PhD Thesis defense: Lightweight and Static verification of UML Executable Models
1. Lightweight and Static Verification of
UML Executable Models
a PhD thesis by
Elena Planas
Advised by: Dr. Jordi Cabot and Dra. Cristina Gómez
21st March, 2013
3. what is the meaning of
no-quality ?
FAILURE
Nokia® Lumia 900 software bug
4. how can the quality
of a software product
be improved?
5. contributions
conclusions
& further work
related experimentation
work
tool
M2M
may be evaluated Transformations
compared through we extract
implemented in
can also be
applied to
state of syntactic
the art correctness
our focuses correctness
on executability
solution properties
has been
addressed in completeness
we propose
follows
research research
problem methodology
6. contributions
conclusions
& further work
related experimentation
work
tool
M2M
may be evaluated Transformations
compared through we extract
implemented in
can also be
applied to
state of syntactic
the art correctness
our focuses correctness
on executability
solution properties
has been
addressed in completeness
we propose
follows
research research
problem methodology
7. Software development lifecycle
… Analysis Design Implementation
Model Model Code
Driven
Development
(MDD)
A model is a simplified representation of a
complex reality [Brown,2002]
Research Problem
8. Software development lifecycle
… Analysis Design Implementation
Model Model Code
Driven
Development
(MDD)
A model is a simplified representation of a
complex reality [Brown,2002]
Research Problem
9. Software development lifecycle
… Analysis Design Implementation
Model Model Code
Driven
Development
(MDD)
Research Problem
10. Software development lifecycle
… Analysis Design Implementation
Executable
Model Model Code
Driven
Development
(MDD)
Boehm’s curve
Research Problem
Errors are most frequent during the
first phases of the development
activities and are more expensive the
later they are removed
11. Software development lifecycle
… Analysis Design Implementation
Executable
Model Model Code
Driven
Development
(MDD)
Boehm’s curve
Research Problem
errors should
be removed
ASAP
12. Software development lifecycle
… Analysis Design Implementation
Executable
Model Model Code
Driven
Development
(MDD)
Boehm’s curve
how can the quality of
Research Problem
errors should
be removed
ASAP
executable models be improved?
13. quality of UML
executable
models
quality quality
of software of models
Research Problem
14. An executable models
is a model with a
behavioral specification
sufficiently detailed
so it can be
systematically
implemented/executed
in the production environment
15. An executable models
may be specified using several
modeling languages
Model
Modelling Languages Transformation
Languages
xUML OCL ALF QVT
standards
16. An executable models
UML Structural Model Detailed Behavioral Model
executable UML Class Diagram + UML Behavioral Diagram
model integrity constraints precisely defined
17. An executable models
UML Structural Model Detailed Behavioral Model
executable UML Class Diagram + UML Behavioral Diagram
model integrity constraints precisely defined
RestaurantBranch Menu Course
address: String * Offers * name: String * IsComposedOf 2..*
description: String
phone: String[0..2] price: Real category: CourseCategory
{incomplete}
<<enumeration>>
CourseCategory Period
SpecialMenu
Starter * OfferedDuring 1..*
discount: Real iniDate: Date
MainCourse
endDate: Date
Dessert
context SpecialMenu inv validDiscount: self.discount >=10
context SpecialMenu inv atMost3SpecialMenus: SpecialMenu.allInstances()->size()<=3
context Period inv validDates: self.iniDate < self.endDate
18. An executable models
UML Structural Model Detailed Behavioral Model
executable UML Class Diagram + UML Behavioral Diagram
model integrity constraints precisely defined
19. An executable models
UML Structural Model Detailed Behavioral Model
executable UML Class Diagram + UML Behavioral Diagram
model integrity constraints precisely defined
Using Alf action language (OMG).
Alf is a clear, precise yet abstract textual
language to specify executable models in
the context of UML
action-based
operations
20. An executable models
UML Structural Model Detailed Behavioral Model
executable UML Class Diagram + UML Behavioral Diagram
model integrity constraints precisely defined
Using Alf action language (OMG).
