software architecture and engineering · the software architecture as a composition of sub-systems...
TRANSCRIPT
![Page 1: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/1.jpg)
Software Architectureand Engineering
Modeling and Specifications
Peter MüllerChair of Programming Methodology
Spring Semester 2016
![Page 2: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/2.jpg)
2
Mastering Complexity
The technique of mastering complexity has been known since ancient times: Divide et impera(Divide and Rule). [ Dijkstra, 1965 ]
Benefits of decomposition- Partition the overall development effort- Support independent testing and analysis- Decouple parts of a system so that changes to one part
do not affect other parts- Permit system to be understood as a composition of
mind-sized chunks with one issue at a time- Enable reuse of components
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications
![Page 3: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/3.jpg)
3
Main Activities of Software Development
Peter Müller – Software Architecture and Engineering
Validation
RequirementsElicitation
Implementation
Design
3. Modeling and Specifications
![Page 4: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/4.jpg)
4
Main Activities of Software Development
Peter Müller – Software Architecture and Engineering
Validation
RequirementsElicitation
Implementation
3. Modeling and Specifications
System Design
Detailed Design
![Page 5: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/5.jpg)
5
System Design
System design determines the software architecture as a composition of sub-systems
Components: Computational units with specified interface- Filters, databases, layers
Connectors: Interactions between components- Method calls, pipes, events
Peter Müller – Software Architecture and Engineering
Validation
RequirementsElicitation
Implementation
3. Modeling and Specifications
System Design
Detailed Design
![Page 6: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/6.jpg)
6
Detailed Design
Detailed design chooses among different ways to implement the system design and provides the basis for the implementation
Data structures Algorithms Subclass hierarchies
Peter Müller – Software Architecture and Engineering
Validation
RequirementsElicitation
Implementation
3. Modeling and Specifications
System Design
Detailed Design
![Page 7: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/7.jpg)
7
Detailed Design: Map Example
Is null permitted as a value in the hash map?
Is it possible to iterate over the map?- Is the order of elements
stable?
Is the implementation thread-safe?
Peter Müller – Software Architecture and Engineering
package java.util;class HashMap<K,V> … {V get( Object key ) { … }V put( K key, V value ) { … }…
}
HashMap<String, String> m = new HashMap<String, String>( );
m.put( "key", null );String r1 = m.get( "key“ );String r2 = m.get( "no key“ );
3. Modeling and Specifications
![Page 8: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/8.jpg)
8
Map Example: Some Design Alternatives
Permit null-valuesIf key is not present, get- returns null (Java)- throws an exception (.NET)- indicates this via a
second result value (for instance, an out-parameter in C#)
Do not permit null-values:If null-value is passed, put- throws an exception- does nothing
Peter Müller – Software Architecture and Engineering
HashMap<String, String> m = new HashMap<String, String>( );
m.put( "key", null );String r1 = m.get( "key“ );String r2 = m.get( "no key“ );
3. Modeling and Specifications
![Page 9: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/9.jpg)
9
Detailed Design: Initialization Example
Initialize the fields of an object when the object is created or when the fields are accessed for the first time?
Peter Müller – Software Architecture and Engineering
class ImageFile {String file;Image image; ImageFile( String f ) { file = f;
}Image getImage( ) {if( image == null ) {// load the image
}return image;
}}
class ImageFile {String file;Image image; ImageFile( String f ) { file = f; // load the image
}Image getImage( ) {return image;
}}
3. Modeling and Specifications
![Page 10: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/10.jpg)
10
Detailed Design: List Example
Do mutating operations perform destructive updates or create a new list?
Peter Müller – Software Architecture and Engineering
void demo( List<String> l ) {int len = l.length;foo( l );bar( l );if( l.length != len )throw new Exception( );
}
3. Modeling and Specifications
![Page 11: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/11.jpg)
11
Detailed Design: List Example
Do mutating operations perform destructive updates or create a new list?
Peter Müller – Software Architecture and Engineering
void demo( List<String> l ) {int len = l.length;foo( l );bar( l );if( l.length != len )throw new Exception( );
}May foo and bar modify l?
3. Modeling and Specifications
![Page 12: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/12.jpg)
12
Detailed Design: List Example
Do mutating operations perform destructive updates or create a new list?
Peter Müller – Software Architecture and Engineering
void demo( List<String> l ) {int len = l.length;foo( l );bar( l );if( l.length != len )throw new Exception( );
}May foo and bar modify l?
May foo and bar execute
concurrently?
3. Modeling and Specifications
![Page 13: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/13.jpg)
13
Detailed Design: List Example
Do mutating operations perform destructive updates or create a new list?
Peter Müller – Software Architecture and Engineering
void demo( List<String> l ) {int len = l.length;foo( l );bar( l );if( l.length != len )throw new Exception( );
}May foo and bar modify l?
May foo and bar execute
concurrently?What is the
run-time and memory
consumption?
3. Modeling and Specifications
![Page 14: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/14.jpg)
14
List Example: Side Effects
Peter Müller – Software Architecture and Engineering
class List<E> {E[ ] elems;int len;void set( int index, E e ) { elems[ index ] = e; }List<E> clone( ) {List<E> r = new List<E>( );r.elems = elems.clone( );r.len = len;return r;
}}
3. Modeling and Specifications
![Page 15: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/15.jpg)
15
List Example: Side Effects
Peter Müller – Software Architecture and Engineering
class List<E> {E[ ] elems;int len;void set( int index, E e ) { elems[ index ] = e; }List<E> clone( ) {List<E> r = new List<E>( );r.elems = elems.clone( );r.len = len;return r;
}} void foo( List<String> p ) {
p.set( 0, “Hello” );p.set( 1, “World” );
}
void bar( List<String> p ) {… p.itemAt( 0 ) …… p.itemAt( 1 ) …
}
void demo( List<String> l ) {int len = l.len;foo( l );bar( l );if( l.length != len )throw new Exception( );
}
3. Modeling and Specifications
![Page 16: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/16.jpg)
16
List Example: Side Effects
Peter Müller – Software Architecture and Engineering
class List<E> {E[ ] elems;int len;void set( int index, E e ) { elems[ index ] = e; }List<E> clone( ) {List<E> r = new List<E>( );r.elems = elems.clone( );r.len = len;return r;
}} void foo( List<String> p ) {
p.set( 0, “Hello” );p.set( 1, “World” );
}
void bar( List<String> p ) {… p.itemAt( 0 ) …… p.itemAt( 1 ) …
}
void demo( List<String> l ) {int len = l.len;foo( l );bar( l );if( l.length != len )throw new Exception( );
}
Side effects become visible
3. Modeling and Specifications
![Page 17: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/17.jpg)
17
List Example: Side Effects
Peter Müller – Software Architecture and Engineering
class List<E> {E[ ] elems;int len;void set( int index, E e ) { elems[ index ] = e; }List<E> clone( ) {List<E> r = new List<E>( );r.elems = elems.clone( );r.len = len;return r;
}} void foo( List<String> p ) {
p.set( 0, “Hello” );p.set( 1, “World” );
}
void bar( List<String> p ) {… p.itemAt( 0 ) …… p.itemAt( 1 ) …
}
void demo( List<String> l ) {int len = l.len;foo( l );bar( l );if( l.length != len )throw new Exception( );
}
Side effects become visible
Concurrency may lead to data races
3. Modeling and Specifications
![Page 18: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/18.jpg)
18
List Example: Side Effects
Peter Müller – Software Architecture and Engineering
class List<E> {E[ ] elems;int len;void set( int index, E e ) { elems[ index ] = e; }List<E> clone( ) {List<E> r = new List<E>( );r.elems = elems.clone( );r.len = len;return r;
}} void foo( List<String> p ) {
p.set( 0, “Hello” );p.set( 1, “World” );
}
void bar( List<String> p ) {… p.itemAt( 0 ) …… p.itemAt( 1 ) …
}
void demo( List<String> l ) {int len = l.len;foo( l );bar( l );if( l.length != len )throw new Exception( );
}
Side effects become visible
Concurrency may lead to data races
Conservative cloning is expensive
3. Modeling and Specifications
![Page 19: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/19.jpg)
19
class List<E> {E[ ] elems;int len;List( E[ ] e, int l ) {elems = e; len = l;
}List<E> set( int index, E e ) {E[ ] els = elems.clone( );els[ index ] = e;return new List<E>( els, len );
}}
List Example: Functional Implementation
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications
![Page 20: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/20.jpg)
20
class List<E> {E[ ] elems;int len;List( E[ ] e, int l ) {elems = e; len = l;
}List<E> set( int index, E e ) {E[ ] els = elems.clone( );els[ index ] = e;return new List<E>( els, len );
}}
List Example: Functional Implementation
Peter Müller – Software Architecture and Engineering
void demo( List<String> l ) {int len = l.len;foo( l );bar( l );if( l.length != len )throw new Exception( );
}
void foo( List<String> p ) {p.set( 0, “Hello” );p.set( 1, “World” );
}
void bar( List<String> p ) {… p.itemAt( 0 ) …… p.itemAt( 1 ) …
}
3. Modeling and Specifications
![Page 21: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/21.jpg)
21
class List<E> {E[ ] elems;int len;List( E[ ] e, int l ) {elems = e; len = l;
}List<E> set( int index, E e ) {E[ ] els = elems.clone( );els[ index ] = e;return new List<E>( els, len );
}}
List Example: Functional Implementation
Peter Müller – Software Architecture and Engineering
void demo( List<String> l ) {int len = l.len;foo( l );bar( l );if( l.length != len )throw new Exception( );
}No side
effects on l
void foo( List<String> p ) {p.set( 0, “Hello” );p.set( 1, “World” );
}
void bar( List<String> p ) {… p.itemAt( 0 ) …… p.itemAt( 1 ) …
}
3. Modeling and Specifications
![Page 22: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/22.jpg)
22
class List<E> {E[ ] elems;int len;List( E[ ] e, int l ) {elems = e; len = l;
}List<E> set( int index, E e ) {E[ ] els = elems.clone( );els[ index ] = e;return new List<E>( els, len );
}}
List Example: Functional Implementation
Peter Müller – Software Architecture and Engineering
void demo( List<String> l ) {int len = l.len;foo( l );bar( l );if( l.length != len )throw new Exception( );
}No side
effects on l
Concurrency is safe
void foo( List<String> p ) {p.set( 0, “Hello” );p.set( 1, “World” );
}
void bar( List<String> p ) {… p.itemAt( 0 ) …… p.itemAt( 1 ) …
}
3. Modeling and Specifications
![Page 23: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/23.jpg)
23
class List<E> {E[ ] elems;int len;List( E[ ] e, int l ) {elems = e; len = l;
}List<E> set( int index, E e ) {E[ ] els = elems.clone( );els[ index ] = e;return new List<E>( els, len );
}}
List Example: Functional Implementation
Peter Müller – Software Architecture and Engineering
void demo( List<String> l ) {int len = l.len;foo( l );bar( l );if( l.length != len )throw new Exception( );
}No side
effects on l
Concurrency is safe
void foo( List<String> p ) {p.set( 0, “Hello” );p.set( 1, “World” );
}
void bar( List<String> p ) {… p.itemAt( 0 ) …… p.itemAt( 1 ) …
}Significant run-time and space
overhead
3. Modeling and Specifications
![Page 24: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/24.jpg)
24
class List<E> {E[ ] elems;int len;List( E[ ] e, int l ) {elems = e; len = l;
}List<E> set( int index, E e ) {E[ ] els = elems.clone( );els[ index ] = e;return new List<E>( els, len );
}}
List Example: Functional Implementation
Peter Müller – Software Architecture and Engineering
void demo( List<String> l ) {int len = l.len;foo( l );bar( l );if( l.length != len )throw new Exception( );
}No side
effects on l
Concurrency is safe
Conservative cloning is
unnecessary
void foo( List<String> p ) {p.set( 0, “Hello” );p.set( 1, “World” );
}
void bar( List<String> p ) {… p.itemAt( 0 ) …… p.itemAt( 1 ) …
}Significant run-time and space
overhead
3. Modeling and Specifications
![Page 25: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/25.jpg)
25
List Example: Reference Counting
Peter Müller – Software Architecture and Engineering
class List<E> {ListRep<E> rep; int len;List( ListRep<E> r, int l ) { rep = r; len = l; }List<E> set( int index, E e ) {if( rep.shared ) {ListRep<E> r = new ListRep<E>( rep );r.elems[ index ] = e;return new List<E>( r, len );
} else {rep.elems[ index ] = e;return this;
}}
}
class ListRep<E> {E[ ] elems;boolean shared;ListRep( ListRep<E> o ) {elems = o.elems.clone( )shared = false;
}}
3. Modeling and Specifications
List<E> clone( ) {rep.shared = true;return new List<E>( rep, len );
}
![Page 26: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/26.jpg)
26
List Example: Reference Counting (cont’d)
void foo( List<String> p ) {p = p.set( 0, “Hello” );p = p.set( 1, “World” );
}
void bar( List<String> p ) {… p.itemAt( 0 ) …… p.itemAt( 1 ) …
}
void demo( List<String> l ) {int len = l.len;foo( l );bar( l );if( l.length != len )throw new Exception( );
}
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications
![Page 27: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/27.jpg)
27
List Example: Reference Counting (cont’d)
void foo( List<String> p ) {p = p.set( 0, “Hello” );p = p.set( 1, “World” );
}
void bar( List<String> p ) {… p.itemAt( 0 ) …… p.itemAt( 1 ) …
}
void demo( List<String> l ) {int len = l.len;foo( l );bar( l );if( l.length != len )throw new Exception( );
}
Side effects may become
visible
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications
![Page 28: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/28.jpg)
28
List Example: Reference Counting (cont’d)
void foo( List<String> p ) {p = p.set( 0, “Hello” );p = p.set( 1, “World” );
}
void bar( List<String> p ) {… p.itemAt( 0 ) …… p.itemAt( 1 ) …
}
void demo( List<String> l ) {int len = l.len;foo( l );bar( l );if( l.length != len )throw new Exception( );
}
Side effects may become
visible
Concurrency may lead to data races
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications
![Page 29: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/29.jpg)
29
List Example: Reference Counting (cont’d)
void foo( List<String> p ) {p = p.set( 0, “Hello” );p = p.set( 1, “World” );
}
void bar( List<String> p ) {… p.itemAt( 0 ) …… p.itemAt( 1 ) …
}
void demo( List<String> l ) {int len = l.len;foo( l );bar( l );if( l.length != len )throw new Exception( );
}
Side effects may become
visible
Concurrency may lead to data races
Conservative cloning is
cheap
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications
![Page 30: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/30.jpg)
30
List Example: Reference Counting (cont’d)
void foo( List<String> p ) {p = p.set( 0, “Hello” );p = p.set( 1, “World” );
}
void bar( List<String> p ) {… p.itemAt( 0 ) …… p.itemAt( 1 ) …
}
void demo( List<String> l ) {int len = l.len;foo( l );bar( l );if( l.length != len )throw new Exception( );
}
Side effects may become
visible
Concurrency may lead to data races
Conservative cloning is
cheap
Low run-time and space overhead
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications
![Page 31: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/31.jpg)
31
Peter Müller – Software Architecture and Engineering
3. Modeling and Specification
3.1 Code Documentation3.2 Informal Models3.3 Formal Models
3. Modeling and Specifications – Code Documentation
![Page 32: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/32.jpg)
32
Design Documentation
Design decisions determine how code should be written- During the initial development- When extending code through inheritance- When writing client code- During code maintenance
Design decisions must be communicated among many different developers- Does source code convey design decisions
appropriately?
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications – Code Documentation
![Page 33: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/33.jpg)
33
Example: Using HashMap
Peter Müller – Software Architecture and Engineering
HashMap<String,String> m;m = SomeLibrary.foo( );String s = m.get( “key” );// can s be null?
3. Modeling and Specifications – Code Documentation
![Page 34: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/34.jpg)
34
V get( Object key ) {if( key == null )return getForNullKey( );
int hash = hash( key.hashCode() );for( Entry<K,V> e = table[ indexFor(hash, table.length) ];
e != null; e = e.next ) {Object k;if( e.hash == hash &&
( (k = e.key) == key || key.equals(k) ) )return e.value;
}return null;
}
Example: Using HashMap
Peter Müller – Software Architecture and Engineering
HashMap<String,String> m;m = SomeLibrary.foo( );String s = m.get( “key” );// can s be null?
3. Modeling and Specifications – Code Documentation
![Page 35: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/35.jpg)
35
V get( Object key ) {if( key == null )return getForNullKey( );
int hash = hash( key.hashCode() );for( Entry<K,V> e = table[ indexFor(hash, table.length) ];
e != null; e = e.next ) {Object k;if( e.hash == hash &&
( (k = e.key) == key || key.equals(k) ) )return e.value;
}return null;
}
Example: Using HashMap
Peter Müller – Software Architecture and Engineering
HashMap<String,String> m;m = SomeLibrary.foo( );String s = m.get( “key” );// can s be null?
Iterate over all entries for this key’s
hash code
3. Modeling and Specifications – Code Documentation
![Page 36: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/36.jpg)
36
V get( Object key ) {if( key == null )return getForNullKey( );
int hash = hash( key.hashCode() );for( Entry<K,V> e = table[ indexFor(hash, table.length) ];
e != null; e = e.next ) {Object k;if( e.hash == hash &&
( (k = e.key) == key || key.equals(k) ) )return e.value;
}return null;
}
Example: Using HashMap
Peter Müller – Software Architecture and Engineering
HashMap<String,String> m;m = SomeLibrary.foo( );String s = m.get( “key” );// can s be null?
