Refinement formal design with sequence diagrams

Transcription

1 Refinement formal design with sequence diagrams Ketil tølen INTEF & University of Oslo Octoer 14, 2011 Overview Oligatory Exercise No. 2 Motivation How can we incrementally develop UML specifications Requirements to TAIR What should we require from a stepwise method for developing UML specifications Explanation through an example A Dinner Restaurant Refinement Comparison with traditional pre-post paradigm

2 Oligatory Exercise No. 2 hould e solved individually y each student The exercise will e made availale next week The deadline is Octoer 25, PM You should send your individual solutions y to kst@sintef.no as an attachment in pdf-format Novemer 2: We will walk through the oligatory exercise and return the individual solutions in the group session Octoer 2 Motivation Exploit classical theory of inement in a practical UML setting From theory to practice, and not the other way around Briefly summarized: we aim to explain how classical theory of inement can e applied to ine specifications expressed with the help of sequence diagrams equence diagrams can e used to capture the meaning of other UML description techniques for ehavior By defining inement for sequence diagrams we theore implicitly define inement for UML

3 Requirements to TAIR hould allow specification of potential ehavior upport for under-specification hould allow specification of mandatory ehavior upport for information hiding (inherent non-determinism, unpredictaility) hould allow specification of negative ehavior in addition to positive ehavior upport for threat modeling hould capture the notion of inement hould formalize incremental development hould support compositional analysis, verification and testing equence diagram message instanceline component sd L1 L2 x output event!x input event?x

4 Weak sequencing sd W L1 L2 x y <!x,?x,!y,?y> <!x,!y,?x,?y> Traces Traces are used to capture executions (ehaviors) semantically Within the field of formal methods there are many variants of traces In TAIR traces are sequences of events <e1, e2, e3, e4, e4, e1, e2, e5, > An event represent either the transmission or reception of messages?m - reception of message m!m - transmission of message m Events are instantaneous A trace may e finite termination, deadlock, infinite waiting, crash A trace may also e infinite infinite loop, intended non termination

5 Example sd Ex A B C a c d This sequence diagram has six traces: <!a,?a,!,?,!c,?c,!d,?d> <!a,?a,!,?,!c,!d,?c,?d> <!a,?a,!,?,!d,!c,?c,?d> <!a,?a,!,!c,?,?c,!d,?d> <!a,?a,!,!c,?,!d,?c,?d> <!a,?a,!,!c,?c,?,!d,?d> Alternative sd A L1 L2 alt x y

6 Parallel execution sd P L1 L2 par x y Interaction overview diagram sd IOD seq (IO par W) seq (IO alt W) IO W IO W

7 Dinner sd Dinner a alad as a starter alad then a main course consisting of an Entree and ideorder in parallel choices sd Entree Vegetarian sd ideorder Baked Potato choices Beef Rice Pork Frites ome potential positive traces of Beef sd Beef Cook tove Refrigerator main dish please turn on heat heat is adequate fetch_meat() fetch_meat():sirloin put on grill (sirloin) fetch_meat() main dish:sirloin fetch_meat():sirloin

8 TAIR semantics: simple case Each positive execution is represented y a trace Each negative execution is represented y a trace The semantics of a sequence diagram is a pair of sets of traces (Positive, Negative) Positive Inconclusive Negative All other traces over the actual alphaet of events are inconclusive Potential negative Beef experiences sd Beef main dish please Cook tove Refrigerator turn on heat fetch_meat() fetch_meat():sirloin heat is adequate negative traces put on grill (sirloin) neg smell of urned meat fetch_meat() main dish:sirloin fetch_meat():sirloin Positive traces Beef with French fries Turkey entree Inconclusive traces Forgotten irloin Negative traces Burned irloin

9 Pre-post specifications Pre-post specifications are ased on the assumption-guarantee paradigm Integer division var dividend, divisor, quotient, rest : Nat pre divisor 0 Assumption aout the state at the moment the execution is initiated post ( dividend = (quotient * divisor) + rest ) & rest < divisor Guarantee with respect to the state at the moment of termination emantics of pre-post specifications pre false initially pre true initially Legal system ehavior Legal, ut aritrary ehavior no constraints on state at termination post true at termination post false at termination Illegal system ehavior

