Software Design, Modelling and Analysis in UML

Transcription

1 Software Design, Modelling and Analysis in UML Lecture 14: Core State Machines IV main Prof. Dr. Andreas Podelski, Dr. Bernd Westphal Albert-Ludwigs-Universität Freiburg, Germany

2 Contents & Goals Last Lecture: System configuration Transformer Action language: skip, update, send This Lecture: Educational Objectives: Capabilities for following tasks/questions. What does this State Machine mean? What happens if I inject this event? Can you please model the following behaviour. What is: Signal, Event, Ether, Transformer, Step, RTC Sprelim Content: Transformers for Action Language Run-to-completion Step Putting It All Together 2/38

3 Transformer Cont d 3/ main

4 Sactlang Transformer: Create abstract syntax create(c, expr, v) concrete syntax intuitive semantics Create an object of class C and assign it to attribute v of the object denoted by expression expr. well-typedness expr : τ D, v atr(d), atr(c) = { v 1 : τ 1,expr 0 i 1 i n} semantics observables (error) conditions IÂexpr Ã(σ, β) not defined. We use an and assign -action for simplicity it doesn t add or remove expressive power, but moving creation to the expression language raises all kinds of other problems such as order of evaluation (and thus creation). Also for simplicity: no parameters to construction ( parameters of constructor). Adding them is straightforward (but somewhat tedious). 4/38

5 Create Transformer Example SM C : /...;n := new C;... s 1 s 2 create(c, expr, v) t create(c,expr,v) (σ, ε) =... σ: d : D n = :σ Sactlang ε: :ε 5/38

6 How To Choose New Identities? Re-use: choose any identity that is not alive now, i.e. not in dom(σ). Doesn t depend on history. May undangle dangling references may happen on some platforms. Fresh: choose any identity that has not been alive ever, i.e. not in dom(σ) and any predecessor in current run. Depends on history. Dangling references remain dangling could mask dirty effects of platform Sactlang 6/38

7 Sactlang Transformer: Create abstract syntax create(c, expr, v) concrete syntax intuitive semantics Create an object of class C and assign it to attribute v of the object denoted by expression expr. well-typedness expr : τ D, v atr(d), atr(c) = { v 1 : τ 1,expr 0 i 1 i n} semantics ((σ, ε), (σ, ε )) t iff σ = σ[u 0 σ(u 0 )[v u]] {u {v i d i 1 i n}}, ε = [u](ε); u (C) fresh, i.e. u dom(σ); u 0 = IÂexpr Ã(σ, β); d i = IÂexpr 0 i Ã(σ, β) if expr0 i and arbitrary value from (τ i ) otherwise; β = {this u x }. observables (error) conditions Obs create [u x ] = {(u x,, (, ), u)} IÂexpr Ã(σ) not defined. 7/38

8 Transformer: Destroy abstract syntax destroy(expr) intuitive semantics Destroy the object denoted by expression expr. well-typedness semantics observables (error) conditions expr : τ C, C... Obs destroy [u x ] = {(u x,, (+, ), u)} IÂexpr Ã(σ, β) not defined. concrete syntax Sactlang 8/38

9 Destroy Transformer Example SM C : /...;delete n;... s 1 s 2 destroy(expr) t destroy(expr) [u x ](σ, ε) =... σ: c : C n : C :σ Sactlang ε: :ε 9/38

10 What to Do With the Remaining Objects? Assume object u 0 is destroyed... object u 1 may still refer to it via association r: allow dangling references? or remove u 0 from σ(u 1 )(r)? object u 0 may have been the last one linking to object u 2 : leave u 2 alone? or remove u 2 also? Plus: (temporal extensions of) OCL may have dangling references Sactlang Our choice: Dangling references and no garbage collection! This is in line with expect the worst, because there are target platforms which don t provide garbage collection and models shall (in general) be correct without assumptions on target platform. But: the more dirty effects we see in the model, the more expensive it often is to analyse. Valid proposal for simple analysis: monotone frame semantics, no destruction at all. 10/38

