Dynamic Validation of Maude Prototypes of UML Models duran.pdf · Dynamic Validation of Maude...
Transcript of Dynamic Validation of Maude Prototypes of UML Models duran.pdf · Dynamic Validation of Maude...
Dynamic Validation ofMaude Prototypes of UML Models
Francisco Duranwith M. Roldan, A. Moreno, and J. M. Alvarez
University of Malaga, Spain
A presentation in honor ofProf. Koichi Futatsugi
Kanazawa, JapanApril 14-16, 2014
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 1 / 37
Introduction
Our aims
• In model-driven developments, particular attention should be paid tochecking crucial properties on models to guarantee software quality.
• Tool support for validating OCL constraints on UML models:
• A number of tools allows static validation of models.• Some tools allow dynamic validation on the implementation of
the system.
• We can have executable representations of UML models in Maude.
• We can dynamically validate OCL constraints on these model.
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 2 / 37
Introduction
Why OCL? [AtlanMod - [email protected]]
No serious use of UML without OCL!!!
(limited expressiveness of
ALL graphical notations)
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 3 / 37
OCL for OO designs
OCL’s basics
• OCL includes a predefined standard library:
• Primitive types: Integer, Real, Boolean and String• Collection types: Set, Bag, OrderedSet and Sequence• Operations on them
• and, or, not (Boolean),• +, −, >, < (Real and Integer),• union, size, includes, count and sum (Set).
• OCL offers predefined mechanisms for:
• Retrieving the values of an object• Navigating through a set of related objects• Iterating over collections of objects (e.g., forAll, exists, select)
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 4 / 37
OCL for OO designs
OCL for OO designs
• A formal language
• Precise and unambiguous specifications
• Used for
• To constrain or to restrict values in a model
• Constraints on all types of objects and expressions• Pre/Post conditions
• But also:
• Query expressions (Borlands ECO, OQL, and Xquery)• Derived values• Conditions• Business rules• ...
• Industry Standards
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 5 / 37
OCL for OO designs
MDE technologies
• Domain Specific Languages (DSLs)
• Notation close to the problem domain and intuitive for domainexperts
• Model transformations
• Automatically synthesize alternative model representations,source code
System’ Model Model’
Model Transformation
represents represents
DSL DSL’
System
written in written in
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 6 / 37
OCL for OO designs
MDE languages: ATL, Kermeta, ...
rule Object {from
o : MM!EObject
to
obj : Maude!RecTerm (
op <- thisModule.objectOperator,
type <- thisModule.objectSort,
args <- Sequence{thisModule.MaudeOid(o),class,sfs} ),class : Maude!Constant (
op <- o.eClass().maudeClassifierName(),
type <- thisModule.MaudeClassSort(o.eClass()) ),
...
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 7 / 37
OCL for OO designs
UML Example: A Ticket Sale System
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 8 / 37
OCL for OO designs
A ticket sale system: invariants
context Client inv non-empty-session :
session.startTime < session.endTime
context Client inv no-overlapping :
tickets->forAll(T1 |
tickets->forAll(T2 | (T1 = T2)
or (T1.session.endTime < T2.session.startTime)
or (T2.session.endTime < T1.session.startTime))))
context Session inv seats-in-session :
capacity >= tickets->size()
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 9 / 37
OCL for OO designs
A ticket sale system:pre- and post-conditions of the buyTicket operation
context Cinema::buyTicket(st:Integer, cl:Client): Ticket
pre: sessions -> select(S | S.startTime = st) -> size() = 1 .
post: (result = null)
or
(-- tickets of the session must include the result ticket
sessions -> select(S | S.startTime = st).tickets -> includes(result)
and
-- the number of tickets increases in 1 unit
((sessions -> select(S | S.startTime = st).tickets->asSet())
- (sessions -> select(S | S.startTime = st).tickets@pre->asSet()))
-> size() = 1)
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 10 / 37
OCL for OO designs
A ticket sale system: sequence diagram
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 11 / 37
OCL for OO designs
Statecharts, interaction diagrams, activity diagrams, ...
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 12 / 37
OCL for OO designs
What can we do with these models?
• Specification
• As comments, sometimes parsed or type checked
• Code generation
• Code, asserts, test cases
• Validation
• Static validation (OCL Dresde, USE, HOL-OCL, UML2Alloy, ...)• Very little on dynamic validation (USE-ASSL)• Consistency, independence, ...
