Lecture 15: UML State Machines & Software Quality Assurance - - PowerPoint PPT Presentation
Softwaretechnik / Software-Engineering Lecture 15: UML State Machines & Software Quality Assurance 2018-07-02 Prof. Dr. Andreas Podelski, Dr. Bernd Westphal Albert-Ludwigs-Universitt Freiburg, Germany 15 2018-07-02 main
– 15 – 2018-07-02 – main –
2018-07-02
Albert-Ludwigs-Universität Freiburg, Germany
– 15 – 2018-07-02 – Sblockcontent –
2/67
VL 11 . . . VL 12 . . . VL 13 . . . VL 14 . . . VL 15 . . .
– 15 – 2018-07-02 – Scontent –
3/67
– 15 – 2018-07-02 – main –
4/67
– 15 – 2018-07-02 – Scfasw –
5/67
set S of (finite or infinite) computation paths of the form σ0
α1
− → σ1
α2
− → σ2 · · · where
The (possibly partial) function · : S → S is called interpreta- tion of S.
ℓ0, ν0
λ1
− − → ℓ1, ν1
λ2
− − → ℓ2, ν2
λ3
− − → · · · | π is a computation path of C}.
– 15 – 2018-07-02 – Scfasw –
6/67
http://commons.wikimedia.org (CC-by-sa 4.0, Dirk Ingo Franke)
Alphabet:
– dispense cash only,
– return card only,
C
– dispense cash and return card.
S1 =
C
ω
S2 = (M.C)ω or (C.M)ω
S1 = (C.M)ω
– 15 – 2018-07-02 – Scfasw –
7/67
Customer 2 Mmmh, Software!
Requirements S1 = {(M.C, · 1), (C.M, · 1)} Design S2 = {(M.TM.C, · 1), (C.TC.M, · 1)} S1 = {σ1
α1
1
− − → σ1
1 α1
2
− − → σ1
2 · · · , . . . }
Implementation S2 = {σ2
α2
1
− − → σ2
1 α2
2
− − → σ2
2 · · · , . . . }
Development Process/ Project Management
– 15 – 2018-07-02 – main –
8/67
– 15 – 2018-07-02 – Scfaatwork –
9/67
CoinValidator User ChoicePanel WaterDispenser SoftDispenser TeaDispenser Service
C50, E1 WATER, SOFT, TEA OK DWATER DSOFT DTEA DOK FILLUP
ENVIRONMENT SYSTEM
half_idle request_sent tea_selected soft_selected water_selected idle DOK? OK! water_enabled := false, soft_enabled := false, tea_enabled := false DTEA! DWATER! DSOFT! tea_enabled TEA? soft_enabled SOFT? water_enabled WATER?
That is, ‘Service’ could send ‘WATER’ if the modeler wanted to.
– 15 – 2018-07-02 – Scfaatwork –
10/67
(Otherwise, the design is definitely broken.)
w = 0 is reachable, i.e. check NVM | = ∃♦ w = 0. for the vending machine model NVM.
– 15 – 2018-07-02 – Scfaatwork –
11/67
(Otherwise, the design is definitely broken.)
LSC: buy tea AC: true AM: initial I: permissive
User Coin Validator Choice Panel C50 C50 C50 TEA ¬E1!
end_of_scenario TEA! C50! C50! C50!
instead of User and check whether location end_of_scenario is reachable, i.e. check N ′
VM |
= ∃♦ Scenario.end_of_scenario. for the modified vending machine model N ′
VM.
– 15 – 2018-07-02 – Scfaatwork –
12/67
if there is e 1.50 in the machine?
(Otherwise, the design is broken.)
tea_enabled = ⇒ CoinValidator.have_c150 holds in all reachable configurations, i.e. check NVM | = ∀ tea_enabled imply CoinValidator.have_c150 for the vending machine model NVM.
drink_ready have_c150 have_e1 have_c100 have_c50 idle OK? OK? OK? OK? E1? tea_enabled := (t > 0) C50? water_enabled := (w > 0), tea_enabled := (t > 0) C50? tea_enabled := (t > 0) E1? soft_enabled := (s > 0) C50? soft_enabled := (s > 0) C50? water_enabled := (w>0)
– 15 – 2018-07-02 – Scfaatwork –
13/67
(Otherwise, the considered invariant tea_enabled = ⇒ CoinValidator.have_c150 holds vacuously.)