Iterate over all entries for this key’s
hash codekey was not found
3. Modeling and Specifications – Code Documentation
![Page 37: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/37.jpg)
37
V get( Object key ) {if( key == null )return getForNullKey( );
int hash = hash( key.hashCode() );for( Entry<K,V> e = table[ indexFor(hash, table.length) ];
e != null; e = e.next ) {Object k;if( e.hash == hash &&
( (k = e.key) == key || key.equals(k) ) )return e.value;
}return null;
}
Example: Using HashMap (cont’d)
Peter Müller – Software Architecture and Engineering
HashMap<String,String> m;m = SomeLibrary.foo( );if( m.containsKey( “key” ) ) {String s = m.get( “key” );// can s be null?…
}
3. Modeling and Specifications – Code Documentation
![Page 38: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/38.jpg)
38
V get( Object key ) {if( key == null )return getForNullKey( );
int hash = hash( key.hashCode() );for( Entry<K,V> e = table[ indexFor(hash, table.length) ];
e != null; e = e.next ) {Object k;if( e.hash == hash &&
( (k = e.key) == key || key.equals(k) ) )return e.value;
}return null;
}
Example: Using HashMap (cont’d)
Peter Müller – Software Architecture and Engineering
HashMap<String,String> m;m = SomeLibrary.foo( );if( m.containsKey( “key” ) ) {String s = m.get( “key” );// can s be null?…
}
Is [ hash, null ] a valid entry?Need to find and check all ways of
entering information into table
3. Modeling and Specifications – Code Documentation
![Page 39: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/39.jpg)
39
Example: Maintaining ImageFile
Peter Müller – Software Architecture and Engineering
class ImageFile {String file;Image image;…boolean equals( Object o ) {if( o.getClass( ) != getClass( ) ) return false;return file.equals( ( (ImageFile) o ).file );
}int hashcode( ) {if( image == null )return file.hashcode( );
elsereturn image.hashcode( ) + file.hashcode( );
}}
3. Modeling and Specifications – Code Documentation
![Page 40: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/40.jpg)
40
Example: Maintaining ImageFile
Peter Müller – Software Architecture and Engineering
class ImageFile {String file;Image image;…boolean equals( Object o ) {if( o.getClass( ) != getClass( ) ) return false;return file.equals( ( (ImageFile) o ).file );
}int hashcode( ) {if( image == null )return file.hashcode( );
elsereturn image.hashcode( ) + file.hashcode( );
}}
Is this a suitable implementation of hashcode?
3. Modeling and Specifications – Code Documentation
![Page 41: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/41.jpg)
41
class ImageFile {String file;Image image;…boolean equals( Object o ) {if( o.getClass( ) != getClass( ) ) return false;return file.equals( ( (ImageFile) o ).file );
}int hashcode( ) {if( image == null )return file.hashcode( );
elsereturn image.hashcode( ) + file.hashcode( );
}}
Example: Maintaining ImageFile (cont’d)
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications – Code Documentation
![Page 42: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/42.jpg)
42
class ImageFile {String file;Image image;…boolean equals( Object o ) {if( o.getClass( ) != getClass( ) ) return false;return file.equals( ( (ImageFile) o ).file );
}int hashcode( ) {if( image == null )return file.hashcode( );
elsereturn image.hashcode( ) + file.hashcode( );
}}
Example: Maintaining ImageFile (cont’d)
Peter Müller – Software Architecture and Engineering
Need to determine whether file may
be null
3. Modeling and Specifications – Code Documentation
![Page 43: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/43.jpg)
43
class ImageFile {String file;Image image;…boolean equals( Object o ) {if( o.getClass( ) != getClass( ) ) return false;return file.equals( ( (ImageFile) o ).file );
}int hashcode( ) {if( image == null )return file.hashcode( );
elsereturn image.hashcode( ) + file.hashcode( );
}}
Example: Maintaining ImageFile (cont’d)
Peter Müller – Software Architecture and Engineering
Need to determine whether image
may be modified
Need to determine whether file may
be null
3. Modeling and Specifications – Code Documentation
![Page 44: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/44.jpg)
44
class ImageFile {String file;Image image;…boolean equals( Object o ) {if( o.getClass( ) != getClass( ) ) return false;return file.equals( ( (ImageFile) o ).file );
}int hashcode( ) {if( image == null )return file.hashcode( );
elsereturn image.hashcode( ) + file.hashcode( );
}}
Example: Maintaining ImageFile (cont’d)
Peter Müller – Software Architecture and Engineering
void demo( HashMap<ImageFile,String> m,ImageFile f ) {
m.put( f, “Hello” );Image i = f.getImage( );int l = m.get( f ).length( );…
}
Need to determine whether image
may be modified
Need to determine whether file may
be null
3. Modeling and Specifications – Code Documentation
![Page 45: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/45.jpg)
45
class ImageFile {String file;Image image;…boolean equals( Object o ) {if( o.getClass( ) != getClass( ) ) return false;return file.equals( ( (ImageFile) o ).file );
}int hashcode( ) {if( image == null )return file.hashcode( );
elsereturn image.hashcode( ) + file.hashcode( );
}}
Example: Maintaining ImageFile (cont’d)
Peter Müller – Software Architecture and Engineering
void demo( HashMap<ImageFile,String> m,ImageFile f ) {
m.put( f, “Hello” );Image i = f.getImage( );int l = m.get( f ).length( );…
}
Need to determine whether image
may be modified
With lazy initialization, getter may change
hash code
Need to determine whether file may
be null
3. Modeling and Specifications – Code Documentation
![Page 46: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/46.jpg)
46
class ImageFile {String file;Image image;…boolean equals( Object o ) {if( o.getClass( ) != getClass( ) ) return false;return file.equals( ( (ImageFile) o ).file );
}int hashcode( ) {return getImage( ).hashcode( ) +
file.hashcode( );}
}
Example: Maintaining ImageFile (cont’d)
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications – Code Documentation
![Page 47: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/47.jpg)
47
class ImageFile {String file;Image image;…boolean equals( Object o ) {if( o.getClass( ) != getClass( ) ) return false;return file.equals( ( (ImageFile) o ).file );
}int hashcode( ) {return getImage( ).hashcode( ) +
file.hashcode( );}
}
Example: Maintaining ImageFile (cont’d)
Peter Müller – Software Architecture and Engineering
Need to determine whether file may
be null
3. Modeling and Specifications – Code Documentation
![Page 48: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/48.jpg)
48
class ImageFile {String file;Image image;…boolean equals( Object o ) {if( o.getClass( ) != getClass( ) ) return false;return file.equals( ( (ImageFile) o ).file );
}int hashcode( ) {return getImage( ).hashcode( ) +
file.hashcode( );}
}
Example: Maintaining ImageFile (cont’d)
Peter Müller – Software Architecture and Engineering
Need to determine whether the result of getImage may
be modifiedNeed to determine whether file may
be null
3. Modeling and Specifications – Code Documentation
![Page 49: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/49.jpg)
49
class ImageFile {String file;Image image;…boolean equals( Object o ) {if( o.getClass( ) != getClass( ) ) return false;return file.equals( ( (ImageFile) o ).file );
}int hashcode( ) {return getImage( ).hashcode( ) +
file.hashcode( );}
}
Example: Maintaining ImageFile (cont’d)
Peter Müller – Software Architecture and Engineering
void demo( HashMap<ImageFile,String> m,ImageFile f ) {
m.put( f, “Hello” );Image i = f.getImage( );int l = m.get( f ).length( );…
}
Need to determine whether the result of getImage may
be modifiedNeed to determine whether file may
be null
3. Modeling and Specifications – Code Documentation
![Page 50: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/50.jpg)
50
class ImageFile {String file;Image image;…boolean equals( Object o ) {if( o.getClass( ) != getClass( ) ) return false;return file.equals( ( (ImageFile) o ).file );
}int hashcode( ) {return getImage( ).hashcode( ) +
file.hashcode( );}
}
Example: Maintaining ImageFile (cont’d)
Peter Müller – Software Architecture and Engineering
void demo( HashMap<ImageFile,String> m,ImageFile f ) {
m.put( f, “Hello” );Image i = f.getImage( );int l = m.get( f ).length( );…
}
Need to determine whether the result of getImage may
be modified
Hash code is not affected by lazy
initialization
Need to determine whether file may
be null
3. Modeling and Specifications – Code Documentation
![Page 51: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/51.jpg)
51
Example: Extending List
Peter Müller – Software Architecture and Engineering
class SmallList extends List {void shrink( ) {// reduce array size if the array// is not fully used
}}
3. Modeling and Specifications – Code Documentation
![Page 52: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/52.jpg)
52
Example: Extending List
Peter Müller – Software Architecture and Engineering
class SmallList extends List {void shrink( ) {// reduce array size if the array// is not fully used
}}
Is this an optimization or does it change the behavior?
3. Modeling and Specifications – Code Documentation
![Page 53: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/53.jpg)
53
Extending List: List with Side Effects
Peter Müller – Software Architecture and Engineering
class SmallList extends List {void shrink( ) {int l = elems.length / 2;if( len <= l ) {E[ ] tmp = new E[ l ];System.arraycopy( elems, 0, tmp, 0, len );elems = tmp;
}}
}
3. Modeling and Specifications – Code Documentation
![Page 54: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/54.jpg)
54
Extending List: List with Side Effects
Peter Müller – Software Architecture and Engineering
class SmallList extends List {void shrink( ) {int l = elems.length / 2;if( len <= l ) {E[ ] tmp = new E[ l ];System.arraycopy( elems, 0, tmp, 0, len );elems = tmp;
}}
}
Is this an optimization or does it change the behavior?
3. Modeling and Specifications – Code Documentation
![Page 55: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/55.jpg)
55
Extending List: List with Side Effects
Peter Müller – Software Architecture and Engineering
class SmallList extends List {void shrink( ) {int l = elems.length / 2;if( len <= l ) {E[ ] tmp = new E[ l ];System.arraycopy( elems, 0, tmp, 0, len );elems = tmp;
}}
}
elems:2len:
list1array
Is this an optimization or does it change the behavior?
3. Modeling and Specifications – Code Documentation
![Page 56: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/56.jpg)
56
Extending List: List with Side Effects
Peter Müller – Software Architecture and Engineering
class SmallList extends List {void shrink( ) {int l = elems.length / 2;if( len <= l ) {E[ ] tmp = new E[ l ];System.arraycopy( elems, 0, tmp, 0, len );elems = tmp;
}}
}
elems:2len:
list1
array
array
Is this an optimization or does it change the behavior?
3. Modeling and Specifications – Code Documentation
![Page 57: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/57.jpg)
57
Extending List: List with Side Effects
Peter Müller – Software Architecture and Engineering
class SmallList extends List {void shrink( ) {int l = elems.length / 2;if( len <= l ) {E[ ] tmp = new E[ l ];System.arraycopy( elems, 0, tmp, 0, len );elems = tmp;
}}
}
elems:2len:
list1
array
array
Is this an optimization or does it change the behavior?
3. Modeling and Specifications – Code Documentation
![Page 58: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/58.jpg)
58
Extending List: List with Side Effects
Peter Müller – Software Architecture and Engineering
class SmallList extends List {void shrink( ) {int l = elems.length / 2;if( len <= l ) {E[ ] tmp = new E[ l ];System.arraycopy( elems, 0, tmp, 0, len );elems = tmp;
}}
}
elems:2len:
list1
array
Is this an optimization or does it change the behavior?
3. Modeling and Specifications – Code Documentation
![Page 59: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/59.jpg)
59
Extending List: List with Side Effects
Peter Müller – Software Architecture and Engineering
class SmallList extends List {void shrink( ) {int l = elems.length / 2;if( len <= l ) {E[ ] tmp = new E[ l ];System.arraycopy( elems, 0, tmp, 0, len );elems = tmp;
}}
}
elems:2len:
list1array
Is this an optimization or does it change the behavior?
3. Modeling and Specifications – Code Documentation
![Page 60: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/60.jpg)
60
Extending List: List with Side Effects
Peter Müller – Software Architecture and Engineering
class SmallList extends List {void shrink( ) {int l = elems.length / 2;if( len <= l ) {E[ ] tmp = new E[ l ];System.arraycopy( elems, 0, tmp, 0, len );elems = tmp;
}}
}
elems:2len:
list1
elems:4len:
list2
array
Is this an optimization or does it change the behavior?
3. Modeling and Specifications – Code Documentation
![Page 61: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/61.jpg)
61
Extending List: List with Side Effects
Peter Müller – Software Architecture and Engineering
class SmallList extends List {void shrink( ) {int l = elems.length / 2;if( len <= l ) {E[ ] tmp = new E[ l ];System.arraycopy( elems, 0, tmp, 0, len );elems = tmp;
}}
}
elems:2len:
list1
elems:4len:
list2
array
array
Is this an optimization or does it change the behavior?
3. Modeling and Specifications – Code Documentation
![Page 62: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/62.jpg)
62
Extending List: List with Side Effects
Peter Müller – Software Architecture and Engineering
class SmallList extends List {void shrink( ) {int l = elems.length / 2;if( len <= l ) {E[ ] tmp = new E[ l ];System.arraycopy( elems, 0, tmp, 0, len );elems = tmp;
}}
}
elems:2len:
list1
elems:4len:
list2
array
array
Is this an optimization or does it change the behavior?
Need to determine whether the elems
array may be shared
3. Modeling and Specifications – Code Documentation
![Page 63: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/63.jpg)
63
Extending List: Reference Counting
Peter Müller – Software Architecture and Engineering
class SmallList extends List {void shrink( ) {int l = rep.elems.length / 2;if( len <= l ) {E[ ] tmp = new E[ l ];System.arraycopy( rep.elems, 0, tmp, 0, len );rep.elems = tmp;
}}
}
3. Modeling and Specifications – Code Documentation
![Page 64: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/64.jpg)
64
Extending List: Reference Counting
Peter Müller – Software Architecture and Engineering
class SmallList extends List {void shrink( ) {int l = rep.elems.length / 2;if( len <= l ) {E[ ] tmp = new E[ l ];System.arraycopy( rep.elems, 0, tmp, 0, len );rep.elems = tmp;
}}
}
Is this an optimization or does it change the behavior?
3. Modeling and Specifications – Code Documentation
![Page 65: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/65.jpg)
65
Extending List: Reference Counting
Peter Müller – Software Architecture and Engineering
class SmallList extends List {void shrink( ) {int l = rep.elems.length / 2;if( len <= l ) {E[ ] tmp = new E[ l ];System.arraycopy( rep.elems, 0, tmp, 0, len );rep.elems = tmp;
}}
}
Is this an optimization or does it change the behavior?
rep:2len:
list1
rep:4len:
list2
array
elems:trueshared:
rep
3. Modeling and Specifications – Code Documentation
![Page 66: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/66.jpg)
66
Extending List: Reference Counting
Peter Müller – Software Architecture and Engineering
class SmallList extends List {void shrink( ) {int l = rep.elems.length / 2;if( len <= l ) {E[ ] tmp = new E[ l ];System.arraycopy( rep.elems, 0, tmp, 0, len );rep.elems = tmp;
}}
}
Is this an optimization or does it change the behavior?
rep:2len:
list1
rep:4len:
list2
array
array
elems:trueshared:
rep
3. Modeling and Specifications – Code Documentation
![Page 67: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/67.jpg)
67
Extending List: Reference Counting
Peter Müller – Software Architecture and Engineering
class SmallList extends List {void shrink( ) {int l = rep.elems.length / 2;if( len <= l ) {E[ ] tmp = new E[ l ];System.arraycopy( rep.elems, 0, tmp, 0, len );rep.elems = tmp;
}}
}
Is this an optimization or does it change the behavior?
rep:2len:
list1
rep:4len:
list2
array
array
elems:trueshared:
rep
3. Modeling and Specifications – Code Documentation
![Page 68: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/68.jpg)
68
Extending List: Reference Counting
Peter Müller – Software Architecture and Engineering
class SmallList extends List {void shrink( ) {int l = rep.elems.length / 2;if( len <= l ) {E[ ] tmp = new E[ l ];System.arraycopy( rep.elems, 0, tmp, 0, len );rep.elems = tmp;
}}
}
Is this an optimization or does it change the behavior?
rep:2len:
list1
rep:4len:
list2
array
array
elems:trueshared:
rep
Need to determine whether the list representation may
be shared
3. Modeling and Specifications – Code Documentation
![Page 69: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/69.jpg)
69
Extending List: Reference Counting
Peter Müller – Software Architecture and Engineering
class SmallList extends List {void shrink( ) {int l = rep.elems.length / 2;if( len <= l ) {E[ ] tmp = new E[ l ];System.arraycopy( rep.elems, 0, tmp, 0, len );rep.elems = tmp;
}}
}
Is this an optimization or does it change the behavior?