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 13 / 37
OCL for OO designs
Our approach: mOdCL (Maude + OCL)
• We translate the UML/OCL models into the algebraic specificationlanguage and system Maude.
• Specifically, using mOdCL
• invariants are represented by state predicates,• operations by Maude rules, and• pre- and postconditions by predicates as well.
• An execution strategy controls the rules execution and checks theconstraints.
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 14 / 37
The Maude system
The Maude system• Formal notation and system
• high-level language and a high-performance interpreter andcompiler in the OBJ algebraic specification family
• supports MEL and RL specification and programming
• Supported by a formal toolkit
• execution of specifications• reachability analysis• model-checking• theorem proving• etc.
• Used in many different areas
• Models of computation• Semantics of programming languages and software analysis• Modeling and analysis of networks and distributed systems
• Distributed architectures and components• Specification and analysis of communication protocols• Modeling and analysis of security protocols
• ...F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 15 / 37
UML models in mOdCL
The mOdCL representation of the system structure
• User-defined classes are represented as Maude classes. Attributesand associations are represented as constants of the mOdCL sortAttributeName.
s o r t Cinema .sub so r t Cinema < Cid .op Cinema : −> Cinema [ ctor ] .ops name bank session : −> AttributeName [ ctor ] .
• Associations with multiplicity 1 are represented as attributes of sortOid and associations with multiplicity * as attributes of sort Set (forOid sets).
• An operation op(arg1:type1,. . .,argn:typen):type is represented asan OpName constant op and Arg constants arg1, . . ., argn.
op buyticket : −> OpName [ ctor ] .ops startTime aClient : −> Arg [ ctor ] .
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 16 / 37
UML models in mOdCL
Representation of class diagrams
op @MPNs@ : -> @Metamodel .
op MPNs : -> @Package .
sort MPN . subsort MPN < @Class . op MPN : -> MPN . op els : -> @Reference .
sort PositionedEl . subsort PositionedEl < @Class . op PositionedEl : -> PositionedEl . op xPos : -> @Attribute . op yPos : -> @Attribue .
sort Phone . subsort Phone < PositionedEl . op Phone : -> Phone . op contacts : -> @Reference . op dialedCalls : -> @Reference . op receivedCalls: -> @Reference . op on : -> @Attribute . op battery : -> @Attribute . …
eq isAbstract(Phone) = false . ... eq type(contacts) = Phone . eq opposite(contacts) = null . eq lowerBound(contacts) = 0 . eq upperBound(contacts) = * . … eq type(on) = @Bool . eq lowerBound(on) = 1 . eq upperBound(on) = 1 .
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 17 / 37
UML models in mOdCL
Representation of object diagrams
xSize = 80 ySize = 50
mpn
xPos = 25 yPos = 35
xPos = 55 yPos = 15
battery = 100 xPos = 5 yPos = 45
battery = 50 xPos = 45 yPos = 35
battery = 50 xPos = 65 yPos = 25
battery = 100 xPos = 15 yPos = 15
111
222
333
444
a1
a2
MPN { < ’mpn : MPN | els : Set{a ; ’p1 ; ’p2 ; ’p3} # xSize : 80 # ySize : 50 > < ’a : Antenna | xPos : 100 # yPos : 50 > < ’p1 : Phone | dialedCalls : OrderedSet{} # receivedCalls : OrderedSet{} # contacts : OrderedSet{’p2, ’p3, ’p4} # number : 111 # on : false # battery : 100 # coverage : 0 # bps : 1 # xPos : 5 # yPos : 45 # xDir : 1 # yDir : 0 > < ’p2 : Phone | dialedCalls : OrderedSet{} # receivedCalls : OrderedSet{} # contacts : OrderedSet{’p1 ; ’p3 ; ’p4} # number : 222 # on : false # battery : 50 # coverage : 0 # bps : 1 # xPos : 45 # yPos : 35 # xDir : 0 # yDir : -1 > < ’p3 : Phone | dialedCalls : OrderedSet{} # receivedCalls : OrderedSet{} # contacts : OrderedSet{’p1 ; ’p2 ; ’p4} # number : 333 # on : false # battery : 100 # coverage : 0 # bps : 1 # xPos : 15 # yPos : 15 # xDir : 0 # yDir : 1 > … }
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 18 / 37
UML models in mOdCL OCL constraints
OCL expressions in mOdCL: invariants
• OCL expressions are represented as terms of sort OclExp.
ops seats−in−session no−overlapping : −> OclExp .
eq seats−in−session= context Session inv : capacity >= ticket −> size ( ) .
eq no−overlapping= context Client inv :
ticket −> forAll ( T1 | ticket −> forAll ( T2 |( T1 = T2 )or ( T1 . session . endTime < T2 . session . startTime )or ( T2 . session . endTime < T1 . session . startTime ) ) ) )
• A constant inv is defined for invariants.
op inv : −> OclExp .
eq inv = seats−in−session and no−overlapping .