11 Transformer: Destroy Sactlang abstract syntax destroy(expr) intuitive semantics Destroy the object denoted by expression expr. well-typedness semantics observables (error) conditions expr : τ C, C t[u x ](σ, ε) = (σ, ε) where σ = σ dom(σ)\{u} with u = IÂexpr Ã(σ, β). Obs destroy [u x ] = {(u x,, (+, ), u)} IÂexpr Ã(σ, β) not defined. concrete syntax 11/38

12 Sequential Composition of Transformers Sequential composition t 1 t 2 of transformers t 1 and t 2 is canonically defined as with observation (t 2 t 1 )[u x ](σ, ε) = t 2 [u x ](t 1 [u x ](σ, ε)) Obs (t2 t 1 )[u x ](σ, ε) = Obs t1 [u x ](σ, ε) Obs t2 [u x ](t 1 (σ, ε)). Clear: not defined if one the two intermediate micro steps is not defined Sactlang 12/38

13 Transformers And Denotational Semantics Observation: our transformers are in principle the denotational semantics of the actions/action sequences. The trivial case, to be precise. Note: with the previous examples, we can capture empty statements, skips, assignments, conditionals (by normalisation and auxiliary variables), create/destroy, but not possibly diverging loops Sactlang Our (Simple) Approach: if the action language is, e.g. Java, then (syntactically) forbid loops and calls of recursive functions. Other Approach: use full blown denotational semantics. No show-stopper, because loops in the action annotation can be converted into transition cycles in the state machine. 13/38

14 Step and Run-to-completion Step 14/ main

15 Transition Relation, Computation Sstmrtc Definition. Let A be a set of actions and S a (not necessarily finite) set of of states. We call a (labelled) transition relation. S A S Let S 0 S be a set of initial states. A sequence a s 0 a 0 1 a s1 2 s2... with s i S, a i A is called computation of the labelled transition system (S,, S 0 ) if and only if initiation: s 0 S 0 consecution: (s i, a i, s i+1 ) for i N 0. Note: for simplicity, we only consider infinite runs. 15/38

16 Active vs. Passive Classes/Objects Note: From now on, assume that all classes are active for simplicity. We ll later briefly discuss the Rhapsody framework which proposes a way how to integrate non-active objects. Note: The following RTC algorithm follows [Harel and Gery, 1997] (i.e. the one realised by the Rhapsody code generation) where the standard is ambiguous or leaves choices Sstmrtc 16/38

17 From Core State Machines to LTS Definition. Let Ë 0 = (Ì 0, 0, V 0,atr 0, ) be a signature with signals (all classes active), 0 a structure of Ë 0, and (Eth,ready,,, [ ]) an ether over Ë 0 and 0. Assume there is one core state machine M C per class C. We say, the state machines induce the following labelled transition relation on states S := (Σ ( 2: {#} Eth) with actions A := 2 ( ) ( ( ) { })Evs(, ) ( )) Ë (σ, ε) (cons,snd) (σ, ε ) u if and only if (i) an event with destination u is discarded, (ii) an event is dispatched to u, i.e. stable object processes an event, or (iii) run-to-completion processing by u commences, i.e. object u is not stable and continues to process an event, (iv) the environment interacts with object u, Sstmrtc s (cons, ) # if and only if (v) s = # and cons =, or an error condition occurs during consumption of cons. 17/38

18 (i) Discarding An Event if (σ, ε) (cons,snd) u (σ, ε ) an E-event (instance of signal E) is ready in ε for object u of a class, i.e. if Sstmrtc and u dom(σ) (C) u E ( ) : u E ready(ε,u) u is stable and in state machine state s, i.e. σ(u)(stable) = 1 and σ(u)(st) = s, but there is no corresponding transition enabled (all transitions incident with current state of u either have other triggers or the guard is not satisfied) (s, F,expr,act, s ) (SM C ) : F E IÂexpr Ã(σ) = 0 the system configuration doesn t change, i.e. σ = σ the event u E is removed from the ether, i.e. consumption of u E is observed, i.e. ε = ε u E, cons = {(u,(e,σ(u E )))},Snd =. 18/38

