From Use Cases to Post Conditions Martin Giese and Rogardt Heldal - - PowerPoint PPT Presentation

▶

from use cases to post conditions

From Use Cases to Post Conditions Martin Giese and Rogardt Heldal - - PowerPoint PPT Presentation

Oct 04, 2022 31 likes •397 views

From Use Cases to Post Conditions Martin Giese and Rogardt Heldal Chalmers Tekniska Hgskola, Gteborg, Sweden KeY Workshop, June 7, 2004 p.1/26 Motivation . . . for the crowd: Until now, the KeY method starts at the design phase:

slide-1

SLIDE 1

From Use Cases to Post Conditions

Martin Giese and Rogardt Heldal Chalmers Tekniska Högskola, Göteborg, Sweden

KeY Workshop, June 7, 2004 – p.1/26

slide-2

SLIDE 2

Motivation

. . . for the crowd: Until now, the KeY method starts at the design phase:

add OCL pre/post conditions to methods
instantiate design patterns
Constraints like argument ranges, objects being non-null

What is missing is the analysis phase:

Specifications that correspond to customer requirements
Done before the first class diagram
Textual descriptions

KeY Workshop, June 7, 2004 – p.2/26

slide-3

SLIDE 3

Informal Specification in UML

UML use cases are a means for informal specification
Describe the system’s behaviour
Suitable for communication with customers
Parts of use case:
name
main flow
alternative flows
pre and post conditions
. . .

KeY Workshop, June 7, 2004 – p.3/26

slide-4

SLIDE 4

Example: Automated Teller Machine

In this case study, look only at withdrawal:
Main flow:

insert card, enter PIN, request cash amount, get money, return card

Alternative flows: wrong PIN, cash amount exceeds balance, etc.
In this work: put a more precise informal description in the

post condition of the use case. . .

KeY Workshop, June 7, 2004 – p.4/26

slide-5

SLIDE 5

Post Condition of Withdraw

If the customer entered the PIN on the Card, and

the customer’s balance was greater or equal to the requested amount, then the customer got the requested amount and the amount was deducted from the balance.

If the customer entered the wrong PIN three

times, the card was retained.

If the customer requested too much money, the

card was returned to the customer.

KeY Workshop, June 7, 2004 – p.5/26

slide-6

SLIDE 6

Main Scenario: Sequence Diagram

KeY Workshop, June 7, 2004 – p.6/26

slide-7

SLIDE 7

Main Scenario: Sequence Diagram

➠ Last Operation (giveAmount) must ensure post condition of use case

KeY Workshop, June 7, 2004 – p.6/26

slide-8

SLIDE 8

Informal to Formal Specification

Want to give the formal post-condition for the final operation in the

scenario, for example operation giveAmount

Guarantee that the formal post-condition of the operation satisfy the

informal post-condition of the use case

Problem:
There might be several scenarios of the use case
The final operation can vary for different scenarios

➠ Gather possible scenarios in state chart

KeY Workshop, June 7, 2004 – p.7/26

slide-9

SLIDE 9

State Chart for ATM Example

KeY Workshop, June 7, 2004 – p.8/26

slide-10

SLIDE 10

State Chart for ATM Example

A: givePin(userPin1)[userPin1 = cardPin1]

KeY Workshop, June 7, 2004 – p.8/26

slide-11

SLIDE 11

State Chart for ATM Example

A: givePin(userPin1)[userPin1 = cardPin1]
B: givePin(userPin1)[userPin1 <> cardPin1]

KeY Workshop, June 7, 2004 – p.8/26

slide-12

SLIDE 12

State Chart for ATM Example

A: givePin(userPin1)[userPin1 = cardPin1]
B: givePin(userPin1)[userPin1 <> cardPin1]
C: [balance >= amount]

KeY Workshop, June 7, 2004 – p.8/26

slide-13

SLIDE 13

State Chart for ATM Example

A: givePin(userPin1)[userPin1 = cardPin1]
B: givePin(userPin1)[userPin1 <> cardPin1]
C: [balance >= amount]
D: [balance < amount]

KeY Workshop, June 7, 2004 – p.8/26

slide-14

SLIDE 14

Condition to Satisfy: First Attempt

Given a path π: s0 s1 s2 . . . sk

p1(args1)
p2(args2)
pk(argsk)
Last operation for path: final(π) := opk
Post cond. of last method should ensure post cond. of use case:

Postfinal(π) → PostUC

KeY Workshop, June 7, 2004 – p.9/26

slide-15

SLIDE 15

Condition to Satisfy: First Attempt

Given a path π: s0 s1 s2 . . . sk

p1(args1)
p2(args2)
pk(argsk)
Last operation for path: final(π) := opk
Post cond. of last method should ensure post cond. of use case:

Postfinal(π) → PostUC wrong!

