OCLR: A More Expressive, Pattern-Based Temporal Extension of OCL

OCLR: A More Expressive, Pattern-Based

Temporal Extension of OCL

Wei Dou, Domenico Bianculli, and Lionel Briand SnT Centre — University of Luxembourg

.lusoftware verification & validationVVS

CONTEXT

CTIE Centre des Technologies de l'Information de l'Etat

Model-driven Run-time Verification of eGovernment

Business Processes

Specification

TEMPORAL PROPERTIES

“If the registration at the conference is

successful, then a confirmation

email will be sent out.”

Temporal Properties

“The registration reminder will be sent at least twice before the conference registration is closed.”

Number of Occurrences

Temporal Properties

TEMPORAL LOGICS

Temporal Logics

LTL CTL MTL

ITL MITL …

Temporal Logics Practitioners

Background in Formal MethodsLimited Tool Support

Model-driven Engineering

MDE PERSPECTIVE

How to support temporal properties with OCL ?

STATE OF THE ART

State Of The Art

Features:Timestamped event

always, sometime Real-time deadline, timeout

FME 2003

Features:

Past- and future-time Time bounds

SEFM 2004

State Of The Art

Features:Linear Temporal Logic

Dwyer’s Pattern System Timeout

ECEASST 2008

State Of The Art

Features:Linear Temporal Logic

Dwyer’s Pattern System Bounded existence

SLE 2012

State Of The Art

What is missing?

Specific occurrence of an event

“A password reset email will be sent to the user after the third incorrect login attempt”

Time distance from a boundary

“A speaker should be ready at most 10 minutes after the second keynote.”

(No) Tool support

OUR PROPOSAL

OCLR An Expressive, Pattern-Based Temporal Extension of OCL

Dwyer’s Pattern SystemPatterns in Property Specifications

for Finite-State Verification* Matthew B. Dwyer George S. Avrunin James C. Corbett

Kansas State University University of Massachusetts University of Hawai'i Department of Computing Department of Mathematics Department of Information and Information Sciences and Statistics and Computer Science

Manhattan, KS 66506-2302 Amherst, MA 01003-4515 Honolulu, HI 96822 +1 413 545 4251

dwyer@cis.ksu.edu avrunin@mat h. umass. edu corbett @hawaii.edu +1 785 532 6350 +1 808 956 6107

ABSTRACT Model checkers and other finite-state verification tools allow developers to detect certain kinds of errors au- tomatically. Nevertheless, the transition of this tech- nology from research to practice has been slow. While there are a number of potential causes for reluctance to adopt such formal methods, we believe that a primary cause is that practitioners are unfamiliar with specification processes, notations, and strategies. In a recent paper, we proposed a pattern-based approach to the presentation, codification and reuse of property specifications for finite-state verification. Since then, we have carried out a survey of available specifications, collect- ing over 500 examples of property specifications. We found that most are instances of our proposed patterns. Furthermore, we have updated our pattern system to accommodate new patterns and variations of existing patterns encountered in this survey. This paper reports the results of the survey and the current status of our pattern system.

Keywords Patterns, finitestate verification, formal specification, concurrent systems

1 INTRODUCTION Although formal specification and verification methods offer practitioners some significant advantages over the current state-of-the-practice, they have not been widely adopted. Partly this is due to a lack of definitive ev- idence in support of the cost-saving benefits of formal methods, but a number of more pragmatic barriers to adoption of formal methods have been identified [22], including the lack of such things as good tool support, appropriate expertise, good training materials, and pro-

'This work was partially supported by NSF grants CCR- 9407182, CCR-9633388, CCR-9703094, and CCR-9708184 and by NASA grant NAG-02-1209.

Permission to make digilal or hard copies of all or part ol'this work tbr personal or classroom usc is granted without fee provided that copies are ,lot lnade or distributed fflr profit or coinmercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, 10 republish, to post on servers or to redistribule to lists. requires prior specific permission andior a fee. LCSE '99 Los Angeles CA Copyn'ght ACM 1999 1-581 13-074-0/99/05 ... $5.00

cess support for formal methods.

We believe that the recent availability of tool support for finite-state verification provides an opportunity to overcome some of these barriers. Finite-state verification refers to a set of techniques for proving properties of finite-state models of computer systems. Properties are typically specified with temporal logics or regular expressions, while systems are specified as finite-state transition systems of some kind. Tool support is available for a variety of verification techniques including, for example, techniques based on model checking [19], bisimulation [4], language containment [14], flow anal- ysis [lo], and inequality necessary conditions [l]. In contrast to mechanical theorem proving, which often requires guidance by an expert, most finite-state verification techniques can be fully automated, relieving the user of the need to understand the inner workings of the verification process. Finite-state verification techniques are especially critical in the development of concurrent systems, where non-deterministic behavior makes test- ing especially problematic.