Exactly like we did with w = 0 earlier.
– 15 – 2018-07-02 – Scfaatwork –
14/67
and water in stock, that the “water” button is enabled?
NVM | = ∀ (CoinValidator.have_c50 or CoinValidator.have_c100 or CoinValidator.have_c150) imply water_enabled.
drink_ready have_c150 have_e1 have_c100 have_c50 idle OK? OK? OK? OK? E1? tea_enabled := (t > 0) C50? water_enabled := (w > 0), tea_enabled := (t > 0) C50? tea_enabled := (t > 0) E1? soft_enabled := (s > 0) C50? soft_enabled := (s > 0) C50? water_enabled := (w>0)
– 15 – 2018-07-02 – Scfaatwork –
15/67
LSC: buy water AC: true AM: invariant I: strict User CoinValidator ChoicePanel Dispenser C 5 p W A T E R
¬(C50! ∨ E1! ∨ pSOFT! ∨ pTEA! ∨ pFILLUP!)
water_in_stock d W A T E R O K
¬(dSoft! ∨ dTEA!)
– 15 – 2018-07-02 – Scontent –
16/67
– 15 – 2018-07-02 – main –
17/67
– 15 – 2018-07-02 – Smdse –
18/67
– 15 – 2018-07-02 – Smdse –
19/67
Idea Structure Declarative Behaviour
Behaviour′
Constructive Behaviour
Constructive Behaviour′
elicit refine refine refine refine
requirements model requirements/ constraints design system model | =? | =?
generate/ program
– 15 – 2018-07-02 – Smdse –
20/67
– 15 – 2018-07-02 – Smdse –
21/67 task, problem
inside-out top-down bottom-up
user interface system software, hardware
– 15 – 2018-07-02 – Smdse –
22/67
– 15 – 2018-07-02 – Simpl –
23/67
W0 dispense Wi FILLUP? w := 3 FILLUP? w := 3 w == 0 DOK! w > 0 DOK! DWATER? w := w - 1
int w := 3; typedef {Wi, dispense, W0} st_T; st_T st := Wi; SetAct take_action( Act α ) { SetAct R := ∅; if st = Wi : if α = DWATER? : w := w − 1; st := dispense; if (w = 0) R := R ∪ {DOK!}; if (w > 0) R := R ∪ {DOK!}; α = FILLUP? : w := 3; st := Wi; R := R ∪ {DWATER?, FILLUP?}; else : R := R ∪ {DWATER?, FILLUP?} fi; st = dispense : if α = DOK! ∧ w = 0 : st := W0; R := R ∪ {FILLUP?}; α = DOK! ∧ w > 0 : st := Wi; R := R ∪ {FILLUP?}; else : R := R ∪ {DOK?} fi; st = W0 : if α = FILLUP? : w := 3; st := Wi; R := R ∪ {DWATER?, FILLUP?}; else : R := R ∪ {FILLUP?} fi; fi; return R; }
– 15 – 2018-07-02 – Scontent –
24/67
– 15 – 2018-07-02 – main –
25/67
– 15 – 2018-07-02 – Sumloutlook –
26/67
http://wikimedia.org (CC nc-sa 3.0, User:AutumnSnow) http://wikimedia.org (CC nc-sa 3.0, User:AutumnSnow) http://wikimedia.org (Public domain, Johannes Fasolt) use case model domain object model analysis model design model class... implementation model ... testing model may be expressed in terms of structured by realized by implemented by tested inin order to handle growing complexity.
Modelling languages: Flowcharts, Nassi-Shneiderman, Entity-Relation Diagrams
— Inflation of notations and methods, most prominent:
Each “persuasion” selling books, tools, seminars...
Standards published by Object Management Group (OMG): “international, open membership, not-for-profit computer industry consortium”. Much criticised for lack of formality.
– 15 – 2018-07-02 – Sumloutlook –
27/67
Figure A.5 - The taxonomy of structure and behavior diagram
Diagram Structure Diagram Behavior Diagram Interaction Diagram Use Case Diagram Activity Diagram Composite Structure Diagram Class Diagram Component Diagram Deployment Diagram Sequence Diagram Interaction Overview Diagram Object Diagram State Machine Diagram Package Diagram Communication Diagram Timing Diagram
OCL
Dobing and Parsons (2006)
– 15 – 2018-07-02 – Sumlmode –
28/67
Recall: definition “model” (Glinz, 2008, 425): (iii) the pragmatic attribute, i.e. the model is built in a specific context for a specific purpose. Examples for context/purpose: Floorplan as sketch: Floorplan as blueprint: Floorplan as program: +
wiringplan
+
windows
+
...