Alf is a clear, precise yet abstract textual
language to specify executable models in
the context of UML
Menu Course
name: String * IsComposedOf 2..*
…
price: Real
activity addMenu (in _name: String, in _price: Real, in _courses:Course[3..*]) {
action-based
if ( !Menu.allInstances()->exists(m|m.name=_name) ) {
Menu m = new Menu(); operations
m.name = _name;
m.price = _price;
for ( i in 1.._courses->size() ) {
IsComposedOf.createlink(menu=>m,course=>_courses[i]);
}
}
}
21. An executable models
UML Structural Model Detailed Behavioral Model
executable UML Class Diagram + UML Behavioral Diagram
model integrity constraints precisely defined
Using Alf action language (OMG).
Alf is a clear, precise yet abstract textual
language to specify executable models in
the context of UML
Menu Course
name: String * IsComposedOf 3..*
…
price: Real
activity addMenu (in _name: String, in _price: Real, in _courses:Course[3..*]) {
action-based
if ( !Menu.allInstances()->exists(m|m.name=_name) ) {
Menu m = new Menu(); operations
m.name = _name;
m.price = _price;
for ( i in 1.._courses->size() ) {
IsComposedOf.createlink(menu=>m,course=>_courses[i]);
}
}
}
22. An executable models
UML Structural Model Detailed Behavioral Model
executable UML Class Diagram + UML Behavioral Diagram
model integrity constraints precisely defined
Using Alf action language (OMG).
Alf is a clear, precise yet abstract textual
language to specify executable models in
the context of UML
Menu Course
name: String * IsComposedOf 3..*
…
price: Real
activity addMenu (in _name: String, in _price: Real, in _courses:Course[3..*]) {
action-based
if ( !Menu.allInstances()->exists(m|m.name=_name) ) {
Menu m = new Menu(); operations
m.name = _name;
m.price = _price;
for ( i in 1.._courses->size() ) {
IsComposedOf.createlink(menu=>m,course=>_courses[i]);
}
}
}
23. An executable models
UML Structural Model Detailed Behavioral Model
executable UML Class Diagram + UML Behavioral Diagram
model integrity constraints precisely defined
Using Alf action language (OMG).
Alf is a clear, precise yet abstract textual
language to specify executable models in
the context of UML
Menu Course
name: String * IsComposedOf 3..*
…
price: Real
activity addMenu (in _name: String, in _price: Real, in _courses:Course[3..*]) {
action-based
if ( !Menu.allInstances()->exists(m|m.name=_name) ) {
Menu m = new Menu(); operations
m.name = _name;
m.price = _price; association.createLink(role1=>object1, role2=>object2)
for ( i in 1.._courses->size() ) {
IsComposedOf.createlink(menu=>m,course=>_courses[i]);
}
}
}
24. An executable models
UML Structural Model Detailed Behavioral Model
executable UML Class Diagram + UML Behavioral Diagram
model integrity constraints precisely defined
Using Alf action language (OMG).
Alf is a clear, precise yet abstract textual
language to specify executable models in
the context of UML
Menu Course
name: String * IsComposedOf 3..*
…
price: Real
activity addMenu (in _name: String, in _price: Real, in _courses:Course[3..*]) {
action-based
if ( !Menu.allInstances()->exists(m|m.name=_name) ) {
Menu m = new Menu(); operations
m.name = _name;
m.price = _price;
for ( i in 1.._courses->size() ) {
IsComposedOf.createlink(menu=>m,course=>_courses[i]);
}
}
}
25. An executable models
raise the level of abstraction productivity
platform independent models
allow early verification
costs
better software at less cost
standards for executable modelling
ALF
February 2011
Concrete Syntax for UML Foundational Subset for
October 2010
1997
2005
[UML version 1.0] [UML version 2.0] Action Language Executable UML Models
[Alf version 1.0 - Beta 1] [fUML version 1.0 - Beta]
2013
26. An executable models
raise the level of abstraction productivity
platform independent models
allow early verification
costs
better software at less cost
standards for executable modelling
1992
“In the future, most
2001
developments will be xUML: software
development
based on an exe-
methodology ALF
cutable specification”
February 2011
Concrete Syntax for UML Foundational Subset for
October 2010
designed to
1997
2005
[Harel]
[UML version 1.0] precisely define the [UML version 2.0] Action Language Executable UML Models
semantics of [Alf version 1.0 - Beta 1] [fUML version 1.0 - Beta]
executable models
2013
27. … Analysis Design Implementation
Executable
Model Model Code
Driven
Development
(MDD)
need for methods and tools to evaluate
Research Problem
the correctness of executable models
28. how can the quality
of UML executable models
be improved?
