02/13/162:15 AM Translating Graphically-Based Object-Oriented Specifications to Formal Specifications Scott A. DeLoach Air Force Institute of Technology Department of Electrical and Computer Engineering Wright-Patterson Air Force Base, OH 45433-7765 scott.deloach@afit.af.mil Jeffrey E. Smith Sanders, a Lockheed Martin Company Nashua, NH 03061 jeffrey.e.smith@lmco.com Thomas C. Hartrum Air Force Institute of Technology Department of Electrical and Computer Engineering Wright-Patterson Air Force Base, OH 45433-7765 thomas.hartrum@afit.af.mil Abstract Formal software specification has long been touted as a way to increase the quality and reliability of software; however, it remains an intricate, manually intensive activity. An alternative to using formal specifications is to use graphically-based, semi-formal specifications such as those used in many objectoriented specification methodologies. While semi-formal specifications are generally easier to develop and understand, they lack the rigor and precision of formal specification techniques. The basic premise of this investigation is that formal software specifications can be constructed using correctness preserving transformations from grahically-based object-oriented representations. In earlier work, an algebraic model of object-orientation was developed that defines how object-oriented concepts are represented algebraically using an object-oriented algebraic specification language O-SLANG. In this work, we develop transformations from the Unified Modeling Language Class and Statechart Diagrams to formal O-SLANG SPECIFICATIONS. Categories and subject descriptors: D.2.2 [Software Engineering]: Design Tools and Techniques – Computer aided software engineering; F.3.1 [Logics and Meanings of Programs]: Specifying and Verifying and Reasoning about Programs – Specification techniques; F.4.3 [Mathematical Logic and Formal Languages]: Formal languages – Algebraic language theory; I.2.2 [Artificial Intelligence]: Automatic Programming – Program transformation General Terms: Theory, Design Keywords: formal methods, specification acquisition, specification transformation D:\116107556.doc TABLE OF CONTENTS 1. 2. 3. INTRODUCTION ................................................................................................................................................... 1 THEORY FUNDAMENTALS ............................................................................................................................... 3 THEORY-BASED OBJECT MODEL .................................................................................................................. 6 3.1 INHERITANCE .................................................................................................................................................... 7 3.2 AGGREGATION .................................................................................................................................................. 8 3.3 ASSOCIATIONS .................................................................................................................................................. 9 3.4 OBJECT COMMUNICATION ............................................................................................................................... 11 3.5 SYNTAX........................................................................................................................................................... 12 4. UNIFIED MODELING LANGUAGE DIAGRAMS ......................................................................................... 13 4.1 CLASS DIAGRAM ............................................................................................................................................. 14 4.2 STATECHART DIAGRAM .................................................................................................................................. 16 4.2.1 Restrictions to the UML Statechart Diagram............................................................................................. 18 5. DIAGRAM TRANSLATION ............................................................................................................................... 18 5.1 CLASS DIAGRAM TRANSLATIONS .................................................................................................................... 19 5.1.1 Classes ....................................................................................................................................................... 19 5.1.1.1 5.1.1.2 5.1.1.3 5.1.2 5.1.3 Class Sets ................................................................................................................................................... 24 Aggregates ................................................................................................................................................. 25 5.1.3.1 5.1.4 Attributes ............................................................................................................................................................ 20 Operations .......................................................................................................................................................... 22 Constraints .......................................................................................................................................................... 24 Domain Theory Aggregate ................................................................................................................................. 