From Declarative to Imperative Operation Specifications (ER 2007)

1,431 views

Published on

Declarative specifications are better but have ambiguity problems. Here I present my common sense -based approach to interpret declarative postconditions in a non-ambiguos way

Full paper: http://jordicabot.com/papers/ER07.pdf
(presented in the ER'07 conference)

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,431
On SlideShare
0
From Embeds
0
Number of Embeds
7
Actions
Shares
0
Downloads
0
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • In this presentation Im proposing a new and practical approach to bridge the gap between declarative to imperative specifications written using UML/OCL langauges
  • From Declarative to Imperative Operation Specifications (ER 2007)

    1. 1. From Declarative to Imperative UML/OCL Operation Specifications Jordi Cabot Open University of Catalonia
    2. 2. Index <ul><li>Introduction </li></ul><ul><li>Motivation </li></ul><ul><li>Our approach (1) : Disambiguate </li></ul><ul><li>Our approach (2) : Generate </li></ul><ul><li>Inherently ambiguous postconditions </li></ul><ul><li>Discussion </li></ul><ul><li>Conclusions </li></ul>
    3. 3. Introduction <ul><li>There are two different approaches to specify the effect of an operation over the system state: the declarative and the imperative approaches </li></ul><ul><li>In an imperative specification the designer explicitly defines the set of actions (i.e. structural events:insert,update,delete) to be applied over the system state </li></ul><ul><li>For declarative specifications the designer defines a contract (set of pre and postconditions). A postcondition states the set of conditions to be satisfied by the system state at the end of the operation execution </li></ul><ul><li>From a specification point of view, declarative specifications are preferable (they are more concise and abstract) </li></ul><ul><li>BUT: </li></ul><ul><li>Declarative specifications are underspecifications (there are several possible final states satisfying the postcondition) </li></ul><ul><li>This is specially relevant in OCL contracts due to the OCL expressiveness </li></ul><ul><li>This hinders the practical use of declarative specifications </li></ul>
    4. 4. Motivation: Expected behavior of GoalEvaluation ? context Department::GoalEvaluation() post : self.sumSales=self.employee.sales.amount->sum() and if self.sumSales>self.goal then self.employee->forAll(e| e.salary= e.salary@pre + e.category.raise) else self.carFleet->excludesAll(Car::allInstances->select(c| c.type=‘Luxury’)) endif Or where we change the category where the employee belongs to Final states where not referenced objects are modified also satisfy the postcondition Or final states where we assign a zero value to sumSales and remove all sales from the employees Or where we remove the employees of a department Or final states where the id of the department is modified Or when we add/remove non-luxury cars to the department (or remove all cars) If employees have sold enough to fulfill the goal, their salary is increased as indicated by their category. Otherwise, employees are not longer allowed to use luxury cars
    5. 5. Motivation OCL WORKSHOP at MODELS’06 -- withdraw gives the customer money if there is enough money in the account. The return value indicates whether the withdrawal was successful or not. context ATMController::withdraw(amount:Real) : Boolean post : if (amount <= customer.account.balance) then customer.account.balance = customer.account.balance@pre – amount result:=true . . . BOOK: The Object Constraint Language. Kleppe and Warmer context LoyaltyProgram::addService(p: ProgramPartner, s: Service) pre: partners->includes( p ) post: partners.deliveredServices->includes( s ) . . .