how can the quality of executable models be decomposed into
quality properties?
what methods
can be employed to support the verification of the quality
properties of executable models?
what kind of feedback
Research Problem
can help the designers to improve her executable models?
what types of executable models
can be verified using these methods?
29. contributions
conclusions
& further work
related experimentation
work
tool
M2M
may be evaluated Transformations
compared through we extract
implemented in
can also be
applied to
state of syntactic
the art correctness
our focuses correctness
on executability
solution properties
has been
addressed in completeness
we propose
follows
research research
problem methodology
30. correctness
properties to
be verified
Properties
type of model
Domain to be verified
State of the Art
Type of method
employed to perform
the verification
31. Dimension 1. Domain
Information they represent
Behavioural Model
Model to
Structural Non
Executable Model
Model executable
Behavioural Transformation
Behavioural
Model
Model
[activity, statechart, sequence]
UML/fUML diagrams
class diagram
declarative
OCL operations
OMG imperative
Alf
standards operations
M2M
QVT transformation
…
ATL M2M
State of the Art
transformation
Language
others xUML xUML model
…
32. Dimension 1. Domain
Information they represent
Behavioural Model
Model to
Structural Non
Executable Model
Model executable
Behavioural Transformation
Behavioural
Model
Model
[activity, statechart, sequence]
UML/fUML diagrams
class diagram
declarative
OCL operations
OMG imperative
Alf
standards operations
M2M
QVT transformation
…
ATL M2M
State of the Art
transformation
Language
others xUML xUML model
…
33. Dimension 2. Properties
* According to Lindland’s framework
[Lindland et al. Understanding Quality in
Level of quality Conceptual Modeling. 1994]
Syntactic Semantic Pragmatic
Properties Properties Properties
Domain checking that there are
not two different menus
Specific which contain exactly the
Properties same courses
syntactic correctness safety comprehension
Level of abstraction
liveness
Domain
Independent consistency
Properties
State of the Art
executability
completeness
34. Dimension 2. Properties
* According to Lindland’s framework
[Lindland et al. Understanding Quality in
Level of quality Conceptual Modeling. 1994]
Syntactic Semantic Pragmatic
Properties Properties Properties
Domain checking that there are
not two different menus
Specific which contain exactly the
Properties same courses
syntactic correctness safety comprehension
Level of abstraction
liveness
Domain
Independent consistency
Properties
State of the Art
executability
completeness
35. Dimension 3. Method
Level of formalization they use
Non Formal Lightweight
Formal Methods
Methods Methods
How the analysis is done?
inspection
Static
Methods abstract interpretation
review
Dynamic model checking
Methods testing
State of the Art
36. Dimension 3. Method
Level of formalization they use
Non Formal Lightweight
Formal Methods
Methods Methods
How the analysis is done?
