principle
in Physics.
15
Conformance testing

• Unknown deterministic finite state system B.
• Known n states and alphabet ?.
• An abstract model C of B. C satisfies all the
  properties we want from B. C has m states.
• Check conformance of B and C.
• Another version only a bound n on the number of
  states l is known.

?
16
Check conformance with a given state machine

• Black box machine has no more states than
  specification machine (errors are mistakes in
  outputs, mistargeted edges).
• Specification machine is reduced, connected,
  deterministic.
• Machine resets reliably to a single initial state
  (or use homing sequence).

17
Conformance testing Ch,V
a/1
?
b/1
a/1
b/1
?
b/1
a/1
Cannot distinguish if reduced or not.
18
Conformance testing (cont.)
?
b
b
a
a
a
?
a
b
b
a
a
b
Need bound on number of states of B.
19
PreparationConstruct a spanning tree
20
How the algorithm works?
Reset or homing

• According to the spanning tree, force a sequence
  of inputs to go to each state.
• From each state, perform the distinguishing
  sequences.
• From each state, make a single transition, check
  output, and use distinguishing sequences to check
  that in correct target state.

Reset or homing
s1
b/1
a/1
s2
s3
Distinguishing sequences
21
Comments

1. Checking the different distinguishing sequences
   (m-1 of them) means each time resetting and
   returning to the state under experiment.
2. A reset can be performed to a distinguished state
   through a homing sequence. Then we can perform a
   sequence that brings us to the distinguished
   initial state.
3. Since there are no more than m states, and
   according to the experiment, no less than m
   states, there are m states exactly.
4. Isomorphism between the transition relation is
   found, hence from minimality the two automata
   recognize the same languages.

22
Combination lock automaton

• Assume accepting states.
• Accepts only words with a specific suffix (cdab
  in the example).

b
d
c
a
s1
s2
s3
s4
s5
Any other input
23
When only a bound on size of black box is known

• Black box can pretend to behave as a
  specification automaton for a long time, then
  upon using the right combination, make a mistake.

Pretends to be S1
a/1
b/1
a/1
b/1
s1
s2
b/1
a/1
a/1
s3
Pretends to be S3
b/0
24
Conformance testing algorithm VC

• The worst that can happen is a combination lock
  automaton that behaves differently only in the
  last state. The length of it is the difference
  between the size n of the black box and the
  specification m.
• Reach every state on the spanning tree and check
  every word of length n-m1 or less. Check that
  after the combination we are at the state we are
  supposed to be, using the distinguishing
  sequences.
• No need to check transitions already included in
  above check.
• Complexity m2 n dn-m1 Probabilistic complexity
  Polynomial.

Reset or homing
Reset or homing
s1
b/1
a/1
s2
s3
Words of length ?n-m1
Distinguishing sequences
25
Model Checking

• Finite state description of a system B.
• LTL formula ?. Translate ?? into an automaton P.
• Check whether L(B) ? L(P)?.
• If so, S satisfies ?. Otherwise, the intersection
  includes a counterexample.
• Repeat for different properties.

?
?
26
Buchi automata (w-automata)

• S - finite set of states. (B has l ? n states)
• S0 ? S - initial states. (P has m states)
• S - finite alphabet. (contains p letters)
• d ? S ? S ? S - transition relation.
• F ? S - accepting states.
• Accepting run passes a state in F infinitely
  often.

System automata FS, deterministic, one initial
state. Property automaton not necessarily
deterministic.
27
Example check ?a
a
ltgt?a
?a
?a, a
28
Example check ltgt?a
?ltgt?a
29
Example check ? ltgta
?a, a
ltgt??a
?a
?a
Use automatic translation algorithms, e.g.,
Gerth,Peled,Vardi,Wolper 95
30
System
31
Every element in the product is a counter example
for the checked property.
a
a
?ltgt?a
s1
s2
q1
?a
c
b
a
?a
s3
q2
a
s1,q1
s2,q1
Acceptance isdetermined byautomaton P.
b
a
s1,q2
s3,q2
c
32
Model Checking / Testing

• Given Finite state system B.
• Transition relation of B known.
• Property represent by automaton P.
• Check if L(B) ? L(P)?.
• Graph theory or BDD techniques.
• Complexity polynomial.

• Unknown Finite state system B.
• Alphabet and number of states of B or upper bound
  known.
• Specification given as an abstract system C.
• Check if B ?C.
• Complexity polynomial if number states known.
  Exponential otherwise.