    6. 6. My approach (1) : Disambiguate <ul><li>Given an operation op and an initial state s there exist a set of final states set s ’ that satisfy the postcondition of op. All states in set s ’ must be considered correct (from a theoretical point of view) </li></ul><ul><li>But, most probably, only a small subset acc s  set s ’ would be regarded as correct by the designer. In general |acc s | = 1 (from the designer’s point of view there is only a possible final state when executing op over s ) </li></ul>GOAL1: To deduce the state s’  set s ’ that represents the expected behavior of the operation as intended by the designer Several heuristics to clarify the interpretation of declarative postconditions are proposed.
    7. 7. Heuristics <ul><li>The heuristics try to represent common assumptions used during the specification of operation contracts. </li></ul><ul><li>Each heuristic disambiguates a problematic type of expression that may appear in a postcondition. </li></ul><ul><li>The ambiguity is solved by providing a default interpretation for each expression. This default interpretation identifies, among all states satisfying it, the one that, most probably , represents what the modeler meant when defining it. </li></ul><ul><li>With these heuristics, modelers do not need to write long and cumbersome postconditions to clearly specify the expected behavior of the operation. </li></ul><ul><li>They can rely on our heuristic to be sure that, after the operation execution, the new state will be the one they intended. </li></ul>
    8. 8. Some heuristics <ul><li>X.a=Y (Order matters) </li></ul><ul><li>Possible final states satisfying the postcondition: </li></ul><ul><ul><li>States where a takes the value of Y </li></ul></ul><ul><ul><li>States where Y takes the value of a </li></ul></ul><ul><ul><li>States where a value c is assigned to both a and Y </li></ul></ul><ul><li>Default interpretation: The desired state is the one where a takes the value of Y </li></ul><ul><li>If X then Y (Do not falsify X) </li></ul><ul><li>Possible final states satisfying the postcondition </li></ul><ul><ul><li>States where X is true and Y is true </li></ul></ul><ul><ul><li>States where X is false </li></ul></ul><ul><li>Default interpretation: Do not falsify X </li></ul><ul><ul><li>Implementations where X is changed to ensure that it evaluates to false to avoid enforcing Y are not acceptable (even if it is easier!!) </li></ul></ul>
    9. 9. Some heuristics <ul><li>X->forAll(Y) (Do not empty the source) </li></ul><ul><li>Possible final states satisfying the postcondition: </li></ul><ul><ul><li>States where Y evaluates to true for all objects in X </li></ul></ul><ul><ul><li>States where X is empty </li></ul></ul><ul><li>Default interpretation: Do not empty the collection X. A solution removing all objects in X is not acceptable </li></ul><ul><li>X->includesAll(Y) (Minimum insertions) </li></ul><ul><li>Possible final states satisfying the postcondition: </li></ul><ul><ul><li>States where Y is empty </li></ul></ul><ul><ul><li>States where X includes all objects in Y </li></ul></ul><ul><ul><li>States where X includes all objects in Y plus/less additional objects </li></ul></ul><ul><li>Default interpretation: No changes over Y and a maximum of Y->size() insertions over X </li></ul>
    10. 10. Some heuristics <ul><li>Other heuristics: </li></ul><ul><ul><li>Nothing else changes </li></ul></ul><ul><ul><li>X->excludesAll(Y) | X->excludes(o) </li></ul></ul><ul><ul><li>X.r1.r2…rn-1.rn=Y </li></ul></ul><ul><ul><li>o.oclIsTypeOf(Cl) | o.oclIsKindOf(Cl) </li></ul></ul><ul><ul><li>not o.oclIsTypeOf(Cl) | not o.oclIsKindOf(Cl) </li></ul></ul>
    11. 11. Now, what is the expected behavior of Goal Evaluation ? If employees have sold enough to fulfill the goal, their salary is increased as indicated by their category. Otherwise, employees are not longer allowed to use luxury cars context Department::GoalEvaluation() post : self.sumSales=self.employee.sales.amount->sum() and if self.sumSales>self.goal then self.employee->forAll(e| e.salary= e.salary@pre + e.category.raise) else self.carFleet->excludesAll(Car::allInstances->select(c| c.type=‘Luxury’)) endif