28 Associations ............................................................................................................................................... 29 5.1.4.1 Link Classes........................................................................................................................................................ 30 5.2 STATECHART DIAGRAM TRANSLATIONS ......................................................................................................... 31 5.2.1 States .......................................................................................................................................................... 31 5.2.2 Transitions ................................................................................................................................................. 32 5.2.2.1 5.2.2.2 5.2.2.3 5.2.2.4 5.2.2.5 6. 7. Old-State............................................................................................................................................................. 34 Guard-Condition ................................................................................................................................................. 34 New-State ........................................................................................................................................................... 34 Method-Invocations ............................................................................................................................................ 35 Event-Sends ........................................................................................................................................................ 35 TRANSFORMATION VALIDATION ............................................................................................................... 35 DEMONSTRATION SYSTEM ........................................................................................................................... 36 7.1 EXAMPLE ........................................................................................................................................................ 37 8. FUTURE WORK .................................................................................................................................................. 39 9. ACKNOWLEDGMENTS..................................................................................................................................... 40 10. REFERENCES ...................................................................................................................................................... 41 1. Introduction As the field of software engineering continues to evolve toward a more traditional engineering discipline, an important concept to this evolution will be the use of formal specifications [1, 2]. Formal specifications have many potential benefits, ranging from the increased quality of the specification itself, to automatic code generation. While some impressive results have been reported [3, 4], developing formal specifications that adequately represent a user's requirements is still a difficult task and has slowed the adoption of formal specifications by practitioners. Specification acquisition problems include a lack of expertise in mathematical and logical concepts among software developers, an inability to effectively communicate formal specifications with end users, and the tendency of formal notations to restrict solution creativity [5]. Fraser et al. suggest an approach to overcoming these problems via parallel refinement of semi-formal and formal specifications. In a parallel refinement approach, designers develop specifications using both semi-formal and formal representations, successively refining both representations in parallel [5]. On the other hand, an approach to requirements modeling that has been gaining acceptance is the use of grahically-based object-oriented methods. Initially introduced as a programming paradigm, object orientation has been extended to the entire software lifecycle. This semi-formal approach, consisting of graphical representations and natural language descriptions, has many variations, but the Unified Modeling Language (UML) is now an Object Management Group (OMG) standard [6, 7]. In UML, many models are combined to capture the essence of a software system. The Use Case Diagram is used during analysis to organize the system behavior. The Sequence Diagram and Collaboration Diagram are the two diagrams that describe how objects in the system interact. The Class Diagram captures the structural aspects of the system by defining objects, their attributes, and the relationships between them. The Statechart Diagram and Activity Diagram capture the internal control flow of object classes. The Component Diagram shows the dependencies between software components and the Deployment Diagram shows the configuration of system components at runtime. Some UML diagrams overlap and not all UML diagrams are required to capture the software system's requirements. For a given system, 1 some of the models may be of lesser importance and omitted. Our work concentrates on two of the more widely used diagrams: Class Diagrams and Statechart Diagrams. We chose to use these two diagrams since they model basic system structure and behavior. Defining provably correct formal transformations from semi-formal to formal object-oriented models is critical to the successful application of the parallel refinement approach discussed above. This paper describes a method for translating UML specifications into our theory-based model of object-oriented concepts described in an earlier paper [8]. In