evaluation of ocl for large-scale modelling

1

Evaluation of OCL for Large-Scale Modelling

A Different View of the Mondex Smart Card Application

Emine G. Aydal, Richard F. Paige, Jim WoodcockUniversity of York

3

Alloy (MIT) Event-B (University of Southampton) OCL (University of Bremen) Perfect Developer (Escher Technologies) RAISE (Uni. of UN Macao and TUD) Z (University of York)Based on the monograph that outlined the specifications, refinement and proof details of Mondex in Z (Stepney and Woodcock)

Motivation MONDEX : Global e-payment scheme that offers

immediate transfer of value without signature or PIN in currencies allowed.

First Step in Grand Challenge Program Contribution of this study

Model the system from informal requirements by using semi-formal techniques

Perform model-based testing on formally-verified versions of Mondex

Assess the value added

Motivation | Goal | Modelling Mondex | Modelling Issues | Validation | Test case generation| Conclusion

5

Goal

Model Mondex by using UML and OCL Diagrams Invariants Pre/post-conditions

Validate the model through scenarios Explore the relationship between test case

generation and assertion-based scenarios


6

Modelling Mondex

No. Module Name

M1 Payment

M2 Logging

M3 Recovery

M4 Currency Management

M5 Operational Control

M6 Data Display and Customisation


7

Modelling Mondex

Modelling Language : UML enriched with OCL expressions

Tool : UML Specification Environment (USE)

Use case diagrams and use scenarios


8

Modelling Mondex

8 Classes 30 Invariants 31 Operations 197 Pre/post-conditions Traceability Matrix


9

Modeling issues

Constants Derived Parameters

May be fixed at a later stage in the development or during application loading

Currently no support for constants Example:inv iNoLanguages:

self.languages->size() <= cNoLanguages

Prefixed with ‘/’ in UML (‘_’ in USE) Supported by OCL Not integrated into the OCL tools Workaround : create invariants ensuring the correct

calculation of the derived attributesinv iNoUnusedException :

_NumberOfUnusedExceptions =

cNoException - exceptionlogs->size()


10

Modeling issues

Constants Derived Parameters Invariants Pre/post-conditions (assertions) No consistency check

Restricting invariants No tool support yet (OCL Compiler v2.0)


11

Modeling issues

Pre/Post-conditions State Checking

Self.OclInState(Unlocked)

Self.LockingState = ‘Unlocked’

Messaging: HasSent Operator (‘^’)post ChangePersonalCodePost1:

%Personal Code changes successfully

or

(PersonalCode = PersonalCode@pre

and Self^ChangeTheStateToLockedOut

and result = false)


12

Modeling issues

Pre/Post-conditions Frame Variables Set (FVS)

Distinct set of variables read/written by each operation Determination of these variables Management of the post values of these variables Assumption : All the variables not included in FVS of

an operation stay unchanged after the execution of that operation

No tool support


13

Validation of the model


Overall Objective: The model behaves as expected when an instance of the model is executed under certain conditions. There is at least one instance of the model that

satisfies all the invariants. There is at least one instance of the model that

allows each operation to run successfully, i.e. preconditions and postconditions of the operation are satisfied and the instance does not conflict with any of the invariants.

14



Scenario: An instance of the model that serves a purpose, i.e. that satisfies a property.

Base object model : An initial, stable instance of the model that satisfies all the invariants.

Scenario structure Setting/creation of FVS Access the operation (Precondition check) Modification/Deletion of FVS Exit the operation (Postcondition check)

15



Creation of scenarios that validate operations Execution of scenarios Immediate feedback by the tool Drawback: Finding the set of frame variables

and their values in order to satisfy assertions of a certain operation

16

Test Case Generation


Assertions ensure the correct functioning of operations. So why not using these critical points in test case generation?

Idea: Find scenarios that violates each assertion of each operation.

17



Existing research: In order to validate a model, generate automatic snapshots of a model by using ASSL (A Snapshot and Sequence Language) in USE [Gogolla,2003]

Based on invariant conflict. Each invariant is addressed separately by feeding the

system with its reverse.

18



Additional information Scenarios that violate 197 assertions are already

created manually.

Future work Apply the technique described in [Gogolla,2003] for

invariants to assertions . Automate the generation of such scenarios Compare the results of manual and automatic

scenario generation Concretise scenarios into test scripts

19

Conclusion

Motivation | Goal | Modelling Mondex | Modeling Issues | Validation | Test case generation | Conclusion

Modeled a real life application by using OCL. The large number of invariants and assertions

provided us ideas in terms of features that needs to be added into OCL tools.

The scenarios are a way of validating your model. The fact that scenarios use artifacts of the model supports the validation process.

Test case generation and Validation are two processes that may have common grounds.

evaluation of ocl for large-scale modelling

Documents

proof details of mondex

ocl expressionstool

evaluation of ocl

variables readwritten

variables assumption

ocl compiler v2

tudz university of yorkbased

post values