inspection
Static
Methods our verification methods abstract interpretation
review
Dynamic model checking
Methods testing
State of the Art
37. contributions
conclusions
& further work
related experimentation
work
tool
M2M
may be evaluated Transformations
compared through we extract
implemented in
can also be
applied to
state of syntactic
the art correctness
our focuses correctness
on executability
solution properties
has been
addressed in completeness
we propose
follows
research research
problem methodology
38. we propose a verification framework
to help the designers improve the quality
of their executable models
correctness
executable should fulfill properties
models of executable
behavioural models
can be
provide checked
feedback to using
Our solution: Overview
improve
lightweight
and static
verification
methods
39. we propose a verification framework
method for
verifying the method for method for
verifying the verifying the
syntactic executability completeness
feedback correctness
No model execution
lightweight No translation to a formal language
Our solution: Overview
and static Quick feedback
methods Easy integration in the development process
Partial analysis
40. contributions
conclusions
& further work
related experimentation
work
tool
M2M
may be evaluated Transformations
compared through we extract
implemented in
can also be
applied to
state of syntactic
the art correctness
our focuses correctness
on executability
solution properties
has been
addressed in completeness
we propose
follows
research research
problem methodology
41. An operation is syntactically correct
iff all the actions in the operation satisfy all the
rules defined in the UML/fUML metamodels.
English UML
language language
English UML/fUML defined by
syntax metamodel
Properties: Syntactic correctness
Conform Conform
to to
UML model Well-Formedness Rules
English
(example: Alf-
sentences based operations)
42. An operation is syntactically correct
iff all the actions in the operation satisfy all the
rules defined in the UML/fUML metamodels.
WFR: We cannot create instances of an abstract classifier.
context CreateObjectAction inv: not (self.classifier.isAbstract = true)
Properties: Syntactic correctness
Course
activity addCourse(…) {
…
Course c = new Course();
…
{complete} }
ItalianCourse VegetarianCourse …
… …
43. An operation is syntactically correct
iff all the actions in the operation satisfy all the
rules defined in the UML/fUML metamodels.
WFR: We cannot create instances of an abstract classifier.
context CreateObjectAction inv: not (self.classifier.isAbstract = true)
Properties: Syntactic correctness
Course
activity addCourse(…) {
…
Course c = new Course();
…
{complete} }
ItalianCourse VegetarianCourse …
… … Feedback: The
classifier cannot
be abstract.
44. An operation is syntactically correct
iff all the actions in the operation satisfy all the
rules defined in the UML/fUML metamodels.
39 Well-Formedness Rules
Properties: Syntactic correctness
75% from UML | 15% from fUML | 10% added
40% rules from the UML/fUML metamodels corrected
45. contributions
conclusions
& further work
related experimentation
work
tool
M2M
may be evaluated Transformations
compared through we extract
implemented in
can also be
applied to
state of syntactic
the art correctness
our focuses correctness
on executability
solution properties
has been
addressed in completeness
we propose
follows
research research
problem methodology
46. The executability
of an operation is its ability to run without breaking
the integrity constraints defined in the structural model.
Two levels of correctness:
An operation is weakly executable (WE) An operation is strongly executable (SE)
when there is a chance that a user may when it is always successfully executed.
successfully execute the operation.
Property: Executability
47. The executability
of an operation is its ability to run without breaking
the integrity constraints defined in the structural model.
Two levels of correctness:
An operation is weakly executable (WE) An operation is strongly executable (SE)
when there is a chance that a user may when it is always successfully executed.
successfully execute the operation.
Menu context SpecialMenu inv validDiscount: self.discount >=10
name: String context SpecialMenu inv atMost3SpecialMenus: SpecialMenu.allInstances()->size()<=3
price: Real
activity classifyAsSpecialMenu (in _discount:Real, in _preiod: Period) {
{incomplete}
if ( _discount>=10 ) {
SpecialMenu classify self to SpecialMenu;
OfferedDuring.createLink(specialMenu=>self,period=>_period);
discount: Real
Property: Executability
self.discount = _discount;
* }
OfferedDuring
}
1..*
Period
iniDate: Date
endDate: Date
48. The executability
of an operation is its ability to run without breaking
the integrity constraints defined in the structural model.
Two levels of correctness:
An operation is weakly executable (WE) An operation is strongly executable (SE)
when there is a chance that a user may when it is always successfully executed.
successfully execute the operation.