33
Black box checking PVY

• Property represent by automaton P.
• Check if L(B) ? L(P)?.
• Graph theory techniques.

• Unknown Finite state system B.
• Alphabet and Upper bound on Number of states of B
  known.
• Complexity exponential.

??
?
34
Experiments
35
Simpler problem deadlock?

• Nondeterministic algorithmguess a path of
  length ? n from the initial state to a deadlock
  state.Linear time, logarithmic space.
• Deterministic algorithmsystematically try paths
  of length ?n, one after the other (and use
  reset), until deadlock is reached.Exponential
  time, linear space.

36
Deadlock complexity

• Nondeterministic algorithmLinear time,
  logarithmic space.
• Deterministic algorithmExponential (p n-1)
  time, linear space.
• Lower bound Exponential time (usecombination
  lock automata).
• How does this conform with what we know about
  complexity theory?

37
Modeling black box checking

• Cannot model using Turing machines not all the
  information about B is given. Only certain
  experiments are allowed.
• We learn the model as we make the experiments.
• Can use the model of games of incomplete
  information.

38
Games of incomplete information

• Two players -player, ?-player (here,
  deterministic).
• Finitely many configurations C.
  IncludingInitial Ci , Winning W and W- .
• An equivalence relation _at_ on C (the -player
  cannot distinguish between equivalent states).
• Labels L on moves (try a, reset, success, fail).
• The -player has the moves labeled the same from
  configurations that are equivalent.
• Deterministic strategy for the -player will
  lead to a configuration in W ? W-. Cannot
  distinguish between equivalent configurations.
• Nondeterministic strategy Can distinguish
  between equivalent configurations..

39
Modeling BBC as games

• Each configuration contains an automaton and its
  current state (and more).
• Moves of the -player are labeled withtry a,
  reset... Moves of the ?-player withsuccess,
  fail.
• c1 _at_ c2 when the automata in c1 and c2 would
  respond in the same way to the experiments so far.

40
A naive strategy for BBC

• Learn first the structure of the black box.
• Then apply the intersection.
• Enumerate automata with ?n states (without
  repeating isomorphic automata).
• For a current automata and new automata,
  construct a distinguishing sequence. Only one of
  them survives.
• Complexity O((n1)p (n1)/n!)

41
On-the-fly strategy

• Systematically (as in the deadlock case), find
  two sequences v1 and v2 of length ltm n.
• Applying v1 to P brings us to a state t that is
  accepting.
• Applying v2 to P brings us back to t.
• Apply v1 v2 n to B. If this succeeds,there is a
  cycle in the intersection labeled with v2, with t
  as the P (accepting) component.
• Complexity O(n2p2mnm).

v1
v2
42
Learning an automaton

• Use Angluins algorithm for learning an
  automaton.
• The learning algorithm queries whether some
  strings are in the automaton B.
• It can also conjecture an automaton Mi and asks
  for a counterexample.
• It then generates an automaton with more states
  Mi1 and so forth.

43
A strategy based on learning

• Start the learning algorithm.
• Queries are just experiments to B.
• For a conjectured automaton Mi , check if Mi ? P
  ?
• If so, we check conformance of Mi with B (VC
  algorithm).
• If nonempty, it contains some v1 v2w . We test B
  with v1 v2n. If this succeeds error, otherwise,
  this is a counterexample for Mi .

44
Complexity

• l - actual size of B.
• n - an upper bound of size of B.
• d - size of alphabet.
• Lower bound reachability is similar to deadlock.
• O(l 3 d l l 2mn) if there is an error.
• O(l 3 d l l 2 n dn-l1 l 2mn) if there is no
  error.
• If n is not known, check while time allows.
• Probabilistic complexity polynomial.

45
Some experiments

• Basic system written in SML (by Alex Groce, CMU).
• Experiment with black box using Unix I/O.
• Allows model-free model checking of C code with
  inter-process communication.
• Compiling tested code in SML with BBC program as
  one process.

46
Part 2 Software testing

• Testing is not about showing that there are no
  errors in the program.
• Testing cannot show that the program performs its
  intended goal correctly.
• So, what is software testing?
• Testing is the process of executing the program
  in order to find errors.
• A successful test is one that finds an error.

47
Some software testing stages

• Unit testing the lowest level, testing some
  procedures.
• Integration testing different pieces of code.
• System testing testing a system as a whole.
• Acceptance testing performed by the customer.
• Regression testing performed after updates.
• Stress testing checking the code under extreme
  conditions.
• Mutation testing testing the quality of the
  test suite.