our previous work, we developed an algebraic language O-SLANG as an extension of Kestrel Institute's Slang [9]. O-SLANG not only supports an algebraic representation of objects, but also allows the use of category theory operations such as morphisms and colimits to combine primitive object specifications to form more complex aggregates and to extend object specifications to capture multiple inheritance [10]. Category theory itself has been gaining popularity in formal approaches to software engineering. While many formal specification techniques provide the ability to describe the structure and behavior of problems, category theory explicitly captures relationships between specification objects. This capability has led to its selection as the formal foundation for the emerging UML-RT standard [11]. There are at least two methods of implementing correctness proving transformations from UML to a Slang formal specification. One approach is to construct a Slang form of the UML Semantics Guide [12] and to ensure that a transformation from a UML application to Slang is consistent with the Slang form of UML Semantics [13-15]. Our approach is to define a theory-based object model, with an associated object-based formal specification language (viz. O-SLANG) and to translate UML applications to O-SLANG. In a related effort, we performed the language-to-language translation of O-SLANG to Slang. This distinction is important in explaining our theory-based object model. In the first approach, an object and instance are both meta-objects, specified in the UML Semantics Guide, and are dependent on a metaobject hierarchy that includes specifications of many other meta-objects, e.g. Classifier, Association, Attribute, etc., all of which have only semi-formal semantic specification. In this paper, we give our (meta) objects a precise meaning with respect to the given theory-based object model. 2 The remainder of the paper is organized as follows. Section 2 defines the basic concepts of theory-based algebraic specification, while Section 3 gives a quick overview of our theory-based object model. Section 0 introduces the UML Class and Statechart Diagrams and Section 5 defines their translation into the theory-based object model. Section 6 presents our method for proving the transformations are correct while Section 7 discusses a demonstration system that produces O-SLANG directly from UML diagrams. Finally, Section 8 presents our plans for future research. 2. Theory Fundamentals Theory-based algebraic specification is concerned with (1) modeling system behavior using algebras (a collection of values and operations on those values) and axioms that characterize algebra behavior, and (2) composition of larger specifications from smaller specifications. Composition of specifications is accomplished via specification building operations defined by category theory constructs [16]. A theory is the set of all assertions that can be logically proved from the axioms of a given specification. Thus, a specification defines a theory and is termed a theory presentation. In algebraic specifications, the structure of a specification is defined in terms of sorts, which are abstract collections of values, and operations over those sorts. This structure is called a signature. A signature describes the structure of a solution; however, it does not describe the meaning of that structure. To specify semantics, a signature is extended with axioms defining the intended semantics of signature operations. A signature with its associated axioms is a specification. An example of a specification is shown in Figure 1. spec ARRAY is sorts E, I, A operations assign : A, I, E A apply : A, I E axioms (i,j I, a A, e E) (i = j) apply(assign(a,i,e),j) = e; (i j) apply(assign(a,i,e),j) = apply(a,j) end-spec Figure 1. Array Specification 3 A specification allows us to formally define the internal structure of object classes (attributes and operations); however, they do not provide the capability to reason about relationships between object classes. To create theory-based algebraic specifications that parallel object-oriented specifications, the ability to define and reason about relationships between theories, similar to those used in object-oriented approaches (inheritance, aggregation, etc.), must be available. Category theory is an abstract mathematical theory used to describe the external structure of various mathematical systems [17] and is used here to describe relationships between specifications. A category consists of a collection of C-objects and C-arrows between objects such that (1) there is a C-arrow from each object to itself, (2) C-arrows are composable, and (3) arrow composition is associative. An obvious example is the category Set where “C-objects” are sets and “C-arrows” are functions between sets. However, of greater interest in our research is the category Spec. Spec consists of specifications as the “C-objects” with specification morphisms as the “C-arrows”. A specification morphism, , is a pair of functions that map sorts (S) and operations () from one specification to compatible sorts and operations of a second specification such that the axioms of the first specification are theorems of the second specification. Intuitively, specification morphisms define how one specification is embedded in another. An example of a morphism from array (Figure 1) to finite-map, as shown in Figure 2, is as follows. = {assign update, apply apply} S = {A M, I D, E R} Specification morphisms are the basic instrument for defining and refining specifications. However, we can extend the notion of a specification morphism to allow for the creation of new specifications from a set of existing specifications. Often two specifications derived from a common ancestor specification need to be combined. The desired combination consists of the unique parts of two specifications and some “shared part” common to both specifications (the part defined in the shared ancestor specification). This combining operation is a colimit. 