rep:2len:
list1
rep:4len:
list2
array
array
elems:trueshared:
rep
Need to determine whether the list representation may
be sharedNeed to determine whether the elems
array may be shared
3. Modeling and Specifications – Code Documentation
![Page 70: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/70.jpg)
70
Extending List: Reference Counting (cont’d)
Peter Müller – Software Architecture and Engineering
class SmallList extends List {void shrink( ) {int l = rep.elems.length / 2;if( len <= l ) {E[ ] tmp = new E[ l ];System.arraycopy( rep.elems, 0, tmp, 0, len );if( rep.shared ) rep = new ListRep<E>( );rep.elems = tmp;
}}
} rep:
2len:
list1
rep:4len:
list2
array
elems:trueshared:
rep
3. Modeling and Specifications – Code Documentation
![Page 71: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/71.jpg)
71
Extending List: Reference Counting (cont’d)
Peter Müller – Software Architecture and Engineering
class SmallList extends List {void shrink( ) {int l = rep.elems.length / 2;if( len <= l ) {E[ ] tmp = new E[ l ];System.arraycopy( rep.elems, 0, tmp, 0, len );if( rep.shared ) rep = new ListRep<E>( );rep.elems = tmp;
}}
} rep:
2len:
list1
rep:4len:
list2
array
elems:trueshared:
rep
Assume that the elems array is
not shared
3. Modeling and Specifications – Code Documentation
![Page 72: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/72.jpg)
72
Extending List: Reference Counting (cont’d)
Peter Müller – Software Architecture and Engineering
class SmallList extends List {void shrink( ) {int l = rep.elems.length / 2;if( len <= l ) {E[ ] tmp = new E[ l ];System.arraycopy( rep.elems, 0, tmp, 0, len );if( rep.shared ) rep = new ListRep<E>( );rep.elems = tmp;
}}
} rep:
2len:
list1
rep:4len:
list2
array
array
elems:trueshared:
rep
Assume that the elems array is
not shared
3. Modeling and Specifications – Code Documentation
![Page 73: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/73.jpg)
73
Extending List: Reference Counting (cont’d)
Peter Müller – Software Architecture and Engineering
class SmallList extends List {void shrink( ) {int l = rep.elems.length / 2;if( len <= l ) {E[ ] tmp = new E[ l ];System.arraycopy( rep.elems, 0, tmp, 0, len );if( rep.shared ) rep = new ListRep<E>( );rep.elems = tmp;
}}
} rep:
2len:
list1
rep:4len:
list2
array
array
elems:trueshared:
rep
elems:falseshared:
rep
Assume that the elems array is
not shared
3. Modeling and Specifications – Code Documentation
![Page 74: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/74.jpg)
74
Extending List: Reference Counting (cont’d)
Peter Müller – Software Architecture and Engineering
class SmallList extends List {void shrink( ) {int l = rep.elems.length / 2;if( len <= l ) {E[ ] tmp = new E[ l ];System.arraycopy( rep.elems, 0, tmp, 0, len );if( rep.shared ) rep = new ListRep<E>( );rep.elems = tmp;
}}
} rep:
2len:
list1
rep:4len:
list2
array
array
elems:trueshared:
rep
elems:falseshared:
rep
Assume that the elems array is
not shared
3. Modeling and Specifications – Code Documentation
![Page 75: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/75.jpg)
75
Extending List: Reference Counting (cont’d)
Peter Müller – Software Architecture and Engineering
class SmallList extends List {void shrink( ) {int l = rep.elems.length / 2;if( len <= l ) {E[ ] tmp = new E[ l ];System.arraycopy( rep.elems, 0, tmp, 0, len );if( rep.shared ) rep = new ListRep<E>( );rep.elems = tmp;
}}
} rep:
2len:
list1
rep:4len:
list2
array
array
elems:trueshared:
rep
elems:falseshared:
rep
Assume that the elems array is
not shared
3. Modeling and Specifications – Code Documentation
![Page 76: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/76.jpg)
76
Extending List: Reference Counting (cont’d)
Peter Müller – Software Architecture and Engineering
class SmallList extends List {void shrink( ) {int l = rep.elems.length / 2;if( len <= l ) {E[ ] tmp = new E[ l ];System.arraycopy( rep.elems, 0, tmp, 0, len );if( rep.shared ) rep = new ListRep<E>( );rep.elems = tmp;
}}
} rep:
2len:
list1
rep:4len:
list2
array
array
elems:trueshared:
rep
elems:falseshared:
rep
Assume that the elems array is
not shared
Need to determine whether the shared
array may be modified
3. Modeling and Specifications – Code Documentation
![Page 77: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/77.jpg)
77
Source Code is Insufficient
Developers require information that is difficult to extract from source code- Possible result values of a method, and when they occur- Possible side effects of methods- Consistency conditions of data structures- How data structures evolve over time- Whether objects are shared among data structures
Details in the source code may be overwhelming
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications – Code Documentation
![Page 78: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/78.jpg)
78
Source Code is Insufficient (cont’d)
Source code does not express which properties are stable during software evolution- Which details are essential and which are incidental?
Peter Müller – Software Architecture and Engineering
int find( int[ ] array, int v ) {for( int i = 0; i < array.length; i++ )if( array[ i ] == v ) return i;
return -1;}
3. Modeling and Specifications – Code Documentation
![Page 79: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/79.jpg)
79
Source Code is Insufficient (cont’d)
Source code does not express which properties are stable during software evolution- Which details are essential and which are incidental?
Peter Müller – Software Architecture and Engineering
int find( int[ ] array, int v ) {for( int i = 0; i < array.length; i++ )if( array[ i ] == v ) return i;
return -1;}
Can we rely on the result r being the
smallest index such that array[ r ] == v?
3. Modeling and Specifications – Code Documentation
![Page 80: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/80.jpg)
80
Source Code is Insufficient (cont’d)
Source code does not express which properties are stable during software evolution- Which details are essential and which are incidental?
Peter Müller – Software Architecture and Engineering
int find( int[ ] array, int v ) {for( int i = 0; i < array.length; i++ )if( array[ i ] == v ) return i;
return -1;}
int find( int[ ] array, int v ) {if( 256 <= array.length ) {// perform parallel search and// return first hit
} else {// sequential search like before
}}Can we rely on the
result r being the smallest index such that array[ r ] == v?
3. Modeling and Specifications – Code Documentation
![Page 81: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/81.jpg)
81
Peter Müller – Software Architecture and Engineering
3. Modeling and Specification
3.1 Code Documentation3.1.1 What to Document3.1.2 How to Document
3.2 Informal Models3.3 Formal Models
3. Modeling and Specifications – Code Documentation
![Page 82: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/82.jpg)
82
Documentation
Essential properties must be documented explicitly
Documentation should focus on what the essential properties are, not how they are achieved- “Whenever a ListRep object’s shared-field is false, it is
used as representation of at most one List object”Rather than- “When creating a new List object with an existing ListRep
object, the shared-field is set to true”
Peter Müller – Software Architecture and Engineering
For clients:How to use the code?
Document the interface
For implementors:How does the code work?
Document the implementation
3. Modeling and Specifications – Code Documentation
![Page 83: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/83.jpg)
83
Interface Documentation
The client interface of a class consists of- Constructors- Methods- Fields- Supertypes
We focus on methods here- Constructors are analogous- Fields can be viewed as getter and setter methods
Peter Müller – Software Architecture and Engineering
For clients:How to use the code?
Document the interface
3. Modeling and Specifications – Code Documentation
![Page 84: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/84.jpg)
84
Method Documentation: Call
Clients need to know how to call a method correctly
Peter Müller – Software Architecture and Engineering
class InputStreamReader {int read( char cbuf[ ], int offset, int len ) throws IOException…
}
Parameter values- cbuf is non-null- offset is non-negative- len is non-negative- offset + len is at most
cbuf.length
Input state- The receiver is open
3. Modeling and Specifications – Code Documentation
![Page 85: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/85.jpg)
85
Method Documentation: Results
Clients need to know how what a method returns
Peter Müller – Software Architecture and Engineering
class InputStreamReader {int read( char cbuf[ ], int offset, int len ) throws IOException…
}
Result values- The method returns -1 if the end of the stream has been
reached before any characters are read- Otherwise, the result is between 0 and len, and
indicates how many characters have been read from the stream
3. Modeling and Specifications – Code Documentation
![Page 86: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/86.jpg)
86
Method Documentation: Effects
Clients need to know how a method affects the state
Peter Müller – Software Architecture and Engineering
Heap effects- “result” characters have
been consumed from the stream and stored in cbuf, from offset onwards
- If the result is -1, no characters are consumed and cbuf is unchanged
Other effects- The method throws an
IOException if the stream is closed or an I/O error occurs
- It does not block
3. Modeling and Specifications – Code Documentation
![Page 87: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/87.jpg)
87
Method Documentation: Another Example
The method returns a shallow copy of its receiver- The list is copied, but not its contents
The result is a fresh object The method requires constant time and space
Peter Müller – Software Architecture and Engineering
class List<E> {… List<E> clone( ) {rep.shared = true;return new List<E>( rep, len );
}}
3. Modeling and Specifications – Code Documentation
![Page 88: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/88.jpg)
88
Interface Documentation: Global Properties
Some implementations have properties that affect all methods- Properties of the data structure, that is, guarantees that
are maintained by all methods together- Requirements made by all methods
Peter Müller – Software Architecture and Engineering
Consistency: properties of states- Example: a list is sorted- Gives guarantees for various methods- Client-visible invariants
int a = list.first( );int b = list.itemAt( 1 );int c = list.last( );// a <= b <= c
3. Modeling and Specifications – Code Documentation
![Page 89: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/89.jpg)
89
Interface Document.: Global Properties (cont’d)
Evolution: properties of sequences of states- Example: a list is immutable- Gives guarantees for various methods- Invariants on sequences of states
Peter Müller – Software Architecture and Engineering
int a = list.first( );// arbitrary operationsint b = list.first( );// a == b
3. Modeling and Specifications – Code Documentation
![Page 90: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/90.jpg)
90
Interface Document.: Global Properties (cont’d)
Evolution: properties of sequences of states- Example: a list is immutable- Gives guarantees for various methods- Invariants on sequences of states
Abbreviations: requirements or guarantees for all methods- Example: a list is not thread-safe
Clients must ensure they have exclusive access to the list, for instance, because the execution is sequential, the list is thread-local, or they have acquired a lock
Peter Müller – Software Architecture and Engineering
int a = list.first( );// arbitrary operationsint b = list.first( );// a == b
3. Modeling and Specifications – Code Documentation
![Page 91: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/91.jpg)
91
For implementors:How does the code work?
Document the implementation
Implementation Documentation
Method documentation is similar to interfaces- Often more details, for instance, effects on fields- Includes hidden methods
Data structure documentation is more prominent- Properties of fields, internal sharing, etc.- Implementation invariants
Documentation of the algorithms inside the code- For instance, justification of assumptions
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications – Code Documentation
![Page 92: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/92.jpg)
92
Implementation Documentation: Example1. elems is non-null2. elems is pointed to by only one object3. When the shared-field is true then
shared, elems, and all elements of elems are immutable
4. When the shared-field is false, the ListRep object is used as representation of at most one List object
5. rep is pointed to only by List objects6. rep is non-null7. 0 <= len <= rep.elems.length
Peter Müller – Software Architecture and Engineering
class ListRep<E> {E[ ] elems;boolean shared;…
}
class List<E> {ListRep<E> rep; int len;…
}
3. Modeling and Specifications – Code Documentation
![Page 93: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/93.jpg)
93
Impl. Documentation: Example (cont’d)
Peter Müller – Software Architecture and Engineering
/* This method reduces the memory footprint of the list if it is uses at most* 50% of its capacity, and does nothing otherwise. It optimizes the * memory consumption if the underlying array is not shared or if it is * shared but will be copied several times after shrinking. The list content * remains unchanged. */void shrink( ) {// perform array copy only if array size can be reduced by 50%if( len <= rep.elems.length / 2 ) {E[ ] tmp;tmp = new E[ rep.elems.length / 2 ];System.arraycopy( rep.elems, 0, tmp, 0, len );if( rep.shared ) rep = new ListRep<E>( );// rep is not shared, so we may update its arrayrep.elems = tmp;
}}
3. Modeling and Specifications – Code Documentation
![Page 94: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/94.jpg)
94
Impl. Documentation: Example (cont’d)1. elems is non-null2. elems is pointed to by only one object3. When the shared-field is true then
shared, elems, and all elements of elems are immutable
4. When the shared-field is false, the ListRep object is used as representation of at most one List object
5. rep is pointed to only by List objects6. rep is non-null7. 0 <= len <= rep.elems.length
Peter Müller – Software Architecture and Engineering
void shrink( ) {int l = rep.elems.length / 2;if( len <= l ) {E[ ] tmp;tmp = new E[ l ];System.arraycopy( … );if( rep.shared ) rep = new ListRep<E>( );
rep.elems = tmp;}
}
3. Modeling and Specifications – Code Documentation
![Page 95: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/95.jpg)
95
Impl. Documentation: Example (cont’d)1. elems is non-null2. elems is pointed to by only one object3. When the shared-field is true then
shared, elems, and all elements of elems are immutable
4. When the shared-field is false, the ListRep object is used as representation of at most one List object
5. rep is pointed to only by List objects6. rep is non-null7. 0 <= len <= rep.elems.length
Peter Müller – Software Architecture and Engineering
void shrink( ) {int l = rep.elems.length / 2;if( len <= l ) {E[ ] tmp;tmp = new E[ l ];System.arraycopy( … );rep.elems = tmp;
}}
3. Modeling and Specifications – Code Documentation
![Page 96: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/96.jpg)
96
Impl. Documentation: Example (cont’d)1. elems is non-null2. elems is pointed to by only one object3. When the shared-field is true then
shared, elems, and all elements of elems are immutable
4. When the shared-field is false, the ListRep object is used as representation of at most one List object
5. rep is pointed to only by List objects6. rep is non-null7. 0 <= len <= rep.elems.length
Peter Müller – Software Architecture and Engineering
void shrink( ) {int l = rep.elems.length / 2;if( len <= l ) {E[ ] tmp;tmp = new E[ l ];System.arraycopy( … );rep.elems = tmp;
}}
3. Modeling and Specifications – Code Documentation
![Page 97: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/97.jpg)
97
Impl. Documentation: Example (cont’d)1. elems is non-null2. elems is pointed to by only one object3. When the shared-field is true then
shared, elems, and all elements of elems are immutable
4. When the shared-field is false, the ListRep object is used as representation of at most one List object
5. rep is pointed to only by List objects6. rep is non-null7. 0 <= len <= rep.elems.length
Peter Müller – Software Architecture and Engineering
void shrink( ) {int l = rep.elems.length / 2;if( len <= l ) {E[ ] tmp;tmp = new E[ l ];System.arraycopy( … );rep.elems = tmp;
}}
3. Modeling and Specifications – Code Documentation
![Page 98: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/98.jpg)
98
Documentation: Key Properties
Methods and constructors- Arguments and input state- Results and output state- Effects
Data structures- Value and structural invariants- One-state and temporal invariants
Algorithms- Behavior of code snippets (analogous to methods)- Explanation of control flow- Justification of assumptions
Peter Müller – Software Architecture and Engineering
For clients:How to use the code?
Document the interface
For implementors:How does the code work?
Document the implementation
3. Modeling and Specifications – Code Documentation
![Page 99: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/99.jpg)
99
Peter Müller – Software Architecture and Engineering
3. Modeling and Specification
3.1 Code Documentation3.1.1 What to Document3.1.2 How to Document
3.2 Informal Models3.3 Formal Models
3. Modeling and Specifications – Code Documentation
![Page 100: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/100.jpg)
100
Comments
Simple, flexible way of documenting interfaces and implementations
Tool support is limited- HTML generation- Not present in
executable code- Relies on conventions
Javadoc- Textual descriptions- Tags
Peter Müller – Software Architecture and Engineering
/*** Returns the value to which the * specified key is mapped, or * {@code null} if this map contains no * mapping for the key.** @param key the key whose associated* value is to be returned* @return the value to which the * specified key is mapped, or* {@code null} if this map contains* no mapping for the key* @throws NullPointerException if the * specified key is null and this map* does not permit null keys*/
V get( Object key );
3. Modeling and Specifications – Code Documentation
![Page 101: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/101.jpg)
101
Types and Modifiers
Types document typically syntactic aspects of inputs, results, and invariants
Peter Müller – Software Architecture and Engineering
HashMap<String,String> m;m = SomeLibrary.foo( );String s = m.get( “key” );
from SomeLibrary import foom = foo( )s = m[ 'key' ] Python
3. Modeling and Specifications – Code Documentation
![Page 102: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/102.jpg)
102
Types and Modifiers
Types document typically syntactic aspects of inputs, results, and invariants
Modifiers can express some specific semantic properties
Peter Müller – Software Architecture and Engineering
HashMap<String,String> m;m = SomeLibrary.foo( );String s = m.get( “key” );
from SomeLibrary import foom = foo( )s = m[ 'key' ] Python
class HashMap<K,V> … {final float loadFactor;…
}
3. Modeling and Specifications – Code Documentation
![Page 103: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/103.jpg)
103
Types and Modifiers
Types document typically syntactic aspects of inputs, results, and invariants
Modifiers can express some specific semantic properties
Tool support- Static checking- Run-time checking- Auto-completion
Peter Müller – Software Architecture and Engineering
HashMap<String,String> m;m = SomeLibrary.foo( );String s = m.get( “key” );
from SomeLibrary import foom = foo( )s = m[ 'key' ] Python
class HashMap<K,V> … {final float loadFactor;…
}
3. Modeling and Specifications – Code Documentation
![Page 104: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/104.jpg)
104
Effect Systems
Effect systems are extensions of type systems that describe computational effects- Read and write effects- Allocation and de-allocation- Locking- Exceptions
Tool support- Static checking
Trade-off between overhead and benefitPeter Müller – Software Architecture and Engineering
class InputStreamReader {int read( ) throws IOException…
}
try {int i = isr.read( );
} catch( IOException e ) {…
}
3. Modeling and Specifications – Code Documentation
![Page 105: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/105.jpg)
105
Metadata
Annotations allow one to attach additional syntactic and semantic information to declarations
Tool support- Type checking of
annotations- Static processing through
compiler plug-ins- Dynamic processing
Peter Müller – Software Architecture and Engineering
@interface NonNull{ }
@NonNull Image getImage( ) {if( image == null ) {// load the image
}return image;
}
@interface UnderConstruction { String owner( );
}
@UnderConstruction( owner = “Busy Guy” )
class ResourceManager { … }
3. Modeling and Specifications – Code Documentation
![Page 106: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/106.jpg)
106
Assertions
Assertions specify semantic properties of implementations- Boolean conditions that
need to hold
Tool support- Run-time checking- Static checking- Test case generation
Peter Müller – Software Architecture and Engineering
void shrink( ) {int l = rep.elems.length / 2;if( len <= l ) {E[ ] tmp = new E[ l ];System.arraycopy( … );if( rep.shared ) rep = new ListRep<E>( );
assert !rep.shared;rep.elems = tmp;
}}
3. Modeling and Specifications – Code Documentation
![Page 107: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/107.jpg)
107
Contracts Contracts are stylized
assertions for the documentation of interfaces and implementations- Method pre and
postconditions- Invariants
Tool support- Run-time checking- Static checking- Test case generation
Peter Müller – Software Architecture and Engineering
class ImageFile {String file;invariant file != null;Image image; invariant old( image ) != null ==>
old( image ) == image;ImageFile( String f ) requires f != null;
{ file = f; }Image getImage( ) ensures result != null;
{if( image == null ) { // load the image }return image;
}}
3. Modeling and Specifications – Code Documentation
![Page 108: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/108.jpg)
108
Documentation: Techniques
Trade-off between overhead, expressiveness, precision, and benefit- Formal techniques require more overhead, but enable
better tool support- In practice, a mix of the different techniques is useful
It is better to simplify than to describe complexity!- If you have a procedure with ten parameters, you
probably missed some. [ Alan J. Perlis ]
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications – Code Documentation
![Page 109: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/109.jpg)
109
Peter Müller – Software Architecture and Engineering
3. Modeling and Specification
3.1 Source Code3.2 Informal Models3.3 Formal Models
3. Modeling and Specifications – Informal Models
![Page 110: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/110.jpg)
110
Underspecification
Software is typically designed iteratively
Each iteration adds details and reflects design decisions that have been left open in the previous iteration- Choice of data structures- Choice of algorithms- Details of control and
data flow
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications – Informal Models
![Page 111: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/111.jpg)
111
Underspecification
Software is typically designed iteratively
Each iteration adds details and reflects design decisions that have been left open in the previous iteration- Choice of data structures- Choice of algorithms- Details of control and
data flow
Peter Müller – Software Architecture and Engineering
class Student {Program major;…
}
class University {Set<Student> students;…
}
3. Modeling and Specifications – Informal Models
![Page 112: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/112.jpg)
112
Underspecification
Software is typically designed iteratively
Each iteration adds details and reflects design decisions that have been left open in the previous iteration- Choice of data structures- Choice of algorithms- Details of control and
data flow
Peter Müller – Software Architecture and Engineering
class Student {Program major;…
}
class University {Map<Student, Program> enrollment;…
}
class University {Set<Student> students;…
}
class Student {…
}
3. Modeling and Specifications – Informal Models
![Page 113: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/113.jpg)
113
Underspecification (cont’d)
Dispatch an event to all observers
Peter Müller – Software Architecture and Engineering
class Subject {Set<Observer> observers;
/* This method calls update* on each registered observer* in an unspecified order. */void notify( ) {for( Observer o : observers )o.update( );
}}
3. Modeling and Specifications – Informal Models
![Page 114: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/114.jpg)
114
Underspecification (cont’d)
Dispatch an event to all observers
Open bank account if all conditions are met
Peter Müller – Software Architecture and Engineering
class Subject {Set<Observer> observers;
/* This method calls update* on each registered observer* in an unspecified order. */void notify( ) {for( Observer o : observers )o.update( );
}}
abstract class Account {boolean open;abstract boolean
allConditions( … );void open( … ) { if( allConditions( … ) )open = true;
elsethrow …;
}}
3. Modeling and Specifications – Informal Models
![Page 115: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/115.jpg)
115
Views
Many software engineering tasks require specific views on the design
Examples- Software architecture: Is it possible for an app to be
terminated without prior notification?- Test data generation: What are all the possible object
configurations for a data structure?- Security review: What is the communication protocol
between a client and the server?- Deployment: Which software component runs on which
hardware?
