3. Why do engineers build models?
- To understand
... problems and solutions
Models as "Means for Knowledge Acquisition"
- To communicate
... understanding and design intent
Models as "Means for Knowledge Transfer"
- To predict
... the interesting characteristics of system under study
Models as "Surrogates"
- To specify
... the implementation of the system
Models as "Blueprints"
Building models is done by selecting statements through
abstraction, i.e., reduction of information preserving
properties relative to a given set of concerns
[From: Bran Selic, UML2 Tutorial @ MoDELS 2012]
8. Model analysis
●
Aim of model analysis: Check model for relevant and interesting
properties; detect deficiencies on the modeling level before
implementation
●
Example properties
– Is the set of states and transitions not empty?
Which properties do the states have?
– Which transition sequences are possible?
– Are the transitions deterministic?
Are there states with no outgoing transition?
– ...
●
General model properties: Consistency, Independence (Minimality),
Detection of consequences, Exploration of reachability, ...
9. (Textual) Modeling with UML and OCL within USE
(UML-based Specification Environment)
●
Class diagrams (classes, associations, generalization, abstract
classes, association clases, aggregation, composition, ...)
●
Protocol State Machines (states and guarded transitions)
●
Support for full OCL with all collection kinds (sets, bags, sequences,
ordered sets) and operations (forAll, select, collect, iterate, closure, ...)
●
Central assurance technique: Expressing scenarios (test cases);
UML object and sequence diagrams
●
Employing OCL for ad-hoc queries, class invariants, operation pre-
and postconditions, operation definitions (for side-effect free
operations), state invariants, transition pre- and postconditions
●
Employing SOIL (Simple Ocl-like Imperative Language) for
implementing operations manipulating the system state
●
Validation: Are we building the right product?
Verification: Are we building the product right?
12. Model understanding and analysis with positive examples
●
Search for scenarios satisfying all constraints
●
Prove consistency of structural model
●
Provide valid object diagrams with meaningful objects and values to
stakeholders not interested in technical details
●
Systematically construct object diagrams in order to span up a
particular search space consisting of a sequence of object diagrams
●
Automatically construct object diagrams with the so-called
model validator which realizes a transformation from UML and OCL
into relational logic implemented in Alloy resp. Kodkod
23. Modeling Behavior with SOIL and Statecharts
●
Employ OCL pre- and postconditions for operations
●
Employ SOIL statements for implementing operations
manipulating the system state
●
Employ UML statecharts (UML protocol state machines)
for specifying complete object life cycles (in extension to the
OCL pre- and postconditions which cover single state transitions with
one pre and one post state)
●
Employ UML sequence diagrams for capturing execution traces
with object lifelines and exchanged messages
25. class Person < Accessor
operations
invite(invitee:Person)
begin SOIL
[prescriptive]
insert (self,invitee) into Pendship;
invitee.invited(self);
end
pre inviteeNotSelf: invitee<>self OCL
[descriptive]
pre inviteeNotFriend: friends()->excludes(invitee)
pre inviteeNotPending: pends()->excludes(invitee)
post pInvited: self.pInvitee->includes(invitee)
accept(inviter:Person)
begin
inviter.accepted(self);
delete (inviter,self) from Pendship;
insert (inviter,self) into Friendship;
end
pre pInvited: inviter.pInvitee->includes(self)
post pendingCanceled: inviter.pInvitee->excludes(self)
post invited: inviter.invitee->includes(self)
decline(inviter:Person) ...
invited(inviter:Person) ...
accepted(invitee:Person) ...
declined(invitee:Person) ...
end
26.
27.
28.
29.
30.
31.
32. Result of scenario construction
●
Structural model: Class diagram and invariants
●
Behavioral model: Operation pre- and postconditions, SOIL operation
realization, and statecharts including transition pre- and
postconditions and state invariants
●
All operations touched at least once in the scenario
●
Invariants, operation pre- and postconditions, and transition pre- and
post conditions are all valid
●
Structural and behavioral model are consistent
33. Summary
●
Software development concentrating on models as first class citizens
●
Successfully applied approach in larger German project:
XGenerator @ Deutschland online
●
UML (Class and Statechart diagrams) in combination with OCL (not
mentioned yet the darker side of the force, namely class diagram
features like subsets, redefines, union, association inheritance and
association class inheritance)
●
SOIL (Simple Ocl-like Imperative Language) for operation
implementation together model unit tests (Object and Sequence
diagrams)
●
Employ model validator for searching object diagram spaces
●
Validation and verification
●
Aim of modeling: Obtain trustworthy models
34. Perspectives
●
Support for model transformation: From descriptive models to
prescriptive models, from platform-indepedent models to platform-
dependent ones, ...