48
Some drawbacks of testing

• There are never sufficiently many test cases.
• Testing does not find all the errors.
• Testing is not trivial and requires considerable
  time and effort.
• Testing is still a largely informal task.

49
Black-Box (data-driven, input-output) testing

• The testing is not based on the structure of the
  program (which is unknown).
• In order to ensure correctness, every possible
  input needs to be tested - this is impossible!
• The goal to maximize the number of errors found.

50
testing

• White Box

• Is based on the internal structure of the
  program.
• There are several alternative criterions for
  checking enough paths in the program.
• Even checking all paths (highly impractical) does
  not guarantee finding all errors (e.g., missing
  paths!)

51
Some testing principles

• A programmer should not test his/her own program.
• One should test not only that the program does
  what it is supposed to do, but that it does not
  do what it is not supposed to.
• The goal of testing is to find errors, not to
  show that the program is errorless.
• No amount of testing can guarantee error-free
  program.
• Parts of programs where a lot of errors have
  already been found are a good place to look for
  more errors.
• The goal is not to humiliate the programmer!

52
Inspections and Walkthroughs

• Manual testing methods.
• Done by a team of people.
• Performed at a meeting (brainstorming).
• Takes 90-120 minutes.
• Can find 30-70 of errors.

53
Code Inspection

• Team of 3-5 people.
• One is the moderator. He distributes materials
  and records the errors.
• The programmer explains the program line by line.
• Questions are raised.
• The program is analyzed w.r.t. a checklist of
  errors.

54
Checklist for inspections

• Data declaration
• All variables declared?
• Default values understood?
• Arrays and strings initialized?
• Variables with similar names?
• Correct initialization?

• Control flow
• Each loop terminates?
• DO/END statements match?
• Input/output
• OPEN statements correct?
• Format specification correct?
• End-of-file case handled?

55
Walkthrough

• Team of 3-5 people.
• Moderator, as before.
• Secretary, records errors.
• Tester, play the role of a computer on some test
  suits on paper and board.

56
Selection of test cases (for white-box testing)

• The main problem is to select a good coverage
• criterion. Some options are
• Cover all paths of the program.
• Execute every statement at least once.
• Each decision has a true or false value at least
  once.
• Each condition is taking each truth value at
  least once.
• Check all possible combinations of conditions in
  each decision.

57
Cover all the paths of the program
Infeasible. Consider the flow diagram on the
left. It corresponds to a loop. The loop body has
5 paths. If the loops executes 20 times there are
520 different paths! May also be unbounded!
58
How to cover the executions?

• IF (Agt1)(B0) THEN XX/A
  END
• IF (A2)(Xgt1) THEN XX1
  END
• Choose values for A,B,X.
• Value of X may change, depending on A,B.
• What do we want to cover? Paths? Statements?
  Conditions?

59
Statement coverageExecute every statement at
least once

• By choosing
• A2,B0,X3
• each statement will be chosen.
• The case where the tests fail is not checked!

• IF (Agt1)(B0) THEN XX/A
  END
• IF (A2)(Xgt1) THEN XX1
  END

Now x1.5
60
Decision coverageEach decision has a true and
false outcome at least once.

• Can be achieved using
• A3,B0,X3
• A2,B1,X1
• Problem Does not test individual conditions.
  E.g., when Xgt1 is erroneous in second decision.

• IF (Agt1)(B0) THEN XX/A
  END
• IF (A2)(Xgt1) THEN XX1
  END

61
Decision coverage

• A3,B0,X3?

• IF (Agt1)(B0) THEN XX/A
  END
• IF (A2)(Xgt1) THEN XX1
  END

Now x1
62
Decision coverage

• A2,B1,X1 ?
• The case where A?1 and the case where xgt1 where
  not checked!

• IF (Agt1)(B0) THEN XX/A
  END
• IF (A2)(Xgt1) THEN XX1
  END

63
Condition coverageEach condition has a true and
false value at least once.

• IF (Agt1)(B0) THEN XX/A
  END
• IF (A2)(Xgt1) THEN XX1
  END

• For example
• A1,B0,X3
• A2,B1,X0
• lets each condition be true and false once.
• Problemcovers only the path where the first test
  fails and the second succeeds.

64
Condition coverage

• IF (Agt1) (B0) THEN XX/A
  END
• IF (A2) (Xgt1) THEN XX1
  END

• A1,B0,X3 ?