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications – Informal Models
![Page 116: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/116.jpg)
116
Design Specifications
Source code provides very limited support for leaving design choices unspecified- Often because code is executable- In some cases, subclassing can be used
Some relevant design information is not represented in the program or difficult to extract- Source code and documentation are too verbose- Tools can extract some information like control or data
flow graphs Design specifications are models of the software
system that provide suitable abstractions
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications – Informal Models
![Page 117: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/117.jpg)
117
Peter Müller – Software Architecture and Engineering
What is Modeling?
Building an abstraction of reality- Abstractions from things, people, and processes- Relationships between these abstractions
Abstractions are simplifications- They ignore irrelevant details- What is relevant or irrelevant depends on the purpose of
the model Draw complicated conclusions in the reality with
simple steps in the model Modeling is a means for dealing with complexity
3. Modeling and Specifications – Informal Models
![Page 118: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/118.jpg)
118
Peter Müller – Software Architecture and Engineering
Example 1: Street Map3. Modeling and Specifications – Informal Models
![Page 119: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/119.jpg)
119
Peter Müller – Software Architecture and Engineering
Example 2: Atom Models in Physics
Bohr model- Nucleus surrounded by
electrons in orbit- Explains, e.g., spectra
Quantum physics - Position of electrons described
by probability distribution- Takes into account
Heisenberg’s uncertainty principle
3. Modeling and Specifications – Informal Models
![Page 120: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/120.jpg)
120
Peter Müller – Software Architecture and Engineering
The Unified Modeling Language UML
UML is a modeling language- Using text and graphical notation- For documenting specification,
analysis, design, and implementation
Importance- Recommended OMG (Object Management Group)
standard notation- De facto standard in industrial software development
3. Modeling and Specifications – Informal Models
![Page 121: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/121.jpg)
121
Peter Müller – Software Architecture and Engineering
UML Notations
Use case diagrams – requirements of a system Class diagrams – structure of a system Interaction diagrams – message passing
- Sequence diagrams- Collaboration diagrams
State and activity diagrams – actions of an object Implementation diagrams
- Component model – dependencies between code- Deployment model – structure of the runtime system
Object constraint language (OCL)
3. Modeling and Specifications – Informal Models
![Page 122: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/122.jpg)
122
Peter Müller – Software Architecture and Engineering
3. Modeling and Specification
3.1 Code Documentation3.2 Informal Models
3.2.1 Static Models3.2.2 Dynamic Models3.2.3 Contracts3.2.4 Mapping Models to Code
3.3 Formal Models
3. Modeling and Specifications – Informal Models
![Page 123: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/123.jpg)
123
Peter Müller – Software Architecture and Engineering
Classes
A class includes state (attributes) and behavior(operations)- Each attribute has a type- Each operation has a signature
The class name is the only mandatory information
TarifSchedulezone2price: Table getZones( ): Enumeration getPrice( z: Zone ): Price
NameType
Signature Operations
Attributes
3. Modeling and Specifications – Informal Models
![Page 124: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/124.jpg)
124
Peter Müller – Software Architecture and Engineering
More on Classes
Valid UML class diagrams
Corresponding BON diagram- No distinction between attributes
and operations (uniform access principle)
TarifSchedulezone2pricegetZones( )getPrice( )
TarifSchedule
TarifSchedulegetZonesgetPrice
NONEzone2price
3. Modeling and Specifications – Informal Models
![Page 125: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/125.jpg)
125
Peter Müller – Software Architecture and Engineering
Instances (Objects)
nightTarif:TarifSchedulezone2price = {(‘1’, 1.60),(‘2’, 2.40),(‘3’, 3.20)
}
Name of an instance is underlined
Attributes are represented
with their values
Name of an instance can contain the class of the
instance
:TarifSchedulezone2price = {(‘1’, 1.60),(‘2’, 2.40),(‘3’, 3.20)
}
Name of an instance is
optional
3. Modeling and Specifications – Informal Models
![Page 126: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/126.jpg)
126
Peter Müller – Software Architecture and Engineering
Associations
A link represents a connection between two objects- Ability of an object to send a message to another object - Object A has an attribute whose value is B - Object A creates object B- Object A receives a message with object B as argument
Associations denote relationships between classes
Person Companyworks for
Optional label
employee employer
Optional rolesOptional roles
3. Modeling and Specifications – Informal Models
![Page 127: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/127.jpg)
127
Peter Müller – Software Architecture and Engineering
Multiplicity of Associations
The multiplicity of an association end denotes how many objects the source object can reference- Exact number: 1, 2, etc. (1 is the default)- Arbitrary number: * (zero or more)- Range: 1..3, 1..*
1-to-(at most) 1 association
1-to-many association
City Country
Polygon Point
1 0..1
3..*
is capital of
3. Modeling and Specifications – Informal Models
![Page 128: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/128.jpg)
128
Peter Müller – Software Architecture and Engineering
Navigability
Associations can be directed
Person Company*
Person Company*
Person Company*
Person knows about Company
Company knows about Person
Person and Company know about each other
3. Modeling and Specifications – Informal Models
![Page 129: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/129.jpg)
129
Peter Müller – Software Architecture and Engineering
Composition
Composition expresses an exclusive part-of (“has-a”) relationship- Special form of association- No sharing
Composition can be decorated like other associations- Multiplicity, label, roles
3. Modeling and Specifications – Informal Models
Point
Polygon
3..*
Circle
1center
Aggregate
Aggregate
Component
0..1
0..1
![Page 130: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/130.jpg)
130
Peter Müller – Software Architecture and Engineering
Generalization and Specialization
Generalization expresses a kind-of (“is-a”) relationship
Generalization is implemented by inheritance- The child classes inherit the
attributes and operations of the parent class
Generalization simplifies the model by eliminating redundancy
Polygon
Rectangle
Superclass
Subclass
3. Modeling and Specifications – Informal Models
![Page 131: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/131.jpg)
131
Example: Underspecification
The class diagram leaves the choice of data structure unspecified
Peter Müller – Software Architecture and Engineering
class Student {Program major;…
}
class University {Map<Student, Program> enrollment;…
}
class University {Set<Student> students;…
}
class Student {…
}
University
Student
Program
*
*
3. Modeling and Specifications – Informal Models
![Page 132: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/132.jpg)
132
Example: Views
The class diagram represents only the structure of the system, not the dynamic behavior
Some relevant invariants are represented
Peter Müller – Software Architecture and Engineering
Collection
RefCountListlen: int
ArrayListlen: int
Array
Array
ListRepshared: bool
*
3. Modeling and Specifications – Informal Models
![Page 133: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/133.jpg)
133
Peter Müller – Software Architecture and Engineering
3. Modeling and Specification
3.1 Code Documentation3.2 Informal Models
3.2.1 Static Models3.2.2 Dynamic Models3.2.3 Contracts3.2.4 Mapping Models to Code
3.3 Formal Models
3. Modeling and Specifications – Informal Models
![Page 134: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/134.jpg)
134
Peter Müller – Software Architecture and Engineering
Dynamic Models
Static models describe the structure of a system
Dynamic models describe its behavior
Sequence diagrams describe collaboration
between objects
State diagramsdescribe the lifetime of a
single object
3. Modeling and Specifications – Informal Models
![Page 135: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/135.jpg)
135
Peter Müller – Software Architecture and Engineering
UML Sequence Diagrams
:Client :Terminal
insertCard( )
insertPIN( )
Actors and objects: columns
Lifelines: dashed lines
Activations: narrow
rectangles
Messages: arrowsTime
3. Modeling and Specifications – Informal Models
![Page 136: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/136.jpg)
136
Peter Müller – Software Architecture and Engineering
Nested Messages
The source of an arrow indicates the activation which sent the message
An activation is as long as all nested activations
:Client :Terminal
insertCard( )
:ClientData
check( data )
ok / nok
:Display
displayMessage( text )
Data flow
3. Modeling and Specifications – Informal Models
![Page 137: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/137.jpg)
137
Peter Müller – Software Architecture and Engineering
Creation and Destruction
Creation is denoted by a message arrow pointing to the object
:Terminal
:Sessionstart( )
log( )
close( )
Creation
3. Modeling and Specifications – Informal Models
![Page 138: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/138.jpg)
138
Peter Müller – Software Architecture and Engineering
Creation and Destruction
Creation is denoted by a message arrow pointing to the object
In garbage collection environments, destruction can be used to denote the end of the useful life of an object
:Terminal
:Sessionstart( )
Destructionlog( )
close( )
Creation
3. Modeling and Specifications – Informal Models
![Page 139: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/139.jpg)
139
Peter Müller – Software Architecture and Engineering
Example: Underspecification and Viewss : Subject o1: Observer o2: Observer
setState( … )
notify( )
update( )
getState( )
update( )
getState( )
par
3. Modeling and Specifications – Informal Models
![Page 140: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/140.jpg)
140
Peter Müller – Software Architecture and Engineering
State
An abstraction of the attribute values of an object
A state is an equivalence class of all those attribute values and links that do not need to be distinguished for the control structure of the class
Example: State of an account- An account is open, closed, or pending- Omissions: account number, owner, etc.- All open accounts are in the same equivalence class,
independent of their number, owner, etc.
3. Modeling and Specifications – Informal Models
![Page 141: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/141.jpg)
141
UML State Diagrams
Objects with extended lifespan often have state-dependent behavior
Modeled as state diagram (also called state chart)
Peter Müller – Software Architecture and Engineering
State 1
do / activityentry / actionexit / action
State 2
do / activityentry / actionexit / action
Event( par ) [ condition ] / action
States: rounded
rectanglesTransitions:
arrowsStart
markerEnd
marker
3. Modeling and Specifications – Informal Models
![Page 142: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/142.jpg)
142
Peter Müller – Software Architecture and Engineering
Events, Actions, and Activities
Event: Something that happens at a point in time- Examples: Receipt of a message, change event for a
condition, time event
Action: Operation in response to an event- Example: Object performs a computation upon receipt of
a message
Activity: Operation performed as long as object is in some state- Example: Object performs a computation without external
trigger
3. Modeling and Specifications – Informal Models
![Page 143: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/143.jpg)
143
abstract class Account {boolean open;abstract boolean allConditions( … );void open( … ) { if( allConditions( … ) ) open = true;else throw …;
}}
Example: Underspecification
Peter Müller – Software Architecture and Engineering
Closed
Open
open( )
3. Modeling and Specifications – Informal Models
Pendingentry / review( )
[ all conditions met ]open( )
[ condition violated ]
![Page 144: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/144.jpg)
144
Peter Müller – Software Architecture and Engineering
Example: Views
Not Running Foregroundlaunch( )
BackgroundSuspended
other appis launched / free memory
Notified[ low memory ]
3. Modeling and Specifications – Informal Models
after 10s
notify( )
resume( )
event( )
resume( )
![Page 145: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/145.jpg)
145
Peter Müller – Software Architecture and Engineering
Practical Tips for Dynamic Modeling
Construct dynamic models only for classes with significant dynamic behavior
Consider only relevant attributes- Use abstraction if necessary
Look at the granularity of the application when deciding on actions and activities
3. Modeling and Specifications – Informal Models
![Page 146: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/146.jpg)
146
Peter Müller – Software Architecture and Engineering
3. Modeling and Specification
3.1 Code Documentation3.2 Informal Models
3.2.1 Static Models3.2.2 Dynamic Models3.2.3 Contracts3.2.4 Mapping Models to Code
3.3 Formal Models
3. Modeling and Specifications – Informal Models
![Page 147: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/147.jpg)
147
Peter Müller – Software Architecture and Engineering
Diagrams are not Enough
Person
marry( )
spouse
0..1
“is married to”
3. Modeling and Specifications – Informal Models
![Page 148: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/148.jpg)
148
Peter Müller – Software Architecture and Engineering
Diagrams are not Enough
Carol is married to Alice, Alice is married to Bob, and Bob is not married at all
A valid instantiation of the class diagram! Associations describe relations between classes
Person
marry( )
spouse
0..1Carol: Person
Alice: PersonBob: Person
spouse
spouse“is married to”
3. Modeling and Specifications – Informal Models
![Page 149: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/149.jpg)
149
Peter Müller – Software Architecture and Engineering
Diagrams are not Enough (cont’d)
Carol is married to Alice, who is only eleven A valid instantiation of the class diagram! Class diagrams do not restrict values of attributes
Person
age
spouse
0..1
Alice: Person
spouse
spouse
age = 11
Carol: Person
age = 18
3. Modeling and Specifications – Informal Models
![Page 150: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/150.jpg)
150
Peter Müller – Software Architecture and Engineering
Diagrams are not Enough (cont’d)
Carol is married to Alice, who is only eleven A valid instantiation of the class diagram! Class diagrams do not restrict values of attributes
Person
age
spouse
0..1
Married persons are at least 16 years old Alice: Person
spouse
spouse
age = 11
Carol: Person
age = 18
3. Modeling and Specifications – Informal Models
![Page 151: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/151.jpg)
151
Peter Müller – Software Architecture and Engineering
Object Constraint Language – OCL
The contract language for UML
Used to specify- Invariants of objects- Pre- and postconditions of operations- Conditions (for instance, in state diagrams)
Special support for- Navigation through UML class diagram- Associations with multiplicities
3. Modeling and Specifications – Informal Models
![Page 152: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/152.jpg)
152
Peter Müller – Software Architecture and Engineering
Form of OCL Invariants
Constraints can mention- self: the contextual
instance- Attributes and role names- Side-effect free methods
(stereotype <<query>>)- Logical connectives- Operations on integers,
reals, strings, sets, bags, sequences
- Etc.
context Person inv: self.age >= 0
The context is an instance of a class in the UML diagram
Declares an invariant
A boolean constraint
3. Modeling and Specifications – Informal Models
![Page 153: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/153.jpg)
153
Peter Müller – Software Architecture and Engineering
OCL Invariants
A savings account has a non-negative balance
Checking accounts are owned by adults
context SavingsAccount inv: self.balance >= 0
Accountbalance
CheckingAccountSavingsAccount
Customerage
* owner
context CheckingAccount inv: self.owner.age >= 18
Role name
3. Modeling and Specifications – Informal Models
![Page 154: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/154.jpg)
154
OCL Pre- and Postconditions
Peter Müller – Software Architecture and Engineering
context Account::Withdraw( a: int )pre: a >= 0post: GetBalance( ) = GetBalance@pre( ) - a
Context specifies method signature
Suffix @pre is used to refer to prestate values
3. Modeling and Specifications – Informal Models
![Page 155: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/155.jpg)
155
Peter Müller – Software Architecture and Engineering
3. Modeling and Specification
3.1 Code Documentation3.2 Informal Models
3.2.1 Static Models3.2.2 Dynamic Models3.2.3 Contracts3.2.4 Mapping Models to Code
3.3 Formal Models
3. Modeling and Specifications – Informal Models
![Page 156: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/156.jpg)
156
Peter Müller – Software Architecture and Engineering
Implementation of UML Models in Java
Personage: int
class Person {private int age;
public void setAge( int a ) { age = a; }
public int getAge( ) { return age; }
}Programmer
writeCode( )class Programmer extends Person {public void writeCode( ) { … }
}
3. Modeling and Specifications – Informal Models
![Page 157: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/157.jpg)
157
Peter Müller – Software Architecture and Engineering
Model-Driven Development: Idea
Work on the level of design models Generate code automatically
Advantages- Supports many implementation platforms- Frees programmers from recurring activities- Leads to uniform code- Useful to enforce coding conventions
(e.g., getters and setters) - Models are not mere documentation
3. Modeling and Specifications – Informal Models
![Page 158: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/158.jpg)
158
Peter Müller – Software Architecture and Engineering
Problem: Abstraction Mismatch
UML models may use different abstractions than the programming language
Model should not depend on implementation language
Models cannot always be mapped directly to code
Personage: int
Programmer
writeCode( )
Subject
notify( )
How to mapmultiple inheritance?
