Contractual
Consistency Between
BON Static and
Dynamic Diagrams
Ali Taleghani
July 30, 2004
1
Overview
Model-Driven Development & Models
 Contractual Consistency – The Problem
 Previous Work
 Current Work – Semantics of Dynamic
Diagrams
 BON Development Tool – BDT
 Contribution and Future Work

2
MDD & Models




Model-Driven Development proposes
development based on models
Several views can be used to describe system
Models must be executable, and views
consistent
Contributions
 Automated
consistency checking
 Symbolic model execution
3
Contractual Consistency –
Example
ACCOUNT
Scenario 1: Bank Example
balance: INTEGER
make
! balance = 0
PERSON
1. Create Account
2. Withdraw 200
withdraw(a: INTEGER)
? balance >= a
! balance = old balance - a
Invariant
balance >= 0
PERSON
1, 2
ACCOUNT
• SD contains contracts only – No implementation
• Want to create account and withdraw $200
• make sets (balance = 0), but precondition of withdraw requires
(balance >= 200)  Contract Violation
4
Contractual Consistency




SD and DD are the two views involved
SD contains contracts only – no implementation
Contracts are pre, postconditions and class
invariants
Views contractually consistent if messages in
DD corresponding to routines in SD can be
executed without contract violations
5
Previous Work





Problem of consistency with contracts not
extensively discussed –informal approaches
only
[Paige 2002] first to formalize problem
Cites 4 criteria for checking consistency
Last criteria is contractual consistency
We add additional constraints for implementation
6
Semantics of Dynamic Diagram
SSCi 
 SSCi 1
ri
• Message mi in DD is mapped to a feature ri in the target class in SD
• Routine takes system from one system state constraint (SSCi) to the
next (SSCi+1)
• SSC represents a constraint on the attributes in the system
• SSCi+1 constructed using SSCi and contracts of ri
7
Current Contribution - 1



Check Contractual Consistency using
Symbolic Model Execution
Define Symbolic Execution Step as execution
of one message in DD
Step(SSCi , ri , SSCi 1 ) successful iff

SSCi  ri . pre
Precondition of routine is satisfied

SSCi 1  False
SSC is not a contradiction
8
Current Contribution - 2

Views contractually consistent iff
i 1  i  n | Step(SSCi , ri , SSCi 1 )



No implementation provided
Require use of Theorem Prover
Use Simplify from ESC/Java


Automatic and Fast
Returns counter example
9
BON Development Tool - BDT
Static Diagramming Tool
• Construct Class diagrams
• Include contracts
10
BON Development Tool - BDT
Dynamic Diagramming
Tool
• Draw objects and
messages
• Assign messages to
routines from SD
11
BON Development Tool - BDT
Consistency Tool
• Specify an initial state constraint
• Contract violation results in counter
example
• User can use counter example to
make changes to contracts,
messages
12
Comparison to Tool of [Gao2004]

Gao’s Tool
 Test
drivers and implementation required
 Checks one or a few execution paths
 Complete (for that execution)

BDT

Automatic and no implementation required
 All execution paths starting in a state constraint are
checked
 Incomplete since working with a theorem prover
13
Contribution





First contractual consistency tool without the
need to specify implementation
Early symbolic execution of partial models
Can use dynamic (collaboration) diagrams
Use contracts only – higher level than MDD
State Chart Action Languages
Tool is user friendly
 Simplify
works automatically under the hood
 Simplify works quickly
14
Future Work
Work out theory for sub-messages in DD
 BDT

 Add
invariants and inheritance
 Support quantifications
 Combine BDT with EDT for complete code
generation
 Add support for program verification – using
ERC
15
Thank You
16