– 15 – 2018-07-02 – Sumlmode –
29/67
The last slide is inspired by Martin Fowler, who puts it like this: “[...] people differ about what should be in the UML because there are differing fundamental views about what the UML should be. I came up with three primary classifications for thinking about the UML: UmlAsSketch, UmlAsBlueprint, and UmlAsProgrammingLanguage. ([...] S. Mellor independently came up with the same classifications.) So when someone else’s view of the UML seems rather different to yours, it may be because they use a different UmlMode to you.” Claim:
– 15 – 2018-07-02 – Sumlmode –
30/67
+
wiringplan
+
windows
+
...
Sketch
In this UmlMode developers use the UML to help communicate some aspects of a
Sketches are also useful in documents, in which case the focus is communication ra- ther than completeness. [...] The tools used for sketching are lightweight drawing tools and often people aren’t too particular about keeping to every strict rule of the UML. Most UML diagrams shown in books, such as mine, are sketches. Their emphasis is on selective communication rather than complete specification. Hence my sound-bite “comprehensive- ness is the enemy of comprehensibility”
Blueprint
[...] In forward engineering the idea is that blueprints are developed by a designer whose job is to build a detailed design for a programmer to code up. That design should be sufficiently complete that all design decisions are laid out and the programming should follow as a pretty straightforward activity that requires little thought. [...] Blueprints require much more sophisticated tools than sketches in
the task. [...] Forward engineering tools support dia- gram drawing and back it up with a repository to hold the information. [...]
ProgrammingLanguage
If you can detail the UML enough, and provide semantics for everything you need in software, you can make the UML be your programming language. Tools can take the UML diagrams you draw and compile them into executable code. The promise of this is that UML is a higher level language and thus more productive than current programming languages. The question, of course, is whether this promise is true. I don’t believe that graphical program- ming will succeed just because it’s graph-
Our goal:
Yet we tried to be consistent with the (informal semantics) from OMG (2007a,b) as far as possible.
– 15 – 2018-07-02 – main –
31/67
– 15 – 2018-07-02 – Sumlstm –
32/67
n
e s resigned X/ X/ X/ X/
e s resigned X/ n fastN
fastW e fastE s fastS F/ F/
e s
fast F/ F/
– 15 – 2018-07-02 – Sumlstm –
33/67
Idle waitOK have_c100_or_e1> have_c100 have_e1 have_c150> have_c50> drinkReady Idle waitOK have_c100_or_e1> have_c100 have_e1 have_c150> have_c50> drinkReady E1/itsChanger
C50/itsChoicePanel
E1/ itsChanger
C50 C50/ itsChanger
C50 E1/itsChoicePanel->enableSoft(); E1 C50 OK Entry Action: itsChoicePanel
Entry Action: itsChoicePanel
Entry Action: itsChoicePanel
Tea_selected Inactive Soft_selected Water_selected Request_sent Tea_selected Inactive Soft_selected Water_selected Request_sent TEA[Tea_enabled] /itsDrinkDispenser
/itsDrinkDispenser
if (itsCoinValidator
itsChanger->giveback_50(); WATER[Water_enabled] /disable_all(); SOFT[Soft_enabled] /itsDrinkDispenser
if (itsCoinValidator->IS_IN(have_c150)) itsChanger->giveback_100(); else if (itsCoinValidator->IS_IN(have_c100)) itsChanger->giveback_50();
T2 Tea_out T1 T3 S2 Soft_out S1 S3 W2 Water_out W1 W3 FillingUp
T2 Tea_out T1 T3 S2 Soft_out S1 S3 W2 Water_out W1 W3 FillingUp DTEA/ Prepare_Tea(); itsCoinValidator
DTEA/ Prepare_Tea(); itsCoinValidator
DTEA/ Prepare_Tea(); itsCoinValidator
DSOFT/ Prepare_Soft(); itsCoinValidator
DSOFT/ Prepare_Soft(); itsCoinValidator
DSOFT/ Prepare_Soft(); itsCoinValidator
DWATER/ Prepare_Water(); itsCoinValidator
DWATER/ Prepare_Water(); itsCoinValidator
DWATER/ Prepare_Water(); itsCoinValidator
FILLUP/itsCoinValidator
– 15 – 2018-07-02 – Sumlstm –
34/67
s2
s8 s4
s6
E/ F/ F/ E/ G/
s7 [true]/ F/ → “Software Design, Modelling, and Analysis with UML” in some winter semesters.
