SlideShare a Scribd company logo

From Declarative to Imperative Operation Specifications (ER 2007)

Jordi Cabot, profile picture
Jordi Cabot

The document discusses approaches to translating declarative operation specifications defined using the Object Constraint Language (OCL) into imperative implementations. It proposes using heuristics to disambiguate ambiguous postconditions and determine the intended outcome, and provides patterns for translating common OCL expressions into sequences of UML actions. Open issues include inherently ambiguous expressions and combining translation patterns for complex postconditions.

Technology
1 of 24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
From Declarative to Imperative UML/OCL Operation Specifications Jordi Cabot Open University of Catalonia
Index Introduction Motivation Our approach (1) : Disambiguate Our approach (2) : Generate Inherently ambiguous postconditions Discussion Conclusions
Introduction There are two different approaches to specify the effect of an operation over the system state: the declarative and the imperative approaches In an imperative specification the designer explicitly defines the set of actions (i.e. structural events:insert,update,delete) to be applied over the system state For declarative specifications the designer defines a contract (set of pre and postconditions). A postcondition states the set of conditions to be satisfied by the system state at the end of the operation execution From a specification point of view, declarative specifications are preferable (they are more concise and abstract) BUT: Declarative specifications are underspecifications (there are several possible final states satisfying the postcondition) This is specially relevant in OCL contracts due to the OCL expressiveness This hinders the practical use of declarative specifications
Motivation: Expected behavior of GoalEvaluation ? context Department::GoalEvaluation() post : self.sumSales=self.employee.sales.amount->sum() and if self.sumSales>self.goal then self.employee->forAll(e| e.salary= e.salary@pre + e.category.raise) else self.carFleet->excludesAll(Car::allInstances->select(c| c.type=‘Luxury’)) endif Or where we change the category where the employee belongs to Final states where not referenced objects are modified also satisfy the postcondition Or final states where we assign a zero value to sumSales and remove all sales from the employees Or where we remove the employees of a department Or final states where the id of the department is modified Or when we add/remove non-luxury cars to the department (or remove all cars) If employees have sold enough to fulfill the goal, their salary is increased as indicated by their category. Otherwise, employees are not longer allowed to use luxury cars
Motivation OCL WORKSHOP at MODELS’06 -- withdraw gives the customer money if there is enough money in the account. The return value indicates whether the withdrawal was successful or not. context ATMController::withdraw(amount:Real) : Boolean post : if (amount <= customer.account.balance) then customer.account.balance = customer.account.balance@pre – amount result:=true . . . BOOK: The Object Constraint Language. Kleppe and Warmer context LoyaltyProgram::addService(p: ProgramPartner, s: Service) pre: partners->includes( p ) post: partners.deliveredServices->includes( s ) . . .
My approach (1) : Disambiguate Given an operation op and an initial state s there exist a set of final states set s ’ that satisfy the postcondition of op. All states in set s ’ must be considered correct (from a theoretical point of view) But, most probably, only a small subset acc s  set s ’ would be regarded as correct by the designer. In general |acc s | = 1 (from the designer’s point of view there is only a possible final state when executing op over s ) GOAL1: To deduce the state s’  set s ’ that represents the expected behavior of the operation as intended by the designer Several heuristics to clarify the interpretation of declarative postconditions are proposed.
Heuristics The heuristics try to represent common assumptions used during the specification of operation contracts. Each heuristic disambiguates a problematic type of expression that may appear in a postcondition. The ambiguity is solved by providing a default interpretation for each expression. This default interpretation identifies, among all states satisfying it, the one that, most probably , represents what the modeler meant when defining it. With these heuristics, modelers do not need to write long and cumbersome postconditions to clearly specify the expected behavior of the operation. They can rely on our heuristic to be sure that, after the operation execution, the new state will be the one they intended.