Menu context SpecialMenu inv validDiscount: self.discount >=10
name: String context SpecialMenu inv atMost3SpecialMenus: SpecialMenu.allInstances()->size()<=3
price: Real
activity classifyAsSpecialMenu (in _discount:Real, in _preiod: Period) {
{incomplete}
if ( _discount>=10 ) {
SpecialMenu classify self to SpecialMenu;
OfferedDuring.createLink(specialMenu=>self,period=>_period);
discount: Real
Property: Executability
self.discount = _discount;
* }
OfferedDuring
}
1..*
Period
iniDate: Date
endDate: Date
49. The executability
of an operation is its ability to run without breaking
the integrity constraints defined in the structural model.
Two levels of correctness:
An operation is weakly executable (WE) An operation is strongly executable (SE)
when there is a chance that a user may when it is always successfully executed.
successfully execute the operation.
Menu context SpecialMenu inv validDiscount: self.discount >=10
name: String context SpecialMenu inv atMost3SpecialMenus: SpecialMenu.allInstances()->size()<=3
price: Real
activity classifyAsSpecialMenu (in _discount:Real, in _preiod: Period) {
{incomplete}
if ( _discount>=10 ) {
SpecialMenu classify self to SpecialMenu;
OfferedDuring.createLink(specialMenu=>self,period=>_period);
discount: Real
Property: Executability
self.discount = _discount;
* }
OfferedDuring
}
1..*
Period
iniDate: Date
endDate: Date
Italian menu Vegetarian menu Japanese menu
(special menu) (special menu) (special menu)
50. The executability
of an operation is its ability to run without breaking
the integrity constraints defined in the structural model.
Two levels of correctness:
An operation is weakly executable (WE) An operation is strongly executable (SE)
when there is a chance that a user may when it is always successfully executed.
successfully execute the operation.
Menu context SpecialMenu inv validDiscount: self.discount >=10
name: String context SpecialMenu inv atMost3SpecialMenus: SpecialMenu.allInstances()->size()<=3
price: Real
activity classifyAsSpecialMenu (in _discount:Real, in _preiod: Period) {
{incomplete}
if ( _discount>=10 ) {
SpecialMenu classify self to SpecialMenu;
OfferedDuring.createLink(specialMenu=>self,period=>_period);
discount: Real
Property: Executability
self.discount = _discount;
* }
OfferedDuring
}
1..*
Period
iniDate: Date
endDate: Date
Italian menu Vegetarian menu Japanese menu Another special menu
(special menu) (special menu) (special menu) (special menu)
51. INPUT
To determine
Computing if an operation is
executable
execution paths
Analyzing PVAs
we propose a
Discarding PVAs four-step
verification
Property: Executability
Classifying the
method
operation
OUTPUT
53. An execution path
INPUT
is a consecutive sequence of
actions that may be followed
during the execution of an
Computing
execution paths
operation
Analyzing PVAs
Discarding PVAs
Property: Executability
Classifying the
operation
OUTPUT
54. INPUT
An execution paths
INPUT
activity classifyAsSpecialMenu (in _discount:Real, in _preiod: Period) {
if ( _discount>=10 ) {
classify self to SpecialMenu;
OfferedDuring.createLink(specialMenu=>self,period=>_period);
Computing self.discount = _discount;
execution paths }
}
Analyzing PVAs
EXECUTION PATHS
Discarding PVAs
if
_discount >= 10
Property: Executability
Classifying the
classify self to SpecialMenu
operation
OfferedDuring.createLink(specialMenu=>self,period=>_period)
OUTPUT
self.discount = _discount
55. INPUT
An execution paths
INPUT
activity classifyAsSpecialMenu (in _discount:Real, in _preiod: Period) {
if ( _discount>=10 ) {
classify self to SpecialMenu;
OfferedDuring.createLink(specialMenu=>self,period=>_period);
Computing self.discount = _discount;
