A Static Approach to Consistency Verification of UML Models Andrea Baruzzo [email protected] Department of Computer Science University of Udine MoDeV 2 a 2006 Workshop

Page 1

A Static Approach to Consistency Verification of UML Models

Andrea Baruzzo

[email protected]

Department of Computer Science University of Udine

MoDeV2a 2006 Workshop

Page 2

The context

The problems to address

The goals

The method

The method at work

Future works

Agenda

Page 3

Model-Driven Development

Model elaboration (possibly manual but typically automatic)

Build the right model! …early validation!

Model-Driven Architecture development [Mellor, Warmer, OMG]

UML alone is not precise enough to build software and to verify it

The need for a formal specification embedded in UML models (OCL)

Tools for model-based debugging and testing

[AICA05] Andrea Baruzzo, Executable Models: Formal Specifications Embedded in Software Models, Congresso annuale AICA, Udine, 5-7 October 2005

The Context

Figure: Requirements, Models and Code, linked by consistency, correctness, model precision and code correctness

Page 4

Due to the complexity of large software systems, preserving model consistency is an issue

Model-based verification is often achieved by means of dynamic checking of OCL constraints…

…but the generation of suitable code which checks them:

slows down performance

can alter the behavior

does not ensure that a bug is revealed

generating just a significant finite subset of the possible runs is not so feasible either

Static model-based verification (very difficult)

Static verification of UML model consistency (a first step)

What is inconsistency all about?

A discrepancy between the entire model and the code (difficult)

A discrepancy between the specification and the model views (a first step)

Problems to address

Page 5

Verify the dynamic view of the system against the static view and its constraints (“software contracts”)

Identify and refine specifications that are too strong

Identify new constraints (specifications too weak?)

Build precise UML models: class diagrams, sequence diagrams, statechart diagrams, (OCL) specifications (the software contract)

Independence from the specification language (OCL, Promela, Alloy, …)

Short-term Goals

Page 6

Verification: verify the code of the system against the entire model and its constraints (“software contracts”)

Specification synthesis: from existing code

Tool integrations: integration between the static approach (it cannot be complete) and the dynamic approach; manipulation of the models hierarchy (MDA)

Long-term Goals

Page 7

Precise semantics of OCL and UML [Gogolla&Richter01]

Syntax of Object Models: set of classes (or types); set of attributes for each class; set of associations with role names and multiplicities; generalization hierarchy over classes

$M = \{CLASS, ATT_c, OP_c, ASSOC, associates, roles, multiplicities, \prec\}$

Interpretation of Object Models: system state: objects, links and attribute values constitute the state of a system at a particular moment in time

$\sigma(M) = (\sigma_{CLASS}, \sigma_{ATT}, \sigma_{ASSOC})$

The semantics of an object model is the set of all possible system states $\sigma(M)$

[Gogolla&Richter01] Martin Gogolla and Mark Richters, OCL: Syntax, Semantics, and Tools, in Object Modeling with the OCL, LNCS 2263, 2001

Page 8

The notion of class correctness

But what happens when this does not hold? Faulty Program or Inconsistent Specification?

[Meyer92] Bertrand Meyer, Applying Design by Contract, ACM Computer, Volume 25, Issue 10, 1992

Due to the size of most systems, bugs in assertions are not so unlikely!

Speaker notes (Andrea Baruzzo):

This notion clearly states what has to happen when we call a method in a state which satisfies $Pre_m[x/e] \wedge Inv_C$, but what happens when this does not hold? As already said, failure to meet any of the responsibilities stated in the contract results in a break of the contract, and indicates the existence of a bug somewhere in the design or implementation of the software or in the assertions themselves. Due to the size of most systems, the latter chance is not so unlikely. In this paper we want to focus on this situation,

Cite Meyer's remarks
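Added here, not on the slides: Meyer's class-correctness condition that the note above refers to, written in the note's own symbols; $body_m$ stands for the implementation of method $m$ of class $C$ and $x/e$ for the substitution of actual arguments $e$ for formal parameters $x$.

$$\{\,Pre_m[x/e] \wedge Inv_C\,\}\ body_m\ \{\,Post_m[x/e] \wedge Inv_C\,\} \quad \text{for every exported method } m \text{ of } C$$

$$\{\,Pre_c[x/e]\,\}\ body_c\ \{\,Inv_C\,\} \quad \text{for every creation procedure } c \text{ of } C$$

A sequence diagram is consistent with the contract when the facts holding on entry to each block entail the left-hand side of the rule for the method the block calls; when they do not, either the diagram or an assertion is at fault, which is the situation the note singles out.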
Page 9

The method – The process (BEDAV)

Build the UML model of the system: build the structure view, build the dynamic (behavioral) view

Enrich the model with the (OCL) specifications

Decompose sequence diagrams in blocks

Annotate each block with formulas to be imposed and to be checked

Verify sequence diagrams against the formulas of each block

Page 10

The method at work – the model

Figure: sequence diagram sd Employee dynamics

Lifelines: Client, andrea :Employee, ACME :Company

State constraints: {salary = 800} {age > 40} at the start of the diagram, {salary > 1000} at its end

Messages, in order: hire(andrea); getAge() with reply age; [age > 30]: raiseSalary(700) with reply salary; reply salary

Page 11

The method at work – the (OCL) specifications

Page 12

The method at work - decomposition

Speaker notes (Andrea Baruzzo):

For each of these blocks we build formulas that guarantee that executing the block preserves the class invariants and is consistent with the pre- and postconditions of each method.
Page 13

The method at work – decomposition

Page 14

The method at work – validation (equations checked)

Speaker notes (Andrea Baruzzo):

If we add to the diagram an initial constraint specifying that Company.employee->excludes(Andrea), then we can prove the new (i) and the diagram becomes consistent.
Page 15

… now the diagram becomes consistent!

{Company.employee->excludes(Andrea)}
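The BEDAV steps (decompose, annotate, verify) and the validation just shown, as an added example that is not code from the slides: sd Employee dynamics is split into message blocks, each annotated with the formulas imposed on entry and with the effect of its postcondition, and the blocks are checked with interval facts in place of a prover. The precondition Company.employee->excludes(andrea) on hire and integer-valued ages are assumptions.

```python
INF = float("inf")

def decide(facts, formula):
    """True/False when the known facts settle the formula, None when they do not."""
    kind, name, value = formula
    if kind == "excludes":            # set-membership fact, e.g. Company.employee->excludes(andrea)
        return None if name not in facts else facts[name] is False
    lo, hi = facts[name]              # attribute known to lie in the integer interval [lo, hi]
    if kind == "gt":                  # name > value
        return True if lo > value else (False if hi <= value else None)
    raise ValueError(f"unknown formula kind {kind}")

def verify(blocks, facts, final):
    """Walk the blocks in diagram order; return (inconsistencies found, final facts)."""
    findings = []
    for name, guard, imposed, effect in blocks:
        if guard is not None:
            g = decide(facts, guard)
            if g is None:
                findings.append(f"{name}: guard {guard} is not decidable from the facts")
                continue
            if g is False:            # the guarded message is simply not sent
                continue
        for f in imposed:             # formulas imposed on entry: they must be provable here
            if decide(facts, f) is not True:
                findings.append(f"{name}: cannot prove {f}")
        facts = effect(facts)         # the postcondition rewrites the facts
    for f in final:                   # formulas checked at the end of the diagram
        if decide(facts, f) is not True:
            findings.append(f"final constraint {f} is not provable")
    return findings, facts

def raise_salary(amount):             # post: salary = salary@pre + amount
    return lambda facts: {**facts, "salary": tuple(b + amount for b in facts["salary"])}
hire = lambda facts: {**facts, "andrea_employed": True}   # post: Company.employee->includes(andrea)

# Blocks of 'sd Employee dynamics': (message, guard, imposed formulas, effect). The
# precondition on hire is assumed; the slides only say the excludes constraint makes it provable.
EMPLOYEE_DYNAMICS = [
    ("hire(andrea)", None, [("excludes", "andrea_employed", None)], hire),
    ("getAge()", None, [], lambda facts: facts),
    ("raiseSalary(700)", ("gt", "age", 30), [], raise_salary(700)),
]
FINAL = [("gt", "salary", 1000)]

def employee_facts(with_excludes):    # {salary = 800} {age > 40}, ages taken as integers
    facts = {"salary": (800, 800), "age": (41, INF)}
    if with_excludes:
        facts["andrea_employed"] = False   # {Company.employee->excludes(andrea)}
    return facts
```

Without the initial excludes fact the checker reports that hire's precondition cannot be proved; with it, every block passes and the final facts give salary = 1500, so {salary > 1000} holds.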

Page 16

Work in progress, future works

Work in progress: tool implementation; assistant to write OCL constraints (some will be code independent, others not); development of the method for static model-based verification (with code)

Future works: support for concurrency; support for temporal logic (in general, any temporal constraint); support for class diagram consistency in itself (i.e. consistency of cardinality constraints in associations)

Page 17

THANK YOU!

Page 18

The method at work – validation (equations imposed)