– 15 – 2018-07-02 – Sumlstm –
35/67
C D
x : Int = 27 itsD 0..1 itsC 0..1
s1 s2
E/itsD ! F G
s1 s2
F[x > 0]
s3
/itsC ! G /x := 0 annot ::=
[ [ guard ] ] [ / action]
(optional)
(default: true, assumed to be in ExprS )
(default: skip, assumed to be in ActS )
– 15 – 2018-07-02 – Sumlstm –
36/67 s1 s2
E/itsD ! F G
s1 s2
F[x > 0]
s3
/itsC ! G /x := 0
u1 : C
state : {s1, s2} stable : Bool
u2 : D x = 27
state : {s1, s2, s3} stable : Bool
itsD itsC
u1 u2 step state stable x state stable event pool s1 1 27 s1 1 E ready for u1
– 15 – 2018-07-02 – Sumlstm –
36/67 s1 s2
E/itsD ! F G
s1 s2
F[x > 0]
s3
/itsC ! G /x := 0
u1 : C
state : {s1, s2} stable : Bool
u2 : D x = 27
state : {s1, s2, s3} stable : Bool
itsD itsC
u1 u2 step state stable x state stable event pool s1 1 27 s1 1 E ready for u1 1 s2 1 27 s1 1 F ready for u2
– 15 – 2018-07-02 – Sumlstm –
36/67 s1 s2
E/itsD ! F G
s1 s2
F[x > 0]
s3
/itsC ! G /x := 0
u1 : C
state : {s1, s2} stable : Bool
u2 : D x = 27
state : {s1, s2, s3} stable : Bool
itsD itsC
u1 u2 step state stable x state stable event pool s1 1 27 s1 1 E ready for u1 1 s2 1 27 s1 1 F ready for u2 2 s2 1 27 s2
– 15 – 2018-07-02 – Sumlstm –
36/67 s1 s2
E/itsD ! F G
s1 s2
F[x > 0]
s3
/itsC ! G /x := 0
u1 : C
state : {s1, s2} stable : Bool
u2 : D x = 27
state : {s1, s2, s3} stable : Bool
itsD itsC
u1 u2 step state stable x state stable event pool s1 1 27 s1 1 E ready for u1 1 s2 1 27 s1 1 F ready for u2 2 s2 1 27 s2 3 s2 1 27 s3 G ready for u1
– 15 – 2018-07-02 – Sumlstm –
36/67 s1 s2
E/itsD ! F G
s1 s2
F[x > 0]
s3
/itsC ! G /x := 0
u1 : C
state : {s1, s2} stable : Bool
u2 : D x = 27
state : {s1, s2, s3} stable : Bool
itsD itsC
u1 u2 step state stable x state stable event pool s1 1 27 s1 1 E ready for u1 1 s2 1 27 s1 1 F ready for u2 2 s2 1 27 s2 3 s2 1 27 s3 G ready for u1 4.a s2 1 s1 1 G ready for u1
– 15 – 2018-07-02 – Sumlstm –
36/67 s1 s2
E/itsD ! F G
s1 s2
F[x > 0]
s3
/itsC ! G /x := 0
u1 : C
state : {s1, s2} stable : Bool
u2 : D x = 27
state : {s1, s2, s3} stable : Bool
itsD itsC
u1 u2 step state stable x state stable event pool s1 1 27 s1 1 E ready for u1 1 s2 1 27 s1 1 F ready for u2 2 s2 1 27 s2 3 s2 1 27 s3 G ready for u1 4.a s2 1 s1 1 G ready for u1 5.a s1 1 s1 1
– 15 – 2018-07-02 – Sumlstm –
36/67 s1 s2
E/itsD ! F G
s1 s2
F[x > 0]
s3
/itsC ! G /x := 0
u1 : C
state : {s1, s2} stable : Bool
u2 : D x = 27
state : {s1, s2, s3} stable : Bool
itsD itsC
u1 u2 step state stable x state stable event pool s1 1 27 s1 1 E ready for u1 1 s2 1 27 s1 1 F ready for u2 2 s2 1 27 s2 3 s2 1 27 s3 G ready for u1 4.a s2 1 s1 1 G ready for u1 5.a s1 1 s1 1 4.b s1 1 27 s3
– 15 – 2018-07-02 – Sumlstm –
36/67 s1 s2
E/itsD ! F G
s1 s2
F[x > 0]
s3
/itsC ! G /x := 0
u1 : C
state : {s1, s2} stable : Bool
u2 : D x = 27
state : {s1, s2, s3} stable : Bool
itsD itsC
u1 u2 step state stable x state stable event pool s1 1 27 s1 1 E ready for u1 1 s2 1 27 s1 1 F ready for u2 2 s2 1 27 s2 3 s2 1 27 s3 G ready for u1 4.a s2 1 s1 1 G ready for u1 5.a s1 1 s1 1 4.b s1 1 27 s3 5.b s1 1 s1 1
– 15 – 2018-07-02 – Sumlstm –
37/67
C.h D.h C.cpp D.cpp MainDefaultComponent.cpp
DfltCmp.exe
generate build / make (compiler) run E! go
“D just stepped from s1 to s2 by transition t”
– 15 – 2018-07-02 – Scontent –
38/67
– 15 – 2018-07-02 – Sttwytt –
39/67
verify code against model.