execution paths }
}
Analyzing PVAs
EXECUTION PATHS
Discarding PVAs
1st path
if
_discount >= 10
Property: Executability
Classifying the
classify self to SpecialMenu
operation
OfferedDuring.createLink(specialMenu=>self,period=>_period)
OUTPUT
self.discount = _discount
56. INPUT
An execution paths
INPUT
activity classifyAsSpecialMenu (in _discount:Real, in _preiod: Period) {
if ( _discount>=10 ) {
classify self to SpecialMenu;
OfferedDuring.createLink(specialMenu=>self,period=>_period);
Computing self.discount = _discount;
execution paths }
}
Analyzing PVAs
EXECUTION PATHS
Discarding PVAs
2nd path
if
_discount >= 10
Property: Executability
Classifying the
classify self to SpecialMenu
operation
OfferedDuring.createLink(specialMenu=>self,period=>_period)
OUTPUT
self.discount = _discount
58. A Potentially Violating Actions
INPUT
is an action that its effect can
change the system state in a way
Computing that some integrity constraints
become violated
execution paths
Analyzing PVAs
Discarding PVAs
Property: Executability
Classifying the
operation
OUTPUT
A path does not have
PVAs is WE/SE
A path has some PVAs may be not WE/SE
59. A Potentially Violating Actions
INPUT
if
Computing _discount >= 10
execution paths
classify self to SpecialMenu
Analyzing PVAs OfferedDuring.createLink(specialMenu=>self,period=>_period)
self.discount = _discount
Discarding PVAs
Property: Executability
Classifying the
operation
OUTPUT
60. A Potentially Violating Actions
INPUT
if
Computing _discount >= 10
execution paths
classify self to SpecialMenu
Analyzing PVAs OfferedDuring.createLink(specialMenu=>self,period=>_period)
self.discount = _discount
Discarding PVAs
Menu
Property: Executability
Classifying the name: String
operation price: Real
{incomplete}
SpecialMenu Period
OUTPUT
* OfferedDuring 1..* iniDate: Date
discount: Real
endDate: Date
context SpecialMenu inv validDiscount: self.discount >=10
context SpecialMenu inv atMost3SpecialMenus: SpecialMenu.allInstances()->size()<=3
61. A Potentially Violating Actions
INPUT
The attribute discount must be
initialized if
[weak and strong executability]
Computing _discount >= 10
execution paths
classify self to SpecialMenu
Analyzing PVAs OfferedDuring.createLink(specialMenu=>self,period=>_period)
self.discount = _discount
Discarding PVAs
Menu
Property: Executability
Classifying the name: String
operation price: Real
{incomplete}
SpecialMenu Period
OUTPUT
* OfferedDuring 1..* iniDate: Date
discount: Real
endDate: Date
context SpecialMenu inv validDiscount: self.discount >=10
context SpecialMenu inv atMost3SpecialMenus: SpecialMenu.allInstances()->size()<=3
62. A Potentially Violating Actions
INPUT
The attribute discount must be
initialized if
[weak and strong executability]
Computing _discount >= 10
execution paths
Each special menu must be
related with at least one Period classify self to SpecialMenu
[weak and strong executability]
Analyzing PVAs OfferedDuring.createLink(specialMenu=>self,period=>_period)
self.discount = _discount
Discarding PVAs
Menu
Property: Executability
Classifying the name: String
operation price: Real
{incomplete}
SpecialMenu Period
OUTPUT
* OfferedDuring 1..* iniDate: Date
discount: Real
endDate: Date
context SpecialMenu inv validDiscount: self.discount >=10
context SpecialMenu inv atMost3SpecialMenus: SpecialMenu.allInstances()->size()<=3
63. A Potentially Violating Actions
INPUT
The attribute discount must be
initialized if
[weak and strong executability]
Computing _discount >= 10
execution paths
Each special menu must be
related with at least one Period classify self to SpecialMenu
[weak and strong executability]
Analyzing PVAs There may exist at most 3
OfferedDuring.createLink(specialMenu=>self,period=>_period)