Some heuristics X.a=Y (Order matters) Possible final states satisfying the postcondition: States where a takes the value of Y States where Y takes the value of a States where a value c is assigned to both a and Y Default interpretation: The desired state is the one where a takes the value of Y If X then Y (Do not falsify X) Possible final states satisfying the postcondition States where X is true and Y is true States where X is false Default interpretation: Do not falsify X Implementations where X is changed to ensure that it evaluates to false to avoid enforcing Y are not acceptable (even if it is easier!!)
Some heuristics X->forAll(Y) (Do not empty the source) Possible final states satisfying the postcondition: States where Y evaluates to true for all objects in X States where X is empty Default interpretation: Do not empty the collection X. A solution removing all objects in X is not acceptable X->includesAll(Y) (Minimum insertions) Possible final states satisfying the postcondition: States where Y is empty States where X includes all objects in Y States where X includes all objects in Y plus/less additional objects Default interpretation: No changes over Y and a maximum of Y->size() insertions over X
Some heuristics Other heuristics: Nothing else changes X->excludesAll(Y) | X->excludes(o) X.r1.r2…rn-1.rn=Y o.oclIsTypeOf(Cl) | o.oclIsKindOf(Cl) not o.oclIsTypeOf(Cl) | not o.oclIsKindOf(Cl)
Now, what is the expected behavior of Goal Evaluation ? If employees have sold enough to fulfill the goal, their salary is increased as indicated by their category. Otherwise, employees are not longer allowed to use luxury cars context Department::GoalEvaluation() post : self.sumSales=self.employee.sales.amount->sum() and if self.sumSales>self.goal then self.employee->forAll(e| e.salary= e.salary@pre + e.category.raise) else self.carFleet->excludesAll(Car::allInstances->select(c| c.type=‘Luxury’)) endif
My approach (2) : Generate In a MDD approach declarative operations must be transformed into imperative ones The imperative version of an operation op must evolve the initial state to a final state that satisfies the postcondition of op . We use the previous heuristics (or any other method!) to characterize the desired final state GOAL2: To deduce the minimal set of actions set ac to implement a given postcondition. Minimal= no proper subset of set ac suffices to satisfy the postcondition and reach the desired final state Several transformation patterns (one for each common type of OCL expression) are provided
UML Actions The exact translation depends on the imperative sublanguage of each modeling language List of actions (i.e. structural events) defined in the UML: CreateObject(Class c) DestroyObject(Object o) AddAttributeValue(Attribute at, Object o, Object value) RemoveAttributeValue(Attribute at, Object o) CreateLink(Association a, Object o1, …, Object on) CreateLinkObject(Association a, Object o1, …, Object on) D estroyLink(Association a, Object o1, …, Object on) RemoveLinkValue(AssociationEnd ae, Object o) R eclassifyObject(Object o, Class[] newClasses, Class[] oldClasses)
Some translation patterns o.oclIsNew() and o.oclIsTypeOf(Cl) o:=CreateObject(Cl); not o.oclIsTypeOf(OclAny) | Cl.allInstances()->excludes(o) DestroyObject (o); o.at=Y (where at is a univalued attribute) RemoveAttributeValue(at,o); AddAttributeValue(at,o,Y); o.oclIsKindOf(Cl) ReclassifyObject(o,Cl,[]); o.oclIsTypeOf(Cl) ReclassifyObject(o,Cl,Cl.generalization.specific);
Some translation patterns X->forAll(Y) foreach o in X do if not (o.Y) then Translate(o.Y) endif; endfor; o.r->includesAll(Y) foreach o’ in Y do CreateLink(r.association, o, o’) endfor; o.r->isEmpty() foreach o’ in o.r@pre DestroyLink(r.association,o,o’) endfor;
Imperative version of GoalEvaluation context Department::GoalEvaluation() { AddAttributeValue(sumSales, self, self.employee.sales.amount->sum()); if self.sumSales>self.goal then foreach e in self.employee AddAttributeValue(salary, e, e.salary@pre + e.category.raise); endfor; else foreach c in Car::allInstances->select(c| c.type=‘Luxury’) DestroyLink (DepartmentCar, self, c); endfor; endif }
