lightweight verification of executable models
TRANSCRIPT
Lightweight Verification of Executable Models
Elena Planas, Universitat Oberta de Catalunya (Spain)
Jordi Cabot, École des Mines de Nantes – INRIA (France)
Cristina Gómez, Universitat Politècnica de Catalunya (Spain)
30th International Conference on Conceptual Modeling, November 3rd, 2011 - Brussels, Belgium
What is an Executable Model?
An executable model is a model described in sufficient detail so that it can be (semi)automatically implemented/executed in the production environment.
[Figure: high-level model → software system]
MDD: Model-Driven Development approach
In MDD the quality of the final system implementation depends on the quality of the initial specification, so the existence of methods to verify the correctness of executable models is becoming crucial.
Our goal: propose a verification method for Executable Models
Focus: action-based operations
Property: Strong Executability (SE)
Method features: lightweight (efficient) verification method; feedback suggesting possible corrections
An operation is Strongly Executable if it is always successfully executed, that is, the operation's execution generates a state consistent with all structural integrity constraints.

STRUCTURAL MODEL
Class Product (attributes code: Integer, price: Real) with a reflexive association CanBeSubstitutedBy (roles p1 and p2, multiplicity * at both ends) and two OCL integrity constraints:
  context Product inv productPrimaryKey: Product.allInstances()->isUnique(code)
  context Product inv symmetricAssociation: self.p2.p2->includes(self)

BEHAVIOURAL MODEL
  activity newProduct (in _code: String, in _price: Real, in _substitutedProducts: Product[0..*]) {
    Product p = new Product();
    p.code = _code;
    p.price = _price;
    for (i in 1.._substitutedProducts->size()) {
      CanBeSubstitutedBy.createLink(p1=>self, p2=>_substitutedProducts[i]);
    }
  }

After executing newProduct, several constraints may become violated! The operation is not strongly executable.
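To make the slide's claim concrete, here is an added example (my code, not the authors' or the slides' own) that executes newProduct against a small in-memory model and evaluates both OCL invariants afterwards. The initial state, the product codes and the prices are constructed for the example; the repaired variant applies the two corrections the presentation proposes later (a guard on the code and a reverse link). The symmetricAssociation invariant is evaluated literally as written on the slides.

```python
"""Added example (not from the slides): run the newProduct operation of the
slides against an in-memory model and evaluate the two OCL invariants after
each run. An operation is strongly executable only if every run, from every
consistent state, ends in a consistent state; the original version does not."""


class Product:
    def __init__(self, code, price):
        self.code = code
        self.price = price
        self.p2 = []  # CanBeSubstitutedBy links, role p2 (this product's substitutes)


class Model:
    """System state: Product.allInstances() plus the CanBeSubstitutedBy links."""

    def __init__(self):
        self.products = []

    def create_link(self, p1, p2):
        p1.p2.append(p2)

    # context Product inv productPrimaryKey: Product.allInstances()->isUnique(code)
    def product_primary_key(self):
        codes = [p.code for p in self.products]
        return len(codes) == len(set(codes))

    # context Product inv symmetricAssociation: self.p2.p2->includes(self)
    # (evaluated literally: the substitutes of self's substitutes must include self)
    def symmetric_association(self):
        return all(any(q is p for s in p.p2 for q in s.p2) for p in self.products)

    def violated(self):
        """Names of the invariants that the current state violates."""
        out = []
        if not self.product_primary_key():
            out.append("productPrimaryKey")
        if not self.symmetric_association():
            out.append("symmetricAssociation")
        return out


def new_product(model, code, price, substituted):
    """The operation as shown on the slides (one-way links, no guard)."""
    p = Product(code, price)
    model.products.append(p)
    for s in substituted:
        model.create_link(p, s)
    return p


def new_product_repaired(model, code, price, substituted):
    """The operation after the feedback on the slides: a guard protecting
    productPrimaryKey and a reverse link protecting symmetricAssociation."""
    if any(q.code == code for q in model.products):
        return None  # guard: the PVA p.code = _code is skipped in a critical context
    p = Product(code, price)
    model.products.append(p)
    for s in substituted:
        model.create_link(p, s)
        model.create_link(s, p)  # complements the first createLink
    return p


def consistent_state():
    """Constructed initial state: two products that substitute each other,
    so both invariants hold before the operation runs."""
    m = Model()
    a, b = Product(1, 9.5), Product(2, 12.0)
    m.products += [a, b]
    m.create_link(a, b)
    m.create_link(b, a)
    return m


def run(operation, code):
    """Apply `operation` from the consistent state; return the violated invariants."""
    m = consistent_state()
    operation(m, code, 7.0, [m.products[0]])
    return m.violated()


if __name__ == "__main__":
    for op in (new_product, new_product_repaired):
        for code in (3, 2):  # code 2 duplicates an existing product
            print(op.__name__, "code =", code, "->", run(op, code) or "consistent")
```

The original operation ends in a violating state on every run (the one-way link always breaks symmetricAssociation) and additionally breaks productPrimaryKey when the code is already taken, so its outcome depends on the state it starts from; the repaired one leaves both invariants intact in both cases. One caveat: taken literally, self.p2.p2->includes(self) also fails for a product with no substitutes at all, so the empty-list path would need a separate look if the invariant is really meant that strictly.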
To determine if an operation is Strongly Executable we propose a three-step verification method:
INPUT → 1. Computing execution paths → 2. Analyzing PVAs → 3. Discarding PVAs → OUTPUT
Step 1: Computing execution paths
An execution path is a consecutive sequence of actions that may be followed during the execution of an operation.
Execution paths of newProduct (INPUT: the activity above; there is one path per outcome of the for loop):
1st path: p = new Product(); p.code = _code; p.price = _price; for (loop body not executed)
2nd path: p = new Product(); p.code = _code; p.price = _price; for; CanBeSubstitutedBy.createLink(p1=>self, p2=>_substitutedProducts[i])
An operation is Strongly Executable (SE) iff all its execution paths are SE.
Step 2: Analyzing PVAs
A Potentially Violating Action (PVA) is an action whose effect can change the system state in a way that some integrity constraint becomes violated.
A path with no PVAs is SE. A path with some PVAs may not be SE.
On the 2nd path of newProduct three actions are marked as PVAs, among them p.code = _code (which may violate productPrimaryKey) and CanBeSubstitutedBy.createLink(p1=>self, p2=>_substitutedProducts[i]) (which may violate symmetricAssociation), so the path MAY NOT BE STRONGLY EXECUTABLE.
Step 3: Discarding PVAs
When may a PVA be discarded?
Way 1: the path contains a guard that ensures the PVA will only be executed in a safe context.
  Example (class A whose instances are limited by a 0..1 multiplicity):
  Critical context: ... A a = new A(); ...
  Safe context: ... if (A.allInstances()->size() = 0) { A a = new A(); } ...
Way 2: the path contains another action which counters or complements the effect of the PVA in order to maintain the integrity of the system.
  Critical context: ... A a = new A(); ...
  Safe context: ... a.destroy(); a = new A(); ...
If all PVAs of a path are discarded, the path is SE; if not all PVAs are discarded, the path is not SE.
Applied to the 2nd path of newProduct: one of its PVAs is discarded, but the PVAs p.code = _code and CanBeSubstitutedBy.createLink(p1=>self, p2=>_substitutedProducts[i]) cannot be, so the path, and therefore the operation, is NOT STRONGLY EXECUTABLE.
Our method provides feedback to help designers identify and repair the detected errors.
OUTPUT: the operation with the suggested corrections
  activity newProduct (in _code: String, in _price: Real, in _substitutedProducts: Product[0..*]) {
    if (not Product.allInstances()->exists(p | p.code = _code)) {
      Product p = new Product();
      p.code = _code;
      p.price = _price;
      for (i in 1.._substitutedProducts->size()) {
        CanBeSubstitutedBy.createLink(p1=>self, p2=>_substitutedProducts[i]);
        CanBeSubstitutedBy.createLink(p1=>_substitutedProducts[i], p2=>self);
      }
    }
  }
Feedback 1: the guard "if (not Product.allInstances()->exists(p | p.code = _code))" avoids violating "context Product inv productPrimaryKey: Product.allInstances()->isUnique(code)" when the action p.code = _code is executed.
Feedback 2: the added action CanBeSubstitutedBy.createLink(p1=>_substitutedProducts[i], p2=>self) avoids violating "context Product inv symmetricAssociation: self.p2.p2->includes(self)" when the action CanBeSubstitutedBy.createLink(p1=>self, p2=>_substitutedProducts[i]) is executed.
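The three steps above, as an added example (my code, not the authors' implementation): a toy static analyser over a small action language. Path enumeration treats a loop body as skipped or entered once and a guarded block as entered or not; PVA detection and discarding are hard-coded for the two constraint kinds of the slides' example (uniqueness of an attribute, symmetry of an association), and the set of constraints a guard condition guarantees is handed to the analyser rather than derived from its OCL, which is a simplification the real method does not make. The transcription of newProduct into this language is mine.

```python
"""Added example, not the authors' implementation: a toy static analysis that
follows the three steps on the slides for a small action language
(new / set / createLink / for / if)."""

from dataclasses import dataclass
from itertools import product as cartesian


@dataclass
class Action:
    kind: str                        # "new", "set" or "createLink"
    target: str                      # class, "Class.attr" or association
    args: tuple = ()                 # set: (value,)  createLink: (p1, p2)
    guards: frozenset = frozenset()  # constraints guaranteed by enclosing ifs


@dataclass
class Loop:          # for (...) { body }
    body: list


@dataclass
class Guard:         # if (cond) { body }; `ensures` is assumed to be given
    ensures: frozenset
    body: list


@dataclass
class Constraint:
    name: str
    kind: str        # "unique" (target = Class.attr) or "symmetric" (association)
    target: str


def paths(block, guards=frozenset()):
    """Step 1: enumerate execution paths. A loop body is skipped or entered
    once; a guarded block is entered (its actions inherit the guard) or not."""
    result = [[]]
    for stmt in block:
        if isinstance(stmt, Action):
            alts = [[Action(stmt.kind, stmt.target, stmt.args, stmt.guards | guards)]]
        elif isinstance(stmt, Loop):
            alts = [[]] + paths(stmt.body, guards)
        else:
            alts = [[]] + paths(stmt.body, guards | stmt.ensures)
        result = [p + a for p, a in cartesian(result, alts)]
    return result


def pvas(path, constraints):
    """Step 2: pair every action with the constraints it may violate."""
    hits = []
    for act in path:
        for c in constraints:
            if ((c.kind, act.kind) in (("unique", "set"), ("symmetric", "createLink"))
                    and act.target == c.target):
                hits.append((act, c))
    return hits


def discarded(act, c, path):
    """Step 3. Way 1: an enclosing guard makes the context safe. Way 2: another
    action in the path complements the PVA (for symmetry, the reverse link)."""
    if c.name in act.guards:
        return True
    if c.kind == "symmetric":
        a, b = act.args
        return any(o.kind == "createLink" and o.target == c.target and o.args == (b, a)
                   for o in path)
    return False


def analyse(operation, constraints):
    """Returns (is_strongly_executable, feedback). Feedback lists every PVA
    that survives step 3 together with the kind of repair the slides suggest."""
    feedback = set()
    for path in paths(operation):
        for act, c in pvas(path, constraints):
            if discarded(act, c, path):
                continue
            if c.kind == "unique":
                cls, attr = c.target.split(".")
                hint = f"guard with: not {cls}.allInstances()->exists(x | x.{attr} = {act.args[0]})"
            else:
                hint = f"add {c.target}.createLink(p1=>{act.args[1]}, p2=>{act.args[0]})"
            feedback.add((c.name, f"{act.kind} {act.target}", hint))
    return not feedback, sorted(feedback)


# The slides' example, transcribed into the toy action language.
CONSTRAINTS = [Constraint("productPrimaryKey", "unique", "Product.code"),
               Constraint("symmetricAssociation", "symmetric", "CanBeSubstitutedBy")]
LINK = Action("createLink", "CanBeSubstitutedBy", ("self", "_substitutedProducts[i]"))
BODY = [Action("new", "Product"), Action("set", "Product.code", ("_code",)),
        Action("set", "Product.price", ("_price",))]
NEW_PRODUCT = BODY + [Loop([LINK])]
REPAIRED = [Guard(frozenset({"productPrimaryKey"}), BODY + [Loop([
    LINK, Action("createLink", "CanBeSubstitutedBy", ("_substitutedProducts[i]", "self"))])])]

if __name__ == "__main__":
    for name, op in (("original", NEW_PRODUCT), ("repaired", REPAIRED)):
        print(name, analyse(op, CONSTRAINTS))
```

For the original operation the analyser finds the two paths of the slides, flags p.code = _code on both and the createLink on the second, cannot discard either, and reports the guard and the reverse link as repairs; on the repaired operation every PVA is discarded (way 1 for the attribute assignment, way 2 for each of the two links, which complement each other) and the verdict is strongly executable. Because the analysis is purely syntactic over paths, its cost grows with the number of paths, not with the size of the state space, which is what makes the approach lightweight compared with model checking.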
For concluding this presentation: related work, relevant conclusions, further work.
Related work
Work | Behavioural model | Includes actions? | Integrity constraints supported? | Checked properties | Technique | Repairing feedback?
G. Graw et al., Transformation and Verification of Executable UML Models | Activity, Sequence and Statechart Diagrams | Yes | None | Consistency | Model checking | No
I. Abdelhalim et al., Formal Verification of Tokeneer Behaviours Modelled in fUML using CSP | Activity Diagram | Yes | None | Deadlocks | Model checking | No
D. Latella et al., Automatic Verification of a Behavioural Subset of UML Statechart Diagrams Using the SPIN Model Checker | Statechart Diagram | No | None | Safety, liveness | Model checking | No
J. Lilius et al., vUML: A Tool for Verifying UML Models | Statechart Diagram | No | Associated to states | Deadlocks, livelocks | Model checking | No
J. Cabot et al., Verifying UML/OCL Operation Contracts | Declarative operations | No | All | Strong executability | Constraint programming | No
A. Queralt et al., Reasoning on UML Conceptual Schemas with Operations | Declarative operations | No | Subset | Weak executability | Query containment | No
Our work | Imperative operations | Yes | Subset | Strong executability | Static analysis | Yes
Relevant conclusions
We have proposed a lightweight method for assisting the designer during the specification of Executable Models.
It checks Strong Executability of action-based operations.
Method features: efficiency and feedback.

Further work
Implement our method (we are working on it!).
Study the executability of operations when they are combined with other UML behavioural diagrams.
Integrate our method in a more complete verification framework.
Elena Planas [email protected]
Thanks for your attention!