10 Comparing TAIR with pre-post pre=false pre=true assumption inconclusive post=true positive post=false negative guarantee Refinement in pre-post Weakening pre trengthening post pre false initially no constraint on state at termination pre sann i starttilstand pre true initially post true at termination post false at termination post sann i det øyelikk operasjonen terminerer

11 TAIR: supplementing upplementing involves reducing the set of inconclusive traces y redefining inconclusive traces as either positive or negative Positive trace remains positive Negative trace remains negative Positive traces Beef with French fries Turkey entree supplementing Beef with FF Turkey entree Inconclusive traces Negative traces Forgotten irloin Burned irloin Forgotten irloin Burned irloin upplementing in pre-post weakening the assumption pre=false pre=true assumption inconclusive post=true positive post=false negative guarantee

12 TAIR: narrowing Narrowing involves reducing the set of positive traces y redefining them as negative Inconclusive traces remain inconclusive Negative traces remain negative Indian Restaurant Positive traces in sets of traces Vegetarian Beef Pork narrowing Vegetarian Pork Inconclusive traces Negative traces Beef Narrowing in pre-post pre=false pre=true assumption inconclusive post=true positive post=false negative strengthening the guarantee guarantee

13 Indirect definition: Refinement in TAIR A sequence diagram B is a general inement of a sequence diagram A if A and B are semantically identical B can e otained from A y supplementing B can e otained from A y narrowing B can e otained from A y a finite numer of steps A -> C1 -> C2 ->. ->Cn->B each of which is either a supplementing or a narrowing Is B a inement of A? sd A sd B T T e e c c

14 Is B a inement of A? sd A sd B T T e e c c Is B a inement of A? sd A sd B T T e c alt e c d k f

15 Is B a inement A? sd A sd B T T e c e c d k f Is B a inement of A? sd A sd B T T e e c

16 DIRECT DEFINITION: Refinement in TAIR A sequence diagram B is a inement of a sequence diagram A if every trace classified as negative y A is also classified as negative y B every trace classified as positive y A is classified as either positive or negative y B Refinement in TAIR Positive upplementing Inconclusive Negative Narrowing An interaction oligation o'=(p',n') is a inement of an interaction oligation o=(p,n) iff n n' p p'un'

17 Underspecification and non-determinism Underspecification: everal alternative ehaviours are considered equivalent (serve the same purpose). Inherent non-determinism: Alternative ehaviours that must all e possile for the implementation. These two should e descried differently! The need for oth alt and xalt Potential non-determinism captured y alt allows astraction and inessential non-determinism Under-specification Non-critical design decisions may e postponed Mandatory non-determinism captured y xalt characterizes non-determinism that must e lected in every correct implementation Makes it possile to specify games Important in relation to security Also helpful as a means of astraction

18 Restaurant example with oth alt and xalt Entree menus must have the choice of Vegetarian or Meat sd Dinner-2 alad sd Entree xalt sd ideorder alt Vegetarian alt Baked Potato Beef Pork Rice Frites Meat may e either Beef or Pork, ut menus need not have oth choices TAIR Positive Inconclusive Negative Positive Inconclusive Negative Positive Inconclusive Negative xalt Positive Inconclusive Negative Positive Inconclusive Negative Positive Inconclusive Negative

19 alt vs xalt Assume [[ d1 ]] = {(p1,n1)} [[ d2 ]] = {(p2,n2)} alt specifies potential ehaviour: [[ d1 alt d2 ]] = [[ d1 ]] + [[ d2 ]] = {(p1 U p2, n1 U n2)} xalt specifies mandatory ehaviour: [[ d1 xalt d2 ]] = [[ d1 ]] U [[ d2 ]] P1 = {(p1,n1)} U {(p2,n2)} I1 N1 P1 U P2 I N1 U N2 P2 I2 N2 Example: Network communication cs C A:sender :network B:receiver cs N1:N G:N N3:N N2:N N4:N

20 alt vs xalt :network sd _Comm A:sender G:N N1:N N2:N N3:N N4:N B:receiver m xalt m m m alt m m m m A->G->N1->B Everything else A->G->N2->N3->B A->G->N2->N4->B Everything else Mandatory requirements TAIR Haugen, Husa, Runde, tølen: TAIR towards formal design with sequence diagrams, oym, pringer. Runde, Haugen, tølen: The Pragmatics of TAIR, pringer-verlag. LNC NOTE: Next Friday: Refinement III