Inherently ambiguous expressions For some postconditions we cannot define a default interpretation (there is not a final state clearly more appropriate than the others). It is worth identifying them since many times the designer is not aware of their ambiguity We provide a default translation but usually designers should select themselves the preferred one List of some inherently ambiguous expressions: Expression Ambiguity description post: B 1 or … or B n At least a B i condition should be true but it is not defined which one/s X<>Y, X>Y, X>=Y, X<Y, X<=Y The exact relation between the values of X and Y is not stated X+Y=W+Z (likewise with -,*,/,…) The exact relation between the values of the different variables is not stated. X->exists(Y) An element of X must verify Y but it is not defined which one X->any(Y)=Z Any element of X verifying Y could be the one equal to Z X.p->sum()=Y There exist many combinations of single values that once added may result in Y
Discussion: Facts  Ambiguity problems difficult a wider adoption of declarative specifications  We must deal with these ambiguities to ensure that the implementation of the operation behaves as expected by the designer (some of the states accepted by the post are not valid from the designer's point of view)  Regardless the proposed solution it is important to identify which are the ambiguities that may appear (many times designers are unaware of them)  No methods exist that provide a declarative-to-imperative translation of OCL specifications Tools admitting declarative specifications transform the contract into if-then clauses that check if the pre and postconditions are satisfied (and raise an exception otherwise). The actual body is not generated
Discussion: My solution Heuristic-based translation  Designers do not need to define additional information  Some of the heuristics are generally accepted  Evolving the schema does not affect the interpretation of existing operations X Consensus on the heuristics is required (at least within the particular company/group using this approach) X This solution does not cover (yet) all kinds of OCL expressions nor all combinations between them (rules to combine the basic patterns are required for elements appearing in different parts of the post)
Discussion: Alternatives (1) Frame axioms Designers explicitly define which parts of the system may (or may not) change during the operation  No hidden interpretations X Additional burden for the designer (feasible?) X Not all ambiguities solved (things that do change may change in different ways. Ex: multivalued properties) X Evolving the schema may imply adding new frame axioms (more things that “do not change”)
Discussion: Alternatives (2) Imperative constructs embedded in the declarative specification  No hidden interpretations X Additional burden for the designer X No clear separation between declarative and imperative specifications X Evolving the schema may require adding new constructs
Discussion: Alternatives (3) Computing all possible final states: Designers review them and select the one they prefer  No hidden interpretations X Additional burden for the designer ? Feasible? -> Risk of exponential combination of possible final states
Discussion: Alternatives (4) Force the designer to write non-ambiguous postconditions Avoiding some problematic OCL constructs and Adding many additional postconditions, specially with the @pre operator to reduce the possible set of final states  No hidden interpretations X Additional burden for the designer (feasible?) X Limits the usefulness of declarative specifications X Evolving the schema may imply adding new conditions X Needs a verification/validation method that ensures that the post is not ambiguous
Conclusions and Further work There is not a perfect solution. This method can be regarded as an alternative/complement of other methods (depending on the designers’ preferences) This method can be useful to: Leverage current model-driven development tools, which up to now only support code-generation from imperative specifications. Validate operation definitions since modelers could immediately check which would be the interpretation of their declarative specifications Further work: Richer translation patterns Considering integrity constraints Mixing different techniques depending on the designer requirements