65
Condition coverage

• IF (Agt1)(B0) THEN XX/A
  END
• IF (A2)(Xgt1) THEN XX1
  END

• A2,B1,X0 ?
• Did not check the first THEN part at all!!!
• Can use conditiondecision coverage.

66
Multiple Condition CoverageTest all combinations
of all conditions in each test.

• Agt1,B0
• Agt1,B?0
• A?1,B0
• A?1,B?0
• A2,Xgt1
• A2,X?1
• A?2,Xgt1
• A?2,X?1

• IF (Agt1)(B0) THEN XX/A
  END
• IF (A2)(Xgt1) THEN XX1
  END

67
A smaller number of cases

• A2,B0,X4
• A2,B1,X1
• A1,B0,X2
• A1,B1,X1
• Note the X4 in the first
• case it is due to the fact
• that X changes before
• being used!

• IF (Agt1)(B0) THEN XX/A
  END
• IF (A2)(Xgt1) THEN XX1
  END

Further optimization not all combinations.For C
/\ D, check (C, D), (?C, D), (C, ?D).For C \/ D,
check (?C, ?D), (?C, D), (C, ?D).
68
PreliminaryRelativizing assertions

• ?(B) x1 y1 x2 y2 /\ y2 gt 0
• Relativize ??B) w.r.t. the assignment becomes
  ??B) Y\g(X,Y)
• (I.e., ?( B) expressed w.r.t. variables at A.)
• ? ?(B)A ?x10 x2 x1 /\ x1gt0
• Think about two sets of variables,beforex, y,
  z, afterx,y,z.
• Rewrite ?(B) using after, and the assignment as a
  relation between the set of variables. Then
  eliminate after.
• Here x1y1 x2 y2 /\ y2gt0 /\x1x1 /\
  x2x2 /\ y10 /\ y2x1now eliminate x1, x2,
  y1, y2.

A
Yg(X,Y)
(y1,y2)(0,x1)
B
A
(y1,y2)(0,x1)
B
69
Verification conditions tests
B
T
F

• ??C) ? ??B) t(X,Y) /\ ??C)
• ??D) ? ??B)?t(X,Y) /\ ??D)
• ??B) ??D) /\ ?y2?x2

t(X,Y)
C
D
B
F
T
y2gtx2
D
C
70
How to find values for coverage?

• Put true at end of path.
• Propagate path backwards.
• On assignment, relativize expression.
• On yes edge of decision, add decision as
  conjunction.
• On no edge, add negation of decision as
  conjunction.
• Can be more specific when calculating condition
  with multiple condition coverage.

Agt1 B0
no
yes
XX/A
A2 Xgt1
true
no
yes
XX1
true
71
How to find values for coverage?
(A?2 /\ X/Agt1) /\ (Agt1 B0)
Agt1 B0
A?2 /\ X/Agt1
no
yes
Need to find a satisfying assignment A3, X6,
B0 Can also calculate path condition forwards.
XX/A
A?2 /\ Xgt1
A2 Xgt1
true
no
yes
XX1
true
72
How to cover a flow chart?

• Cover all nodes, e.g., using search strategies
  DFS, BFS.
• Cover all paths (usually impractical).
• Cover each adjacent sequence of N nodes.
• Probabilistic testing. Using random number
  generator simulation. Based on typical use.
• Chinese Postman minimize edge traversalFind
  minimal number of times time to travel each edge
  using linear programming or dataflow
  algorithms.Duplicate edges and find an Euler
  path.

73
Test cases based on data-flow analysis

• Partition the program into pieces of code with a
  single entry/exit point.
• For each piece find which variables are
  set/used/tested.
• Various covering criteria
• from each set to each use/test
• From each set to some use/test.

X3
tgty
xgty
zzx
74
Test case design for black box testing

• Equivalence partition
• Boundary value analysis
• Cause-effect graphs

75
Equivalence partition

• Goals
• Find a small number of test cases.
• Cover as much possibilities as you can.
• Try to group together inputs for which the
  program is likely to behave the same.

76
Example A legal variable

• Begins with A-Z
• Contains A-Z0-9
• Has 1-6 characters.

Valid equivalence class
Specification condition
Invalid equivalence class
Starting char
Starts A-Z
Starts other
1
2
Chars
A-Z0-9
Has others
3
4
1-6 chars
0 chars, gt6 chars
Length
5
6
7
77
Equivalence partition (cont.)

