Evaluation of OCL for Large-Scale Modelling

1
Evaluation of OCL for Large-Scale Modelling

• A Different View of the Mondex Smart Card
  Application

Emine G. Aydal, Richard F. Paige, Jim
Woodcock University of York
2
AGENDA

• Motivation
• Goal
• Modelling Mondex
• Modelling issues
• Validation
• Test case generation
• Conclusion

Motivation Goal Modelling Mondex
Modelling Issues Validation Test case
generation Conclusion
3
Motivation

• MONDEX Global e-payment scheme that offers
  immediate transfer of value without signature or
  PIN in currencies allowed.
• First Step in Grand Challenge Program
• Contribution of this study
• Model the system from informal requirements by
  using semi-formal techniques
• Perform model-based testing on formally-verified
  versions of Mondex
• Assess the value added

• Alloy (MIT)
• Event-B (University of Southampton)
• OCL (University of Bremen)
• Perfect Developer (Escher Technologies)
• RAISE (Uni. of UN Macao and TUD)
• Z (University of York)
• Based on the monograph that outlined the
  specifications, refinement and proof details of
  Mondex in Z (Stepney and Woodcock)

Motivation Goal Modelling Mondex
Modelling Issues Validation Test case
generation Conclusion
4
Goal

• Test cases derived from models before development
  stage
• Model-based testing of formally verified s/w

Motivation Goal Modelling Mondex
Modelling Issues Validation Test case
generation Conclusion
5
Goal

• Model Mondex by using UML and OCL
• Diagrams
• Invariants
• Pre/post-conditions
• Validate the model through scenarios
• Explore the relationship between test case
  generation and assertion-based scenarios

Motivation Goal Modelling Mondex
Modelling Issues Validation Test case
generation Conclusion
6
Modelling Mondex
No. Module Name
M1 Payment
M2 Logging
M3 Recovery
M4 Currency Management
M5 Operational Control
M6 Data Display and Customisation
Motivation Goal Modelling Mondex
Modelling Issues Validation Test case
generation Conclusion
7
Modelling Mondex

• Modelling Language UML enriched with OCL
  expressions
• Tool UML Specification Environment (USE)
• Use case diagrams and use scenarios

Motivation Goal Modelling Mondex
Modelling Issues Validation Test case
generation Conclusion
8
Modelling Mondex

• 8 Classes
• 30 Invariants
• 31 Operations
• 197 Pre/post-conditions
• Traceability Matrix

Motivation Goal Modelling Mondex
Modelling Issues Validation Test case
generation Conclusion
9
Modeling issues

• Constants
• Derived Parameters

• May be fixed at a later stage in the development
  or during application loading
• Currently no support for constants
• Example
• inv iNoLanguages
• self.languages-gtsize() lt cNoLanguages

• Prefixed with / in UML (_ in USE)
• Supported by OCL
• Not integrated into the OCL tools
• Workaround create invariants ensuring the
  correct calculation of the derived attributes
• inv iNoUnusedException
• _NumberOfUnusedExceptions
• cNoException - exceptionlogs-gtsize()

Motivation Goal Modelling Mondex
Modelling Issues Validation Test case
generation Conclusion
10
Modeling issues

• Constants
• Derived Parameters
• Invariants
• Pre/post-conditions (assertions)

• No consistency check
• Restricting invariants
• No tool support yet (OCL Compiler v2.0)

Motivation Goal Modelling Mondex
Modelling Issues Validation Test case
generation Conclusion
11
Modeling issues

• Pre/Post-conditions

• State Checking
• Self.OclInState(Unlocked)
• Self.LockingState Unlocked
• Messaging HasSent Operator ()
• post ChangePersonalCodePost1
• Personal Code changes successfully
• or
• (PersonalCode PersonalCode_at_pre
• and SelfChangeTheStateToLockedOut
• and result false)

Motivation Goal Modelling Mondex
Modelling Issues Validation Test case
generation Conclusion
12
Modeling issues

• Pre/Post-conditions

• Frame Variables Set (FVS)
• Distinct set of variables read/written by each
  operation
• Determination of these variables
• Management of the post values of these variables
• Assumption All the variables not included in
  FVS of an operation stay unchanged after the
  execution of that operation
• No tool support

Motivation Goal Modelling Mondex
Modelling Issues Validation Test case
generation Conclusion
13
Validation of the model

• Overall Objective The model behaves as expected
  when an instance of the model is executed under
  certain conditions.
• There is at least one instance of the model that
  satisfies all the invariants.
• There is at least one instance of the model that
  allows each operation to run successfully, i.e.
  preconditions and postconditions of the operation
  are satisfied and the instance does not conflict
  with any of the invariants.

Motivation Goal Modelling Mondex
Modelling Issues Validation Test case
generation Conclusion
14
Validation of the model

• Scenario An instance of the model that serves a
  purpose, i.e. that satisfies a property.
• Base object model An initial, stable instance
  of the model that satisfies all the invariants.
• Scenario structure
• Setting/creation of FVS
• Access the operation (Precondition check)
• Modification/Deletion of FVS
• Exit the operation (Postcondition check)

Motivation Goal Modelling Mondex
Modelling Issues Validation Test case
generation Conclusion
15
Validation of the model

• Creation of scenarios that validate operations
• Execution of scenarios
• Immediate feedback by the tool
• Drawback Finding the set of frame variables and
  their values in order to satisfy assertions of a
  certain operation

Motivation Goal Modelling Mondex
Modelling Issues Validation Test case
generation Conclusion
16
Test Case Generation

• Assertions ensure the correct functioning of
  operations. So why not using these critical
  points in test case generation?
• Idea Find scenarios that violates each assertion
  of each operation.

Motivation Goal Modelling Mondex
Modelling Issues Validation Test case
generation Conclusion
17
Test Case Generation

• Existing research In order to validate a model,
  generate automatic snapshots of a model by using
  ASSL (A Snapshot and Sequence Language) in USE
  Gogolla,2003
• Based on invariant conflict.
• Each invariant is addressed separately by feeding
  the system with its reverse.

Motivation Goal Modelling Mondex
Modelling Issues Validation Test case
generation Conclusion
18
Test Case Generation

• Additional information
• Scenarios that violate 197 assertions are already
  created manually.
• Future work
• Apply the technique described in Gogolla,2003
  for invariants to assertions .
• Automate the generation of such scenarios
• Compare the results of manual and automatic
  scenario generation
• Concretise scenarios into test scripts

Motivation Goal Modelling Mondex
Modelling Issues Validation Test case
generation Conclusion
19
Conclusion

• Modeled a real life application by using OCL.
• The large number of invariants and assertions
  provided us ideas in terms of features that needs
  to be added into OCL tools.
• The scenarios are a way of validating your model.
  The fact that scenarios use artifacts of the
  model supports the validation process.
• Test case generation and Validation are two
  processes that may have common grounds.

Motivation Goal Modelling Mondex
Modeling Issues Validation Test case
generation Conclusion
20
THANK YOU
Motivation Goal Modelling Mondex
Modeling Issues Validation Test case
generation Conclusion