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 19 / 37
Validating with mOdCL
Validating with mOdCL: an object diagram
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 20 / 37
Validating with mOdCL
The mOdCL representation of the object diagram
mod CINEMA-TEST ispr CINEMA . --- Cinema model definitionpr CINEMA-CONSTRAINTS . --- Constraints for the Cinema model
op state : -> Configuration .eq state= < cn : Cinema | bank : bbva, sessions : Set{s1, s2, s3} >< s1 : Session | startTime : 1100, endTime : 1150, capacity : 10,
price : 5, ticket : Set{1, 3} >< s2 : Session | startTime : 1200, endTime : 1250, capacity : 10,
price : 8, ticket : Set{2} >< s3 : Session | startTime : 1300, endTime : 1350, capacity : 10,
price : 5, ticket : Set{} >< juan : Client | cinemas : Set{cn}, ticket : Set{1, 2}, debitCard : 111 >< ana : Client | cinemas : Set{cn}, ticket : Set{2}, debitCard : 222 >< luis : Client | cinemas : Set{cn}, ticket : Set{}, debitCard : 333 >< bbva : Bank | cards : qas(111, acc1) $$ qas(222, acc2) $$ qas(333, acc3) >< acc1 : Account | bal : 100 >< acc2 : Account | bal : 1000 >< acc3 : Account | bal : 10000 >< 1 : Ticket | seat : 1, session : s1, client : juan >< 2 : Ticket | seat : 1, session : s2, client : juan >< 3 : Ticket | seat : 2, session : s1, client : ana > .
endm
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 21 / 37
Validating with mOdCL
Static validation
• mOdCL offers an eval function to evaluate an OCL expression.
op eval : OclExp Configuration −> OclType .
E.g., we can validate the state object diagram.
Maude> red in CINEMA−TEST : eval ( seats−in−season , state ) .r e s u l t : true
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 22 / 37
Validating with mOdCL
Concurrent rewriting
• Concurrent states are represented as configurations of objects andmessages
• that evolve by concurrent rewriting
• using rules that describe the effects of the communication events ofobjects and messages.
crl [r] :
< O1 : C1 | atts1 > ... < On : Cn | attsn >
M1 ... Mm=> < Oi1 : C′i1 | atts
′i1 > ... < Oik : C′ik | atts
′ik>
< Q1 : C′′1 | atts′′1 > ... < Qp : C′′p | atts′′p >
M′1 ... M′qif Cond .
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 23 / 37
UML models and OCL expressions in mOdCL System structure
OCL expressions in mOdCL: pre- and post-conditions
• pre and post operators must be defined for each method.
ops pre post : OpName −> OclExp .
eq pre ( buyTicket )= session −> select ( S | S . startTime = startTime ) −> size ( ) = 1 .
eq post ( buyTicket )= ( r e s u l t = null )or( session −> select ( S | S . startTime = startTime ) . ticket−> includes ( r e s u l t ) .
and( ( session −> select ( S | S . startTime = startTime ) . ticket )
−> asSet ( ) −( session −> select ( S | S . startTime = startTime )
. ticket @pre ) −> asSet ( ) )−> size ( ) = 1) .
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 24 / 37
UML models and OCL expressions in mOdCL System behavior
WS-RF standard for resource use modelling
[K. Czajkowski et al, The WS-Resource Framework Version 1.0, (2004).]
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 25 / 37
UML models and OCL expressions in mOdCL System behavior
Running example: sequence diagram
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 26 / 37
UML models and OCL expressions in mOdCL System behavior
The mOdCL representation of the system behavior
• mOdCL expects that methods are invoked with a message
call(<method−name>, <addressee>, <argument−list>)
and upon their completion they send a return message of the form
return(<return−value>)
• When a method m calls a given operation m’ the rules representingthe m method block until the completion of m’. A resume messagemust be used to block such rules and to get the result.
resume (m ’ , <return−value>)
send call message
wait for resume message
create Context object
send return message
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 27 / 37
UML models and OCL expressions in mOdCL System behavior
Infrastructure for operation calls
• The infrastructure of mOdCL will intercept and process thesemessages.