4 spec FINITE-MAP is sorts M, D, R operations empty : M update : M, D, R M apply : A, D R def? : A, D Boolean axioms (d1,d2 D, m M, r R) (d1 = d2) apply(update(m,d2,r),d1) = r; (d1 d2) apply(assign(m,d2,r),d1) = apply(m,d1); def?(update(m,d2,r),d1) = (d1 = d2) def?(m,d1); def?(empty,d1) = false end-spec Figure 2. Finite Map Specification Conceptually, a colimit defines a colimit specification that is the “shared union” of a set of specifications based on the morphisms between the specifications. These morphisms define equivalence classes of sorts and operations. For example, as shown in Figure 3, if a morphism, , from specification A to specification B maps sort to sort , then and are in the same equivalence class and thus become a single sort in the colimit specification created by taking the colimit of A, B, and . In addition to the colimit specification, the colimit operation creates a specification morphism from each specification to the colimit specification. spec A is sort end-spec : { } A B colimit spec spec B is sort end-spec spec colimit-spec is sort {, } end-spec Figure 3. Colimit Example From these basic instruments (morphisms and colimits), we can construct specifications in a number of ways [16]. We can (1) build a specification from a signature and a set of axioms, (2) form the union of a set of specifications via a colimit, (3) rename sorts or operations via a specification morphism, and (4) parameterize specifications. Many of these methods are useful in translating object-oriented specifications into theory-based specifications. 5 3. Theory-Based Object Model In object-orientation, the object class defines the structure of an object and its response to external stimuli based on its current state. In our theory-based object model, we capture the structure of a class as a theory presentation, or algebraic specification, in O-SLANG, an object-oriented algebraic specification language. In these class specifications, we use sorts to describe collections of data values. In our theory-based object model, the class sort is a distinguished sort that represents the set of all possible objects in the class. In an algebraic sense, this is actually the set of all possible abstract value representations of objects in the class. Attributes, methods, and operations are defined as functions in O-SLANG class specifications. Attributes are defined implicitly by functions that return specific data values while methods are functions that modify an object's attribute values. In Figure 4, the functions create-person and increment-age are methods. The semantics of functions, as well as invariants between class attribute values, are defined using first order predicate logic axioms. In the theory-based object model, we capture the notion of state explicitly by separating state attributes from normal attributes. An O-SLANG class specification has at least one state sort, a set of states that are elements in a state sort (defined by nullary functions), and a state attribute defined over each state sort as a function that returns the current state of an object. Typically, a single state sort is used to model simple state-based objects; however, we can use multiple state sorts to model more complex objects that require concurrent or substate models. In Figure 4, the class state sort is Person-State, the class state attribute is person-state, and the actual states are young and old. Communication between objects is handled by events, which are functions that may invoke methods, generate events for other objects, and directly modify state attributes. Events are distinct from methods to separate control from execution. Each class has a new event which triggers the create method to create a new object and initialize its attributes. In Figure 4, the functions new-person and birthday are events. 6 class PERSON is import Sex, Natural class sort Person sorts Person-State operations person-attr-equal : Person, Person Boolean attributes age : Person Integer gender : Person Sex state-attributes person-state : Person Person-State methods create-person : Sex Person increment-age : Person Person states old, young : Person-State events new-person : Sex Person birthday : Person Person axioms (p, p1: Person, s : Sex) old young; person-state(a) = young age(a) < 30; person-state(a) = old age(a) 30; person-attr-equal(p, p1) gender(p) = gender(p1) age(p) = age(p1); age(create-person(s)) = 0 gender(create-person(s)) = s; age(increment-age(p)) = age(p) + 1 gender(increment-age(p)) = gender(p); person-attr-equal(birthday(p), increment-age(p)); person-attr-equal(new-person(s), create-person(s)) end-class Figure 4. Person Class Operations are functions that do not modify attribute values and are generally used to compute derived attributes. In Figure 4, the function person-attr-equal is an operation. Similar to methods and events, the semantics of operations are also defined using first order predicate logic axioms. In order to manage a set of objects in a class, a class set is also created for each class defined. A class set is a class whose class sort is a set of objects from a previously defined object class. A class set includes class event definitions for