More Related Content

PPTX
Paper reading: Cost-based Query Transformation in Oracle
PingCAP
 
PDF
No More Promises! Let's RxJS!
Ilia Idakiev
 
PDF
Reflection in Go
strikr .
 
PPTX
Monad
Konstantin (Konst) __
 
PPTX
Improving Correctness With Type - Goto Con Berlin
Iain Hull
 
PPTX
Improving Correctness with Types
Iain Hull
 
PDF
SeneJug java_8_prez_122015
senejug
 
PPTX
Software design principles SOLID
Foyzul Karim
 
Paper reading: Cost-based Query Transformation in Oracle
PingCAP
 
No More Promises! Let's RxJS!
Ilia Idakiev
 
Reflection in Go
strikr .
 
Monad
Konstantin (Konst) __
 
Improving Correctness With Type - Goto Con Berlin
Iain Hull
 
Improving Correctness with Types
Iain Hull
 
SeneJug java_8_prez_122015
senejug
 
Software design principles SOLID
Foyzul Karim
 

What's hot (7)

PPTX
重構—改善既有程式的設計(chapter 8)part 2
Chris Huang
 
PPTX
重構—改善既有程式的設計(chapter 8)part 1
Chris Huang
 
PDF
Chapter01
Tianlu Wang
 
PPSX
Concepts of C [Module 2]
Abhishek Sinha
 
PPSX
Programming in C [Module One]
Abhishek Sinha
 
PDF
04. constructor & destructor
Haresh Jaiswal
 
PPT
Constructor and destructor in C++
Carelon Global Solutions
 
重構—改善既有程式的設計(chapter 8)part 2
Chris Huang
 
重構—改善既有程式的設計(chapter 8)part 1
Chris Huang
 
Chapter01
Tianlu Wang
 
Concepts of C [Module 2]
Abhishek Sinha
 
Programming in C [Module One]
Abhishek Sinha
 
04. constructor & destructor
Haresh Jaiswal
 
Constructor and destructor in C++
Carelon Global Solutions
 
Ad

Viewers also liked (8)

PDF
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Achim D. Brucker
 
PDF
Towards Domain Refinement for UML/OCL Bounded Verification
rclariso
 
PPT
From UML/OCL to natural language (using SBVR as pivot)
Jordi Cabot
 
PDF
On the verification of UML/OCL class diagrams using constraint programming
UOC Universitat Oberta de Catalunya
 
PDF
Extracting UML/OCL Integrity Constraints and Derived Types from Relational Da...
Valerio Cosentino
 
PDF
Master Thesis presentation
Bogdan Vasilescu
 
PDF
My Thesis Defense Presentation
David Onoue
 
PPTX
Thesis Power Point Presentation
riddhikapandya1985
 
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Achim D. Brucker
 
Towards Domain Refinement for UML/OCL Bounded Verification
rclariso
 
From UML/OCL to natural language (using SBVR as pivot)
Jordi Cabot
 
On the verification of UML/OCL class diagrams using constraint programming
UOC Universitat Oberta de Catalunya
 
Extracting UML/OCL Integrity Constraints and Derived Types from Relational Da...
Valerio Cosentino
 
Master Thesis presentation
Bogdan Vasilescu
 
My Thesis Defense Presentation
David Onoue
 
Thesis Power Point Presentation
riddhikapandya1985
 
Ad

Similar to From Declarative to Imperative Operation Specifications (ER 2007) (20)

PDF
Introducing Assignment invalidates the Substitution Model of Evaluation and v...
Philip Schwarz
 
PPTX
C++ decision making
Zohaib Ahmed
 
PPT
c_tutorial_2.ppt
gitesh_nagar
 
PPTX
LECTUE 2-OT (1).pptx
ProfOAJarali
 
DOCX
Layout planning
8979473684
 
PPT
06-ControlStatements in Java Loops, If statements, Switch.ppt
javidmiakhil63
 
PPTX
Presentation 2
Army Public School and College -Faisal
 
PDF
Data structure scope of variables
Saurav Kumar
 
PPT
Process view framework for artifact centric business processes
Dr. Sira Yongchareon
 
PPTX
C basics
sridevi5983
 
PPTX
C basics
sridevi5983
 
PPT
Software System Engineering - Chapter 13
Fadhil Ismail
 
PDF
High-Performance Haskell
Johan Tibell
 
PPTX
operatorsincprogramming-190221094522.pptx
ShirishaBuduputi
 
PPTX
chap 2 : Operators and Assignments (scjp/ocjp)
It Academy
 
DOCX
PROG3040 Assignment 1 – Fall 2013 Glenn Paulley – 2A605, x25.docx
wkyra78
 
DOCX
Notes on c++
Selvam Edwin
 
PPTX
2.overview of c#
Raghu nath
 
PPT
Dipso K Mi
msabou
 
DOCX
C – operators and expressions
Chukka Nikhil Chakravarthy
 
Introducing Assignment invalidates the Substitution Model of Evaluation and v...
Philip Schwarz
 