●
Technical extension in USE
- statecharts features, e.g. adding change events and nested states
- sequence diagram, e.g. states and object diagram on lifelines
●
Filmstriping models, i.e. simulating system dynamics by encoding
filmstrips (state sequences and operation calls) into a single state
●
Temporal logic for dynamic properties!
Deontic logic for obligations and permissions?
●
Monitoring running applications (JVM, CRL, ...) with models
●
THANKS: to Mark Richters, Jörn Bohling, Fabian Büttner,
Mirco Kuhlmann and Lars Hamann for their work on USE!
35. Apologies for this long presentation. I did not find
the time to prepare a short smart one. [B. Pascal]
Thanks for your attention!
36. Relevant Properties
●
Consistency: Are the model inherent constraints (e.g., multiplicities,
agggregation, composition) and class invariants consistent? Is there
at least one object diagram? Empty populations? Finite populations?
Classes? Associations? Consistency also for other constraints, e.g.
invariants and operation pre- and postconditions?
●
Independence: Are the class invariants independent? Is there an
invariant which is implied by the other invariants? Are the invariants
implied by the operation pre- and postconditions?
●
Consequences: Is a newly stated invariant a consequence of the
stated ones? Must operationA always be followed by operationB?
●
Reachability: Is a given object diagram reachable from another object
diagram through a sequence of operation calls? Which operation calls
lead from a start object diagram to an end object diagram? Are there
operation call sequences leading to dead end object diagrams?
●
Many further properties worth to be investigated!
37. Example property: Agggregation and composition
context Person inv cannotBeMemberOfFriendsList:
ownedList.member.ownedList.member->excludes(self)
Object diagram
violating diamonds
and constraint
44. String2ObjDia(s:Seq(Tuple(PERSON:String, parameters &
class/assoc
INVITEES:Sequence(String), SOIL
features
POSTS:Sequence(String),
COMMENTS:Sequence(String),
DENIES:Sequence(String))))
begin
declare ps:Person, po:Post, po_str:String, co_str:String,
co:Commenting, ps_str:String, ac:Access;
for x in s->collectNested(e|e.PERSON) do
ps:=new Person(x); end;
for x in s->collectNested(e|e.PERSON) do
for y in s->any(e|e.PERSON=x).INVITEES do
insert (Person.byUseId(x),Person.byUseId(y)) into Friendship; end;
end;
for x in s->collectNested(e|e.PERSON) do
for y in s->any(e|e.PERSON=x).POSTS do
po:=new Post(y); insert (Person.byUseId(x),Post.byUseId(y)) into
Posting;
end; end;
for x in s->collectNested(e|e.PERSON) do
for y in Set{0..(s->any(e|e.PERSON=x).COMMENTS->size() div 2)-1} do
po_str:=s->any(e|e.PERSON=x).COMMENTS->at(y*2+1);
co_str:=s->any(e|e.PERSON=x).COMMENTS->at(y*2+2);
co:=new Commenting between (Person.byUseId(x),Post.byUseId(po_str));
co.comment:=co_str; end; end;
for x in s->collectNested(e|e.PERSON) do
for y in Set{0..(s->any(e|e.PERSON=x).DENIES->size() div 2)-1} do
po_str:=s->any(e|e.PERSON=x).DENIES->at(y*2+1);
ps_str:=s->any(e|e.PERSON=x).DENIES->at(y*2+2);
ac:=new Access between(Post.byUseId(po_str),Person.byUseId(ps_str));
ac.deny:=true; end; end;
45. procedure societyComplete(numPerson:Integer,
numFriendship:Integer,
numList:Integer, numMember:Integer, numPost:Integer,
numComment:Integer, numDeny:Integer)
var persons:Sequence(Person), p1:Person, p2:Person,
lists:Sequence(List), l:List, po:Post, posts:Sequence(Post),
acc:Accessor, commentings:Sequence(Commenting),
accesses:Sequence(Access)
begin
persons:=CreateN(Person,[numPerson])
for i:Integer in [Sequence{1..numFriendship}]
begin p1:=Try([persons]) p2:=Try([persons])
if [p1.invitee->excludes(p2)] then
begin Insert(Friendship,[p1],[p2]) end
end
lists:=CreateN(List,[numList])
for i:Integer in [Sequence{1..numList}]
.. Insert(ListOwnership,[p1],[lists->at(i)]) ..
..ListMembership..Post..Posting..
for i:Integer in [Sequence{1..numComment}]
.. Create(Commenting,[p1],[po]) ..
..
for i:Integer in [Sequence{1..commentings->size}]
.. [commentings->at(i)].comment:=[''] ..
for i:Integer in [Sequence{1..numDeny}]
.. acc:=Try([persons->union(lists)]) ..
..
end