each event in the original class. This class event is defined so that the reception of a class event by a class set object sends the corresponding event to each object in the class set. 3.1 Inheritance Our theory-based object model uses a strict form of inheritance that allows a subclass object to be freely substituted for a superclass object in any situation as captured in the “substitution property” [18]: 7 If for each object o1 of type S there is an object o1 of type T such that for all programs P defined in terms of T the behavior of P is unchanged when o1 is substituted for o1, then S is a subtype of T. We can ensure the substitution property holds if we have a specification morphism from the superclass to the subclass and the subclass class sort is a sub-sort of the superclass class sort. In O-SLANG, this is usually done using the import operation, which includes the superclass specification directly into the subclass specification, and a statement that ensures the appropriate sub-sort relationship between the class sorts. An example of single inheritance, using a subclass of the Person class, is shown in Figure 5. The import statement includes all the sorts, functions, and axioms declared in the Person class directly into the new class. The class sort declaration, Student < Person, states that Student is a sub-sort of Person, and as such, all functions and axioms that apply to a Person object apply to a Student object as well. Multiple inheritance requires a slight modification to the notion of inheritance stated above. The set of superclasses must first be combined via a category theory colimit operation and then used to “inherit from”. Importing the colimit specification and specifying that the class sort is a sub-sort of each of the superclass sorts ensures that the subclass inherits from each superclass and satisfies the substitution property. 3.2 Aggregation Aggregation is a relationship between two classes where one class, the aggregate, represents an entire assembly and the other class, the component, is “part-of” the assembly. Not only do aggregate classes allow the modeling of systems from components, but they also provide a convenient context in which to define constraints and associations between components. Components of an aggregate class are modeled similarly to attributes of a class through the concept of object-valued attributes. An object-valued attribute is a class attribute whose sort type is a set of objects – the class sort of another class. Formally, object-valued attributes are functions that take an object and return an external object or set of objects. An aggregate class combines a number of classes via the colimit operation to specify a system or subsystem. The colimit operation also unifies sorts and functions defined in separate classes, 8 associations, and events. To capture the entirety of a domain model within a single structure, we can create a domain-level aggregate. To create this aggregate, the colimit of all classes and associations within the domain is taken. class STUDENT is import Person, Class class sort Student < Person operations student-attr-equal : Student, Student Boolean attributes class : Student Class methods create-student : Student increment-class : Student, Date Student events new-student : Student promote : Student Student axioms (s, s1: Student) student-attr-equal(a, a1) class(s) = class(s1) person-attr-equal(s, s1); class(s) = Freshman class(increment-class(s)) = Sophomore; class(s) = Sophomore class(increment-class(s)) = Junior; class(s) = Junior class(increment-class(s)) = Senior; class(s) = Senior class(increment-class(s)) = Alumni; age(increment-class(s)) = age(s); gender(increment-class(s)) = gender(s); class(create-student(s)) = Freshman age(create-student(s) = age(create-person(s)) gender(create-student(s)) = gender(create-person(s)); student-attr-equal(promote(s), increment-class(s)); student-attr-equal(new-student(), create-student()) end-class Figure 5. Student Class 3.3 Associations Associations model the relationships between aggregate components. We define a link as an actual connection, or relationship, between specific object instances and an association as a set of such links. A link defines which object classes are related, along with any link attributes or link functions. A link is basically a class specification that uses object-valued attributes to reference other objects while associations are represented as a class set of links. 9 Association multiplicities are defined as the number of links in which any given object may participate. These multiplicities are defined as constraints on the links in an association and can be captured axiomatically in the association specification. Examples of a link and association specification are given in Figure 6 and Figure 7 respectively. This example defines an association between the Student class as shown in Figure 5 and a similarly defined Teacher class (not shown). The student – teacher (ST-Link) link specification relates objects from the two classes without embedding internal references into the classes themselves. Although the names of the object-valued attributes and sorts correspond to the Student and Teacher classes, the link specification does not formally tie the classes together. This relationship is actually formalized in the aggregate specification. link ST-LINK is class sort ST-Link sorts Student, Teacher operations ca-link-attr-equal : ST-Link, ST-Link Boolean attributes student : ST-Link Student teacher : ST-Link Teacher methods create-st-link : Student, Teacher ST-Link events new-st-link : Student, Teacher ST-Link axioms (l1,l2: ST-Link) st-link-attr-equal(l1,l2) student(l1) = student(l2) teacher(l1) = teacher(l2); (s: Student, t: Teacher) student(create-st-link(s,t)) = s teacher(create-st-link(s,t)) = t; (s: Student, t: Teacher) st-link-attr-equal(new-st-link(s,t), create-st-link(s,t)) end-link Figure 6. Student-Teacher Link The Student-Teacher class defines a set of ST-Link objects while its axioms define the multiplicity relationships between teachers and students. In this case a student must have at least one teacher while a teacher may have zero or more students. The sorts Students and Teachers are implicitly defined as sets of individual students and teachers respectively and are unified with their related class set in a higher level aggregate class. 