Refining UML specifications
- the STAIRS method
Ragnhild Kobro Runde
Joint work with Ketil Stølen and Øystein Haugen
SARDAS-seminar 21.05.2008 / Refining UML specifications / Slide 1
Ragnhild Kobro Runde
Outline
•
•
•
•
•
Introduction to sequence diagrams.
What is refinement?
The pragmatics of creating sequence diagrams.
The pragmatics of refining sequence diagrams.
Summary.
SARDAS-seminar 21.05.2008 / Refining UML specifications / Slide 2
Ragnhild Kobro Runde
Example: Appointment system
• MakeAppointment
• CancelAppointment
• DecideAppTime
SARDAS-seminar 21.05.2008 / Refining UML specifications / Slide 3
Ragnhild Kobro Runde
UML sequence diagrams
sd CancelAppointment
:Client
:AppSystem
Message
cancel(appointment)
Lifeline
(instance)
appointmentCancelled()
Send-event
appointmentSuggestion(time)
Receive-event
yes()
appointmentMade()
• Partial ordering of events:
- The send event is ordered before the corresponding receive event.
- Events on the same lifeline are ordered from the top and downwards.
• CancelAppointment specifies two traces.
SARDAS-seminar 21.05.2008 / Refining UML specifications / Slide 4
Ragnhild Kobro Runde
Referencing
sd DecideAppTime
:Client
:AppSystem
appointmentSuggestion(time)
yes()
appointmentMade()
SARDAS-seminar 21.05.2008 / Refining UML specifications / Slide 5
Ragnhild Kobro Runde
UML 2.x operators
sd D2
:L1
:L2
a
loop {0...4}
b
SARDAS-seminar 21.05.2008 / Refining UML specifications / Slide 6
Ragnhild Kobro Runde
Sequence diagrams as example runs
sd CancelAppointment
:Client
:AppSystem
cancel(appointment)
appointmentCancelled()
appointmentSuggestion(time)
yes()
appointmentMade()
• A sequence diagram is a
partial description!
• Positive traces represent
valid system behaviour.
• Negative traces represent
invalid system behaviour.
• All remaining traces are
called inconclusive.
Positive
Inconclusive
Negative
SARDAS-seminar 21.05.2008 / Refining UML specifications / Slide 7
Ragnhild Kobro Runde
Outline
•
•
•
•
•
Introduction to sequence diagrams.
What is refinement?
The pragmatics of creating sequence diagrams.
The pragmatics of refining sequence diagrams.
Summary.
SARDAS-seminar 21.05.2008 / Refining UML specifications / Slide 8
Ragnhild Kobro Runde
Refinement
• Refinement is a development step, adding more
information to the model.
• Step-wise refinement.
• Compositional refinement.
SARDAS-seminar 21.05.2008 / Refining UML specifications / Slide 9
Ragnhild Kobro Runde
Other changes
• Not all changes are refinements!
- Correcting errors.
- Handling changed requirements.
- Describing the system addressing a different concern,
i.e. from a different viewpoint.
SARDAS-seminar 21.05.2008 / Refining UML specifications / Slide 10
Ragnhild Kobro Runde
Outline
• Introduction to sequence diagrams.
• What is refinement?
• The pragmatics of creating sequence diagrams.
- The pragmatics of alternative behaviour
- The pragmatics of guards
- The pragmatics of negative behaviour
• The pragmatics of refining sequence diagrams.
• Summary.
SARDAS-seminar 21.05.2008 / Refining UML specifications / Slide 11
Ragnhild Kobro Runde
Alternative behaviour
sd DecideAppTime
:Client
:AppSystem
appointmentSuggestion(time)
yes()
xalt
appointmentMade()
no()
noAppointment()
• alt ≈ similar traces, giving implementation freedom
• xalt ≈ traces that must all be present in the system
SARDAS-seminar 21.05.2008 / Refining UML specifications / Slide 12
Ragnhild Kobro Runde
Alternative behaviour (2)
SARDAS-seminar 21.05.2008 / Refining UML specifications / Slide 13
Ragnhild Kobro Runde
Guards
sd CancelAppointment
:Client
:AppSystem
cancel(appointment)
[ appointment < now + 24h ]
xalt
errorMessage()
[ else ]
appointmentCancelled()
ref
DecideAppTime
• Use guards to constrain the situations in which the different
alternatives are positive.
• Traces with a false guard are negative. Always make sure that for
each alternative, the guard is sufficiently general to capture all
possible situations in which the described traces are positive.