C++ decision making
Zohaib Ahmed
 
c_tutorial_2.ppt
gitesh_nagar
 
LECTUE 2-OT (1).pptx
ProfOAJarali
 
Layout planning
8979473684
 
06-ControlStatements in Java Loops, If statements, Switch.ppt
javidmiakhil63
 
Presentation 2
Army Public School and College -Faisal
 
Data structure scope of variables
Saurav Kumar
 
Process view framework for artifact centric business processes
Dr. Sira Yongchareon
 
C basics
sridevi5983
 
C basics
sridevi5983
 
Software System Engineering - Chapter 13
Fadhil Ismail
 
High-Performance Haskell
Johan Tibell
 
operatorsincprogramming-190221094522.pptx
ShirishaBuduputi
 
chap 2 : Operators and Assignments (scjp/ocjp)
It Academy
 
PROG3040 Assignment 1 – Fall 2013 Glenn Paulley – 2A605, x25.docx
wkyra78
 
Notes on c++
Selvam Edwin
 
2.overview of c#
Raghu nath
 
Dipso K Mi
msabou
 
C – operators and expressions
Chukka Nikhil Chakravarthy
 

More from Jordi Cabot (20)

PPTX
Who will create the languages of the future?
Jordi Cabot
 
PPTX
Societal challenges of AI: biases, multilinguism and sustainability
Jordi Cabot
 
PPTX
¿Cómo será el programador del futuro? ¿Tendremos trabajo?
Jordi Cabot
 
PPTX
The low-code handbook - Chapter 1: Basic Low-code questions and answers.
Jordi Cabot
 
PPTX
Who is going to develop the apps of the future? (hint: it’s not going to be ...
Jordi Cabot
 
PPTX
Application of the Tree-of-Thoughts Framework to LLM-Enabled Domain Modeling
Jordi Cabot
 
PPTX
AI and Software consultants: friends or foes?
Jordi Cabot
 
PPTX
Model-driven engineering for Industrial IoT architectures
Jordi Cabot
 
PPTX
Smart modeling of smart software
Jordi Cabot
 
PPTX
Modeling should be an independent scientific discipline
Jordi Cabot
 
PPTX
¿Quién va a desarrollar las Apps del futuro? (aviso: no serán los programador...
Jordi Cabot
 
PPTX
How to sustain a tool building community-driven effort
Jordi Cabot
 
PPTX
All Researchers Should Become Entrepreneurs
Jordi Cabot
 
PPTX
The Software Challenges of Building Smart Chatbots - ICSE'21
Jordi Cabot
 
PPTX
Low-code vs Model-Driven Engineering
Jordi Cabot
 
PDF
Lessons learned from building a commercial bot development platform
Jordi Cabot
 
PDF
Future Trends on Software and Systems Modeling
Jordi Cabot
 
PPTX
Ingeniería del Software dirigida por modelos -Versión para incrédulos
Jordi Cabot
 
PPTX
Chatbot Tutorial - Create your first bot with Xatkit
Jordi Cabot
 
PPTX
Création facile de chatbots - Créez votre chatbot en 20 minutes avec une plat...
Jordi Cabot
 
Who will create the languages of the future?
Jordi Cabot
 
Societal challenges of AI: biases, multilinguism and sustainability
Jordi Cabot
 
¿Cómo será el programador del futuro? ¿Tendremos trabajo?
Jordi Cabot
 
The low-code handbook - Chapter 1: Basic Low-code questions and answers.
Jordi Cabot
 
Who is going to develop the apps of the future? (hint: it’s not going to be ...
Jordi Cabot
 
Application of the Tree-of-Thoughts Framework to LLM-Enabled Domain Modeling
Jordi Cabot
 
AI and Software consultants: friends or foes?
Jordi Cabot
 
Model-driven engineering for Industrial IoT architectures
Jordi Cabot
 
Smart modeling of smart software
Jordi Cabot
 
Modeling should be an independent scientific discipline
Jordi Cabot
 
¿Quién va a desarrollar las Apps del futuro? (aviso: no serán los programador...
Jordi Cabot
 