Despite the automation, users of finite-state verification tools still must be able to specify the system require- ments in the specification language of the tool. This is more challenging than it might at first appear. For example, consider the following requirement for an elevator: Between the time an elevator is called at a poor and the time at opens its doors at that floor, the elevator can arrive at that floor at most twice. To verify this property with a linear temporal logic (LTL) model checker, a developer would have to translate this infor- mal requirement into the following LTL formula:

D((cal1 A Oopen) + ((Tatfloor A lopen) U

(open V ((atfloor A lopen) U (open V ((Tatfloor A Yopen) U

(open V ((atfloor A Topen) U (open v (Tatfloor U OPe.))))))))))

Not only is this formula difficult to read and understand, it is even more difficult to write correctly without some expertise in the idioms of the specification language.

Dwyer’s Pattern System

Pattern

{Globally

Before

Between-and

After-until

{Globally

Before

Between-and

After-until

{Before

Between-and

After-until

Globally

{Globally

Before

Between-and

After-until

Between-and vs. After-until

Q P P Q Q Q P

Q P P PQ Q Q P

Pattern

{Universality

Existence

Absence

Response

Precedence

Pattern

{Universality

Existence

Absence

Response

Precedence

Pattern

{Universality

Existence

Absence

Response

Precedence

Pattern

{Universality

Existence

Absence

Response

Precedence

OCLR Syntax Excerpt

OCLR: a More Expressive, Pattern-based Temporal Extension of OCL 5

3.1 Syntax

The syntax of OCLR (also inspired by the one of Temporal OCL [12]) is shownin Fig. 1: non-terminals are enclosed in angle brackets, terminals are enclosed insingle quotes, and underlined italic words are non-terminals defined in the OCLgrammar [11]. An hOCLR blocki comprises a set of conjuncted hTemporalClausesibeginning with the keyword ‘temporal’. Each temporal clause contains a tempo-ral expression that consists of a hscopei and a hpatterni; the scope specifies thetime slot(s) during which the property described by the pattern should hold.

hOCLRBlocki ::= ‘temporal’ hTemporalClausei+hTemporalClausei ::= [hsimpleNameCSi] ‘:’ [hQuantif i] hTemporalExpihQuantif i ::= ‘let’ hVariableDeclarationCSi ‘in’hTemporalExpi ::= hScopei hPatternihScopei ::= ‘globally’

| ‘before’ hBoundary1 i| ‘after’ hBoundary1 i| ‘between’ hBoundary2 i ‘and’ hBoundary2 i| ‘after’ hBoundary2 i ‘until’ hBoundary2 i

hPatterni ::= ‘always’ hEventi| ‘eventually’ hRepeatableEventExpi| ‘never’ [‘exactly’ hIntegerLiteratureExpCSi] hEventi| hEventChainExpi ‘preceding’ [hTimeDistanceExpi]

hEventChainExpi| hEventChainExpi ‘responding’ [hTimeDistanceExpi]

hEventChainExpihBoundary1 i ::= [hIntegerLiteratureExpCSi] hSimpleEventi

[hTimeDistanceExpi]hBoundary2 i ::= [hIntegerLiteratureExpCSi] hSimpleEventi

[‘at least’ IntegerLiteratureExpCS ‘tu’]hEventChainExpi ::= hEventi (‘,’ [‘#’ hTimeDistanceExpi] hEventi)*hTimeDistanceExpi ::= hComparingOpi hIntegerLiteratureExpCSi ‘tu’hRepeatableEventExpi ::= [hComparingOpi hIntegerLiteratureExpCSi] hEventihComparingOpi ::= ‘at least’ | ‘at most’ | ‘exactly’hEventi ::= (hSimpleEventi | hComplexEventi) [‘|’ Event]hComplexEventi ::= ‘isCalled’ ‘(’ ‘anyOp’

[‘,’ ‘pre:’ hOCLExpressionCSi][‘,’ ‘post:’ hOCLExpressionCSi] ‘)’ [‘\’ hEventi]

hSimpleEventi ::= hSimpleCallEventi | hSimpleChangeEventihSimpleChangeEventi ::= ‘becomesTrue’ ‘(’ hOCLExpressionCSi ‘)’hSimpleCallEventi ::= ‘isCalled’ ‘(’ hOperationCallExpCSi

[‘,’ ‘pre:’ hOCLExpressionCSi][‘,’ ‘post:’ hOCLExpressionCSi] ‘)’

Fig. 1. Grammar of OCLR

OCLR - <Event>