3. Modeling and Specifications – Informal Models
![Page 159: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/159.jpg)
159
Peter Müller – Software Architecture and Engineering
Problem: Specifications are Incomplete
class App {private State state;public App( ) { state = NOT_RUNNING; }
public void launch( )requires state == NOT_RUNNING;{ state = FOREGROUND; }
public void event( ) requires state == FOREGROUND;{ }
}
Not Running Foregroundlaunch( )
event( )
3. Modeling and Specifications – Informal Models
![Page 160: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/160.jpg)
160
Peter Müller – Software Architecture and Engineering
Problem: Specifications are Incomplete
class App {private State state;public App( ) { state = NOT_RUNNING; }
public void launch( )requires state == NOT_RUNNING;{ state = FOREGROUND; }
public void event( ) requires state == FOREGROUND;{ }
}
Where is the interesting behavior?
Not Running Foregroundlaunch( )
event( )
3. Modeling and Specifications – Informal Models
![Page 161: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/161.jpg)
161
Peter Müller – Software Architecture and Engineering
Problem: Specifications may be Informal
public void open( ) requires state == CLOSED;requires “all conditions met” || “condition violated”;
{if ( “all conditions met” ) state = OPEN;else { state = PENDING; review( ); }
}
Closed
Open
open( )
Pendingentry / review( )
[ all conditions met ]open( )
[ condition violated ]
3. Modeling and Specifications – Informal Models
![Page 162: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/162.jpg)
162
Peter Müller – Software Architecture and Engineering
Problem: Specifications may be Informal
public void open( ) requires state == CLOSED;requires “all conditions met” || “condition violated”;
{if ( “all conditions met” ) state = OPEN;else { state = PENDING; review( ); }
}How to map
informal specifications?
Closed
Open
open( )
Pendingentry / review( )
[ all conditions met ]open( )
[ condition violated ]
3. Modeling and Specifications – Informal Models
![Page 163: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/163.jpg)
163
Peter Müller – Software Architecture and Engineering
Problem: Switching between Models and Code
Code has to be changed manually- Add interesting behavior- Clarify informal specifications- Implement incomplete specifications
Modification of code requires complicated synchronization between code and models
3. Modeling and Specifications – Informal Models
![Page 164: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/164.jpg)
164
Peter Müller – Software Architecture and Engineering
Model-Driven Development: Reality
Works in specific domains (e.g., business process modeling)
Code generation works for basic properties Interesting code is still implemented manually Problems
- Maintaining code that has no models (reverse-engineering)
- Once code has been modified manually, going back to the model is difficult (or impossible)
3. Modeling and Specifications – Informal Models
![Page 165: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/165.jpg)
165
Peter Müller – Software Architecture and Engineering
Mapping Classes and Inheritance
Classes may be split into interfaces and implementation classes
Attributes should be non-public- Generate getters and setters with appropriate visibility
Methods are straightforward Inheritance can be mapped to inheritance or
subtyping plus aggregation and delegationPerson
Programmer
Subject Person
Programmer
ISubject
Subject
3. Modeling and Specifications – Informal Models
![Page 166: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/166.jpg)
166
Mapping Associations
Associations are typically mapped to fields
or separate objects (collections)
Peter Müller – Software Architecture and Engineering
class Student {Program major;… }
class University {Map<Student, Program> enrollment;… }
class University {Set<Student> students;… }
class Student {… }
University Student Program**
3. Modeling and Specifications – Informal Models
![Page 167: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/167.jpg)
167
Peter Müller – Software Architecture and Engineering
Mapping Sequence Diagrams
:Client :Terminal
insertCard( )
:ClientData
check( data )
ok / nok
:Display
displayMessage( text )
public void insertCard( ) {boolean res = clientData.check( data );display.displayMessage( text );
}
3. Modeling and Specifications – Informal Models
![Page 168: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/168.jpg)
168
Peter Müller – Software Architecture and Engineering
Mapping Sequence Diagrams
:Client :Terminal
insertCard( )
:ClientData
check( data )
ok / nok
:Display
displayMessage( text )
public void insertCard( ) {boolean res = clientData.check( data );display.displayMessage( text );
}
Synchronous messages are
implemented by method calls
3. Modeling and Specifications – Informal Models
![Page 169: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/169.jpg)
169
Peter Müller – Software Architecture and Engineering
Mapping State Diagrams
Closed
Open
open( )
Pendingentry / review( )
[ all conditions met ]open( )
[ condition violated ]
open( )
3. Modeling and Specifications – Informal Models
![Page 170: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/170.jpg)
170
Peter Müller – Software Architecture and Engineering
Mapping State Diagrams (cont’d)
public void open( ) throws … {switch( state ) {case CLOSED: if ( “all conditions met” ) state = OPEN;
else { state = PENDING; review( );
}break;
case PENDING: break;
default: throw new UnexpectedStateException( );
}}
3. Modeling and Specifications – Informal Models
![Page 171: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/171.jpg)
171
Peter Müller – Software Architecture and Engineering
Mapping State Diagrams (cont’d)
public void open( ) throws … {switch( state ) {case CLOSED: if ( “all conditions met” ) state = OPEN;
else { state = PENDING; review( );
}break;
case PENDING: break;
default: throw new UnexpectedStateException( );
}}
Introduce state variable for
current state
3. Modeling and Specifications – Informal Models
![Page 172: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/172.jpg)
172
Peter Müller – Software Architecture and Engineering
Mapping State Diagrams (cont’d)
public void open( ) throws … {switch( state ) {case CLOSED: if ( “all conditions met” ) state = OPEN;
else { state = PENDING; review( );
}break;
case PENDING: break;
default: throw new UnexpectedStateException( );
}}
Introduce state variable for
current state
Check condition of transition
3. Modeling and Specifications – Informal Models
![Page 173: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/173.jpg)
173
Peter Müller – Software Architecture and Engineering
Mapping State Diagrams (cont’d)
public void open( ) throws … {switch( state ) {case CLOSED: if ( “all conditions met” ) state = OPEN;
else { state = PENDING; review( );
}break;
case PENDING: break;
default: throw new UnexpectedStateException( );
}}
Introduce state variable for
current state
Transition
Check condition of transition
3. Modeling and Specifications – Informal Models
![Page 174: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/174.jpg)
174
Peter Müller – Software Architecture and Engineering
Mapping State Diagrams (cont’d)
public void open( ) throws … {switch( state ) {case CLOSED: if ( “all conditions met” ) state = OPEN;
else { state = PENDING; review( );
}break;
case PENDING: break;
default: throw new UnexpectedStateException( );
}}
Introduce state variable for
current state
Transition
Check condition of transition
Perform action
3. Modeling and Specifications – Informal Models
![Page 175: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/175.jpg)
175
Peter Müller – Software Architecture and Engineering
Mapping State Diagrams (cont’d)
public void open( ) throws … {switch( state ) {case CLOSED: if ( “all conditions met” ) state = OPEN;
else { state = PENDING; review( );
}break;
case PENDING: break;
default: throw new UnexpectedStateException( );
}}
Introduce state variable for
current state
Transition
Check condition of transition
Perform action
Illegal state or message
3. Modeling and Specifications – Informal Models
![Page 176: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/176.jpg)
176
Informal Modeling: Summary
Strengths Describe particular
views on the overall system
Omit some information or specify it informally
Graphical notation facilitates communication
Weaknesses Precise meaning of
models is often unclear
Incomplete and informal models hamper tool support
Many details are hard to depict visually
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications – Informal Models
![Page 177: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/177.jpg)
177
Peter Müller – Software Architecture and Engineering
3. Modeling and Specification
3.1 Source Code3.2 Informal Models3.3 Formal Models
3. Modeling and Specifications – Formal Models
![Page 178: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/178.jpg)
178
Formal Modeling
Notations and tools are based on mathematics, hence precise
Typically used to describe some aspect of a system
Peter Müller – Software Architecture and Engineering
Carol: Person
Alice: PersonBob: Person
spouse
spouse
context SavingsAccount inv: self.amount >= 0
Formal models enable automatic analysis- Finding ill-formed
examples
- Checking properties
3. Modeling and Specifications – Formal Models
![Page 179: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/179.jpg)
179
Alloy
Alloy is a formal modeling language based on set theory
An Alloy model specifies a collection of constraints that describe a set of structures
The Alloy Analyzer is a solver that takes the constraints of a model and finds structures that satisfy them- Generate sample structures- Generate counterexamples for invalid properties- Visualize structures
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications – Formal Models
![Page 180: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/180.jpg)
180
Alloy Documentation and Download
Documentation- Useful tutorials available at
alloy.mit.edu- Book by Daniel Jackson
Download- Get latest version at
alloy.mit.edu/alloy/download.html- Requires JRE 6
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications – Formal Models
![Page 181: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/181.jpg)
181
Peter Müller – Software Architecture and Engineering
3. Modeling and Specification
3.1 Source Code3.2 Informal Models3.3 Formal Models
3.3.1 Static Models3.3.2 Dynamic Models3.3.3 Analyzing Models
3. Modeling and Specifications – Formal Models
![Page 182: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/182.jpg)
182
Signatures
A signature declares a set of atoms- Think of signatures as classes- Think of atoms as immutable
objects- Different signatures declare
disjoint sets
Extends-clauses declare subsets relations- File and Dir are disjoint
subsets of FSObject
Peter Müller – Software Architecture and Engineering
sig FSObject { }
sig File extends FSObject { }sig Dir extends FSObject { }
3. Modeling and Specifications – Formal Models
![Page 183: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/183.jpg)
183
Operations on Sets
Standard set operators- + (union)- & (intersection)- - (difference)- in (subset)- = (equality)- # (cardinality)- none (empty set)- univ (universal set)
Comprehensions
Peter Müller – Software Architecture and Engineering
sig File extends FSObject { }sig Dir extends FSObject { }
#{ f: FSObject | f in File + Dir } >= #Dir
#( File + Dir ) >= #Dir
3. Modeling and Specifications – Formal Models
![Page 184: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/184.jpg)
184
More on Signatures
Signature can be abstract- Like abstract classes
Peter Müller – Software Architecture and Engineering
abstract sig FSObject { }sig File extends FSObject { }sig Dir extends FSObject { }
3. Modeling and Specifications – Formal Models
![Page 185: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/185.jpg)
185
More on Signatures
Signature can be abstract- Like abstract classes- Closed world assumption: the
declared set contains exactly the elements of the declared subsets
Peter Müller – Software Architecture and Engineering
abstract sig FSObject { }sig File extends FSObject { }sig Dir extends FSObject { }
FSObject = File + Dir
3. Modeling and Specifications – Formal Models
![Page 186: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/186.jpg)
186
More on Signatures
Signature can be abstract- Like abstract classes- Closed world assumption: the
declared set contains exactly the elements of the declared subsets
Signatures may constrain the cardinalities of the declared sets- one: singleton set- lone: singleton or empty set- some: non-empty set
Peter Müller – Software Architecture and Engineering
abstract sig FSObject { }sig File extends FSObject { }sig Dir extends FSObject { }
one sig Root extends Dir { }
FSObject = File + Dir
3. Modeling and Specifications – Formal Models
![Page 187: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/187.jpg)
187
Fields
A field declares a relation on atoms- f is a binary relation with
domain A and range given by expression e
- Think of fields as associations
Peter Müller – Software Architecture and Engineering
sig A {f: e
}
3. Modeling and Specifications – Formal Models
![Page 188: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/188.jpg)
188
Fields
A field declares a relation on atoms- f is a binary relation with
domain A and range given by expression e
- Think of fields as associations Range expressions may
denote multiplicities- one: singleton set (default)- lone: singleton or empty set- some: non-empty set- set: any set
Peter Müller – Software Architecture and Engineering
abstract sig FSObject {parent: lone Dir
}
sig A {f: e
}
sig Dir extends FSObject { contents: set FSObject
}
3. Modeling and Specifications – Formal Models
![Page 189: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/189.jpg)
189
Operations on Relations
Standard operators- -> (cross product)- . (relational join)- ~ (transposition)- ^ (transitive closure)- * (reflexive, transitive closure)- <: (domain restriction)- >: (range restriction)- ++ (override)- iden (identity relation)- [ ] (box join: e1[ e2 ] = e2.e1)
Peter Müller – Software Architecture and Engineering
abstract sig FSObject {parent: lone Dir
}
sig Dir extends FSObject { contents: set FSObject
}
one sig Root extends Dir { }
FSObject in Root.*contents
3. Modeling and Specifications – Formal Models
![Page 190: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/190.jpg)
190
Operations on Relations
Standard operators- -> (cross product)- . (relational join)- ~ (transposition)- ^ (transitive closure)- * (reflexive, transitive closure)- <: (domain restriction)- >: (range restriction)- ++ (override)- iden (identity relation)- [ ] (box join: e1[ e2 ] = e2.e1)
Peter Müller – Software Architecture and Engineering
abstract sig FSObject {parent: lone Dir
}
sig Dir extends FSObject { contents: set FSObject
}
one sig Root extends Dir { }
FSObject in Root.*contents
All file system objects are contained in the
root directory
3. Modeling and Specifications – Formal Models
![Page 191: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/191.jpg)
191
Relational Join: Example
Consider a structure with four FSObjectatoms- r: Root, d1, d2: Dir,
f: Fileand contents relation
The reflexive, transitive closure *contents is
The relational join Root.*contents is
Peter Müller – Software Architecture and Engineering
(r)(r,d1) (d1,d2) (d2,f)
(r,d1) (d1,d2) (d2,f)(d1,f) (r,d2) (r,f)
(r,r) (d1,d1) (d2,d2) (f,f)
(r,d1)(d1,d2)(d2,f)(d1,f)(r,d2)(r,f)(r,r)
(d1,d1)(d2,d2)
(f,f)
(d1)(d2)(f)(r)
. =
*contents
Root
3. Modeling and Specifications – Formal Models
![Page 192: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/192.jpg)
192
Relational Join: Example
Consider a structure with four FSObjectatoms- r: Root, d1, d2: Dir,
f: Fileand contents relation
The reflexive, transitive closure *contents is
The relational join Root.*contents is
Peter Müller – Software Architecture and Engineering
(r)(r,d1) (d1,d2) (d2,f)
(r,d1) (d1,d2) (d2,f)(d1,f) (r,d2) (r,f)
(r,r) (d1,d1) (d2,d2) (f,f)
(r,d1)(d1,d2)(d2,f)(d1,f)(r,d2)(r,f)(r,r)
(d1,d1)(d2,d2)
(f,f)
(d1)(d2)(f)(r)
. =
*contents
Root
3. Modeling and Specifications – Formal Models
![Page 193: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/193.jpg)
193
Relational Join: Example
Consider a structure with four FSObjectatoms- r: Root, d1, d2: Dir,
f: Fileand contents relation
The reflexive, transitive closure *contents is
The relational join Root.*contents is
Peter Müller – Software Architecture and Engineering