    12. 12. My approach (2) : Generate <ul><li>In a MDD approach declarative operations must be transformed into imperative ones </li></ul><ul><li>The imperative version of an operation op must evolve the initial state to a final state that satisfies the postcondition of op . We use the previous heuristics (or any other method!) to characterize the desired final state </li></ul>GOAL2: To deduce the minimal set of actions set ac to implement a given postcondition. Minimal= no proper subset of set ac suffices to satisfy the postcondition and reach the desired final state Several transformation patterns (one for each common type of OCL expression) are provided
    13. 13. UML Actions <ul><li>The exact translation depends on the imperative sublanguage of each modeling language </li></ul><ul><li>List of actions (i.e. structural events) defined in the UML: </li></ul><ul><ul><li>CreateObject(Class c) </li></ul></ul><ul><ul><li>DestroyObject(Object o) </li></ul></ul><ul><ul><li>AddAttributeValue(Attribute at, Object o, Object value) </li></ul></ul><ul><ul><li>RemoveAttributeValue(Attribute at, Object o) </li></ul></ul><ul><ul><li>CreateLink(Association a, Object o1, …, Object on) </li></ul></ul><ul><ul><li>CreateLinkObject(Association a, Object o1, …, Object on) </li></ul></ul><ul><ul><li>D estroyLink(Association a, Object o1, …, Object on) </li></ul></ul><ul><ul><li>RemoveLinkValue(AssociationEnd ae, Object o) </li></ul></ul><ul><ul><li>R eclassifyObject(Object o, Class[] newClasses, Class[] oldClasses) </li></ul></ul>
    14. 14. Some translation patterns <ul><li>o.oclIsNew() and o.oclIsTypeOf(Cl) </li></ul><ul><ul><li>o:=CreateObject(Cl); </li></ul></ul><ul><li>not o.oclIsTypeOf(OclAny) | Cl.allInstances()->excludes(o) </li></ul><ul><ul><li>DestroyObject (o); </li></ul></ul><ul><li>o.at=Y (where at is a univalued attribute) </li></ul><ul><li> RemoveAttributeValue(at,o); </li></ul><ul><li>AddAttributeValue(at,o,Y); </li></ul><ul><li>o.oclIsKindOf(Cl) </li></ul><ul><li> ReclassifyObject(o,Cl,[]); </li></ul><ul><li>o.oclIsTypeOf(Cl) </li></ul><ul><li> ReclassifyObject(o,Cl,Cl.generalization.specific); </li></ul>
    15. 15. Some translation patterns <ul><li>X->forAll(Y) </li></ul><ul><ul><li>foreach o in X do </li></ul></ul><ul><ul><li>if not (o.Y) then Translate(o.Y) </li></ul></ul><ul><ul><li>endif; </li></ul></ul><ul><ul><li>endfor; </li></ul></ul><ul><li>o.r->includesAll(Y) </li></ul><ul><ul><li>foreach o’ in Y do </li></ul></ul><ul><ul><li>CreateLink(r.association, o, o’) </li></ul></ul><ul><ul><li>endfor; </li></ul></ul><ul><li>o.r->isEmpty() </li></ul><ul><ul><li>foreach o’ in o.r@pre </li></ul></ul><ul><ul><li>DestroyLink(r.association,o,o’) </li></ul></ul><ul><ul><li>endfor; </li></ul></ul>
    16. 16. Imperative version of GoalEvaluation context Department::GoalEvaluation() { AddAttributeValue(sumSales, self, self.employee.sales.amount->sum()); if self.sumSales>self.goal then foreach e in self.employee AddAttributeValue(salary, e, e.salary@pre + e.category.raise); endfor; else foreach c in Car::allInstances->select(c| c.type=‘Luxury’) DestroyLink (DepartmentCar, self, c); endfor; endif }
    17. 17. Inherently ambiguous expressions <ul><li>For some postconditions we cannot define a default interpretation (there is not a final state clearly more appropriate than the others). </li></ul><ul><li>It is worth identifying them since many times the designer is not aware of their ambiguity </li></ul><ul><li>We provide a default translation but usually designers should select themselves the preferred one </li></ul><ul><li>List of some inherently ambiguous expressions: </li></ul>Expression Ambiguity description post: B 1 or … or B n At least a B i condition should be true but it is not defined which one/s X<>Y, X>Y, X>=Y, X<Y, X<=Y The exact relation between the values of X and Y is not stated X+Y=W+Z (likewise with -,*,/,…) The exact relation between the values of the different variables is not stated. X->exists(Y) An element of X must verify Y but it is not defined which one X->any(Y)=Z Any element of X verifying Y could be the one equal to Z X.p->sum()=Y There exist many combinations of single values that once added may result in Y