10 association STUDENT-TEACHER is link-class ST-Link class sort Student-Teacher sorts Teachers, Students methods image : Student-Teacher, Student Teachers image : Student-Teacher, Teacher Students events new-student-teacher : Student-Teacher axioms % multiplicity axioms (st: Student-Teacher, s: Student) size(image(st, s)) 1; (st: Student-Teacher, t: Teacher) size(image(st, t)) 0; % new event definition new-student-teacher() = empty-set; ... definition of image operations ... end-association Figure 7. Student-Teacher Association 3.4 Object Communication In our theory-based object model, each object is aware of only a certain set of events that it generates or receives. From an object's perspective, these events are generated and broadcast to the entire system and received from the system. In this scheme, each event is defined in a separate event theory as shown in Figure 8. event EVENT-NAME is class sort Class-Sort sorts Param-Sort events event-name : Class-Sort, Param-Sort Class-Sort end-class Figure 8. Event Theory An event theory consists of a class sort, parameter sorts, and an event signature that are mapped via morphisms to sorts and events in the generating and receiving classes. If an event is being sent to a single object then the event theory class sort is mapped to the class sort of that object class. However, if the event theory class sort is mapped to the class sort of a class set then communication may occur with a set of objects of that class. The other sorts in an event theory class are the sorts of event parameters. The final part of an event theory, the event signature, is mapped to a compatible event signature in the receiving class. The colimit of the classes and the event theory are used to unify the event and sorts of 11 two or more classes so that invocation of the event in the generating class corresponds to an invocation of the actual event in the receiving class. Communicating with objects from multiple classes requires the addition of another level of specification that “broadcasts” the communication event to all interested object classes. The class sort of a broadcast theory is called a broadcast sort and represents the object with which the sending object communicates. The broadcast theory then defines an object-valued attribute for each receiving class. Multiple receiver classes add a layer of specification; however, multiple sending classes are handled very simply. The only additional construct required is a morphism from each sending class to the event theory mapping the appropriate object-valued attribute in the sending class to the class sort of the event theory, and the event signature in the sending class to the event signature in the event theory. 3.5 Syntax The syntax used to capture the theory-based object model is shown below. Lowercase names represent terminal symbols, “{…}” represents a set, “<…>” represents a tuple and “[…]” represents a sequence. It should be noted that while axioms have a very specific syntax, we have omitted the complete description here for simplicity. Since we only describe a subset of the formal mappings between the UML models and the theory-based model (see [19] for the complete set), we have omitted the syntax definitions for all specification types (abstract classes, events, links, associations, and aggregates) except the basic class definition, which is used in the formal mappings presented in this paper. TheoryModel = {Spec} Spec = C | Event | Link | A | Aggregate C = <name, ClassSort, Operations, Imports, Sorts, Attributes, Methods, StateAttrs, Events, States, Axioms, contained-in> ClassSort = <name, Subsorts> Operations = {Op} Attributes = {Op} Methods = {Op} StateAttrs = {Op} Events = {Op} 12 States = {Op} Imports = {name} Sorts = {name} Subsorts = {name} Axioms = {valid O-SLANG expression} Op = <name, Domain, Range> Domain = [sort] Range = [sort] 4. Unified Modeling Language Diagrams In this section, we present an overview of the two UML diagrams under consideration – Class and Statechart – and some restrictions placed on their use in our research. The restrictions imposed on the diagrams ensure we can automatically translate them from their graphical notation to an algebraic representation. Translation of grahically-based models into algebraic specifications in the category Spec requires that two criteria be met. First, all entities in the model must correspond to components of an algebraic specification or be defined using category theory constructs. This means that all important features of the model must be representable as specifications, functions, sorts, first-order axioms defined over those sorts and functions, or category theory operations between specifications. The second requirement is that there must be a single, unique interpretation of the model. In a previous paper [8], we defined a theory-based model of object-orientation, originally based on concepts from Rumbaugh's OMT. In this paper, we define transformations from UML Class and Statechart Diagrams into our O-SLANG algebraic specification language. We originally showed the correctness of these transformations from OMT to O-SLANG [19]. Since the UML Class and Statechart Diagrams have changed little from OMT, we do not reproduce those results here. A complete comparison between UML and OMT features was given in an early version (0.8) of the Unified Method, comparing 97 features of UML and OMT (as well as the Booch method). Most of these features were similar with 13 respect to Class/Object properties and Statechart Diagrams. Table 1 is exemplary of some of the key, primarily notational, differences. 