Problem:

Holds only if we add information about the path taken

KeY Workshop, June 7, 2004 – p.9/26

slide-16

SLIDE 16

Information about a Path

Let Cond(π) gather information about the path taken. s0 s1a s2 . . . s1b . . .

p1a(args1a)[cond1a]
p2(args2)[cond2]
p1b(args1b)[cond1b]

KeY Workshop, June 7, 2004 – p.10/26

slide-17

SLIDE 17

Information about a Path

Let Cond(π) gather information about the path taken. s0 s1a s2 . . . s1b . . .

p1a(args1a)[cond1a]
p2(args2)[cond2]
p1b(args1b)[cond1b]
For simplicity, take conjunction of guards:

Cond(π) = cond1a ∧ cond2

KeY Workshop, June 7, 2004 – p.10/26

slide-18

SLIDE 18

Information about a Path

Let Cond(π) gather information about the path taken. s0 s1a s2 . . . s1b . . .

p1a(args1a)[cond1a]
p2(args2)[cond2]
p1b(args1b)[cond1b]
For simplicity, take conjunction of guards:

Cond(π) = cond1a ∧ cond2

➠ Restriction:

Guards in state chart do not refer to attribute values
Distinct names for event arguments

KeY Workshop, June 7, 2004 – p.10/26

slide-19

SLIDE 19

Condition to Satisfy

If we are on this path, the post cond. of the final method

ensures that of the use case: Cond(π) → (Postfinal(π) → PostUC)

KeY Workshop, June 7, 2004 – p.11/26

slide-20

SLIDE 20

Condition to Satisfy

If we are on this path, the post cond. of the final method

ensures that of the use case: Cond(π) → (Postfinal(π) → PostUC)

or equvialently:

(Cond(π) ∧ Postfinal(π)) → PostUC

KeY Workshop, June 7, 2004 – p.11/26

slide-21

SLIDE 21

Condition to Satisfy

If we are on this path, the post cond. of the final method

ensures that of the use case: Cond(π) → (Postfinal(π) → PostUC)

or equvialently:

(Cond(π) ∧ Postfinal(π)) → PostUC

Finally, this should be the case for all possible paths π:
π∈Σ
(Cond(π) ∧ Postfinal(π)) → PostUC
KeY Workshop, June 7, 2004 – p.11/26

slide-22

SLIDE 22

OCL Post-Condition for giveAmount

Context ATMController::giveAmount(amount:long) post: if ( amount <= bank.getBalance(card.getID()) ) then cashDispenser^giveOutCash(amount) and bank.getBalance(card.getID()) = bank.getBalance@pre(card.getID()) - amount and card^returnCard() else not cashDispenser^giveOutCash(?) and bank.getBalance(card.getID()) = bank.getBalance@pre(card.getID()) and card^returnCard()

KeY Workshop, June 7, 2004 – p.12/26

slide-23

SLIDE 23

Case Study: Normal Flow

Consider: The “normal flow” with no wrong PIN entered and a

sufficient balance

Call this path π1.
Combined conditions from guards:

Cond(π1)

= (userPin1 = cardPin ∧ balance >= amount)

Final operation on π1:

final(π1) = giveAmount

KeY Workshop, June 7, 2004 – p.13/26

slide-24

SLIDE 24

Case Study: Relationship between specifications

Need to show:

(Cond(π1) ∧ Postfinal(π1)) → PostUC

KeY Workshop, June 7, 2004 – p.14/26

slide-25

SLIDE 25

Case Study: Relationship between specifications

Need to show:

userPin1 = cardPin and balance >= amount and if ( amount <= bank.getBalance(card.getID()) ) then cashDispenser^giveOutCash(amount) and bank.getBalance(card.getID()) = bank.getBalance@pre(card.getID()) - amount and card^returnCard() else not cashDispenser^giveOutCash(?) and bank.getBalance(card.getID()) = bank.getBalance@pre(card.getID()) and card^returnCard() implies PostUC.