• The processing of a call operator results in the execution of amethod, for which a context object, representing the executioncontext, is generated.
< Ctx : Context | op : M , self : Id , args : Args >
• A return(<return-value>) message will be replaced by a resumemessage of the form
resume(<return−value>)
• To manage the chaining of method invocations the validator uses anexecution stack in which the necessary information is stored.
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 28 / 37
UML models and OCL expressions in mOdCL System behavior
The execution stack
• The stack infrastructure is built around CALL and RETURN rules. Wemake use of this in the metaOCLRewrite strategy to locate the stateswhere some constraints must be validated.
rl [CALL] :call(op-nm, self, args-list)stack(... contents of the stack ...)=> < context : Context | ... > --- new execution contextstack(... new contents of the stack ...) .
rl [RETURN] :return(R:OclType)< context : Context | ... > --- old execution contextstack(< new-context : Context | ...>
... rest of the contents of the stack ...)=> resume(op-nm, R:OclType)< new-context : Context | ... > --- new execution contextstack(... new contents of the stack ...) .
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 29 / 37
UML models and OCL expressions in mOdCL An example
An example: the goCinema method
• A message call activates its execution.
call ( goCinema , Self , ( arg ( cinema , Cn ) , arg ( startTime , St ) )
• First rule. A call to buyTicket.
rl [GO-CINEMA-1] :< ctx : Context | op : goCinema, self : Self,
args : arg(cinema, Cn), arg(startTime, St))< Self : Client | cinema : Set{C, LC}, Atts1 >< C : Cinema | name : Cn, session : Set{S, LS}, Atts2 >< S : Session | startTime : St, Atts3 >=> < Self : Client | cinema : Set{C, LC}, Atts1 >< C : Cinema | name : Cn, session : Set{S, LS}, Atts2 >< S : Session | startTime : St, Atts3 >< ctx : Context | op : goCinema, self : Self,
args : arg(cinema, Cn), arg(startTime, St))call(buyTicket, C, (arg(startTime, St), arg(client, Self))) .
• It blocks and waits for a resume message from buyTicket.rl [GO-CINEMA-2-FAIL] :resume(buyTicket, null)=> return(false) .
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 30 / 37
UML models and OCL expressions in mOdCL An example
An example: the buyTicket method
• Last rule of the buyTicket method (no free seats).
crl [BUY-TICKET-1-NO-FREE-SEATS] :< ctx : Context | op : buyTicket, self : Self,
args : arg(startTime, St), arg(client, Cl))< Self : Cinema | session : Set{S, LS}, Atts1 >< S : Session | startTime : St, ticket : TS, capacity : C, Atts2 >=> < Self : Cinema | session : Set{S, LS}, Atts1 >< S : Session | startTime : St, ticket : TS,
capacity : C, Atts2 >< ctx : Context | op : buyTicket, self : Self,
args : arg(startTime, St), arg(client, Cl))return(null)
if size(TS) >= C .
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 31 / 37
Validating with mOdCL
Dynamic validation
• We provide the validate command to validate the OCL constraintsof an UML during its execution.
Maude> (validate in TEST-CINEMA with CINEMA-CONSTRAINTS from state .)result Configuration:< cn : Cinema | name : "Coronet", bank : bbva, sessions : Set{s1, s2, s3} >< bbva : Bank | cards : (qas(111, acc1) $$ qas(222, acc2) $$ qas(333, acc3)) >< s1 : Session | startTime : 1100, endTime : 1150, capacity : 10,
price :5, ticket : Set{1, 2} >< s2 : Session | startTime : 1200, endTime : 1250, capacity : 10, price : 8,
ticket : Set{3, 4} >< s3 : Session | startTime : 1300, endTime : 1350, capacity : 10, price : 5,
ticket : Set{5} >< juan : Client | ticket : Set{1, 3}, cinemas : Set{cn}, debitCard : 111 >< ana : Client | ticket : Set{2, 4}, cinemas : Set{cn}, debitCard : 222 >< luis : Client | ticket : Set{5},cinemas : Set{cn}, debitCard : 333 >< acc1 : Account | bal : 87 >< acc2 : Account | bal : 987 >< acc3 : Account | bal : 9995 >< 1 : Ticket | seat : 0, session : s1, client : juan >< 2 : Ticket | seat : 0, session : s1, client : ana >< 3 : Ticket | seat : 0, session : s2, client : juan >< 4 : Ticket | seat : 0, session : s2, client : ana >< 5 : Ticket | seat : 0, session : s3, client : luis >next-goCinema-call(6)next-ticket(6)
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 32 / 37
Validating with mOdCL
Dynamic validation
• In case of error we inform about the kind of error and the erroneousstate.