yet provide more convenient syntax.
in contrast to CFA.
(We could define the same for CFA, but then the Uppaal simulator would not be useful any more.)
– 15 – 2018-07-02 – main –
40/67
– 15 – 2018-07-02 – Sblockcontent2 –
41/67
VL 15 . . . VL 16 . . . VL 17 . . . VL 18 . . .
– 15 – 2018-07-02 – Scontent2 –
42/67
– 15 – 2018-07-02 – main –
43/67
– 15 – 2018-07-02 – Stestquotes –
44/67 “Testing is the execution of a program with the goal to discover errors.”
(G. J. Myers, 1979)
“Testing is the demonstration of a program or system with the goal to show that it does what it is supposed to do.”
(W. Hetzel, 1984)
“Software testing can be used to show the presence of bugs, but never to show their absence!”
(E. W. Dijkstra, 1970)
Rule-of-thumb: (fairly systematic) tests discover half of all errors.
(Ludewig and Lichter, 2013)
– 15 – 2018-07-02 – Stestintro –
45/67
Recall:
infinite) computation paths of the form σ0
α1
− − → σ1
α2
− − → σ2 · · · where
The (possibly partial) function · : S → S is called interpretation of S.
there are Σin and Σout such that Σ = Σin × Σout.
π = σi σo
− − → σi
1
σo
1
− − → · · ·
α1
− − → σi
1 α2
− − → · · · , i.e. the projection of π onto Σin.
– 15 – 2018-07-02 – Stestintro –
46/67
and an interpretation · of these descriptions:
Soll ⊆ (Σ × A)∗ ∪ (Σ × A)ω
Examples:
T = (s = "abc", r = 3) s = "abc" = {σi
τ
− → σi
1 | σ0(s) = "abc"},
r = 3 = {σ0
τ
− → σ1 | σ1(r) = 3}, Shorthand notation: T = ("abc", 3).
– 15 – 2018-07-02 – Stestintro –
46/67
and an interpretation · of these descriptions:
Soll ⊆ (Σ × A)∗ ∪ (Σ × A)ω
Examples:
T = (C50, WATER; DWATER) C50, WATER = {σi
C50
− − → σi
1 τ
− → · · ·
τ
− → σi
j−1 WATER
− − − − − → σi
j},
DWATER = {σ0
α1
− − → · · ·
αk
− − → σk−1
DWATER
− − − − − − → σk | k ≤ 10},
– 15 – 2018-07-02 – Stestintro –
46/67
and an interpretation · of these descriptions:
Soll ⊆ (Σ × A)∗ ∪ (Σ × A)ω
Note:
– 15 – 2018-07-02 – Stestintro –
47/67
π = σi σo
− − → σi
1
σo
1
− − → · · · from S is called execution of test case (In, Soll ) if and only if
α1
− − → . . .
αn
− − → σn ↓ Σin ∈ In.
(“A prefix of π corresponds to an input sequence”).
Execution π of test case T is called
∈ Soll.
– 15 – 2018-07-02 – Stestintro –
48/67
such that there is at least one execution for each test case.
if and only if at least one test case execution is positive. Otherwise, it is called negative.