(r)(r,d1) (d1,d2) (d2,f)
(r,d1) (d1,d2) (d2,f)(d1,f) (r,d2) (r,f)
(r,r) (d1,d1) (d2,d2) (f,f)
(r,d1)(d1,d2)(d2,f)(d1,f)(r,d2)(r,f)(r,r)
(d1,d1)(d2,d2)
(f,f)
(d1)(d2)(f)(r)
. =
*contents
Root
3. Modeling and Specifications – Formal Models
![Page 194: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/194.jpg)
194
Relational Join: Example
Consider a structure with four FSObjectatoms- r: Root, d1, d2: Dir,
f: Fileand contents relation
The reflexive, transitive closure *contents is
The relational join Root.*contents is
Peter Müller – Software Architecture and Engineering
(r)(r,d1) (d1,d2) (d2,f)
(r,d1) (d1,d2) (d2,f)(d1,f) (r,d2) (r,f)
(r,r) (d1,d1) (d2,d2) (f,f)
(r,d1)(d1,d2)(d2,f)(d1,f)(r,d2)(r,f)(r,r)
(d1,d1)(d2,d2)
(f,f)
(d1)(d2)(f)(r)
. =
*contents
Root
3. Modeling and Specifications – Formal Models
![Page 195: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/195.jpg)
195
Relational Join: Example
Consider a structure with four FSObjectatoms- r: Root, d1, d2: Dir,
f: Fileand contents relation
The reflexive, transitive closure *contents is
The relational join Root.*contents is
Peter Müller – Software Architecture and Engineering
(r)(r,d1) (d1,d2) (d2,f)
(r,d1) (d1,d2) (d2,f)(d1,f) (r,d2) (r,f)
(r,r) (d1,d1) (d2,d2) (f,f)
(r,d1)(d1,d2)(d2,f)(d1,f)(r,d2)(r,f)(r,r)
(d1,d1)(d2,d2)
(f,f)
(d1)(d2)(f)(r)
. =
*contents
Root
3. Modeling and Specifications – Formal Models
![Page 196: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/196.jpg)
196
Relational Join: Example
Consider a structure with four FSObjectatoms- r: Root, d1, d2: Dir,
f: Fileand contents relation
The reflexive, transitive closure *contents is
The relational join Root.*contents is
Peter Müller – Software Architecture and Engineering
(r)(r,d1) (d1,d2) (d2,f)
(r,d1) (d1,d2) (d2,f)(d1,f) (r,d2) (r,f)
(r,r) (d1,d1) (d2,d2) (f,f)
(r,d1)(d1,d2)(d2,f)(d1,f)(r,d2)(r,f)(r,r)
(d1,d1)(d2,d2)
(f,f)
(d1)(d2)(f)(r)
. =
*contents
Root
3. Modeling and Specifications – Formal Models
![Page 197: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/197.jpg)
197
Relational Join: Example
Consider a structure with four FSObjectatoms- r: Root, d1, d2: Dir,
f: Fileand contents relation
The reflexive, transitive closure *contents is
The relational join Root.*contents is
Peter Müller – Software Architecture and Engineering
(r)(r,d1) (d1,d2) (d2,f)
(r,d1) (d1,d2) (d2,f)(d1,f) (r,d2) (r,f)
(r,r) (d1,d1) (d2,d2) (f,f)
(r,d1)(d1,d2)(d2,f)(d1,f)(r,d2)(r,f)(r,r)
(d1,d1)(d2,d2)
(f,f)
(d1)(d2)(f)(r)
. =
*contents
Root
3. Modeling and Specifications – Formal Models
![Page 198: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/198.jpg)
198
Relational Join: Example
Consider a structure with four FSObjectatoms- r: Root, d1, d2: Dir,
f: Fileand contents relation
The reflexive, transitive closure *contents is
The relational join Root.*contents is
Peter Müller – Software Architecture and Engineering
(r)(r,d1) (d1,d2) (d2,f)
(r,d1) (d1,d2) (d2,f)(d1,f) (r,d2) (r,f)
(r,r) (d1,d1) (d2,d2) (f,f)
(r,d1)(d1,d2)(d2,f)(d1,f)(r,d2)(r,f)(r,r)
(d1,d1)(d2,d2)
(f,f)
(d1)(d2)(f)(r)
. =
*contents
Root
3. Modeling and Specifications – Formal Models
![Page 199: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/199.jpg)
199
Relational Join: Example
Consider a structure with four FSObjectatoms- r: Root, d1, d2: Dir,
f: Fileand contents relation
The reflexive, transitive closure *contents is
The relational join Root.*contents is
Peter Müller – Software Architecture and Engineering
(r)(r,d1) (d1,d2) (d2,f)
(r,d1) (d1,d2) (d2,f)(d1,f) (r,d2) (r,f)
(r,r) (d1,d1) (d2,d2) (f,f)
(r,d1)(d1,d2)(d2,f)(d1,f)(r,d2)(r,f)(r,r)
(d1,d1)(d2,d2)
(f,f)
(d1)(d2)(f)(r)
. =
*contents
Root
3. Modeling and Specifications – Formal Models
![Page 200: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/200.jpg)
200
Relational Join: Example
Consider a structure with four FSObjectatoms- r: Root, d1, d2: Dir,
f: Fileand contents relation
The reflexive, transitive closure *contents is
The relational join Root.*contents is
Peter Müller – Software Architecture and Engineering
(r)(r,d1) (d1,d2) (d2,f)
(r,d1) (d1,d2) (d2,f)(d1,f) (r,d2) (r,f)
(r,r) (d1,d1) (d2,d2) (f,f)
(r,d1)(d1,d2)(d2,f)(d1,f)(r,d2)(r,f)(r,r)
(d1,d1)(d2,d2)
(f,f)
(d1)(d2)(f)(r)
. =
*contents
Root
FSObject in Root.*contents
3. Modeling and Specifications – Formal Models
![Page 201: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/201.jpg)
201
More on Fields
Fields may range over relations Relation declarations may include multiplicities on
both sides- one, lone, some, set (default)
Range expressions may depend on other fields
Peter Müller – Software Architecture and Engineering
sig University { enrollment: Student set -> one Program
}
sig University { students: set Student,enrollment: students set -> one Program
}
3. Modeling and Specifications – Formal Models
![Page 202: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/202.jpg)
202
Constraints
Boolean operators- ! or not (negation)- && or and (conjunction)- || or or (disjunction)- => or implies (implication)- else (alternative)- <=> or iff (equivalence)
Four equivalent constraints
Quantified expressions- some e
e has at least one tuple- no e
e has no tuples- lone e
e has at most one tuple- one e
e has exactly one tuple
Peter Müller – Software Architecture and Engineering
F => G else HF implies G else H
(F && G) || ((!F) && H)(F and G) or ((not F) and H)
no Root.parent
3. Modeling and Specifications – Formal Models
![Page 203: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/203.jpg)
203
Alloy supports five different quantifiers- all x: e | F
F holds for every x in e- some x: e | F
F holds for at least one x in e- no x: e | F
F holds for no x in e- lone x: e | F
F holds for at most one x in e- one x: e | F
F holds for exactly one x in e
Quantification
Quantifiers may have the following forms- all x: e | F- all x: e1, y: e2 | F- all x, y: e | F- all disj x, y: e | F
contents-relation isacyclic
Peter Müller – Software Architecture and Engineering
no d: Dir | d in d.^contents
3. Modeling and Specifications – Formal Models
![Page 204: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/204.jpg)
204
Predicates and Functions
Predicates are named, parameterized formulas
Functions are named, parameterized expressions
Peter Müller – Software Architecture and Engineering
fun f[ x1: e1, …, xn: en ]: e { E }
pred p[ x1: e1, ..., xn: en ] { F }
pred isLeave[ f: FSObject ] {f in File || no f.contents
}
fun leaves[ f: FSObject ]: set FSObject {{ x: f.*contents | isLeave[ x ] }
}
3. Modeling and Specifications – Formal Models
![Page 205: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/205.jpg)
205
Exploring the Model
The Alloy Analyzer can search for structures that satisfy the constraints M in a model
Peter Müller – Software Architecture and Engineering
fun f[ x1: e1, …, xn: en ]: e { E }
pred p[ x1: e1, ..., xn: en ] { F }
run p
run f
Find instance of a predicate- A solution to
M && some x1: e1, …, xn: en | F
Find instance of a function- A solution to
M && some x1: e1, …, xn: en, res: e | res = E
3. Modeling and Specifications – Formal Models
![Page 206: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/206.jpg)
206
Exploring the Model: Scopes
The existence of a structure that satisfies the constraints in a model is in general undecidable
The Alloy Analyzer searches exhaustively for structures up to a given size- The problem becomes finite and, thus, decidable
Peter Müller – Software Architecture and Engineering
run isLeaverun isLeave for 5
run isLeave for 5 Dir, 2 Filerun isLeave for exactly 5 Dirrun isLeave for 5 but 3 Dir
run isLeave for 5 but exactly 3 Dir
3. Modeling and Specifications – Formal Models
![Page 207: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/207.jpg)
207
Exploring the Model: Example
Peter Müller – Software Architecture and Engineering
abstract sig FSObject {parent: lone Dir
}
sig Dir extends FSObject { contents: set FSObject
}
one sig Root extends Dir { }
3. Modeling and Specifications – Formal Models
![Page 208: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/208.jpg)
208
Exploring the Model: Example
Peter Müller – Software Architecture and Engineering
abstract sig FSObject {parent: lone Dir
}
sig Dir extends FSObject { contents: set FSObject
}
one sig Root extends Dir { }Root should not have a parent
3. Modeling and Specifications – Formal Models
![Page 209: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/209.jpg)
209
Exploring the Model: Example
Peter Müller – Software Architecture and Engineering
abstract sig FSObject {parent: lone Dir
}
sig Dir extends FSObject { contents: set FSObject
}
one sig Root extends Dir { }Root should not have a parent
A directory should not
contain itself
3. Modeling and Specifications – Formal Models
![Page 210: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/210.jpg)
210
Exploring the Model: Example
Peter Müller – Software Architecture and Engineering
abstract sig FSObject {parent: lone Dir
}
sig Dir extends FSObject { contents: set FSObject
}
one sig Root extends Dir { }Root should not have a parent
A directory should not
contain itself
contents and parent should be inverse relations
3. Modeling and Specifications – Formal Models
![Page 211: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/211.jpg)
211
Adding Constraints
Facts add constraints that always hold- run searches for solutions that satisfy all constraints
Facts express value and structural invariants of the model
Peter Müller – Software Architecture and Engineering
fact { F }fact f { F }
sig S { … } { F }
3. Modeling and Specifications – Formal Models
![Page 212: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/212.jpg)
212
Adding Constraints: Example
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications – Formal Models
![Page 213: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/213.jpg)
213
Adding Constraints: Example
Peter Müller – Software Architecture and Engineering
Root should not have a parent
fact { no Root.parent }
3. Modeling and Specifications – Formal Models
![Page 214: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/214.jpg)
214
Adding Constraints: Example
Peter Müller – Software Architecture and Engineering
Root should not have a parent
contents and parent should be inverse relations
fact { no Root.parent }
fact { all d: Dir, o: d.contents | o.parent = d }
3. Modeling and Specifications – Formal Models
![Page 215: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/215.jpg)
215
Adding Constraints: Example
Peter Müller – Software Architecture and Engineering
Root should not have a parent
A directory should not
contain itself
contents and parent should be inverse relations
fact { no Root.parent }
fact { no d: Dir | d in d.^contents }
fact { all d: Dir, o: d.contents | o.parent = d }
3. Modeling and Specifications – Formal Models
![Page 216: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/216.jpg)
216
Checking the Model
Exploring models by manually inspecting instances is cumbersome for non-trivial models
The Alloy Analyzer can search for structures that violate a given property- Counterexample to an assertion- The search is complete for the given scope
Peter Müller – Software Architecture and Engineering
assert a { F }
check a scope
For a model with constraints M, find a solution to M && !F
3. Modeling and Specifications – Formal Models
![Page 217: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/217.jpg)
217
Finding a counterexample
Proving a property
Checking the Model: Example
Peter Müller – Software Architecture and Engineering
pred isLeave[ f: FSObject ] {f in File || no f.contents
}
assert nonEmptyRoot { !isLeave[ Root ] }check nonEmptyRoot for 3
assert acyclic { no d: Dir | d in d.^contents }check acyclic for 5
3. Modeling and Specifications – Formal Models
![Page 218: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/218.jpg)
218
Finding a counterexample
Proving a property
Checking the Model: Example
Peter Müller – Software Architecture and Engineering
pred isLeave[ f: FSObject ] {f in File || no f.contents
}
assert nonEmptyRoot { !isLeave[ Root ] }check nonEmptyRoot for 3
assert acyclic { no d: Dir | d in d.^contents }check acyclic for 5
Validity is checked only within the given scope
3. Modeling and Specifications – Formal Models
![Page 219: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/219.jpg)
219
Under and Over-Constrained Models
Missing or weak facts under-constrain the model- They permit undesired structures- Under-constrained models are typically easy to detect
during model exploration (using run) and assertion checking (using check)
Unnecessary facts over-constrain the model- They exclude desired structures
Inconsistencies are an extremecase of over-constraining- They preclude the existence
of any structure- All assertion checks will succeed!
Peter Müller – Software Architecture and Engineering
assert nonSense { 0 = 1 }check nonSense
fact acyclic { no d: Dir | d in d.*contents
}
3. Modeling and Specifications – Formal Models
![Page 220: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/220.jpg)
220
Guidelines to Avoid Over-Constraining
Simulate model to check consistency- Use run to ensure that structures exist- Create predicates with desired configurations and use
run to ensure they exist
Prefer assertions over facts- When in doubt, check whether current model already
ensures a desired property before adding it as a fact
Peter Müller – Software Architecture and Engineering
pred show { }run show
fact acyclic { no d: Dir | d in d.*contents }
3. Modeling and Specifications – Formal Models
![Page 221: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/221.jpg)
221
Implementation Documentation: Example1. elems is non-null2. elems is pointed to by only one object3. When the shared-field is true then
shared, elems, and all elements of elems are immutable
4. When the shared-field is false, the ListRep object is used as representation of at most one List object
5. rep is pointed to only by List objects6. rep is non-null7. 0 <= len <= rep.elems.length
Peter Müller – Software Architecture and Engineering
class ListRep<E> {E[ ] elems;boolean shared;…
}
class List<E> {ListRep<E> rep; int len;…
}
3. Modeling and Specifications – Code Documentation
![Page 222: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/222.jpg)
222
Reference Counting List: Alloy Model (1)
Peter Müller – Software Architecture and Engineering
open util/boolean
sig E { }
sig Array {length: Int,data: { i: Int | 0 <= i && i < length } -> lone E
}{ 0 <= length }
sig ListRep {elems: Array,shared: Bool
}
fact inv2 { all disj lr1, lr2: ListRep | lr1.elems != lr2.elems }
3. Modeling and Specifications – Formal Models
![Page 223: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/223.jpg)
223
Reference Counting List: Alloy Model (1)
Peter Müller – Software Architecture and Engineering
open util/boolean
sig E { }
sig Array {length: Int,data: { i: Int | 0 <= i && i < length } -> lone E
}{ 0 <= length }
sig ListRep {elems: Array,shared: Bool
}
fact inv2 { all disj lr1, lr2: ListRep | lr1.elems != lr2.elems }
Use library mode for booleans
3. Modeling and Specifications – Formal Models
![Page 224: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/224.jpg)
224
Reference Counting List: Alloy Model (1)
Peter Müller – Software Architecture and Engineering
open util/boolean
sig E { }
sig Array {length: Int,data: { i: Int | 0 <= i && i < length } -> lone E
}{ 0 <= length }
sig ListRep {elems: Array,shared: Bool
}
fact inv2 { all disj lr1, lr2: ListRep | lr1.elems != lr2.elems }
Use library mode for booleans
Encode generic type parameter
3. Modeling and Specifications – Formal Models
![Page 225: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/225.jpg)
225
Reference Counting List: Alloy Model (1)
Peter Müller – Software Architecture and Engineering
open util/boolean
sig E { }
sig Array {length: Int,data: { i: Int | 0 <= i && i < length } -> lone E
}{ 0 <= length }
sig ListRep {elems: Array,shared: Bool
}
fact inv2 { all disj lr1, lr2: ListRep | lr1.elems != lr2.elems }
Use library mode for booleans
Encode generic type parameter
Introduce array signature to model potential sharing
3. Modeling and Specifications – Formal Models
![Page 226: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/226.jpg)
226
Reference Counting List: Alloy Model (1)
Peter Müller – Software Architecture and Engineering
open util/boolean
sig E { }
sig Array {length: Int,data: { i: Int | 0 <= i && i < length } -> lone E
}{ 0 <= length }
sig ListRep {elems: Array,shared: Bool
}
fact inv2 { all disj lr1, lr2: ListRep | lr1.elems != lr2.elems }
Use library mode for booleans