special menus in the system
[strong executability]
self.discount = _discount
Discarding PVAs
Menu
Property: Executability
Classifying the name: String
operation price: Real
{incomplete}
SpecialMenu Period
OUTPUT
* OfferedDuring 1..* iniDate: Date
discount: Real
endDate: Date
context SpecialMenu inv validDiscount: self.discount >=10
context SpecialMenu inv atMost3SpecialMenus: SpecialMenu.allInstances()->size()<=3
64. A Potentially Violating Actions
INPUT
The attribute discount must be
initialized if
[weak and strong executability]
Computing _discount >= 10
execution paths
Each special menu must be PVA
related with at least one Period classify self to SpecialMenu
[weak and strong executability]
Analyzing PVAs There may exist at most 3
OfferedDuring.createLink(specialMenu=>self,period=>_period)
special menus in the system
[strong executability]
self.discount = _discount
Discarding PVAs
Menu
Property: Executability
Classifying the name: String
operation price: Real
{incomplete}
SpecialMenu Period
OUTPUT
* OfferedDuring 1..* iniDate: Date
discount: Real
endDate: Date
context SpecialMenu inv validDiscount: self.discount >=10
context SpecialMenu inv atMost3SpecialMenus: SpecialMenu.allInstances()->size()<=3
65. A Potentially Violating Actions
INPUT
if
Computing _discount >= 10
execution paths PVA
classify self to SpecialMenu
Analyzing PVAs OfferedDuring.createLink(specialMenu=>self,period=>_period)
self.discount = _discount
Discarding PVAs
Menu
Property: Executability
Classifying the name: String
operation price: Real
{incomplete}
SpecialMenu Period
OUTPUT
* OfferedDuring 1..* iniDate: Date
discount: Real
endDate: Date
context SpecialMenu inv validDiscount: self.discount >=10
context SpecialMenu inv atMost3SpecialMenus: SpecialMenu.allInstances()->size()<=3
66. A Potentially Violating Actions
INPUT
if
Computing _discount >= 10
execution paths PVA
classify self to SpecialMenu
Analyzing PVAs OfferedDuring.createLink(specialMenu=>self,period=>_period)
self.discount = _discount
Discarding PVAs
The value of the discount
attribute must be >= 10
[strong executability]
Menu
Property: Executability
Classifying the name: String
operation price: Real
{incomplete}
SpecialMenu Period
OUTPUT
* OfferedDuring 1..* iniDate: Date
discount: Real
endDate: Date
context SpecialMenu inv validDiscount: self.discount >=10
context SpecialMenu inv atMost3SpecialMenus: SpecialMenu.allInstances()->size()<=3
67. A Potentially Violating Actions
INPUT
if
Computing _discount >= 10
execution paths PVA
classify self to SpecialMenu
Analyzing PVAs OfferedDuring.createLink(specialMenu=>self,period=>_period)
PVA
self.discount = _discount
Discarding PVAs
Property: Executability
Classifying the
operation
MAY BE NOT
[weakly | STRONGLY]
OUTPUT
EXECUTABLE
69. when a PVA may be discarded?
INPUT
The path contains a guard
way 1
Computing that ensures the PVA will only
be executed in a safe context
execution paths
Analyzing PVAs Critical scenario Safe scenario
A
… if ( A.allInstances()size()=0 ){
A a = new A(); A a = new A();
…
… }
Discarding PVAs Cmax(A)=1 …
Property: Executability
Classifying the
operation
OUTPUT
70. when a PVA may be discarded?
INPUT
The path contains a guard
way 1
Computing that ensures the PVA will only
be executed in a safe context
execution paths
Analyzing PVAs
The path contains another action
which counters or complements
way 2
Discarding PVAs
the effect of the PVA in order to
maintain the integrity of the system
Property: Executability
Classifying the
operation
Critical scenario Safe scenario
A …
…
a0.destroy(); //where a0.type == A
OUTPUT
… A a = new A();
a1 = new A();
…
Cmax(A)=1 …
71. when a PVA may be discarded?
