Evaluation of OCL for Large-Scale Modelling
A Different View of the Mondex Smart Card Application
Emine G. Aydal, Richard F. Paige, Jim Woodcock
University of York

Agenda
- Motivation
- Goal
- Modelling Mondex
- Modelling issues
- Validation
- Test case generation
- Conclusion

Motivation
- Mondex: global e-payment scheme that offers immediate transfer of value, without signature or PIN, in the currencies allowed.
- First step in the Grand Challenge programme; Mondex has been modelled with
  - Alloy (MIT)
  - Event-B (University of Southampton)
  - OCL (University of Bremen)
  - Perfect Developer (Escher Technologies)
  - RAISE (Uni. of UN Macao and TUD)
  - Z (University of York)
- Contribution of this study:
  - Model the system from informal requirements using semi-formal techniques
  - Perform model-based testing on formally verified versions of Mondex
  - Assess the value added
- Based on the monograph that outlined the specification, refinement and proof details of Mondex in Z (Stepney and Woodcock)

Goal
- Test cases derived from models before the development stage
- Model-based testing of formally verified software
- Model Mondex using UML and OCL:
  - Diagrams
  - Invariants
  - Pre/post-conditions
- Validate the model through scenarios
- Explore the relationship between test case generation and assertion-based scenarios

Modelling Mondex
Modules of the Mondex application:
  No.  Module name
  M1   Payment
  M2   Logging
  M3   Recovery
  M4   Currency Management
  M5   Operational Control
  M6   Data Display and Customisation

Modelling Mondex
- Modelling language: UML enriched with OCL expressions
- Tool: UML Specification Environment (USE)
- Use case diagrams and use scenarios
- Size of the model: 8 classes, 30 invariants, 31 operations, 197 pre/post-conditions
- Traceability matrix

Modelling issues: constants and derived parameters
- Constants
  - May be fixed at a later stage in the development, or during application loading
  - Currently no support for constants in the OCL tools
  - Example:
      inv iNoLanguages:
        self.languages->size() <= cNoLanguages
- Derived parameters
  - Prefixed with '/' in UML ('_' in USE)
  - Supported by OCL, but not integrated into the OCL tools
  - Workaround: create invariants ensuring the correct calculation of the derived attributes
      inv iNoUnusedException:
        _NumberOfUnusedExceptions = cNoException - exceptionlogs->size()

Modelling issues: invariants and assertions
- Invariants
  - No consistency check
- Pre/post-conditions (assertions)
  - Restricting invariants
  - No tool support yet (OCL Compiler v2.0)

Modelling issues: pre/post-conditions
- State checking, two alternatives:
    self.oclInState(Unlocked)
    self.LockingState = 'Unlocked'
- Messaging: hasSent operator ('^')
    post ChangePersonalCodePost1:
      -- personal code changes successfully
      or
      (PersonalCode = PersonalCode@pre
       and self^ChangeTheStateToLockedOut
       and result = false)

Modelling issues: frame variable set (FVS)
- Distinct set of variables read/written by each operation
- Determination of these variables
- Management of the post values of these variables
- Assumption: all the variables not included in the FVS of an operation stay unchanged after the execution of that operation
- No tool support

Validation of the model
- Overall objective: the model behaves as expected when an instance of the model is executed under certain conditions.
  - There is at least one instance of the model that satisfies all the invariants.
  - There is at least one instance of the model that allows each operation to run successfully, i.e. the preconditions and postconditions of the operation are satisfied and the instance does not conflict with any of the invariants.
- Scenario: an instance of the model that serves a purpose, i.e. that satisfies a property.
- Base object model: an initial, stable instance of the model that satisfies all the invariants.
- Scenario structure:
  1. Setting/creation of the FVS
  2. Access the operation (precondition check)
  3. Modification/deletion of the FVS
  4. Exit the operation (postcondition check)
- Creation of scenarios that validate operations
- Execution of scenarios, with immediate feedback by the tool
- Drawback: finding the set of frame variables and their values that satisfy the assertions of a given operation

Test case generation
- Assertions ensure the correct functioning of operations, so why not use these critical points in test case generation?
- Idea: find scenarios that violate each assertion of each operation.
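The scenario-based validation and the "violate each assertion" idea from the slides above, as an added Python example that is not part of the deck or of the USE tool: a hypothetical slice of the purse model with the two invariants and the ChangePersonalCodePost1 postcondition quoted on the slides, a scenario runner that follows the four-step scenario structure plus the FVS assumption check, and a search that reports which assertions each candidate scenario violates. The operation body, the constant values, the balance attribute and the scenario inputs are assumptions made for this example.

```python
import copy
from dataclasses import dataclass, field
cNoLanguages, cNoException = 3, 5        # constants of this hypothetical model (assumed values)

@dataclass
class Purse:                             # slice of a Mondex-style purse; names follow the slides
    PersonalCode: str
    LockingState: str = "Unlocked"                   # slides: self.LockingState = 'Unlocked'
    languages: list = field(default_factory=lambda: ["en"])
    exceptionlogs: list = field(default_factory=list)
    _NumberOfUnusedExceptions: int = cNoException    # derived attribute, '_' prefix as in USE
    sent: list = field(default_factory=list)         # messages sent, for the '^' (hasSent) check
    balance: int = 0                                 # assumed; outside the FVS of ChangePersonalCode

INVARIANTS = {                           # the two invariants quoted on the slides
    "iNoLanguages": lambda p: len(p.languages) <= cNoLanguages,
    "iNoUnusedException": lambda p: p._NumberOfUnusedExceptions == cNoException - len(p.exceptionlogs),
}
FVS = {"PersonalCode", "LockingState", "sent"}       # frame variable set of ChangePersonalCode

def change_personal_code(p, old, new):               # body is assumed, written to meet Post1
    if old == p.PersonalCode:
        p.PersonalCode = new
        return True
    p.sent.append("ChangeTheStateToLockedOut"); p.LockingState = "LockedOut"
    return False

def post1(p, pre, result, old, new):                 # ChangePersonalCodePost1 from the slides
    return (p.PersonalCode == new and result) or (
        p.PersonalCode == pre.PersonalCode and "ChangeTheStateToLockedOut" in p.sent and not result)

def run_scenario(base, old, new, extra=None):
    """Scenario structure: base invariants, precondition, execute, postcondition, invariants, FVS."""
    p, pre = copy.deepcopy(base), copy.deepcopy(base)
    res = {"inv_base": all(f(p) for f in INVARIANTS.values()),
           "pre_Unlocked": p.LockingState == "Unlocked"}         # self.oclInState(Unlocked)
    result = change_personal_code(p, old, new) if res["pre_Unlocked"] else None
    if extra:                                        # change the scenario itself injects
        extra(p)
    res["ChangePersonalCodePost1"] = (not res["pre_Unlocked"]) or post1(p, pre, result, old, new)
    res["inv_post"] = all(f(p) for f in INVARIANTS.values())
    res["frame"] = all(getattr(p, k) == getattr(pre, k) for k in vars(p) if k not in FVS)
    return res

def violations():
    """Per candidate scenario, the assertions it violates: each non-empty list is a negative test."""
    cases = {"happy path": (Purse("1234"), "1234", "9999", None),
             "wrong old code": (Purse("1234"), "0000", "9999", None),
             "locked card": (Purse("1234", "LockedOut"), "1234", "9999", None),
             "out-of-frame write": (Purse("1234"), "1234", "9999", lambda p: setattr(p, "balance", 1)),
             "too many languages": (Purse("1234", languages=list("abcd")), "1234", "9999", None)}
    return {n: [a for a, ok in run_scenario(*c).items() if not ok] for n, c in cases.items()}
```

The "wrong old code" scenario passes only because Post1's second disjunct (code unchanged, lock-out message sent, result false) holds; the other non-empty lists are the scenarios the slides propose turning into test cases.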

Test case generation: existing research
- To validate a model, generate snapshots of the model automatically using ASSL (A Snapshot and Sequence Language) in USE [Gogolla, 2003]
  - Based on invariant conflict
  - Each invariant is addressed separately by feeding the system with its reverse, i.e. its negation

Test case generation: status and future work
- Scenarios that violate the 197 assertions have already been created manually.
- Future work:
  - Apply the technique described in [Gogolla, 2003] for invariants to assertions
  - Automate the generation of such scenarios
  - Compare the results of manual and automatic scenario generation
  - Concretise scenarios into test scripts

Conclusion
- Modelled a real-life application using OCL.
- The large number of invariants and assertions gave us ideas about features that need to be added to OCL tools.
- Scenarios are a way of validating a model; the fact that scenarios use artifacts of the model supports the validation process.
- Test case generation and validation are two processes that may have common ground.

Thank you.