Encode generic type parameter
Introduce array signature to model potential sharing
Array elements may be null
3. Modeling and Specifications – Formal Models
![Page 227: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/227.jpg)
227
Reference Counting List: Alloy Model (1)
Peter Müller – Software Architecture and Engineering
open util/boolean
sig E { }
sig Array {length: Int,data: { i: Int | 0 <= i && i < length } -> lone E
}{ 0 <= length }
sig ListRep {elems: Array,shared: Bool
}
fact inv2 { all disj lr1, lr2: ListRep | lr1.elems != lr2.elems }
Use library mode for booleans
Encode generic type parameter
Introduce array signature to model potential sharing
Array elements may be null
A fact guaranteed by the Java semantics
3. Modeling and Specifications – Formal Models
![Page 228: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/228.jpg)
228
Reference Counting List: Alloy Model (1)
Peter Müller – Software Architecture and Engineering
open util/boolean
sig E { }
sig Array {length: Int,data: { i: Int | 0 <= i && i < length } -> lone E
}{ 0 <= length }
sig ListRep {elems: Array,shared: Bool
}
fact inv2 { all disj lr1, lr2: ListRep | lr1.elems != lr2.elems }
Use library mode for booleans
Encode generic type parameter
Introduce array signature to model potential sharing
Array elements may be null
A fact guaranteed by the Java semantics
elems is non-null (inv1)
3. Modeling and Specifications – Formal Models
![Page 229: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/229.jpg)
229
Reference Counting List: Alloy Model (1)
Peter Müller – Software Architecture and Engineering
open util/boolean
sig E { }
sig Array {length: Int,data: { i: Int | 0 <= i && i < length } -> lone E
}{ 0 <= length }
sig ListRep {elems: Array,shared: Bool
}
fact inv2 { all disj lr1, lr2: ListRep | lr1.elems != lr2.elems }
Use library mode for booleans
Encode generic type parameter
Introduce array signature to model potential sharing
Array elements may be null
A fact guaranteed by the Java semantics
elems is non-null (inv1)
elems is not shared (inv2)
3. Modeling and Specifications – Formal Models
![Page 230: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/230.jpg)
230
Reference Counting List: Alloy Model (2)
Peter Müller – Software Architecture and Engineering
sig List {rep: ListRep, len: Int
}
fact inv4 { all lr: ListRep | isFalse[ lr.shared ] => lone l: List | l.rep = lr }
fact inv7 { all l: List | 0 <= l.len && l.len <= l.rep.elems.length }
3. Modeling and Specifications – Formal Models
![Page 231: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/231.jpg)
231
Reference Counting List: Alloy Model (2)
Peter Müller – Software Architecture and Engineering
sig List {rep: ListRep, len: Int
}
fact inv4 { all lr: ListRep | isFalse[ lr.shared ] => lone l: List | l.rep = lr }
fact inv7 { all l: List | 0 <= l.len && l.len <= l.rep.elems.length }
shared conservatively tracks sharing (inv4)
3. Modeling and Specifications – Formal Models
![Page 232: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/232.jpg)
232
Reference Counting List: Alloy Model (2)
Peter Müller – Software Architecture and Engineering
sig List {rep: ListRep, len: Int
}
fact inv4 { all lr: ListRep | isFalse[ lr.shared ] => lone l: List | l.rep = lr }
fact inv7 { all l: List | 0 <= l.len && l.len <= l.rep.elems.length }
shared conservatively tracks sharing (inv4)
rep is non-null (inv6)
3. Modeling and Specifications – Formal Models
![Page 233: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/233.jpg)
233
Reference Counting List: Alloy Model (2)
Peter Müller – Software Architecture and Engineering
sig List {rep: ListRep, len: Int
}
fact inv4 { all lr: ListRep | isFalse[ lr.shared ] => lone l: List | l.rep = lr }
fact inv7 { all l: List | 0 <= l.len && l.len <= l.rep.elems.length }
shared conservatively tracks sharing (inv4)
rep is non-null (inv6)
len is between zero and array size (inv7)
3. Modeling and Specifications – Formal Models
![Page 234: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/234.jpg)
234
Invariants Revisited1. elems is non-null2. elems is pointed to by only one object3. When the shared-field is true then
shared, elems, and all elements of elems are immutable
4. When the shared-field is false, the ListRep object is used as representation of at most one List object
5. rep is pointed to only by List objects6. rep is non-null7. 0 <= len <= rep.elems.length
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications – Formal Models
![Page 235: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/235.jpg)
235
Invariants Revisited1. elems is non-null2. elems is pointed to by only one object3. When the shared-field is true then
shared, elems, and all elements of elems are immutable
4. When the shared-field is false, the ListRep object is used as representation of at most one List object
5. rep is pointed to only by List objects6. rep is non-null7. 0 <= len <= rep.elems.length
Peter Müller – Software Architecture and Engineering
Alloy does not allow the model to
constrain fields not declared in the model
Alloy does not allow the model to
constrain fields not declared in the model
3. Modeling and Specifications – Formal Models
![Page 236: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/236.jpg)
236
Invariants Revisited1. elems is non-null2. elems is pointed to by only one object3. When the shared-field is true then
shared, elems, and all elements of elems are immutable
4. When the shared-field is false, the ListRep object is used as representation of at most one List object
5. rep is pointed to only by List objects6. rep is non-null7. 0 <= len <= rep.elems.length
Peter Müller – Software Architecture and Engineering
So far, our model does not contain dynamic behavior
Alloy does not allow the model to
constrain fields not declared in the model
Alloy does not allow the model to
constrain fields not declared in the model
3. Modeling and Specifications – Formal Models
![Page 237: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/237.jpg)
237
Example: Underspecification
Peter Müller – Software Architecture and Engineering
class Student {Program major;…
}
class University {Map<Student, Program> enrollment;…
}
class University {Set<Student> students;…
}
class Student {…
}
sig Student { }sig Program { }sig University { }sig State {enrollment: University -> Student -> one Program
}
The Alloy model leaves the choice of data structure unspecified
3. Modeling and Specifications – Formal Models
![Page 238: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/238.jpg)
238
sig E { }sig Array {length: Int,data: { i: Int | 0 <= i && i < length } -> lone E
}{ 0 <= length }sig ListRep {elems: Array,shared: Bool
}fact inv2 { all disj lr1, lr2: ListRep | lr1.elems != lr2.elems
}
Example: Views
The Alloy model represents only the structure of the system, not the dynamic behavior
Some relevant invariants are represented
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications – Formal Models
![Page 239: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/239.jpg)
239
Peter Müller – Software Architecture and Engineering
3. Modeling and Specification
3.1 Source Code3.2 Informal Models3.3 Formal Models
3.3.1 Static Models3.3.2 Dynamic Models3.3.3 Analyzing Models
3. Modeling and Specifications – Formal Models
![Page 240: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/240.jpg)
240
Dynamic Behavior
Alloy has no built-in model of execution- No notion of time or mutable state
State or time have to be modeled explicitly
Peter Müller – Software Architecture and Engineering
sig Array {length: Int,data: { i: Int | 0 <= i && i < length } -> lone E
}
pred update[ a, a’: Array, i: Int, e: E ] {a’.length = a.length &&a’.data = a.data ++ i -> e
}
3. Modeling and Specifications – Formal Models
![Page 241: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/241.jpg)
241
Describing Mutation via Different Atoms
Alloy models describe operations declaratively- Relating the atoms before and after the operation
Peter Müller – Software Architecture and Engineering
pred update[ a, a’: Array, i: Int, e: E ] {a’.length = a.length &&a’.data = a.data ++ i -> e
}
3. Modeling and Specifications – Formal Models
![Page 242: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/242.jpg)
242
Describing Mutation via Different Atoms
Alloy models describe operations declaratively- Relating the atoms before and after the operation
Peter Müller – Software Architecture and Engineering
pred update[ a, a’: Array, i: Int, e: E ] {a’.length = a.length &&a’.data = a.data ++ i -> e
}A regular identifier
3. Modeling and Specifications – Formal Models
![Page 243: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/243.jpg)
243
Describing Mutation via Different Atoms
Alloy models describe operations declaratively- Relating the atoms before and after the operation
Peter Müller – Software Architecture and Engineering
pred update[ a, a’: Array, i: Int, e: E ] {a’.length = a.length &&a’.data = a.data ++ i -> e
}Equality, not assignment
A regular identifier
3. Modeling and Specifications – Formal Models
![Page 244: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/244.jpg)
244
Describing Mutation via Different Atoms
Alloy models describe operations declaratively- Relating the atoms before and after the operation
Modeling mutations via different atoms is cumbersome if atoms occur in several relations
Peter Müller – Software Architecture and Engineering
pred update[ a, a’: Array, i: Int, e: E ] {a’.length = a.length &&a’.data = a.data ++ i -> e
}
pred removeAll[ d, d': Dir ] {d’.parent = d.parent &&d’.contents = none
}
Equality, not assignment
A regular identifier
3. Modeling and Specifications – Formal Models
![Page 245: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/245.jpg)
245
Describing Mutation via Different Atoms
Alloy models describe operations declaratively- Relating the atoms before and after the operation
Modeling mutations via different atoms is cumbersome if atoms occur in several relations
Peter Müller – Software Architecture and Engineering
pred update[ a, a’: Array, i: Int, e: E ] {a’.length = a.length &&a’.data = a.data ++ i -> e
}
pred removeAll[ d, d': Dir ] {d’.parent = d.parent &&d’.contents = none
}
d’ is not automatically in
d.parent.contents
Equality, not assignment
A regular identifier
3. Modeling and Specifications – Formal Models
![Page 246: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/246.jpg)
246
Abstract Machine Idiom
Move all relations and operations to a global state
Operations modify the global state
Peter Müller – Software Architecture and Engineering
sig State { … }pred op1[ s, s’: State, … ] { … }pred opn[ s, s’: State, … ] { … }
3. Modeling and Specifications – Formal Models
![Page 247: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/247.jpg)
247
Abstract Machine: Example
Peter Müller – Software Architecture and Engineering
sig FileSystem {live: set FSObject,root: Dir & live,parent: (live - root) -> one (Dir & live),contents: (Dir & live) -> live
}{contents = ~parentlive in root.*contents
}
abstract sig FSObject { }sig File, Dir extends FSObject { }
3. Modeling and Specifications – Formal Models
![Page 248: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/248.jpg)
248
Abstract Machine: Example
Peter Müller – Software Architecture and Engineering
sig FileSystem {live: set FSObject,root: Dir & live,parent: (live - root) -> one (Dir & live),contents: (Dir & live) -> live
}{contents = ~parentlive in root.*contents
}
abstract sig FSObject { }sig File, Dir extends FSObject { }
FileSystem is the global state
3. Modeling and Specifications – Formal Models
![Page 249: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/249.jpg)
249
Abstract Machine: Example
Peter Müller – Software Architecture and Engineering
sig FileSystem {live: set FSObject,root: Dir & live,parent: (live - root) -> one (Dir & live),contents: (Dir & live) -> live
}{contents = ~parentlive in root.*contents
}
abstract sig FSObject { }sig File, Dir extends FSObject { }
FileSystem is the global state root is a
directory in this file system
3. Modeling and Specifications – Formal Models
![Page 250: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/250.jpg)
250
Abstract Machine: Example
Peter Müller – Software Architecture and Engineering
sig FileSystem {live: set FSObject,root: Dir & live,parent: (live - root) -> one (Dir & live),contents: (Dir & live) -> live
}{contents = ~parentlive in root.*contents
}
abstract sig FSObject { }sig File, Dir extends FSObject { }
FileSystem is the global state root is a
directory in this file system
Every object except root has
exactly one parent
3. Modeling and Specifications – Formal Models
![Page 251: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/251.jpg)
251
Abstract Machine: Example (cont’d)
Peter Müller – Software Architecture and Engineering
pred removeAll[ s, s': FileSystem, o: FSObject ] {o in s.live - s.root &&s'.live = s.live - o.*(s.contents) &&s'.parent = s'.live <: s.parent
}
3. Modeling and Specifications – Formal Models
![Page 252: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/252.jpg)
252
Abstract Machine: Example (cont’d)
Peter Müller – Software Architecture and Engineering
pred removeAll[ s, s': FileSystem, o: FSObject ] {o in s.live - s.root &&s'.live = s.live - o.*(s.contents) &&s'.parent = s'.live <: s.parent
}
Precondition: o is a live objectother than root
3. Modeling and Specifications – Formal Models
![Page 253: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/253.jpg)
253
Abstract Machine: Example (cont’d)
Peter Müller – Software Architecture and Engineering
pred removeAll[ s, s': FileSystem, o: FSObject ] {o in s.live - s.root &&s'.live = s.live - o.*(s.contents) &&s'.parent = s'.live <: s.parent
}
Precondition: o is a live objectother than root
Remove o and everything it (transitively)
contains
3. Modeling and Specifications – Formal Models
![Page 254: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/254.jpg)
254
Abstract Machine: Example (cont’d)
Peter Müller – Software Architecture and Engineering
pred removeAll[ s, s': FileSystem, o: FSObject ] {o in s.live - s.root &&s'.live = s.live - o.*(s.contents) &&s'.parent = s'.live <: s.parent
}
Precondition: o is a live objectother than root
Remove o and everything it (transitively)
contains Restrict domain of
parent relation
3. Modeling and Specifications – Formal Models
![Page 255: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/255.jpg)
255
Abstract Machine: Example (cont’d)
Peter Müller – Software Architecture and Engineering
sig FileSystem {live: set FSObject,root: Dir & live,parent: (live - root) -> one (Dir & live),contents: (Dir & live) -> live
}{contents = ~parentlive in root.*contents
}
pred removeAll[ s, s’: FileSystem, o: FSObject ] {o in s.live - s.root &&s’.live = s.live - o.*(s.contents) &&s’.parent = s’.live <: s.parent
}
3. Modeling and Specifications – Formal Models
![Page 256: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/256.jpg)
256
Abstract Machine: Example (cont’d)
Peter Müller – Software Architecture and Engineering
sig FileSystem {live: set FSObject,root: Dir & live,parent: (live - root) -> one (Dir & live),contents: (Dir & live) -> live
}{contents = ~parentlive in root.*contents
}
pred removeAll[ s, s’: FileSystem, o: FSObject ] {o in s.live - s.root &&s’.live = s.live - o.*(s.contents) &&s’.parent = s’.live <: s.parent
}
What about s’.root and
s’.contents?
3. Modeling and Specifications – Formal Models
![Page 257: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/257.jpg)
257
Abstract Machine: Example (cont’d)
Peter Müller – Software Architecture and Engineering
sig FileSystem {live: set FSObject,root: Dir & live,parent: (live - root) -> one (Dir & live),contents: (Dir & live) -> live
}{contents = ~parentlive in root.*contents
}
pred removeAll[ s, s’: FileSystem, o: FSObject ] {o in s.live - s.root &&s’.live = s.live - o.*(s.contents) &&s’.parent = s’.live <: s.parent
}
What about s’.root and
s’.contents?
Constraints ensure that s.root = s’.root
and thats’.contents = ~(s’.parent)
3. Modeling and Specifications – Formal Models
![Page 258: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/258.jpg)
258
Abstract Machine: Example (cont’d)
Peter Müller – Software Architecture and Engineering
sig FileSystem {live: set FSObject,root: Dir & live,parent: (live - root) -> one (Dir & live),contents: (Dir & live) -> live
}{contents = ~parentlive in root.*contents
}
pred removeAll[ s, s’: FileSystem, o: FSObject ] {o in s.live - s.root &&s’.live = s.live - o.*(s.contents) &&s’.parent = s’.live <: s.parent
}
What about s’.root and
s’.contents?