• Add a new test case until all valid equivalence
  classes have been covered. A test case can cover
  multiple such classes.
• Add a new test case until all invalid equivalence
  class have been covered. Each test case can cover
  only one such class.

Valid equivalence class
Invalid equivalence class
Specification condition
78
Example

• AB36P (1,3,5)
• 1XY12 (2)
• A17X (4)

• (6)
• VERYLONG (7)

Valid equivalence class
Specification condition
Invalid equivalence class
Starting char
Starts A-Z
Starts other
1
2
Chars
A-Z0-9
Has others
3
4
1-6 chars
0 chars, gt6 chars
Length
5
6
7
79
Boundary value analysis

• In every element class, select values that are
  closed to the boundary.
• If input is within range -1.0 to 1.0, select
  values -1.001, -1.0, -0.999, 0.999, 1.0, 1.001.
• If needs to read N data elements, check with
  N-1, N, N1. Also, check with N0.

80
Test case generation based on LTL specification
81
Goals

• Verification of software.
• Compositional verification. Only a unit of code.
• Parametrized verification.
• Generating test cases.
• A path found with some truth assignment
  satisfying the path condition. In deterministic
  code, this assignment guarantees to derive the
  execution of the path.
• In nondeterministic code, this is one of the
  possibilities.Can transform the code to force
  replying the path.

82
Divide and Conquer

• Intersect property automaton with theflow chart,
  regardless of the statements and program
  variables expressions.
• Add assertions from the property automaton to
  further restrict the path condition.
• Calculate path conditions for sequences found in
  the intersection.
• Calculate path conditions on-the-fly. Backtrack
  when condition is false.Thus, advantage to
  forward calculation of path conditions
  (incrementally).

83
Specat l2U (at l2/\? at l2/\(at l2U at l2))
l2xxz
at l2
X

at l2
l3xltt
at l2
l2xxz
at l2
84
Spec at l2U (at l2/\ x?y /\ ?(at l2/\(at
l2U at l2 /\ x?2?y )))
x?y
l2xxz
at l2
X

at l2/\ x?y
l3xltt
x?2?y
at l2
l2xxz
at l2/\ x?2?y
85
Example GCD
l0
l1xa
l2yb
l3zx rem y
l4xy
l5yz
l6z0?
yes
no
l7
86
Example GCD
l0
l1xa
l2yb
Oopswith an error (l4 and l5 were switched).
l3zx rem y
l4yz
l5xy
l6z0?
yes
no
l7
87
Why use Temporal specification

• Temporal specification for sequential software?
• Deadlock? Liveness? No!
• Captures the testers intuition about the
  location of an errorI think a problem may
  occur when the program runs through the main
  while loop twice, then the if condition holds,
  while tgt17.

88
Example GCD
l0
l1xa
l2yb
agt0/\bgt0/\at l0 /\?at l7
l3zx rem y
at l0/\agt0/\bgt0
l4yz
l5xy
l6z0?
yes
no
at l7
l7
89
Example GCD
l0
l1xa
l2yb
agt0/\bgt0/\at l0/\?at l7
l3zx rem y
Path 1 l0l1l2l3l4l5l6l7agt0/\bgt0/\a rem
b0 Path 2 l0l1l2l3l4l5l6l3l4l5l6l7
agt0/\bgt0/\a rem b?0
l4yz
l5xy
l6z0?
yes
no
l7
90
Potential explosion
Bad point potential explosion Good point may be
chopped on-the-fly
91
(No Transcript)
92
(No Transcript)
93
(No Transcript)
94
(No Transcript)
95
(No Transcript)
96
(No Transcript)
97
(No Transcript)
98
(No Transcript)
99
(No Transcript)
100
(No Transcript)
101
(No Transcript)
102
(No Transcript)
103
(No Transcript)
104
(No Transcript)
105
Drivers and Stubs
l0
l1xa

• Driver represents the program or procedure that
  called our checked unit.
• Stub represents a procedure called by our
  checked unit.
• In our approach replace both of them with a
  formula representing the effect the missing code
  has on the program variables.
• Integrate the driver and stub specification into
  the calculation of the path condition.

l2yb
l3zx rem y /\xx/\yx
l4yz
l5xy
l6z0?
yes
no
l7
106
Conclusions

• Black box testing Know transition relation,or
  bound on number of states, want to find
  initialstate, structure, conformance, temporal
  property.
• Software testingUnit testing, code inspection,
  coverage, test case generation.
• Model checking and testing have a lot in
  commonCAV 2004ISSTA 2004 together, in Boston,
  MA.