Contractual Consistency Between BON Static and Dynamic Diagrams

1

Contractual Consistency Between BON Static and Dynamic DiagramsAli Taleghani

July 30, 2004

2

Overview

Model-Driven Development & Models Contractual Consistency – The Problem Previous Work Current Work – Semantics of Dynamic

Diagrams BON Development Tool – BDT Contribution and Future Work

3

MDD & Models

Model-Driven Development proposes development based on models

Several views can be used to describe system Models must be executable, and views

consistent Contributions

Automated consistency checking Symbolic model execution

4

Contractual Consistency – Example

ACCOUNT

balance: INTEGER

make! balance = 0

withdraw(a: INTEGER)? balance >= a! balance = old balance - a

PERSON

Invariant

balance >= 0 PERSON ACCOUNT1, 2

Scenario 1: Bank Example

1. Create Account2. Withdraw 200

• SD contains contracts only – No implementation

• Want to create account and withdraw $200

• make sets (balance = 0), but precondition of withdraw requires (balance >= 200) Contract Violation

5

Contractual Consistency

SD and DD are the two views involved SD contains contracts only – no implementation Contracts are pre, postconditions and class

invariants Views contractually consistent if messages in

DD corresponding to routines in SD can be executed without contract violations

6

Previous Work

Problem of consistency with contracts not extensively discussed –informal approaches only

[Paige 2002] first to formalize problem Cites 4 criteria for checking consistency Last criteria is contractual consistency We add additional constraints for implementation

7

Semantics of Dynamic Diagram

1 ir

i SSCSSC i

• Message mi in DD is mapped to a feature ri in the target class in SD

• Routine takes system from one system state constraint (SSCi) to the next (SSCi+1)

• SSC represents a constraint on the attributes in the system

• SSCi+1 constructed using SSCi and contracts of ri

8

Current Contribution - 1

Check Contractual Consistency using Symbolic Model Execution

Define Symbolic Execution Step as execution of one message in DD

prerSSC ii .

FalseSSCi 1

),,( 1iii SSCrSSCStep successful iff

Precondition of routine is satisfied

SSC is not a contradiction

9

Current Contribution - 2

Views contractually consistent iff

No implementation provided Require use of Theorem Prover Use Simplify from ESC/Java

Automatic and Fast Returns counter example

),,(|1 1 iii SSCrSSCStepnii

10

BON Development Tool - BDT

Static Diagramming Tool

• Construct Class diagrams

• Include contracts

11

BON Development Tool - BDT

Dynamic Diagramming Tool

• Draw objects and messages

• Assign messages to routines from SD

12

BON Development Tool - BDT

Consistency Tool

• Specify an initial state constraint

• Contract violation results in counter example

• User can use counter example to make changes to contracts, messages

13

Comparison to Tool of [Gao2004]

Gao’s Tool Test drivers and implementation required Checks one or a few execution paths Complete (for that execution)

BDT Automatic and no implementation required All execution paths starting in a state constraint are

checked Incomplete since working with a theorem prover

14

Contribution

First contractual consistency tool without the need to specify implementation

Early symbolic execution of partial models Can use dynamic (collaboration) diagrams Use contracts only – higher level than MDD

State Chart Action Languages Tool is user friendly

Simplify works automatically under the hood Simplify works quickly

15

Future Work

Work out theory for sub-messages in DD BDT

Add invariants and inheritanceSupport quantificationsCombine BDT with EDT for complete code

generationAdd support for program verification – using

ERC

16

Thank You