Maude> (validate in TEST-CINEMA with CINEMA-CONSTRAINTS from state-1 .)result Error:error("Precondition violation",
... name of operation ...session -> select(S | S . startTime = startTime) -> size() = 1,... here the erroneous state ...)
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 33 / 37
The mOdCL validator architecture
Architecture: the mOdCL evaluator
• Sorts definitionsubsort Int Float String Bool Oid < BasicType .subsort Set Bag OrderedSet Sequence < Collection .subsort BasicType Collection < OclType .
• Syntax for OCLvars E1 E1 : OclExp .var C : Configuration .
op _-> includes(_) : OclExp OclExp -> OclExp .eq eval(E1 -> includes(E2), C) = eval(E1, C) in eval(E2, C) .
• The eval functionop eval : OclExp Configuration -> OclType .op eval : OclExp Configuration Configuration -> OclType .
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 34 / 37
The mOdCL validator architecture
Architecture: the metaOCLRewrite strategy
• metaOCLRewrite controls the execution of the Maude rules specifyingthe UML model.
• It is implemented at the metalevel, and using the eval function toevaluate a given OclExp at a given state.
ceq metaOCLRewrite(M, T) = metaOCLRewriteAux(M, T, iterator(M))if I := metaReduce(M, ’inv.OclExp)∧ metaReduce(M, ’eval[I, T]) = ’true.Bool .
ceq metaOCLRewriteAux(M, T, C) = T if not hasNext(C) .ceq metaOCLRewriteAux(M, T, C)= if T’ :: Termthen (if L == ’CALL
then checkCall(M, T’)else (if L == ’RETURN
then checkReturn(M, T, T’)else metaOCLRewriteAux(M, T’, iterator(M))fi)
fi)else metaOCLRewriteAux(M, T, next(C))fi
if L := getLabel(C) ∧ T’ := metaXapply(M, T, L)[owise] .
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 35 / 37
The mOdCL validator architecture
The checkCall and checkReturn functions
They check whether a given state satisfies given constraints representedas inv, pre and post terms.
ceq checkCall(M, T)= if metaReduce(M, ’eval[P, T]) == ’true.Boolthen metaOCLRewriteAux(M, T, iterator(M))else ’error[’"Precondition failed"]fi
if opN := metaReduce(M, ’getOpName[T])/\ P := metaReduce(M, ’pre[opN]) .
ceq checkReturn(M, T, T’)= if metaReduce(M, ’eval[Q, T]) == ’true.Boolthen (if metaReduce(M, ’eval[I, T]) == ’true.Bool
then metaOCLRewriteAux(M, T’, iterator(M))else ’error[’"Invariant failed"]fi)
else ’error[’"Postcondition failed"]fi
if opN := metaReduce(M, ’getOpName[T])/\ Q := metaReduce(M, ’post[opN])/\ I := metaReduce(M, ’inv.OclExp) .
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 36 / 37
Conclusions and future work
Conclusions [http://maude.lcc.uma.es/mOdCL/]
• UML dynamics is represented as Maude rules.
• mOdCL allows both static and dynamic validation on UML models
• mOdCL follows the OCL 2.3.1 Standard [OCL2.3.1-2012-01-01]• successfully tested with the OCL benchmark [KHGB2012]
• mOdCL has already been used for
• Validating OCL constraints on objects diagrams• Dynamically validating OCL constraints during the execution of
Maude prototypes of UML models• Evaluating OCL expressions from Maudeling [RV2008]• Evaluating OCL expressions from e-Motions [RDV2009]• Giving semantics to transformation languages
• ATL [TV2011]• Kermeta [A2013]
• The Maude formal environment open many possibilities
• Consistency and independence of OCL constraints
F. Duran et al. (University of Malaga) Dynamic Validation of UML Models SAS 2014 37 / 37