INPUT
The attribute discount must be
initialized if
[weak and strong executability]
Computing _discount >= 10
execution paths
Each special menu must be PVA
related with at least one Period classify self to SpecialMenu
[weak and strong executability]
Analyzing PVAs There may exist at most 3 OfferedDuring.createLink(specialMenu=>self,period=>_period)
special menus in the system
[strong executability] PVA
self.discount = _discount
Discarding PVAs
The value of the discount
attribute must be >= 10
[strong executability]
Menu
Property: Executability
Classifying the name: String
operation price: Real
{incomplete}
SpecialMenu Period
OUTPUT
* OfferedDuring 1..* iniDate: Date
discount: Real
endDate: Date
context SpecialMenu inv validDiscount: self.discount >=10
context SpecialMenu inv atMost3SpecialMenus: SpecialMenu.allInstances()->size()<=3
72. when a PVA may be discarded?
INPUT
The attribute discount must be
initialized if
[weak and strong executability]
Computing _discount >= 10
execution paths
Each special menu must be PVA
related with at least one Period classify self to SpecialMenu
[weak and strong executability]
Analyzing PVAs There may exist at most 3 OfferedDuring.createLink(specialMenu=>self,period=>_period)
special menus in the system
[strong executability] PVA
self.discount = _discount
Discarding PVAs
The value of the discount
attribute must be >= 10
[strong executability]
Menu
Property: Executability
Classifying the name: String
operation price: Real
{incomplete}
SpecialMenu Period
OUTPUT
* OfferedDuring 1..* iniDate: Date
discount: Real
endDate: Date
context SpecialMenu inv validDiscount: self.discount >=10
context SpecialMenu inv atMost3SpecialMenus: SpecialMenu.allInstances()->size()<=3
73. when a PVA may be discarded?
INPUT
if
Computing _discount >= 10
execution paths
Each special menu must be PVA
related with at least one Period classify self to SpecialMenu
[weak and strong executability]
Analyzing PVAs There may exist at most 3 OfferedDuring.createLink(specialMenu=>self,period=>_period)
special menus in the system
[strong executability] PVA
self.discount = _discount
Discarding PVAs
The value of the discount
attribute must be >= 10
[strong executability]
Menu
Property: Executability
Classifying the name: String
operation price: Real
{incomplete}
SpecialMenu Period
OUTPUT
* OfferedDuring 1..* iniDate: Date
discount: Real
endDate: Date
context SpecialMenu inv validDiscount: self.discount >=10
context SpecialMenu inv atMost3SpecialMenus: SpecialMenu.allInstances()->size()<=3
74. when a PVA may be discarded?
INPUT
if
Computing _discount >= 10
execution paths PVA
classify self to SpecialMenu
Analyzing PVAs There may exist at most 3 OfferedDuring.createLink(specialMenu=>self,period=>_period)
special menus in the system
[strong executability] PVA
self.discount = _discount
Discarding PVAs
The value of the discount
attribute must be >= 10
[strong executability]
Menu
Property: Executability
Classifying the name: String
operation price: Real
{incomplete}
SpecialMenu Period
OUTPUT
* OfferedDuring 1..* iniDate: Date
discount: Real
endDate: Date
context SpecialMenu inv validDiscount: self.discount >=10
context SpecialMenu inv atMost3SpecialMenus: SpecialMenu.allInstances()->size()<=3
75. when a PVA may be discarded?
INPUT
if
Computing _discount >= 10
execution paths PVA
classify self to SpecialMenu
Analyzing PVAs There may exist at most 3 OfferedDuring.createLink(specialMenu=>self,period=>_period)
special menus in the system
[strong executability] PVA
self.discount = _discount
Discarding PVAs
The value of the discount
attribute must be >= 10
[strong executability]
Menu
Property: Executability
Classifying the name: String
operation price: Real
{incomplete}
SpecialMenu Period
OUTPUT
* OfferedDuring 1..* iniDate: Date
discount: Real
endDate: Date
context SpecialMenu inv validDiscount: self.discount >=10
context SpecialMenu inv atMost3SpecialMenus: SpecialMenu.allInstances()->size()<=3