How to sustain a tool building community-driven effort
Jordi Cabot
 
All Researchers Should Become Entrepreneurs
Jordi Cabot
 
The Software Challenges of Building Smart Chatbots - ICSE'21
Jordi Cabot
 
Low-code vs Model-Driven Engineering
Jordi Cabot
 
Lessons learned from building a commercial bot development platform
Jordi Cabot
 
Future Trends on Software and Systems Modeling
Jordi Cabot
 
Ingeniería del Software dirigida por modelos -Versión para incrédulos
Jordi Cabot
 
Chatbot Tutorial - Create your first bot with Xatkit
Jordi Cabot
 
Création facile de chatbots - Créez votre chatbot en 20 minutes avec une plat...
Jordi Cabot
 

Recently uploaded (20)

PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
KodekX | Application Modernization Development
KodekX
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 

From Declarative to Imperative Operation Specifications (ER 2007)

  • 1. From Declarative to Imperative UML/OCL Operation Specifications Jordi Cabot Open University of Catalonia
  • 2. Index Introduction Motivation Our approach (1) : Disambiguate Our approach (2) : Generate Inherently ambiguous postconditions Discussion Conclusions
  • 3. Introduction There are two different approaches to specify the effect of an operation over the system state: the declarative and the imperative approaches In an imperative specification the designer explicitly defines the set of actions (i.e. structural events:insert,update,delete) to be applied over the system state For declarative specifications the designer defines a contract (set of pre and postconditions). A postcondition states the set of conditions to be satisfied by the system state at the end of the operation execution From a specification point of view, declarative specifications are preferable (they are more concise and abstract) BUT: Declarative specifications are underspecifications (there are several possible final states satisfying the postcondition) This is specially relevant in OCL contracts due to the OCL expressiveness This hinders the practical use of declarative specifications
  • 4. Motivation: Expected behavior of GoalEvaluation ? context Department::GoalEvaluation() post : self.sumSales=self.employee.sales.amount->sum() and if self.sumSales>self.goal then self.employee->forAll(e| e.salary= e.salary@pre + e.category.raise) else self.carFleet->excludesAll(Car::allInstances->select(c| c.type=‘Luxury’)) endif Or where we change the category where the employee belongs to Final states where not referenced objects are modified also satisfy the postcondition Or final states where we assign a zero value to sumSales and remove all sales from the employees Or where we remove the employees of a department Or final states where the id of the department is modified Or when we add/remove non-luxury cars to the department (or remove all cars) If employees have sold enough to fulfill the goal, their salary is increased as indicated by their category. Otherwise, employees are not longer allowed to use luxury cars
  • 5. Motivation OCL WORKSHOP at MODELS’06 -- withdraw gives the customer money if there is enough money in the account. The return value indicates whether the withdrawal was successful or not. context ATMController::withdraw(amount:Real) : Boolean post : if (amount <= customer.account.balance) then customer.account.balance = customer.account.balance@pre – amount result:=true . . . BOOK: The Object Constraint Language. Kleppe and Warmer context LoyaltyProgram::addService(p: ProgramPartner, s: Service) pre: partners->includes( p ) post: partners.deliveredServices->includes( s ) . . .
  • 6. My approach (1) : Disambiguate Given an operation op and an initial state s there exist a set of final states set s ’ that satisfy the postcondition of op. All states in set s ’ must be considered correct (from a theoretical point of view) But, most probably, only a small subset acc s  set s ’ would be regarded as correct by the designer. In general |acc s | = 1 (from the designer’s point of view there is only a possible final state when executing op over s ) GOAL1: To deduce the state s’  set s ’ that represents the expected behavior of the operation as intended by the designer Several heuristics to clarify the interpretation of declarative postconditions are proposed.