19 Example: Discard [x > 0]/x := x 1; n! J signal,env H SM C : G[x > 0]/x := y s 1 s 2 signal G, J H/z := y/x n 0,1 C x, z : Int y : Int env σ: c : C x = 1, z = 0, y = 2 st = s 1 stable = 1 ε: J for c, G for c Sstmrtc u dom(σ) (C) u E ( ) : u E ready(ε, u) (s, F,expr,act, s ) (SM C ) : F E IÂexpr Ã(σ) = 0 σ(u)(stable) = 1, σ(u)(st) = s, σ = σ, ε = ε u E cons = {(u, (E, σ(u E )))}, Snd = 19/38

20 (ii) Dispatch and (σ, ε) (cons,snd) u (σ, ε ) if u dom(σ) (C) u E ( ) : u E ready(ε, u) u is stable and in state machine state s, i.e. σ(u)(stable) = 1 and σ(u)(st) = s, a transition is enabled, i.e. (s, F,expr,act, s ) (SM C ) : F = E IÂexpr Ã( σ) = 1 where σ = σ[u.params E u E ]. (σ, ε ) results from applying t act to (σ,ε) and removing u E from the ether, i.e. (σ,ε ) = t act ( σ, ε u E ), Sstmrtc σ = (σ [u.st s, u.stable b, u.params E ]) ( )\{u E } where b depends: If u becomes stable in s, then b = 1. It does become stable if and only if there is no transition without trigger enabled for u in (σ,ε ). Otherwise b = 0. Consumption of u E and the side effects of the action are observed, i.e. cons = {(u,(e, σ(u E )))},Snd = Obs tact ( σ, ε u E ). 20/38

21 Example: Dispatch [x > 0]/x := x 1; n! J signal,env H SM C : G[x > 0]/x := y s 1 s 2 signal G, J H/z := y/x n 0,1 C x, z : Int y : Int env σ: c : C x = 1, z = 0, y = 2 st = s 1 stable = 1 ε: G for c Sstmrtc u dom(σ) (C) u E ( ) : u E ready(ε, u) (s, F,expr,act, s ) (SM C ) : F = E IÂexpr Ã( σ) = 1 σ = σ[u.params E u E ]. σ(u)(stable) = 1, σ(u)(st) = s, (σ, ε ) = t act ( σ, ε u E ) σ = (σ [u.st s, u.stable b, u.params E ]) ( )\{u E } cons = {(u, (E, σ(u E )))}, Snd = Obs tact ( σ, ε u E ) 21/38

22 (iii) Commence Run-to-Completion if (σ, ε) (cons,snd) u there is an unstable object u of a class, i.e. (σ, ε ) Sstmrtc and u dom(σ) (C) σ(u)(stable) = 0 there is a transition without trigger enabled from the current state s = σ(u)(st), i.e. (s,,expr,act,s ) (SM C ) : IÂexpr Ã(σ) = 1 (σ, ε ) results from applying t act to (σ, ε), i.e. (σ,ε ) t act [u](σ,ε), σ = σ [u.st s,u.stable b] where b depends as before. Only the side effects of the action are observed, i.e. cons =,Snd = Obs tact (σ, ε). 22/38

23 Example: Commence [x > 0]/x := x 1; n! J signal,env H SM C : G[x > 0]/x := y s 1 s 2 signal G, J H/z := y/x n 0,1 C x, z : Int y : Int env σ: c : C x = 2, z = 0, y = 2 st = s 2 stable = 0 ε: Sstmrtc u dom(σ) (C) : σ(u)(stable) = 0 (s,,expr,act, s ) (SM C ) : IÂexpr Ã(σ) = 1 σ(u)(stable) = 1, σ(u)(st) = s, (σ, ε ) = t act (σ, ε), σ = σ [u.st s, u.stable b] cons =, Snd = Obs tact (σ, ε) 23/38

24 (iv) Environment Interaction Assume that a set env is designated as environment events and a set of attributes v env V is designated as input attributes. Then if (σ, ε) (cons,snd) env (σ, ε ) an environment event E env is spontaneously sent to an alive object u (σ), i.e. σ = σ {u E {v i d i 1 i n}, ε = ε u E Sstmrtc or where u E / dom(σ) and atr(e) = {v 1,...,v n }. Sending of the event is observed, i.e. cons =, Snd = {(env, E( d))}. Values of input attributes change freely in alive objects, i.e. v V u dom(σ) : σ (u)(v) σ(u)(v) = v V env. and no objects appear or disappear, i.e. dom(σ ) = dom(σ). ε = ε. 24/38