SARDAS-seminar 21.05.2008 / Refining UML specifications / Slide 14
Ragnhild Kobro Runde
Guards (2)
sd MakeAppointment
:Client
alt
:AppSystem
[ true ]
needApp()
[ date ≥ today ]
needApp(date)
[ 7 ≤ hour ≤ 17 ]
needApp(hour)
ref
DecideAppTime
• In an alt-construct, make sure that the guards are exhaustive.
• If doing nothing is valid, specify this by using the empty diagram, skip.
SARDAS-seminar 21.05.2008 / Refining UML specifications / Slide 15
Ragnhild Kobro Runde
Negative behaviour
• To effectively constrain the
implementation, the specification
should include a reasonable set of
negative traces.
• Use veto when the empty trace
(i.e. doing nothing) should be
positive, as when specifying a
negative message in an otherwise
positive scenario.
• Use refuse when specifying that
one of the alternatives in an altconstruct represents negative
traces.
• Use assert on an interaction
fragment when all possible positive
traces for that fragment have been
described.
SARDAS-seminar 21.05.2008 / Refining UML specifications / Slide 16
Ragnhild Kobro Runde
Outline
•
•
•
•
•
Introduction to sequence diagrams.
What is refinement?
The pragmatics of creating sequence diagrams.
The pragmatics of refining sequence diagrams.
Summary.
SARDAS-seminar 21.05.2008 / Refining UML specifications / Slide 17
Ragnhild Kobro Runde
Refinement in STAIRS
Positive
Supplementing
Inconclusive
Narrowing
Negative
SARDAS-seminar 21.05.2008 / Refining UML specifications / Slide 18
Ragnhild Kobro Runde
Supplementing
sd DecideAppTime
:Client
:AppSystem
appointmentSuggestion(time)
yes()
xalt
appointmentMade()
no()
noAppointment()
• Use supplementing to add positive
or negative traces to the model.
• All of the original positive traces
must remain positive and all of the
original negative traces must
remain negative.
• Do not use supplementing on the
operand of an assert.
SARDAS-seminar 21.05.2008 / Refining UML specifications / Slide 19
Ragnhild Kobro Runde
Narrowing
sd MakeAppointment
:Client
alt
sd MakeAppointment
:AppSystem
[ true ]
needApp()
[ date ≥ today ]
needApp(date)
[ 7 ≤ hour ≤ 17 ]
needApp(hour)
ref
:Client
alt
:AppSystem
[ true ]
needApp()
[ date ≥ today ]
needApp(date)
refuse
needApp(hour)
ref
DecideAppTime
DecideAppTime
• Use narrowing to remove underspecification by redefining positive
traces as negative.
• All original negative traces must remain negative.
SARDAS-seminar 21.05.2008 / Refining UML specifications / Slide 20
Ragnhild Kobro Runde
Narrowing (2)
sd CancelAppointment
:Client
:AppSystem
cancel(appointment)
[ appointment < now + 24h ]
xalt
errorMessage()
[ else ]
appointmentCancelled()
ref
DecideAppTime
• Guards may be added to an alt/xalt-construct as a legal narrowing
step.
• Guards may be narrowed, i.e. the refined condition must imply the
original one.
SARDAS-seminar 21.05.2008 / Refining UML specifications / Slide 21
Ragnhild Kobro Runde
Outline
•
•
•
•
•
Introduction to sequence diagrams.
What is refinement?
The pragmatics of creating sequence diagrams.
The pragmatics of refining sequence diagrams.
Summary.
SARDAS-seminar 21.05.2008 / Refining UML specifications / Slide 22
Ragnhild Kobro Runde
Summary
• Take special care when specifying
- alternative behaviours
- negative behaviours
• Refinement means adding more information
- supplementing: new positive/negative traces
- narrowing: positive traces redefined as negative
• These refinement notions enable
- step-wise refinement
- compositional refinement
SARDAS-seminar 21.05.2008 / Refining UML specifications / Slide 23
Ragnhild Kobro Runde
Evaluation
• Formal proofs
- Transitivity.
- Monotonicity.
• Other examples/cases
-
Automatic teller machine.
Vending machine with tea/coffee.
Network communication.
Games: tic-tac-toe, flipping a coin, throwing a dice.
Gambling machine.
BuddySync: automatically matching service providers
with users of those services.
SARDAS-seminar 21.05.2008 / Refining UML specifications / Slide 24
Ragnhild Kobro Runde
Thank you!
ragnhild.runde@ifi.uio.no
http://heim.ifi.uio.no/~ragnhilk/
SARDAS-seminar 21.05.2008 / Refining UML specifications / Slide 25
Ragnhild Kobro Runde