  • 7. Heuristics The heuristics try to represent common assumptions used during the specification of operation contracts. Each heuristic disambiguates a problematic type of expression that may appear in a postcondition. The ambiguity is solved by providing a default interpretation for each expression. This default interpretation identifies, among all states satisfying it, the one that, most probably , represents what the modeler meant when defining it. With these heuristics, modelers do not need to write long and cumbersome postconditions to clearly specify the expected behavior of the operation. They can rely on our heuristic to be sure that, after the operation execution, the new state will be the one they intended.
  • 8. Some heuristics X.a=Y (Order matters) Possible final states satisfying the postcondition: States where a takes the value of Y States where Y takes the value of a States where a value c is assigned to both a and Y Default interpretation: The desired state is the one where a takes the value of Y If X then Y (Do not falsify X) Possible final states satisfying the postcondition States where X is true and Y is true States where X is false Default interpretation: Do not falsify X Implementations where X is changed to ensure that it evaluates to false to avoid enforcing Y are not acceptable (even if it is easier!!)
  • 9. Some heuristics X->forAll(Y) (Do not empty the source) Possible final states satisfying the postcondition: States where Y evaluates to true for all objects in X States where X is empty Default interpretation: Do not empty the collection X. A solution removing all objects in X is not acceptable X->includesAll(Y) (Minimum insertions) Possible final states satisfying the postcondition: States where Y is empty States where X includes all objects in Y States where X includes all objects in Y plus/less additional objects Default interpretation: No changes over Y and a maximum of Y->size() insertions over X
  • 10. Some heuristics Other heuristics: Nothing else changes X->excludesAll(Y) | X->excludes(o) X.r1.r2…rn-1.rn=Y o.oclIsTypeOf(Cl) | o.oclIsKindOf(Cl) not o.oclIsTypeOf(Cl) | not o.oclIsKindOf(Cl)
  • 11. Now, what is the expected behavior of Goal Evaluation ? If employees have sold enough to fulfill the goal, their salary is increased as indicated by their category. Otherwise, employees are not longer allowed to use luxury cars context Department::GoalEvaluation() post : self.sumSales=self.employee.sales.amount->sum() and if self.sumSales>self.goal then self.employee->forAll(e| e.salary= e.salary@pre + e.category.raise) else self.carFleet->excludesAll(Car::allInstances->select(c| c.type=‘Luxury’)) endif
  • 12. My approach (2) : Generate In a MDD approach declarative operations must be transformed into imperative ones The imperative version of an operation op must evolve the initial state to a final state that satisfies the postcondition of op . We use the previous heuristics (or any other method!) to characterize the desired final state GOAL2: To deduce the minimal set of actions set ac to implement a given postcondition. Minimal= no proper subset of set ac suffices to satisfy the postcondition and reach the desired final state Several transformation patterns (one for each common type of OCL expression) are provided
  • 13. UML Actions The exact translation depends on the imperative sublanguage of each modeling language List of actions (i.e. structural events) defined in the UML: CreateObject(Class c) DestroyObject(Object o) AddAttributeValue(Attribute at, Object o, Object value) RemoveAttributeValue(Attribute at, Object o) CreateLink(Association a, Object o1, …, Object on) CreateLinkObject(Association a, Object o1, …, Object on) D estroyLink(Association a, Object o1, …, Object on) RemoveLinkValue(AssociationEnd ae, Object o) R eclassifyObject(Object o, Class[] newClasses, Class[] oldClasses)
  • 14. Some translation patterns o.oclIsNew() and o.oclIsTypeOf(Cl) o:=CreateObject(Cl); not o.oclIsTypeOf(OclAny) | Cl.allInstances()->excludes(o) DestroyObject (o); o.at=Y (where at is a univalued attribute) RemoveAttributeValue(at,o); AddAttributeValue(at,o,Y); o.oclIsKindOf(Cl) ReclassifyObject(o,Cl,[]); o.oclIsTypeOf(Cl) ReclassifyObject(o,Cl,Cl.generalization.specific);
  • 15. Some translation patterns X->forAll(Y) foreach o in X do if not (o.Y) then Translate(o.Y) endif; endfor; o.r->includesAll(Y) foreach o’ in Y do CreateLink(r.association, o, o’) endfor; o.r->isEmpty() foreach o’ in o.r@pre DestroyLink(r.association,o,o’) endfor;
  • 16. Imperative version of GoalEvaluation context Department::GoalEvaluation() { AddAttributeValue(sumSales, self, self.employee.sales.amount->sum()); if self.sumSales>self.goal then foreach e in self.employee AddAttributeValue(salary, e, e.salary@pre + e.category.raise); endfor; else foreach c in Car::allInstances->select(c| c.type=‘Luxury’) DestroyLink (DepartmentCar, self, c); endfor; endif }
