6.3.4 Definite Faults

Let us consider the following program, which is obtained from the program discussed in Section 6.3.1 by changing c1 into c1 , as discussed above:

#include <iostream> … … … // line 1 void count (charq[]) {int let, dig, other, I, l; char c;

// 2 i=o; let=0; dig=0; other=0; l=strlen(q);

/* init */ // 3

6.3 CONTINGENT FAULTS AND DEFINITE FAULTS 115 c=q[i];

/* b0 */ // 5 if (‘A’≤c && ‘Z’≥c) let=+2;

/* c1’, b1*/ // 6 else

// 7 if (‘a’≤c && ‘z’≥c) let=+1;

/* c2, b2 */ // 8 else

// 9 if (‘0’≤c && ‘9’≥c) dig=+1;

/* c3, b3 */ // 10 else

// 11 other+=1;

/* b4 */ // 12 i++;}

/* inc */ // 13 printf(“%d %d %d\n”, let, dig, other);} /* print */ // 14

If we are interested to make this program correct with respect to specification R, defined by

R = s,s q list char os = os # A q # 0 q # # q, we can do so by changing b1 into b1 defined as (let+=1;). But we can also correct it

by changing b2 into b2 defined as (let+=2), and changing print into print defined as (printf(“%d %d %d\n”, let/2, dig, other);). Alternatively, we can correct it by changing b2 into b2 and adding a statement between lines 13 and 14 that divides let be 2. Our point is that there is some degree of discretion in designating faults: often, a statement can be considered faulty only if we resolve, arbitrarily, to assume that other parts of the program are not; this is why we refer to this type of faults as contingent faults. Yet there are cases where we do not get the luxury to decide which parts of the program to question and which parts to absolve; whence the following definition.

Definition: Definite Fault We let R be a specification on space S and we let p

be a program on space S, which is written at some level of granularity as p=Cp 1 ,p 2 ,p 3 ,…, p i ,…, p n . We say that p i is a definite fault in program p with respect to specification R if and only if for all p 1 ,p 2 , ..p i −1 ,p i+1 , …p n , the program

p defined as C p 1 ,p 2 ,p 3 ,…,p i ,…,p n is not correct with respect to R. In other words, component p i is single-handedly precluding program p from being

correct: assuming that the program structure (defined by C) is not in question (only the components of the structure are), no change to the program that preserves p i can make the program correct with respect to R. We consider two simple situations where definite faults are easy to characterize; we briefly review them in turn, below. In both cases, we do not present any theory but rather content ourselves with offering a simple illustrative example; also in both cases we take a simple sequential structure for program p.

6.3.4.1 Loss of Injectivity Let S be the set of natural numbers and let R be the specification defined on space S by:

116 FAILURES, ERRORS, AND FAULTS

We let p be a program of the form p = p 1 ;p 2 and we consider a number of pos- sibilities for p 1 :

• p 1 = {s = s % 6;}. Then p 2 may be {s=s+5;}. • p 1 = {s = s+6;}. Then p 2 may be {s = 5 + s % 6;}. • p 1 = {s = s+5;}. Then p 2 may be {s = 5 + (s–5) % 6;}

• p 1 = {s = s % 12;}. Then p 2 may be {s = 5 + s % 6;}. But if we choose p 1 = {s = s % 3}, then no function p 2 can salvage the state of the

program and produce a correct outcome; knowing the value of (s mod 3) does not inform us on the value of (s mod 6), yet we need this information to ensure a successful

execution. Hence component p1 is definitely faulty because program p cannot be cor-

rect with respect to R unless p 1 is changed.

6.3.4.2 Loss of Surjectivity We consider space S defined as the set of naturals and we let R be the following relation on S:

R= s,s s=s 2 mod6

We let p be a program of the form p = p 1 ;p 2 and we consider a number of pos- sibilities for p 2 :

• p 2 = {s = s % 6;}. Then p 1 may be {s=s*s;}. • p 2 = {s = (s+5) % 6;}. Then p 1 may be {s = s*s–5;}.

But if we choose p 2 = {s = s % 3}, then there is nothing that function p 1 can do to make up for the loss of surjectivity inflicted by p 2 . Unlike the first two examples, the third example of p 2 has caused a loss of surjectivity beyond what R can tolerate (the range of R is the interval [0..5] whereas the range of P 2 is [0..2]). We say that p 2 is a definite fault because there is nothing that p 1 can do to ensure that p = p 1 ;p 2 is cor- rect with respect to R.