22c181: Formal Methods in Software Engineering
The University of Iowa
Spring 2008
Introduction to OCL
Copyright 2007-8 Reiner Hähnle and Cesare Tinelli.
Notes originally developed by Reiner Hähnle at Chalmers University and modified by Cesare Tinelli at the University of Iowa. These notes are copyrighted materials and may not be used in other course settings outside of the University of Iowa in their current form or modified form without the express written permission of one of the copyright holders.
22c181: Formal Methods in Software Engineering – p.1/39
Contents
Overview of KeY
UML and its semantics
Introduction to OCL
Specifying requirements with OCL
Modelling of Systems with Formal Semantics
Propositional & First-order logic, sequent calculus
OCL to Logic, horizontal proof obligations, using KeY
Dynamic logic, proving program correctness
JAVA CARD DL
Vertical proof obligations, using KeY
Wrap-up, trends
Object Constraint Language (OCL)
Part of the UML standard
Formal Specification Language
Standardized formal semantics from OCL 2.0 onwards
In this course: OCL 1.5
• Semantics by mapping to typed FOL
• Not all features realized, some extra features
OCL syntax is less mathematical and more programming-language-oriented than Z, RSL, FOL, etc.
Why OCL? UML is not expressive enough!
UML is not enough . . .
[Class diagram: Person (name:String, age:int, ≪query≫getName():String, birthday(), setAge(newAge:int):int); Vehicle (colour:Colour) with subclasses Car and Bike; ≪enumeration≫Colour {black, white, red}; association ownership between Person and Vehicle with ends owner (1) and fleet (0..*)]
How old must a car owner be?
How to express that a person can own at most one black car?
How to specify that the value of age is i after calling setAge(i)?
UML unsuitable to express semantics of design
Some OCL examples I
“A vehicle owner must be at least 18 years old”:
context Vehicle -- context declaration for all instances of this class
inv : self.owner.age >= 18 -- 'self' is like JAVA's 'this'; navigate to the instance at the supplier end
What does that mean instead? How are the two constraints related?
context Person
inv : self.age >= 18
“A car owner must be at least 18 years old”:
context Car
inv : self.owner.age >= 18
Some OCL examples II
“No person owns more than 3 vehicles”:
context Person
inv : self.fleet->size() <= 3 -- or change the multiplicity of fleet in the diagram
“All vehicles of a person are black”:
context Person
inv : self.fleet->forAll(v | v.colour = Colour.black)
“No person owns more than 3 black vehicles”:
context Person
inv : self.fleet->select(v | v.colour = Colour.black)->size() <= 3
The Classifier Context
context [instanceName :] classPath -- class from UML model
inv [invariantName] : oclExpression
context aCar:Car
inv minimumAge : aCar.owner.age >= 18
Class classPath is the context of the invariant constraint
The invariant must hold for all instances of classPath at all times
Instances can be named instanceName (not in Together)
May declare invariantName for the constraint (not in Together)
Type of oclExpression must be Boolean
context [instanceName :] classPath
inv [invariantName_1] : oclExpression_1
. . .
inv [invariantName_n] : oclExpression_n
More than one invariant can be declared in same context
When Do Invariants Hold?
Consider insert() operation for List type with attribute length : int
Assume the invariant of List states that
the number of nodes in a list is equal to the value of length
During execution of insert() usually the invariant is violated
Therefore, semantics of invariants in KeY and OCL:
Invariants hold at all times before and after execution of operations
How to relax this rigid requirement is a topic of active research
The Operator Context: Contract
Specifying the semantics of operations: their contract
context [instanceName :] classPath::opName(p1 : type_1; . . . ; pk : type_k) [: resultType]
{pre [preName] : oclExpression}
{post [postName] : oclExpression}
Example
“Calling getName() returns the current value of the attribute name”
context Person::getName():String
post : result = name
Special variable result contains return value, has type resultType
Together 6.2 Syntax for OCL Context Declarations
Classifiers
/**
* @invariants OCLExpression
*/
Operators
/**
* @preconditions OCLExpression
* @postconditions OCLExpression
*/
At most one of each tag may be present; connect multiple conditions with and.
Write constraints in the .java file directly before the feature they apply to.
Design by Contract
Pre-/postconditions like clauses in a contract about an operation
If the caller fulfills the precondition before the operation is called,
then the called object ensures the postcondition to hold after execution of the operation
NOT: “Before executing an operation its precondition must hold”
or
“Whenever the precondition holds, the operation is called”
Constraints with Attributes
context Person
inv : age ≥ 18
Equivalent notational variations
context Person
inv : self.age ≥ 18
context p:Person
inv : p.age ≥ 18
context p:Person
inv minimumAge : p.age ≥ 18
context Person
inv minimumAge : age ≥ 18
Beware: variants using named instances are not possible in Together
Operator Constraint: Contract
context Person::setAge(newAge: int):int
pre : self.age ≥ 0 and newAge ≥ 0
post : self.age = newAge
Which implementation satisfies the contract?
context Person::setAge(newAge: int):int
pre : self.age ≥ 0 and newAge ≥ 0
post : self.age = newAge
// (a) assigns only when the precondition holds, returns the stored age
int setAge(int newAge) {
    if (age >= 0 && newAge >= 0) { this.age = newAge; }
    return this.age;
}

// (b) always assigns, returns the new age
int setAge(int newAge) {
    return this.age = newAge;
}

// (c) always assigns, returns a constant
int setAge(int newAge) {
    this.age = newAge;
    return -1;
}
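As an added worked example (not part of the lecture notes), the contract above transcribed into Python predicates and checked at runtime against the three candidate implementations, using the semantics of the invariant and Design-by-Contract slides: the callee owes the postcondition only for calls that met the precondition. The class invariant `age >= 0`, the implementation names and the test cases are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Person:
    name: str
    age: int


# --- the contract from the slide, as Python predicates over 'self' ---
def pre_setAge(self: Person, newAge: int) -> bool:
    # pre : self.age >= 0 and newAge >= 0
    return self.age >= 0 and newAge >= 0


def post_setAge(self: Person, newAge: int, result: int) -> bool:
    # post : self.age = newAge      (the contract says nothing about 'result')
    return self.age == newAge


def inv_Person(self: Person) -> bool:
    # Constructed class invariant for this example (not on the slide), chosen
    # to agree with the precondition.
    return self.age >= 0


# --- the three candidate implementations from the slide (names constructed) ---
def setAge_guarded(self: Person, newAge: int) -> int:
    if self.age >= 0 and newAge >= 0:
        self.age = newAge
    return self.age


def setAge_assign(self: Person, newAge: int) -> int:
    self.age = newAge
    return self.age


def setAge_minus_one(self: Person, newAge: int) -> int:
    self.age = newAge
    return -1


Impl = Callable[[Person, int], int]


def check_call(impl: Impl, start_age: int, newAge: int) -> Dict[str, bool]:
    """Execute one call and record which parts of the contract held.

    The callee owes the postcondition, and the invariant afterwards, only
    when the invariant and the precondition held before the call.  A call
    made outside the precondition creates no obligation for the callee.
    """
    p = Person("p", start_age)
    obligated = inv_Person(p) and pre_setAge(p, newAge)
    result = impl(p, newAge)
    post_ok = post_setAge(p, newAge, result)
    inv_after = inv_Person(p)
    return {
        "obligated": obligated,
        "post": post_ok,
        "inv_after": inv_after,
        "satisfied": (not obligated) or (post_ok and inv_after),
    }


# (age before the call, argument): two calls inside the precondition, one at
# its boundary, and two outside it.
CASES: List[Tuple[int, int]] = [(30, 31), (30, 17), (0, 0), (30, -5), (-1, 20)]


def satisfies_contract(impl: Impl, cases: List[Tuple[int, int]] = CASES) -> bool:
    """True iff none of the cases exhibits a breach of the contract."""
    return all(check_call(impl, age, new)["satisfied"] for age, new in cases)


if __name__ == "__main__":
    for impl in (setAge_guarded, setAge_assign, setAge_minus_one):
        print(f"{impl.__name__:16s} satisfies contract: {satisfies_contract(impl)}")
        print("    call outside pre, (30, -5):", check_call(impl, 30, -5))
```

The contract constrains self.age but not result, so every implementation that stores newAge meets it whenever the precondition holds; the guarded version differs only on calls outside the precondition, where the contract imposes no obligation.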
OCL Types
UML class types
User-defined classes from the context diagram of an OCL constraint; each class of the UML context diagram is a legal type in an OCL constraint
Primitive types
Integer, Real, Boolean and String (Together: int, real, boolean); int, real are not in JAVA CARD, but int, short, byte work in KeY
Enumeration types
User-defined enumeration types (not supported in Together and KeY)
Collection types
Set, Bag, Sequence
Special types
e.g. OclAny, OclType
Type Conformance in OCL
Integer < Real (subtype relation)
T1, T2 class types:
T1 < T2 holds exactly if T1 is a subclass of T2 in context diagram
For all type expressions T not denoting a collection type:
– Set(T) < Collection(T)
– Bag(T) < Collection(T)
– Sequence(T) < Collection(T)
If T is not a collection type: T < OclAny
If T1 < T2 and C is any of the type constructors Collection, Set, Bag, Sequence: C(T1) < C(T2).
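An added example (not from the lecture notes): the conformance rules above as a small decision procedure. It assumes the generalisations of the course's context diagram (Car and Bike specialise Vehicle) and, since OCL 1.5 flattens nested collections, only non-collection element types; the representation of types is this example's own.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Union


@dataclass(frozen=True)
class Basic:
    name: str    # a primitive ("Integer", "Real", "Boolean", "String"),
                 # an enumeration or class from the diagram, or "OclAny"


@dataclass(frozen=True)
class Coll:
    kind: str    # "Collection", "Set", "Bag" or "Sequence"
    elem: Basic  # OCL 1.5 flattens nested collections: elements are non-collections


Type = Union[Basic, Coll]

# Generalisations in the context diagram: class -> direct superclass (assumed).
SUPERCLASS: Dict[str, Optional[str]] = {
    "Person": None,
    "Vehicle": None,
    "Car": "Vehicle",
    "Bike": "Vehicle",
}
COLLECTION_KINDS = {"Collection", "Set", "Bag", "Sequence"}


def is_subclass(t1: str, t2: str) -> bool:
    """T1 < T2 for class types: T1 is a proper (transitive) subclass of T2."""
    parent = SUPERCLASS.get(t1)
    while parent is not None:
        if parent == t2:
            return True
        parent = SUPERCLASS.get(parent)
    return False


def conforms(t1: Type, t2: Type) -> bool:
    """T1 conforms to T2: T1 = T2, or T1 < T2 under the rules on the slide."""
    if t1 == t2:
        return True
    if isinstance(t1, Basic) and isinstance(t2, Basic):
        if t2.name == "OclAny":                          # T < OclAny for every non-collection T
            return True
        if t1.name == "Integer" and t2.name == "Real":   # Integer < Real
            return True
        if t1.name in SUPERCLASS and t2.name in SUPERCLASS:
            return is_subclass(t1.name, t2.name)         # subclass in the context diagram
        return False
    if isinstance(t1, Coll) and isinstance(t2, Coll):
        if t1.kind not in COLLECTION_KINDS or t2.kind not in COLLECTION_KINDS:
            raise ValueError("unknown collection kind")
        # Set(T), Bag(T), Sequence(T) < Collection(T); Set, Bag and Sequence do
        # not conform to each other.  Every constructor C is covariant in its
        # element type: C(T1) < C(T2) whenever T1 < T2.
        kind_ok = t1.kind == t2.kind or t2.kind == "Collection"
        return kind_ok and conforms(t1.elem, t2.elem)
    # Following the slide, a collection type conforms to no non-collection
    # type, OclAny included.
    return False


if __name__ == "__main__":
    for a, b in [(Basic("Integer"), Basic("Real")),
                 (Coll("Set", Basic("Car")), Coll("Collection", Basic("Vehicle"))),
                 (Coll("Set", Basic("Car")), Coll("Bag", Basic("Vehicle")))]:
        print(a, "<=", b, ":", conforms(a, b))
```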
Typing Examples
context Person -- self.name has type String
               -- self.age has type Integer
               -- self.fleet has type Set(Vehicle)
context Vehicle -- self.colour has type Colour
context ... -- Colour.black has type Colour
Navigation: Accessing Properties
OCL Properties (functions that may occur in OCL expr)
Attributes from underlying UML model
Association ends from underlying UML model
Operations with stereotype ≪query ≫ from UML model
Predefined OCL properties
If the argument has no collection type: dot notation (like JAVA)
If the argument has a collection type: arrow notation “->”
Collection type has large number of predefined properties:
includes, intersection, forAll, etc.
context Person
inv: self.name = self.getName()
Beware: parameterless properties with brackets, eg:
Set{1,2,3}->sum()
Constraints that use Associations
context Vehicle
inv: owner <> driver -- 'self' implicit!
context Person
inv: fleet->intersection(drives)->isEmpty()
inv: self.fleet->intersection(self.drives)->isEmpty()
Notational Variants of Collection Properties
context Person -- all constraints are equivalent
inv: fleet->collect(v:Vehicle | v.colour)->size() = 1
inv: fleet->collect(v | v.colour)->size() = 1
inv: fleet->collect(colour)->size() = 1
inv: fleet.colour->size() = 1 -- shorthand for 'collect' in Together
The type OclType
What is the type of UML model types (eg, Person)?
OclType
OclType is metatype with predefined properties:
aType.name() gives name string of aType
Similar are attributes() , operations() , associationEnds()
aType.allInstances() gives all instances of aType in current snapshot
allInstances needed to express properties relating to all currently existing objects
Using allInstances
context Person
inv: Person.allInstances->forAll(p | p.age >= 0)
Constraint is independent of model context; equivalent:
context Vehicle
inv: Person.allInstances->forAll(p | p.age >= 0)
Context declaration of invariant has implicit allInstances/forAll:
context Person -- equivalent to constraint above
inv: self.age >= 0
Avoiding allInstances
context Person
inv: Person.allInstances->
  forAll(p1, p2 | p1.name = p2.name implies p1 = p2)
allInstances
. . . tends to make constraint difficult to read
. . . can give rise to unnecessarily difficult verification task
Can be equivalently replaced with: (not in Together!)
context p1,p2:Person
inv: p1.name = p2.name implies p1 = p2
Often, collection of objects available via suitable association:
[Class diagram extended with a Client class whose association end to Person is named person]
context Client
inv: person->forAll(p1, p2 | p1.name = p2.name implies p1 = p2)
The iterate Property
[Class diagram: AccountEntry (movement:int, debits:boolean, turnover:int, balance:int)]
context AccountEntry
inv: AccountEntry.allInstances->
  iterate(a:AccountEntry; m:Integer=0 | m+a.movement) =
  AccountEntry.turnover
Syntax of the iterate Property
t->iterate(x : S; y : T = t0 | u)
  t: source expr, a subtype of Collection(S)
  x: iterator variable of type S
  y: result variable (accumulator) of type T, with initial expr t0 of type T
  u: body expr of type T; x and y occur in u
Java Pseudocode of iterate
t->iterate(x:S; y:T=t0 | u)
S x;
T y = t0;
for (Enumeration e = t.elements(); e.hasMoreElements(); ) {
    x = e.nextElement();
    y = u(x, y);
}
Type of x and y can be inferred from t and u
OCL's iterate is also similar to the accumulate function of the C++ STL
Quantifiers
t->iterate(x:S; y:Boolean=true | y and a(x))
. . . where a(x) is an expression of type Boolean (with occurrence of x)
Can be equivalently expressed by
t->forAll(x | a(x))
Similar:
t->exists(x | a(x))
Selecting Elements
[Class diagram: AccountEntry (movement:int, debits:boolean, turnover:int, balance:int, countPositiveEntries():int) with a self-association whose end is named entries (0..*)]
context AccountEntry::countPositiveEntries():int
pre: true
post: result = AccountEntry.allInstances->
  select(e | not e.debits)->size()
Alternative notation using self-association:
post: result = entries->select(not debits)->size()
Reducing select to iterate
Like all other collection properties, select is definable with iterate:
s->select(x:T | e) =
  s->iterate(x:T; acc:Set(T) = Set{} |
    if e then acc->including(x) else acc endif)
s is of type Set(T)
e is an OCL expression of type Boolean
including in turn is definable with iterate
all built-in collection properties definable with iterate and includes
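The reductions on the iterate, quantifier and select slides, carried out in code. This is an added example, not code from the lecture notes: a Python model of OCL's iterate following the Java pseudocode above, with forAll, exists, select, collect, including and sum each defined through it, and a constructed set of AccountEntry values (movement, debits) to exercise the turnover and countPositiveEntries constraints.

```python
"""OCL's iterate and the collection properties reducible to it (added example)."""
from typing import Callable, FrozenSet, Iterable, Tuple, TypeVar

S = TypeVar("S")
T = TypeVar("T")


def iterate(t: Iterable[S], t0: T, u: Callable[[S, T], T]) -> T:
    """t->iterate(x:S; y:T = t0 | u): fold the body u over the elements of t."""
    y = t0                      # T y = t0;
    for x in t:                 # x = e.nextElement();
        y = u(x, y)             # y = u(x, y);
    return y


def for_all(t: Iterable[S], a: Callable[[S], bool]) -> bool:
    """t->forAll(x | a(x)) == t->iterate(x; y:Boolean = true | y and a(x)).
    Vacuously true on an empty collection, exactly as in OCL."""
    return iterate(t, True, lambda x, y: y and a(x))


def exists(t: Iterable[S], a: Callable[[S], bool]) -> bool:
    """t->exists(x | a(x)) == t->iterate(x; y:Boolean = false | y or a(x))."""
    return iterate(t, False, lambda x, y: y or a(x))


def including(acc: FrozenSet[T], x: T) -> FrozenSet[T]:
    """acc->including(x): a new set; OCL collections are values, never mutated."""
    return acc | frozenset([x])


def select(s: Iterable[T], e: Callable[[T], bool]) -> FrozenSet[T]:
    """s->select(x:T | e) == s->iterate(x:T; acc:Set(T) = Set{} |
                                 if e then acc->including(x) else acc endif)."""
    return iterate(s, frozenset(), lambda x, acc: including(acc, x) if e(x) else acc)


def collect(s: Iterable[S], f: Callable[[S], T]) -> Tuple[T, ...]:
    """s->collect(x | f(x)) yields a Bag, so duplicates survive (a tuple here)."""
    return iterate(s, (), lambda x, acc: acc + (f(x),))


def sum_of(s: Iterable[int]) -> int:
    """s->sum() == s->iterate(x; m:Integer = 0 | m + x), e.g. Set{1,2,3}->sum()."""
    return iterate(s, 0, lambda x, m: m + x)


# Constructed AccountEntry instances as (movement, debits) pairs; these values
# are made up here and mirror the attributes used on the slides.
ACCOUNT_ENTRIES = ((100, False), (-40, True), (250, False), (-10, True))


def turnover(entries: Iterable[Tuple[int, bool]]) -> int:
    """AccountEntry.allInstances->iterate(a; m:Integer = 0 | m + a.movement)."""
    return iterate(entries, 0, lambda a, m: m + a[0])


def count_positive_entries(entries: Iterable[Tuple[int, bool]]) -> int:
    """result = entries->select(e | not e.debits)->size()."""
    return len(select(entries, lambda e: not e[1]))
```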
Referring to Previous Values
context Person::birthday()
pre: age >= 0
post: age = age@pre + 1
User-defined properties qualified with @pre refer to value in prestate
Multiple Occurrences of @pre
[Class diagram: Bank (m()), Customer, Employee (phone:int); associations customer and employment from Bank, and pa between Customer and Employee (each customer has one personal assistant)]
aCustomer.pa.phone            new phone number of current p.a.
aCustomer.pa@pre.phone        new phone number of previous p.a.
aCustomer.pa.phone@pre        old phone number of current p.a.
aCustomer.pa@pre.phone@pre    old phone number of previous p.a.
A Method Does More Than It Should
context Person::setAge(newAge: int):int
pre: self.age >= 0 and newAge >= 0
post: self.age = newAge
int setAge(int newAge) { // correct implementation?!
    name = "Jabberwocky";
    return this.age = newAge;
}
The Frame Problem
How to express that nothing else is changed than what is specified?
Known in AI as the Frame Problem
First Solution
context Person::setAge(newAge: int):int
pre: self.age >= 0 and newAge >= 0
post: self.age = newAge and name = name@pre
Done for all attributes visible for context class: very tedious!
Second Solution
context Person::setAge(newAge: int):int
pre: self.age >= 0 and newAge >= 0
post: self.age = newAge
modifies: self.age
The OCL to FOL compiler creates an efficient representation
KeY extension to OCL, not in the standard
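The frame problem from the last three slides, run against the "Jabberwocky" implementation. This is an added example, not from the lecture notes or KeY: a constructed Person with the slide's two setAge variants, a checker that snapshots the prestate (what @pre refers to) and tests the bare post-condition, the first solution (name = name@pre), and a plain-Python stand-in for the modifies clause; the names run_set_age, frame_respected and set_age_buggy are this example's own.

```python
"""A post-condition checks only what it mentions; a frame clause checks the rest."""
import copy
from dataclasses import dataclass
from typing import Tuple


@dataclass
class Person:
    name: str
    age: int

    def set_age_buggy(self, new_age: int) -> int:
        """The slide's 'correct implementation?!': satisfies post, clobbers name."""
        self.name = "Jabberwocky"
        self.age = new_age
        return self.age

    def set_age(self, new_age: int) -> int:
        """An implementation that changes only what the specification allows."""
        self.age = new_age
        return self.age


def pre_set_age(p: Person, new_age: int) -> bool:
    """pre: self.age >= 0 and newAge >= 0"""
    return p.age >= 0 and new_age >= 0


def post_set_age(post: Person, new_age: int) -> bool:
    """post: self.age = newAge  (says nothing about name)"""
    return post.age == new_age


def post_set_age_first_solution(pre: Person, post: Person, new_age: int) -> bool:
    """post: self.age = newAge and name = name@pre  (one conjunct per attribute)"""
    return post.age == new_age and post.name == pre.name


def frame_respected(pre: Person, post: Person, modifies: set) -> bool:
    """modifies: <attributes> -- every other attribute must equal its @pre value.
    Stand-in for the KeY extension; checked by comparing the two states."""
    return all(getattr(pre, attr) == getattr(post, attr)
               for attr in vars(pre) if attr not in modifies)


def run_set_age(impl: str, new_age: int) -> Tuple[bool, bool, bool]:
    """Run one implementation on a constructed Person and report
    (post holds, first-solution post holds, modifies clause respected)."""
    p = Person("Alice", 30)                 # constructed sample object
    if not pre_set_age(p, new_age):
        raise ValueError("precondition violated: the caller is at fault")
    at_pre = copy.deepcopy(p)               # the prestate: what @pre refers to
    getattr(p, impl)(new_age)
    return (post_set_age(p, new_age),
            post_set_age_first_solution(at_pre, p, new_age),
            frame_respected(at_pre, p, {"age"}))
```

The buggy variant passes the bare post-condition and is rejected only by the name = name@pre conjunct or by the modifies check.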
Snapshots and OCL Constraints
OCL constraints evaluated relative to a snapshot I
(Recall that snapshot determines an object diagram)
OCL expressions have type Boolean ⇒ they are true or false wrt I
OCL constraints restrict legal snapshots of UML diagram
Possibility to express intended semantics of diagram
OCL expressions can be evaluated and checked wrt given snapshot
Don’t give formal semantics of OCL in terms of snapshots
Tell later how UML/OCL is translated into FOL/DL
Object Diagrams and OCL Constraints
[Object diagram (snapshot):
id0815:Person  name = "Jane", age = 5
id0825:Person  name = "Paul", age = 25
harley17:Bike  colour = idBlack
bmw3:Car       colour = idWhite
idBlack, idWhite, idRed : Colour  (each with black() = idBlack, white() = idWhite, red() = idRed)
two ownership links, each from a Person to a Vehicle]
context Vehicle
inv: self.owner.age >= 18                                 ✓
context Person
inv: fleet->forAll(colour = Colour.black)                 ✗
inv: fleet->select(colour = Colour.black)->size() <= 3    ✓
inv: Car.allInstances->exists(colour = Colour.red)        ✗
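The four invariants evaluated against the snapshot, as an added example that is not part of the lecture notes. The objects are the slide's (Jane, Paul, harley17, bmw3, the three Colour instances); one assumption is made, that both ownership links connect Paul to the two vehicles, which is the reading under which the slide's marks come out as shown. Each invariant with context C is evaluated for every instance of C, i.e. the implicit allInstances/forAll of the context declaration.

```python
"""OCL invariants evaluated relative to one snapshot (added example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Colour(Enum):                 # the <<enumeration>> Colour
    black = "idBlack"
    white = "idWhite"
    red = "idRed"


@dataclass(eq=False)                # eq=False: identity comparison, like p1 = p2 in OCL
class Person:
    name: str
    age: int
    fleet: List["Vehicle"] = field(default_factory=list)   # association end fleet (0..*)


@dataclass(eq=False)
class Vehicle:
    colour: Colour
    owner: Person                                           # association end owner (1)

    def __post_init__(self) -> None:
        self.owner.fleet.append(self)   # keep both ends of 'ownership' consistent


class Car(Vehicle):
    pass


class Bike(Vehicle):
    pass


def snapshot() -> Tuple[List[Person], List[Vehicle]]:
    """The object diagram from the slide (ownership endpoints assumed, see above)."""
    jane = Person("Jane", 5)
    paul = Person("Paul", 25)
    harley17 = Bike(Colour.black, owner=paul)
    bmw3 = Car(Colour.white, owner=paul)
    return [jane, paul], [harley17, bmw3]


def all_instances(objs: list, cls: type) -> list:
    """cls.allInstances in this snapshot; subclass instances count, as in UML."""
    return [o for o in objs if isinstance(o, cls)]


def inv_owner_adult(vehicles: List[Vehicle]) -> bool:
    """context Vehicle inv: self.owner.age >= 18"""
    return all(v.owner.age >= 18 for v in vehicles)


def inv_fleet_all_black(persons: List[Person]) -> bool:
    """context Person inv: fleet->forAll(colour = Colour.black)
    Holds for Jane vacuously (empty fleet) and fails for Paul (bmw3 is white)."""
    return all(all(v.colour is Colour.black for v in p.fleet) for p in persons)


def inv_at_most_three_black(persons: List[Person]) -> bool:
    """context Person inv: fleet->select(colour = Colour.black)->size() <= 3"""
    return all(len([v for v in p.fleet if v.colour is Colour.black]) <= 3
               for p in persons)


def inv_some_red_car(vehicles: List[Vehicle]) -> bool:
    """context Person inv: Car.allInstances->exists(colour = Colour.red)
    Independent of the Person context; the only Car, bmw3, is white."""
    return any(c.colour is Colour.red for c in all_instances(vehicles, Car))


def evaluate() -> Dict[str, bool]:
    """Check every invariant against the snapshot: True = holds, False = violated."""
    persons, vehicles = snapshot()
    return {
        "Vehicle: self.owner.age >= 18": inv_owner_adult(vehicles),
        "Person: fleet->forAll(colour = Colour.black)": inv_fleet_all_black(persons),
        "Person: fleet->select(colour = Colour.black)->size() <= 3":
            inv_at_most_three_black(persons),
        "Person: Car.allInstances->exists(colour = Colour.red)": inv_some_red_car(vehicles),
    }
```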
context Person::getName()
post: result = name                ?
context Person::birthday()
pre: age >= 0
post: age = age@pre + 1            ?
Why (Formal) Specification?
Importance of Requirements Specification
Advantages of formal requirements spec before implementation:
No need to decide on algorithm, but sufficient to describe result
Parts of behaviour can be left open (underspecification)
Possibility of code generation, platform/technology independency: model-driven development
Formalisation exhibits bugs & missing requirements in early stage
Two independent formal models (specification, code):
Possibility of formal verification
Find more bugs
More trust in resulting system