25 Example: Environment [x > 0]/x := x 1; n! J signal,env H SM C : G[x > 0]/x := y s 1 s 2 signal G, J H/z := y/x n 0,1 C x, z : Int y : Int env σ: c : C x = 0, z = 0, y = 2 st = s 2 stable = 1 ε: Sstmrtc σ = σ {u E {v i d i 1 i n} ε = ε u E where u E / dom(σ) and atr(e) = {v 1,...,v n }. u dom(σ) cons =, Snd = {(env, E( d))}. 25/38

26 (v) Error Conditions if, in (ii) or (iii), and IÂexpr à is not defined for σ, or t act is not defined for (σ,ε), s (cons,snd) u consumption is observed according to (ii) or (iii), but Snd =. # Examples: E[x/0]/act s 2 s 1 s 3 E[true]/act Sstmrtc E[expr]/x := x/0 s 1 s 2 26/38

27 Example: Error Condition [x > 0]/x := x 1; n! J signal,env H SM C : G[x > 0]/x := y s 1 s 2 signal G, J H/z := y/x n 0,1 C x, z : Int y : Int env σ: c : C x = 0, z = 0, y = 27 st = s 2 stable = 1 ε: H for c Sstmrtc IÂexpr à not defined for σ, or t act is not defined for (σ, ε) consumption according to (ii) or (iii) Snd = 27/38

28 Notions of Steps: The Step Sstmstep Note: we call one evolution (σ, ε) (cons,snd) u Thus in our setting, a step directly corresponds to (σ, ε ) a step. one object (namely u) takes a single transition between regular states. (We have to extend the concept of single transition for hierarchical state machines.) That is: We re going for an interleaving semantics without true parallelism. Remark: With only methods (later), the notion of step is not so clear. For example, consider c 1 calls f() at c 2, which calls g() at c 1 which in turn calls h() for c 2. Is the completion of h() a step? Or the completion of f()? Or doesn t it play a role? It does play a role, because constraints/invariants are typically (= by convention) assumed to be evaluated at step boundaries, and sometimes the convention is meant to admit (temporary) violation in between steps. 28/38

29 Notions of Steps: The Run-to-Completion Step What is a run-to-completion step...? Intuition: a maximal sequence of steps, where the first step is a dispatch step and all later steps are commence steps. Note: one step corresponds to one transition in the state machine. A run-to-completion step is in general not syntacically definable one transition may be taken multiple times during an RTC-step. Example: E[x > 0]/ s 1 s 2 /x := x Sstmstep σ: ε: : C x = 2 E for u 29/38

30 Notions of Steps: The Run-to-Completion Step Cont d Proposal: Let (σ 0, ε 0 ) (cons 0,Snd 0 ) u 0... (cons n 1,Snd n 1) u n 1 (σ n, ε n ), n > 0, be a finite (!), non-empty, maximal, consecutive sequence such that object u is alive in σ 0, u 0 = u and (cons 0,Snd 0 ) indicates dispatching to u, i.e. cons = {(u, v d)}, there are no receptions by u in between, i.e. cons i {u} Evs(, ) =,i > 1, u n 1 = u and u is stable only in σ 0 and σ n, i.e. σ 0 (u)(stable) = σ n (u)(stable) = 1 and σ i (u)(stable) = 0 for 0 < i < n, Sstmstep Let 0 = k 1 < k 2 < < k N = n be the maximal sequence of indices such that u ki = u for 1 i N. Then we call the sequence (σ 0 (u) =) σ k1 (u), σ k2 (u)...,σ kn (u) (= σ n 1 (u)) a (!) run-to-completion computation of u (from (local) configuration σ 0 (u)). 30/38

31 Divergence We say, object u can diverge on reception cons from (local) configuration σ 0 (u) if and only if there is an infinite, consecutive sequence (σ 0, ε 0 ) (cons 0,Snd 0 ) (σ 1, ε 1 ) (cons 1,Snd 1 )... such that u doesn t become stable again. Note: disappearance of object not considered in the definitions. By the current definitions, it s neither divergence nor an RTC-step Sstmstep 31/38