4.1 Class Diagram The UML Class Diagram defines the structure of a domain based on classes of objects and the relationships between them. A UML class, C, defines the structure of a similar set of objects. This structure is defined by attributes, which are data that describe various aspects of an object, and operations that describe how an object behaves. Table 1. Class and Object Properties UML/OMT Comparison Chart Feature abstract class UML Keyword “abstract" as class property parameterized class class rectangle impacted by small dashed rectangle containing list of template arguments in attribute format stacked objects indicating anonymous set of objects, stacked to upper right link line to multiobject implies multilink dashed arrow (dependency) labeled friend from the friend to the supplier multiobject multilink friend nested class global visibility of a category dependency parallel inheritance nest class box within other class box or special icon within the name compartment of the class box stereotype “global" dashed line from a client to a supplier Grouping with “and" constraint OMT multiplicity 0 in upper right of class C++ like syntax with a list of actual expressions N/A N/A % in front of the name of the friend class or operation within the supplier class none N/A deemed unnecessary explicit with multiple generalization symbols A UML association, A, captures relationships between objects. Associations are relationships between two or more classes and include the special relationships: aggregation and inheritance. Aggregation describes a “part-of” relationship between an object and a sub-object (or its component), which is used to make up the aggregate object. In UML, aggregation is the exception from the other relationships described in this paper in that there is no meta-object specification for an aggregation. An aggregation is an association where one of the ends of an association connection is marked with the type of aggregation (marked as aggregate if the other end, or part, may be contained in other aggregates or marked as 14 composite if the other end may not be part of any other composite). Inheritance describes a “generalization-specialization” relationship between two classes of objects where, if A is a subclass of B, then objects of class A are also objects of class B. General associations represent some relationship between two or more object classes. These associations can be a simple relation between two classes or may be more complex with class-like properties such as attributes and operations. An association may also have a role name for each class in the association as well as qualifiers, which are attributes that identify specific objects associated with a specific object. Finally, each association has a specific multiplicity, which defines the number of objects that may be associated with another object. Thus we can represent a UML class in a formal notation as a set consisting of the attributes shown below. (The State and Transition parts of a class are discussed in Section 4.2.) UMLmodel = <{ C}, {A}> C = <name, Attributes, Operations, Superclasses, Components, States, Transitions, Constraints> A = <name, Attributes, Operations, Classes> Attributes = {Attribute} Attribute Normal Derived = Normal | Derived = <name, type, Axiom> = <name, type, Axiom> Operations = {Operation} Operation = <name, Parameters, type, Axioms> Parameters = {Parameter} Parameter = <name, type> Superclasses = {name} Constraints = {Axiom} Components = {name} Axioms = {Axiom} Axiom = valid O-SLANG expression Classes = {Class} Class = <name, role, Qualifier, Multiplicity> Qualifier = <name, type> Multiplicity = {<lower, upper>} 15 An example of a UML Class Diagram, the Pump domain, is shown in Figure 9. Basically, the diagram models a type of pump, or more precisely, two types of pumps – sophisticated and regular – that are subtypes of a basic pump class. Each object in a pump class has a Pump-ID attribute and consists of one Gun-Holster-Assemblies, Clutch-Motor-Assemblies, and Displays. Each Gun-Holster-Assembly object consists of a Gun object and a Holster object. While both the Gun and Holster classes appear to be simple classes with no attributes, their Statecharts are non-trivial. Likewise, a Clutch-Motor-Assembly object has exactly two components, Motor and Clutch, which also are defined by their dynamic models. The Display class has a more typical appearance than the Gun, Holster, Motor, or Clutch classes in that it has four attributes: cost, volume, ppg, and grade. Gun Holster Motor Gun-Holster-Assembly Clutch Clutch-Motor-Assembly Display cost : amount = 0 volume : volume = 0 grade / ppg : amount = cost / volume set-amount() Pump Pump-id : integer Regular Sophisticated volume-select : volume = 0 amount-select : amount = 0 Figure 9. Pump Domain Object Model 4.2 Statechart Diagram The