– 15 – 2018-07-02 – Stestintro –
49/67
T = ("", 0) for procedure strlen.
(“Empty string has length 0.”)
π = {s → NULL, r → 0}
τ
− → program-abortion
Note:
Thus π is neither positive nor negative (only defined for test executions).
– 15 – 2018-07-02 – Stestintro –
50/67 Test — (one or multiple) execution(s) of a program on a computer with the goal to find errors.
(Ludewig and Lichter, 2013)
Not (even) a test (in the sense of this weak definition):
Systematic Test — a test such that
that have been fixed before.
(Ludewig and Lichter, 2013)
(Our) Synonyms for non-systematic tests: Experiment, ‘Rumprobieren’. In the following: test means systematic test; if not systematic, call it experiment.
– 15 – 2018-07-02 – main –
51/67
– 15 – 2018-07-02 – Stesttooeasy –
52/67
Strictly speaking, a test case is a triple (In, Soll, Env) comprising a description Env of (environmental) conditions. Env describes any aspects which could have an effect
be specified as part of In, such as:
→ test executions should be (as) reproducible and objective (as possible). Full reproducibility is hardly possible in practice — obviously (err, why...?).
– 15 – 2018-07-02 – Scontent2 –
53/67
– 15 – 2018-07-02 – main –
54/67
– 15 – 2018-07-02 – Slimits –
55/67
the specification to results:
executable, etc.), and
(using requirements specifications).
examination result is positive.
crucial: specification and comparison.
Recall:
checking procedure shows no error reports error artefact has error yes false negative true positive no true negative false positive
specification implement specification comprehend specification “is”-result requirements
compare examination result ✔/✘/? information flow development information flow examination (Ludewig and Lichter, 2013)
– 15 – 2018-07-02 – Slimits –
56/67 “Software testing can be used to show the presence of bugs, but never to show their absence!”
(E. W. Dijkstra, 1970)
– 15 – 2018-07-02 – Slimits –
57/67
Consider a simple pocket calculator for adding 8-digit decimals:
12345678 + 27 7 8 9 4 5 6 + 1 2 3 =
= ,
considered for exhaustive testing, i.e. testing every possible case!
we do not know anything about problems with sequences of inputs...
(Local variables may not be re-initialised properly, for example.)
– 15 – 2018-07-02 – Slimits –
58/67
With ten thousand (10,000) different test cases (that’s a lot!), 9,999,999,999,990,000 of the 1016 possible inputs remain uncovered. In other words: Only 0.0000000001% of the possible inputs are covered, 99.9999999999% not touched.
108 108
– 15 – 2018-07-02 – Spointrange –
59/67
ε δ
For sufficiently small ε-environments of an input, the outputs differ only by a small amount δ.
we strongly expect the bridge to endure cars of 990 kg or 1010 kg.
Vocabulary:
we can not conclude from some values to others.
– 15 – 2018-07-02 – Scontent2 –
60/67
– 15 – 2018-07-02 – Sttwytt2 –
65/67
– 15 – 2018-07-02 – main –
66/67
– 15 – 2018-07-02 – main –
67/67 Booch, G. (1993). Object-oriented Analysis and Design with Applications. Prentice-Hall. Dobing, B. and Parsons, J. (2006). How UML is used. Communications of the ACM, 49(5):109–114. Glinz, M. (2008). Modellierung in der Lehre an Hochschulen: Thesen und Erfahrungen. Informatik Spektrum, 31(5):425–434. Harel, D. (1987). Statecharts: A visual formalism for complex systems. Science of Computer Programming, 8(3):231–274. Harel, D., Lachover, H., et al. (1990). Statemate: A working environment for the development of complex reactive systems. IEEE Transactions on Software Engineering, 16(4):403–414. Jacobson, I., Christerson, M., and Jonsson, P. (1992). Object-Oriented Software Engineering - A Use Case Driven
Ludewig, J. and Lichter, H. (2013). Software Engineering. dpunkt.verlag, 3. edition. OMG (2007a). Unified modeling language: Infrastructure, version 2.1.2. Technical Report formal/07-11-04. OMG (2007b). Unified modeling language: Superstructure, version 2.1.2. Technical Report formal/07-11-02. Rumbaugh, J., Blaha, M., Premerlani, W., Eddy, F., and Lorensen, W. (1990). Object-Oriented Modeling and Design. Prentice Hall.