32 Run-to-Completion Step: Discussion Sstmstep What people may dislike on our definition of RTC-step is that it takes a global and non-compositional view. That is: In the projection onto a single object we still see the effect of interaction with other objects. Adding classes (or even objects) may change the divergence behaviour of existing ones. Compositional would be: the behaviour of a set of objects is determined by the behaviour of each object in isolation. Our semantics and notion of RTC-step doesn t have this (often desired) property. Can we give (syntactical) criteria such that any global run-to-completion step is an interleaving of local ones? Maybe: Strict interfaces. (A): Refer to private features only via self. (Proof left as exercise...) (Recall that other objects of the same class can modify private attributes.) (B): Let objects only communicate by events, i.e. don t let them modify each other s local state via links at all. 32/38

33 Putting It All Together 33/ main

34 The Missing Piece: Initial States Recall: a labelled transition system is (S,, S 0 ). We have S: system configurations (σ, ε) : labelled transition relation (σ, ε) (cons,snd) u Wanted: initial states S 0. (σ, ε ). Proposal: Require a (finite) set of object diagrams OD as part of a UML model And set S 0 = {(σ, ε) σ G 1 (OD), OD Ç, ε empty}. (, ËÅ,Ç ) Stogether Other Approach: (used by Rhapsody tool) multiplicity of classes. We can read that as an abbreviation for an object diagram. 34/38

35 Semantics of UML Model So Far The semantics of the UML model where M = (, ËÅ,Ç ) some classes in are stereotyped as signal (standard), some signals and attributes are stereotyped as external (non-standard), there is a 1-to-1 relation between classes and state machines, Ç is a set of object diagrams over, is the transition system (S,, S 0 ) constructed on the previous slide Stogether The computations of M are the computations of (S,, S 0 ). 35/38

36 OCL Constraints and Behaviour Let M ( =, ËÅ,Ç ) be a UML model. We call M consistent iff, for each OCL constraint expr Inv( ), σ = expr for each reasonable point (σ, ε) of computations of M. (Cf. exercises and tutorial for discussion of reasonable point.) Note: we could define Inv(ËÅ) similar to Inv( ) Stogether Pragmatics: In UML-as-blueprint mode, if ËÅ doesn t exist yet, then M = (,, Ç ) is typically asking the developer to provide ËÅ such that M = (, ËÅ,Ç ) is consistent. If the developer makes a mistake, then M is inconsistent. Not common: if ËÅ is given, then constraints are also considered when choosing transitions in the RTC-algorithm. In other words: even in presence of mistakes, the ËÅ never move to inconsistent configurations. 36/38

37 References 37/ main

38 References main [Crane and Dingel, 2007] Crane, M. L. and Dingel, J. (2007). UML vs. classical vs. rhapsody statecharts: not all models are created equal. Software and Systems Modeling, 6(4): [Damm et al., 2003] Damm, W., Josko, B., Votintseva, A., and Pnueli, A. (2003). A formal semantics for a UML kernel language 1.2. IST/33522/WP 1.1/D1.1.2-Part1, Version 1.2. [Fecher and Schönborn, 2007] Fecher, H. and Schönborn, J. (2007). UML 2.0 state machines: Complete formal semantics via core state machines. In Brim, L., Haverkort, B. R., Leucker, M., and van de Pol, J., editors, FMICS/PDMC, volume 4346 of LNCS, pages Springer. [Harel and Gery, 1997] Harel, D. and Gery, E. (1997). Executable object modeling with statecharts. IEEE Computer, 30(7): [Harel and Kugler, 2004] Harel, D. and Kugler, H. (2004). The rhapsody semantics of statecharts. In Ehrig, H., Damm, W., Große-Rhode, M., Reif, W., Schnieder, E., and Westkämper, E., editors, Integration of Software Specification Techniques for Applications in Engineering, number 3147 in LNCS, pages Springer-Verlag. [OMG, 2007] OMG (2007). Unified modeling language: Superstructure, version Technical Report formal/ /38