    18. 18. Discussion: Facts <ul><li> Ambiguity problems difficult a wider adoption of declarative specifications </li></ul><ul><li> We must deal with these ambiguities to ensure that the implementation of the operation behaves as expected by the designer (some of the states accepted by the post are not valid from the designer's point of view) </li></ul><ul><li> Regardless the proposed solution it is important to identify which are the ambiguities that may appear (many times designers are unaware of them) </li></ul><ul><li> No methods exist that provide a declarative-to-imperative translation of OCL specifications </li></ul><ul><ul><li>Tools admitting declarative specifications transform the contract into if-then clauses that check if the pre and postconditions are satisfied (and raise an exception otherwise). The actual body is not generated </li></ul></ul>
    19. 19. Discussion: My solution <ul><li>Heuristic-based translation </li></ul><ul><li> Designers do not need to define additional information </li></ul><ul><li> Some of the heuristics are generally accepted </li></ul><ul><li> Evolving the schema does not affect the interpretation of existing operations </li></ul><ul><li>X Consensus on the heuristics is required (at least within the particular company/group using this approach) </li></ul><ul><li>X This solution does not cover (yet) all kinds of OCL expressions nor all combinations between them (rules to combine the basic patterns are required for elements appearing in different parts of the post) </li></ul>
    20. 20. Discussion: Alternatives (1) <ul><li>Frame axioms </li></ul><ul><li>Designers explicitly define which parts of the system may (or may not) change during the operation </li></ul><ul><li> No hidden interpretations </li></ul><ul><li>X Additional burden for the designer (feasible?) </li></ul><ul><li>X Not all ambiguities solved (things that do change may change in different ways. Ex: multivalued properties) </li></ul><ul><li>X Evolving the schema may imply adding new frame axioms (more things that “do not change”) </li></ul>
    21. 21. Discussion: Alternatives (2) <ul><li>Imperative constructs embedded in the declarative specification </li></ul><ul><li> No hidden interpretations </li></ul><ul><li>X Additional burden for the designer </li></ul><ul><li>X No clear separation between declarative and imperative specifications </li></ul><ul><li>X Evolving the schema may require adding new constructs </li></ul>
    22. 22. Discussion: Alternatives (3) <ul><li>Computing all possible final states: </li></ul><ul><li>Designers review them and select the one they prefer </li></ul><ul><li> No hidden interpretations </li></ul><ul><li>X Additional burden for the designer </li></ul><ul><li>? Feasible? -> Risk of exponential combination of possible final states </li></ul>
    23. 23. Discussion: Alternatives (4) <ul><li>Force the designer to write non-ambiguous postconditions </li></ul><ul><li>Avoiding some problematic OCL constructs and </li></ul><ul><li>Adding many additional postconditions, specially with the @pre operator to reduce the possible set of final states </li></ul><ul><li> No hidden interpretations </li></ul><ul><li>X Additional burden for the designer (feasible?) </li></ul><ul><li>X Limits the usefulness of declarative specifications </li></ul><ul><li>X Evolving the schema may imply adding new conditions </li></ul><ul><li>X Needs a verification/validation method that ensures that the post is not ambiguous </li></ul>
    24. 24. Conclusions and Further work <ul><li>There is not a perfect solution. This method can be regarded as an alternative/complement of other methods (depending on the designers’ preferences) </li></ul><ul><li>This method can be useful to: </li></ul><ul><ul><li>Leverage current model-driven development tools, which up to now only support code-generation from imperative specifications. </li></ul></ul><ul><ul><li>Validate operation definitions since modelers could immediately check which would be the interpretation of their declarative specifications </li></ul></ul><ul><li>Further work: </li></ul><ul><ul><li>Richer translation patterns </li></ul></ul><ul><ul><li>Considering integrity constraints </li></ul></ul><ul><ul><li>Mixing different techniques depending on the designer requirements </li></ul></ul>

    ×