KeY Workshop, June 7, 2004 – p.15/26

slide-26

SLIDE 26

Case Study: Relationship between specifications

Need to show:

userPin1 = cardPin and balance >= amount and cashDispenser^giveOutCash(amount) and bank.getBalance(card.getID()) = bank.getBalance@pre(card.getID()) - amount and card^returnCard() implies PostUC.

KeY Workshop, June 7, 2004 – p.16/26

slide-27

SLIDE 27

Informal Proof 1

userPin1 = cardPin and balance >= amount and cashDispenser^giveOutCash(amount) and bank.getBalance(card.getID()) = bank.getBalance@pre(card.getID()) - amount and card^returnCard()

⇓

If the customer entered the PIN on the Card, and the customer’s balance was greater or equal to the requested amount, then the customer got the requested amount and the amount was deducted from the balance.

KeY Workshop, June 7, 2004 – p.17/26

slide-28

SLIDE 28

Informal Proof 2

userPin1 = cardPin and balance >= amount and cashDispenser^giveOutCash(amount) and bank.getBalance(card.getID()) = bank.getBalance@pre(card.getID()) - amount and card^returnCard()

⇓

If the customer entered the wrong PIN three times, the card was retained.

KeY Workshop, June 7, 2004 – p.18/26

slide-29

SLIDE 29

Informal Proof 3

userPin1 = cardPin and balance >= amount and cashDispenser^giveOutCash(amount) and bank.getBalance(card.getID()) = bank.getBalance@pre(card.getID()) - amount and card^returnCard()

⇓

If the customer requested too much money, the card was returned to the customer.

KeY Workshop, June 7, 2004 – p.19/26

slide-30

SLIDE 30

Reflection

We have considered whether

every behavior allowed by the formal specification

is also allowed according to the informal one We have not yet considered whether

every behavior the informal specification allows

is still allowed by the formal one, stated as:

π∈Σ
(Cond(π) ∧ PostUC) → Postfinal(π)
KeY Workshop, June 7, 2004 – p.20/26

slide-31

SLIDE 31

Too Strong Statement

In general it is not the case that:
π∈Σ
(Cond(π) ∧ PostUC) → Postfinal(π)
Information is added when the informal specification is formalized
Changing PostUC might make it unnecessarily verbose
Might be important to keep track of the extra information,

so we state instead:

π∈Σ
(Cond(π) ∧ PostUC ∧ Extra(π)) → Postfinal(π)
KeY Workshop, June 7, 2004 – p.21/26

slide-32

SLIDE 32

Case Study: Extra Information

Extra information in the post condition of giveAmount:

if ( amount <= bank.getBalance(card.getID()) ) then cashDispenser^giveOutCash(amount) and bank.getBalance(card.getID()) = bank.getBalance@pre(card.getID()) - amount and card^returnCard() else not cashDispenser^giveOutCash(?) and bank.getBalance(card.getID()) = bank.getBalance@pre(card.getID()) and card^returnCard()

➠ In this case, about half of the specification!

KeY Workshop, June 7, 2004 – p.22/26

slide-33

SLIDE 33

Future Work

Handle state charts with (infinitely) many paths efficiently

➠ handle groups of similar paths together

Remove restrictions on state chart guards
Tool support within the

system

Automatically translate OCL constraints back to natural language

➠ Round-trip engineering

More clearly separate the steps

Informal ⇔ Formal Analysis ⇔ Design

KeY Workshop, June 7, 2004 – p.23/26

slide-34

SLIDE 34

Grouping Similar Paths

The post condition PostUC is often composed of a number of clauses: PostUC = (C1 → P1) ∧ (C2 → P2) ∧ (C3 → P3) Sufficient to show

π∈Σ
(Cond(π) ∧ Postfinal(π) ∧ Ci) → Pi
for i = 1, 2, 3.

➠ many paths are immediately excluded by Ci

KeY Workshop, June 7, 2004 – p.24/26

slide-35

SLIDE 35

Case Study: Simplification

Consider:

C3 = “If the customer requested too much money”

Here we can conclude that

only fulfilled on the three paths that go through the state

‘insufficientBalance’ in the state chart

final(π) = giveAmount, on all these paths
condition balance < amount is on all three paths

In this case it is sufficient to show:

(balance < amount ∧ PostgiveAmount ∧ C3) → P3

KeY Workshop, June 7, 2004 – p.25/26

slide-36

SLIDE 36

End of Talk

Questions?

KeY Workshop, June 7, 2004 – p.26/26