Constraints ensure that s.root = s’.root
and thats’.contents = ~(s’.parent)
In general, we also have to specify what remains unchanged
3. Modeling and Specifications – Formal Models
![Page 259: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/259.jpg)
259
Declarative Specifications
Alloy specifications are purely declarative- The describe what is done, not how it is done- Specifications abstract over irrelevant details
Peter Müller – Software Architecture and Engineering
int find( int[ ] array, int v ) {for( int i = 0; i < array.length; i++ )if( array[ i ] == v ) return i;
return -1;}
pred find[ a: Array, v: Int, res: Int ] {a.data[ res ] = v ||res = -1 && (no i: Int | a.data[ i ] = v)
}
3. Modeling and Specifications – Formal Models
![Page 260: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/260.jpg)
260
Declarative Specifications
Alloy specifications are purely declarative- The describe what is done, not how it is done- Specifications abstract over irrelevant details
Peter Müller – Software Architecture and Engineering
int find( int[ ] array, int v ) {for( int i = 0; i < array.length; i++ )if( array[ i ] == v ) return i;
return -1;}
int find( int[ ] array, int v ) {if( 256 <= array.length ) {// perform parallel search
} else {// sequential search like before
}}
pred find[ a: Array, v: Int, res: Int ] {a.data[ res ] = v ||res = -1 && (no i: Int | a.data[ i ] = v)
}
3. Modeling and Specifications – Formal Models
![Page 261: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/261.jpg)
261
Abstract Machine Idiom (cont’d)
In static models, invariants are expressed as facts
In dynamic models, invariants can be asserted as properties maintained by the operations
Peter Müller – Software Architecture and Engineering
sig State { … }pred op1[ s, s’: State, … ] { … }pred opn[ s, s’: State, … ] { … }pred init[ s’: State, … ] { … }pred inv[ s: State ] { … }
assert initEstablishes {all s’: State, … | init[ s’, … ] => inv[ s’ ]
}check initEstablishesassert opiPreserves {all s, s’: State, … |inv[ s ] && opi[ s, s’, … ] => inv[ s’ ]
}check opiPreserves
3. Modeling and Specifications – Formal Models
![Page 262: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/262.jpg)
262
Abstract Machine Example: Initialization
Peter Müller – Software Architecture and Engineering
pred inv[ s: FileSystem ] {s.contents = ~(s.parent)s.live in s.root.*(s.contents)
}
pred init[ s’: FileSystem ] {#s’.live = 1
}
assert initEstablishes {all s’: FileSystem | init[ s’ ] => inv[ s’ ]
}check initEstablishes
sig FileSystem {live: set FSObject,root: Dir & live,parent: (live - root) -> one (Dir & live),contents: (Dir & live) -> live
}
3. Modeling and Specifications – Formal Models
![Page 263: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/263.jpg)
263
Abstract Machine Example: Initialization
Peter Müller – Software Architecture and Engineering
pred inv[ s: FileSystem ] {s.contents = ~(s.parent)s.live in s.root.*(s.contents)
}
pred init[ s’: FileSystem ] {#s’.live = 1
}
assert initEstablishes {all s’: FileSystem | init[ s’ ] => inv[ s’ ]
}check initEstablishes
sig FileSystem {live: set FSObject,root: Dir & live,parent: (live - root) -> one (Dir & live),contents: (Dir & live) -> live
}
3. Modeling and Specifications – Formal Models
![Page 264: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/264.jpg)
264
Abstract Machine Example: Initialization (c’d)
Peter Müller – Software Architecture and Engineering
pred init[ s’: FileSystem ] {#s’.live = 1 && s’.contents[ s’.root ] = none
}
assert initEstablishes {all s’: FileSystem | init[ s’ ] => inv[ s’ ]
}check initEstablishes
sig FileSystem {live: set FSObject,root: Dir & live,parent: (live - root) -> one (Dir & live),contents: (Dir & live) -> live
}
pred inv[ s: FileSystem ] {s.contents = ~(s.parent)s.live in s.root.*(s.contents)
}
3. Modeling and Specifications – Formal Models
![Page 265: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/265.jpg)
265
Abstract Machine Example: Preservation
Peter Müller – Software Architecture and Engineering
pred inv[ s: FileSystem ] {s.contents = ~(s.parent)s.live in s.root.*(s.contents)
}
pred removeAll[ s, s’: FileSystem, o: FSObject ] {o in s.live - s.root &&s’.live = s.live - o.*(s.contents) &&s’.parent = s’.live <: s.parent
}
assert removeAllPreserves {all s, s’: FileSystem, o: FSObject |inv[ s ] && removeAll[ s, s’, o ] => inv[ s’ ]
}check removeAllPreserves
3. Modeling and Specifications – Formal Models
![Page 266: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/266.jpg)
266
Abstract Machine Example: Preservation
Peter Müller – Software Architecture and Engineering
pred inv[ s: FileSystem ] {s.contents = ~(s.parent)s.live in s.root.*(s.contents)
}
pred removeAll[ s, s’: FileSystem, o: FSObject ] {o in s.live - s.root &&s’.live = s.live - o.*(s.contents) &&s’.parent = s’.live <: s.parent
}
assert removeAllPreserves {all s, s’: FileSystem, o: FSObject |inv[ s ] && removeAll[ s, s’, o ] => inv[ s’ ]
}check removeAllPreserves
3. Modeling and Specifications – Formal Models
![Page 267: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/267.jpg)
267
Abstract Machine Example: Preservation
Peter Müller – Software Architecture and Engineering
pred inv[ s: FileSystem ] {s.contents = ~(s.parent)s.live in s.root.*(s.contents)
}
pred removeAll[ s, s’: FileSystem, o: FSObject ] {o in s.live - s.root &&s’.live = s.live - o.*(s.contents) &&s’.parent = s’.live <: s.parent
}
assert removeAllPreserves {all s, s’: FileSystem, o: FSObject |inv[ s ] && removeAll[ s, s’, o ] => inv[ s’ ]
}check removeAllPreserves
Constraints no longer ensure that
s’.contents = ~(s’.parent)
3. Modeling and Specifications – Formal Models
![Page 268: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/268.jpg)
268
Abstract Machine Example: Preservation (c’t)
Peter Müller – Software Architecture and Engineering
pred inv[ s: FileSystem ] {s.contents = ~(s.parent)s.live in s.root.*(s.contents)
}
pred removeAll[ s, s’: FileSystem, o: FSObject ] {o in s.live - s.root &&s’.live = s.live - o.*(s.contents) &&s’.parent = s’.live <: s.parent &&s’.contents = s.contents :> s’.live
}
assert removeAllPreserves {all s, s’: FileSystem, o: FSObject |inv[ s ] && removeAll[ s, s’, o ] => inv[ s’ ]
}check removeAllPreserves
3. Modeling and Specifications – Formal Models
![Page 269: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/269.jpg)
269
Temporal Invariants
The invariants specified and modeled so far were one-state invariants
Often, one needs to explore or check properties of sequences of states such as temporal invariants
Model sequences of execution steps of an abstract machine (execution traces)
Peter Müller – Software Architecture and Engineering
3. When the shared-field is true then shared, elems, and all elements of elems are immutable
3. Modeling and Specifications – Formal Models
![Page 270: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/270.jpg)
270
Traces of an Abstract Machine
Define a linear order on all states- First state is the initial state- Subsequent states are created by performing operations
of the abstract machine
Peter Müller – Software Architecture and Engineering
open util/ordering[ State ]…fact traces {init[ first ] &&all s: State - last |(some … | op1[ s, s.next, … ]) or… (some … | opn[ s, s.next, … ])
}
3. Modeling and Specifications – Formal Models
![Page 271: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/271.jpg)
271
Traces of an Abstract Machine
Define a linear order on all states- First state is the initial state- Subsequent states are created by performing operations
of the abstract machine
Peter Müller – Software Architecture and Engineering
open util/ordering[ State ]…fact traces {init[ first ] &&all s: State - last |(some … | op1[ s, s.next, … ]) or… (some … | opn[ s, s.next, … ])
}
Parametric library defines
linear order
3. Modeling and Specifications – Formal Models
![Page 272: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/272.jpg)
272
Traces of an Abstract Machine
Define a linear order on all states- First state is the initial state- Subsequent states are created by performing operations
of the abstract machine
Peter Müller – Software Architecture and Engineering
open util/ordering[ State ]…fact traces {init[ first ] &&all s: State - last |(some … | op1[ s, s.next, … ]) or… (some … | opn[ s, s.next, … ])
}
Parametric library defines
linear orderInitial state is the first in the
order
3. Modeling and Specifications – Formal Models
![Page 273: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/273.jpg)
273
Traces of an Abstract Machine
Define a linear order on all states- First state is the initial state- Subsequent states are created by performing operations
of the abstract machine
Peter Müller – Software Architecture and Engineering
open util/ordering[ State ]…fact traces {init[ first ] &&all s: State - last |(some … | op1[ s, s.next, … ]) or… (some … | opn[ s, s.next, … ])
}
Parametric library defines
linear orderInitial state is the first in the
order
Subsequent states are created by one of the operations
3. Modeling and Specifications – Formal Models
![Page 274: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/274.jpg)
274
Traces of an Abstract Machine
Define a linear order on all states- First state is the initial state- Subsequent states are created by performing operations
of the abstract machine
Peter Müller – Software Architecture and Engineering
open util/ordering[ State ]…fact traces {init[ first ] &&all s: State - last |(some … | op1[ s, s.next, … ]) or… (some … | opn[ s, s.next, … ])
}
Parametric library defines
linear orderInitial state is the first in the
order
Subsequent states are created by one of the operations
Existential quantifier abstracts over the arguments to the
operations
3. Modeling and Specifications – Formal Models
![Page 275: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/275.jpg)
275
Properties of Traces
One-state invariants can be asserted more conveniently- No separate initialization and preservation checks
Temporal invariants can be expressed- Use s.next, lt[ s, s’ ], or lte[ s, s’ ] to relate states
Peter Müller – Software Architecture and Engineering
assert invHolds {all s: State | inv[ s ]
}
assert invtemp {all s, s’: FileSystem | s.root = s’.root
}
3. Modeling and Specifications – Formal Models
![Page 276: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/276.jpg)
276
Peter Müller – Software Architecture and Engineering
3. Modeling and Specification
3.1 Source Code3.2 Informal Models3.3 Formal Models
3.3.1 Static Models3.3.2 Dynamic Models3.3.3 Analyzing Models
3. Modeling and Specifications – Formal Models
![Page 277: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/277.jpg)
277
Consistency and Validity
An Alloy model specifies a collection of constraints C that describe a set of structures
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications – Formal Models
![Page 278: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/278.jpg)
278
Consistency and Validity
An Alloy model specifies a collection of constraints C that describe a set of structures
Consistency:A formula F is consistent (satisfiable) if it evaluates to true in at least one of these structures
Peter Müller – Software Architecture and Engineering
∃s • C(s) ∧ F(s)
3. Modeling and Specifications – Formal Models
![Page 279: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/279.jpg)
279
Consistency and Validity
An Alloy model specifies a collection of constraints C that describe a set of structures
Consistency:A formula F is consistent (satisfiable) if it evaluates to true in at least one of these structures
Validity:A formula F is valid if it evaluates to true in all of these structures
Peter Müller – Software Architecture and Engineering
∃s • C(s) ∧ F(s)
∀s • C(s) ⇒ F(s)
3. Modeling and Specifications – Formal Models
![Page 280: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/280.jpg)
280
Analyzing Models within a Scope
Validity and consistency checking for Alloy is undecidable
The Alloy analyzer sidesteps this problem by checking validity and consistency within a given scope- A scope gives a finite bound on the sizes of the sets in
the model (which makes everything else in the model also finite)
- Naïve algorithm: enumerate all structures of a model within the bounds and check formula for each of them
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications – Formal Models
![Page 281: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/281.jpg)
281
Consistency Checking
Peter Müller – Software Architecture and Engineering
Translate constraints and formula into formula over
boolean variables
Check whether this formula has a satisfying
assignment
Formula is consistent:Translate satisfying
assignment back to model
Formula is inconsistent within the given scope
Yes
No
3. Modeling and Specifications – Formal Models
![Page 282: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/282.jpg)
282
Translation into Formula over Boolean Vars
Internally, Alloy represents all data types as relations- A relation is a set of tuples
Peter Müller – Software Architecture and Engineering
sig Node {next: lone Node
}
3. Modeling and Specifications – Formal Models
![Page 283: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/283.jpg)
283
Translation into Formula over Boolean Vars
Internally, Alloy represents all data types as relations- A relation is a set of tuples
Peter Müller – Software Architecture and Engineering
sig Node {next: lone Node
}
next is a binary relation in
Node × Node
3. Modeling and Specifications – Formal Models
![Page 284: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/284.jpg)
284
Translation into Formula over Boolean Vars
Internally, Alloy represents all data types as relations- A relation is a set of tuples
Constraints and formulas in the model are represented as formulas over relations
Peter Müller – Software Architecture and Engineering
sig Node {next: lone Node
}
next is a binary relation in
Node × Node
fact {all n: Node | n != n.next
}
3. Modeling and Specifications – Formal Models
![Page 285: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/285.jpg)
285
Translation into Formula over Boolean Vars
Internally, Alloy represents all data types as relations- A relation is a set of tuples
Constraints and formulas in the model are represented as formulas over relations
Peter Müller – Software Architecture and Engineering
sig Node {next: lone Node
}
next is a binary relation in
Node × Node
fact {all n: Node | n != n.next
}∀n • (n,n) ∉ next
3. Modeling and Specifications – Formal Models
![Page 286: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/286.jpg)
286
Translation into Boolean Formula (cont’d)
A relation is translated into boolean variables- Introduce one boolean variable for each tuple that is
potentially contained in the relationsig Node {next: lone Node
}pred show { }run show for 3
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications – Formal Models
![Page 287: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/287.jpg)
287
Translation into Boolean Formula (cont’d)
A relation is translated into boolean variables- Introduce one boolean variable for each tuple that is
potentially contained in the relationsig Node {next: lone Node
}pred show { }run show for 3
next is a binary relation in
Node × Node
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications – Formal Models
![Page 288: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/288.jpg)
288
Translation into Boolean Formula (cont’d)
A relation is translated into boolean variables- Introduce one boolean variable for each tuple that is
potentially contained in the relationsig Node {next: lone Node
}pred show { }run show for 3
n00, n01, n02,n10, n11, n12,n20, n21, n22
next is a binary relation in
Node × Node
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications – Formal Models
![Page 289: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/289.jpg)
289
Translation into Boolean Formula (cont’d)
A relation is translated into boolean variables- Introduce one boolean variable for each tuple that is
potentially contained in the relationsig Node {next: lone Node
}pred show { }run show for 3
n00, n01, n02,n10, n11, n12,n20, n21, n22
next is a binary relation in
Node × Node
For the given scope, the next
relation may contain nine
different tuples
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications – Formal Models
![Page 290: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/290.jpg)
290
Translation into Boolean Formula (cont’d)
A relation is translated into boolean variables- Introduce one boolean variable for each tuple that is
potentially contained in the relation
Constraints and formulas are translated into boolean formulas over these variables
sig Node {next: lone Node
}pred show { }run show for 3
n00, n01, n02,n10, n11, n12,n20, n21, n22
next is a binary relation in
Node × Node
For the given scope, the next
relation may contain nine
different tuples
Peter Müller – Software Architecture and Engineering
fact {all n: Node | n != n.next
}
¬(n00 ∧ n01) ∧ ¬(n00 ∧ n02) ∧ ¬(n01 ∧ n02) ∧¬(n10 ∧ n11) ∧ ¬(n10 ∧ n12) ∧ ¬(n11 ∧ n12) ∧¬(n20 ∧ n21) ∧ ¬(n20 ∧ n22) ∧ ¬(n21 ∧ n22) ∧
¬n00 ∧ ¬n11 ∧ ¬n22
3. Modeling and Specifications – Formal Models
![Page 291: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/291.jpg)
291
Check for Satisfying Assignments
Satisfiability of formulas over boolean variables is a well understood problem- Find a satisfying assignment if one exists and return
UNSAT otherwise- The problem is NP-complete
In practice, SAT solvers are extremely efficient
Peter Müller – Software Architecture and Engineering
n 0 1 20 F F F1 F F T2 F T F
¬(n00 ∧ n01) ∧ ¬(n00 ∧ n02) ∧ ¬(n01 ∧ n02) ∧¬(n10 ∧ n11) ∧ ¬(n10 ∧ n12) ∧ ¬(n11 ∧ n12) ∧¬(n20 ∧ n21) ∧ ¬(n20 ∧ n22) ∧ ¬(n21 ∧ n22) ∧
¬n00 ∧ ¬n11 ∧ ¬n22
3. Modeling and Specifications – Formal Models
![Page 292: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/292.jpg)
292
Translation Back to Model
A satisfying assignment can be translated back to relations
and then visualized
Peter Müller – Software Architecture and Engineering
n 0 1 20 F F F1 F F T2 F T F
next = { (1,2), (2,1) }
3. Modeling and Specifications – Formal Models
![Page 293: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/293.jpg)
293
Interpretation of UNSAT
If a boolean formula has no satisfying assignment, the SAT solver returns UNSAT
The boolean formula encodes an Alloy model within a given scope- There are no structures within this scope,
but larger structures may exist- The model may be, but is not necessarily inconsistent
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications – Formal Models
![Page 294: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/294.jpg)
294
Interpretation of UNSAT
If a boolean formula has no satisfying assignment, the SAT solver returns UNSAT
The boolean formula encodes an Alloy model within a given scope- There are no structures within this scope,
but larger structures may exist- The model may be, but is not necessarily inconsistent
Peter Müller – Software Architecture and Engineering
sig Node { next: lone Node }fact { #Node = 4 }pred show { }run show for 3
3. Modeling and Specifications – Formal Models
![Page 295: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/295.jpg)
295
Interpretation of UNSAT
If a boolean formula has no satisfying assignment, the SAT solver returns UNSAT
The boolean formula encodes an Alloy model within a given scope- There are no structures within this scope,
but larger structures may exist- The model may be, but is not necessarily inconsistent
Peter Müller – Software Architecture and Engineering
sig Node { next: lone Node }fact { #Node = 4 }pred show { }run show for 3
3. Modeling and Specifications – Formal Models
![Page 296: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/296.jpg)
296
Validity and Invalidity Checking
A formula F is valid if it evaluates to true in allstructures that satisfy the constraints C of the model
Enumerating all structures within a given scope is possible, but would be too slow
Instead of checking validity, the Alloy Analyzer checks for invalidity, that is, looks for counterexamples
Peter Müller – Software Architecture and Engineering
∀s • C(s) ⇒ F(s)
¬(∀s • C(s) ⇒ F(s)) ≡ (∃s • C(s) ∧ ¬F(s))
3. Modeling and Specifications – Formal Models
![Page 297: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/297.jpg)
297
Validity and Invalidity Checking
A formula F is valid if it evaluates to true in allstructures that satisfy the constraints C of the model
Enumerating all structures within a given scope is possible, but would be too slow
Instead of checking validity, the Alloy Analyzer checks for invalidity, that is, looks for counterexamples
Peter Müller – Software Architecture and Engineering
∀s • C(s) ⇒ F(s)
¬(∀s • C(s) ⇒ F(s)) ≡ (∃s • C(s) ∧ ¬F(s))
This is a consistency
check
3. Modeling and Specifications – Formal Models
![Page 298: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/298.jpg)
298
Validity Checking
Peter Müller – Software Architecture and Engineering
Translate constraints and negated formula into
formula over boolean vars
Check whether this formula has a satisfying
assignment
Formula is invalid:Translate satisfying
assignment back to model
Formula is validwithin the given scope
Yes
No
3. Modeling and Specifications – Formal Models
![Page 299: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/299.jpg)
299
Interpretation of UNSAT
Validity checking searches for a counterexample within a given scope- UNSAT means there are no structures within this scope,
but larger structures may exist- The model may be, but is not necessarily valid
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications – Formal Models
![Page 300: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/300.jpg)
300
Interpretation of UNSAT
Validity checking searches for a counterexample within a given scope- UNSAT means there are no structures within this scope,
but larger structures may exist- The model may be, but is not necessarily valid
Peter Müller – Software Architecture and Engineering
sig Node { next: Node }assert demo { all n: Node | some m: Node | m.next = n }
3. Modeling and Specifications – Formal Models
![Page 301: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/301.jpg)
301
Interpretation of UNSAT
Validity checking searches for a counterexample within a given scope- UNSAT means there are no structures within this scope,
but larger structures may exist- The model may be, but is not necessarily valid
Peter Müller – Software Architecture and Engineering
sig Node { next: Node }assert demo { all n: Node | some m: Node | m.next = n }
check demo for 1
3. Modeling and Specifications – Formal Models
![Page 302: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/302.jpg)
302
Interpretation of UNSAT
Validity checking searches for a counterexample within a given scope- UNSAT means there are no structures within this scope,
but larger structures may exist- The model may be, but is not necessarily valid
Peter Müller – Software Architecture and Engineering
sig Node { next: Node }assert demo { all n: Node | some m: Node | m.next = n }
check demo for 1
3. Modeling and Specifications – Formal Models
![Page 303: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/303.jpg)
303
Interpretation of UNSAT
Validity checking searches for a counterexample within a given scope- UNSAT means there are no structures within this scope,
but larger structures may exist- The model may be, but is not necessarily valid
Peter Müller – Software Architecture and Engineering
sig Node { next: Node }assert demo { all n: Node | some m: Node | m.next = n }
check demo for 2
check demo for 1
3. Modeling and Specifications – Formal Models
![Page 304: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/304.jpg)
304
Interpretation of UNSAT
Validity checking searches for a counterexample within a given scope- UNSAT means there are no structures within this scope,
but larger structures may exist- The model may be, but is not necessarily valid
Peter Müller – Software Architecture and Engineering
sig Node { next: Node }assert demo { all n: Node | some m: Node | m.next = n }
check demo for 2
check demo for 1
3. Modeling and Specifications – Formal Models
![Page 305: Software Architecture and Engineering · the software architecture as a composition of sub-systems Components: Computational units with specified interface - Filters, databases, layers](https://reader030.vdocuments.net/reader030/viewer/2022041000/5e9f6a51ee5ad7437b578fff/html5/thumbnails/305.jpg)
305
Analyzing Models: Summary
Consistency checking- Performed by run command within a scope- Positive answers are definite (structures)
Validity checking- Performed by check command within a scope- Negative answers are definite (counterexamples)
Small model hypothesis:Most interesting errors are found by looking at small instances
Peter Müller – Software Architecture and Engineering
3. Modeling and Specifications – Formal Models