  • 17. Inherently ambiguous expressions For some postconditions we cannot define a default interpretation (there is not a final state clearly more appropriate than the others). It is worth identifying them since many times the designer is not aware of their ambiguity We provide a default translation but usually designers should select themselves the preferred one List of some inherently ambiguous expressions: Expression Ambiguity description post: B 1 or … or B n At least a B i condition should be true but it is not defined which one/s X<>Y, X>Y, X>=Y, X<Y, X<=Y The exact relation between the values of X and Y is not stated X+Y=W+Z (likewise with -,*,/,…) The exact relation between the values of the different variables is not stated. X->exists(Y) An element of X must verify Y but it is not defined which one X->any(Y)=Z Any element of X verifying Y could be the one equal to Z X.p->sum()=Y There exist many combinations of single values that once added may result in Y
  • 18. Discussion: Facts  Ambiguity problems difficult a wider adoption of declarative specifications  We must deal with these ambiguities to ensure that the implementation of the operation behaves as expected by the designer (some of the states accepted by the post are not valid from the designer's point of view)  Regardless the proposed solution it is important to identify which are the ambiguities that may appear (many times designers are unaware of them)  No methods exist that provide a declarative-to-imperative translation of OCL specifications Tools admitting declarative specifications transform the contract into if-then clauses that check if the pre and postconditions are satisfied (and raise an exception otherwise). The actual body is not generated
  • 19. Discussion: My solution Heuristic-based translation  Designers do not need to define additional information  Some of the heuristics are generally accepted  Evolving the schema does not affect the interpretation of existing operations X Consensus on the heuristics is required (at least within the particular company/group using this approach) X This solution does not cover (yet) all kinds of OCL expressions nor all combinations between them (rules to combine the basic patterns are required for elements appearing in different parts of the post)
  • 20. Discussion: Alternatives (1) Frame axioms Designers explicitly define which parts of the system may (or may not) change during the operation  No hidden interpretations X Additional burden for the designer (feasible?) X Not all ambiguities solved (things that do change may change in different ways. Ex: multivalued properties) X Evolving the schema may imply adding new frame axioms (more things that “do not change”)
  • 21. Discussion: Alternatives (2) Imperative constructs embedded in the declarative specification  No hidden interpretations X Additional burden for the designer X No clear separation between declarative and imperative specifications X Evolving the schema may require adding new constructs
  • 22. Discussion: Alternatives (3) Computing all possible final states: Designers review them and select the one they prefer  No hidden interpretations X Additional burden for the designer ? Feasible? -> Risk of exponential combination of possible final states
  • 23. Discussion: Alternatives (4) Force the designer to write non-ambiguous postconditions Avoiding some problematic OCL constructs and Adding many additional postconditions, specially with the @pre operator to reduce the possible set of final states  No hidden interpretations X Additional burden for the designer (feasible?) X Limits the usefulness of declarative specifications X Evolving the schema may imply adding new conditions X Needs a verification/validation method that ensures that the post is not ambiguous
  • 24. Conclusions and Further work There is not a perfect solution. This method can be regarded as an alternative/complement of other methods (depending on the designers’ preferences) This method can be useful to: Leverage current model-driven development tools, which up to now only support code-generation from imperative specifications. Validate operation definitions since modelers could immediately check which would be the interpretation of their declarative specifications Further work: Richer translation patterns Considering integrity constraints Mixing different techniques depending on the designer requirements

Editor's Notes

  • #2: In this presentation Im proposing a new and practical approach to bridge the gap between declarative to imperative specifications written using UML/OCL langauges