concept of state is vital to object-orientation. In object-orientation, state is generally an abstraction of an object's attribute values and is represented in UML via a Statechart. A typical Statechart is shown in Figure 10. Statecharts have five parts: states, transitions, parameterized events, guards, and actions. The state of a system “summarizes the information concerning past input and what is needed to determine the 16 behavior of the system on subsequent inputs” [20]. Therefore, a system typically resides in a state between events and may change state based on the occurrence of additional events. Transitions change the state of an object based on a specific input and the current state. Transition labels define the input event, parameters, guard, actions and send-clauses associated with a transition as shown below. event-name (parameter-list) [ guard-condition ] / action1 ... actionn send-clause (Note, in the UML 1.3 draft, the send-clause is replaced by an action expression – an action sequence comprising a number of distinct actions including actions that generate events). Events are the instantaneous transmittal of information from one object (or the external environment) to another object. If there is no explicit transition from a given state for a particular event, it is assumed that no resulting actions occur. Guard Conditions allow a system to ensure that certain conditions hold before a transition takes place. Actions are the behavior initiated by a transition and may include computation of data, modification of object attributes, or broadcasting of additional events. A special type of action, a send-clause, specifies that an event is to be broadcast to other objects as shown below. event-name(parameter-list) In this case, the event-name is sent to another object along with its associated parameters. All other actions are operations on the current object. withdrawal(a,x) [bal(a) >= x) / debit(a,x) deposit(a,x) [x + bal(a) < 0] / credit(a,x) new-acct(d) OK withdrawal(a,x) [bal(a) < x] / debit(a,x) ^ notify-user Overdrawn deposit(a,x) [x + bal(a) >= 0] / credit(a,x) deposit(a,x) / credit(a,x) Figure 10. Account Statechart Diagram Statecharts also allow for concurrent states or substates in which case the state of an object becomes a tuple consisting of the object state in each concurrent state diagram. Within a single state, substates may 17 exist that refine the state allowing the object to change its substate while remaining in the superstate. Such substates “inherit” the transitions of their superstate. Formally we capture the State and Transition information from a UML Statechart as part of the domain as described in Section 4.1. The components of states and transitions are formalized as follows. States = {State} State = <name, States> Transitions = {Transition} Transition = <name, Parameters, Guard, Actions, Events, FromState, ToState> Guard = valid axiom Actions = {Action} Action = <name, Parameters> Events = {Event} Event = <name, Parameters> FromState = name ToState = name 4.2.1 Restrictions to the UML Statechart Diagram Although UML allows actions inside states (the equivalent of a Moore machine from finite automata) as well as on transitions, for convenience and simplicity we assume all actions occur on transitions (a Mealy machine). This does not represent a semantic restriction as the equivalence of Mealy and Moore machines is well known [20]. We also assume that if the user specifies guard conditions for a set of transitions on event e from state s, then the guards for that set of transitions are consistent and complete. This may require the user to define transitions that “do nothing”; however, this assumption ensures that a complete and consistent set of axioms can be generated from the Statechart Diagram without resorting to considerable reasoning about the validity of the guard conditions. 5. Diagram Translation In this section, we present the translations from the UML Class Diagram and Statechart Diagram described in Section 0. Section 5.1 defines the Class Diagram translations while Section 5.2 defines the Statechart Diagram translations. In this section, we use the convention that calligraphic uppercase letters, 18 such as A and C, refer to associations and classes from the UML diagrams while letters using a font such as A and C refer to equivalent association and class specifications in O-SLANG (i.e., C is the UML class corresponding to the O-SLANG class C). Dot notation is used to refer to both sub-objects and attributes of objects. 5.1 Class Diagram Translations A UML Class Diagram consists of two basic entities: classes and associations. In this section, we discuss the translations of each of these to O-SLANG. Throughout this section, we use the example shown in Figure 9 to illustrate the translation process. We use the Sophisticated and Motor classes to demonstrate basic translations. The example translations based on Figure 9 were created using our demonstration system, which is discussed in Section 6. 5.1.1 Classes Each UML class C generates an O-SLANG class specification C. If C is a simple class (no inheritance or aggregation), then the class sort of C is simply the name of the class as shown in Figure 11, which is the class specification for the Motor class from Figure 9. However, if inheritance is involved then the superclass specifications of C must be imported into the O-SLANG class specification C and class sort of C must be defined to be a subset of each of the superclass class sorts [8]. This is accomplished by placing each superclass name in the import block of C and stating that the class sort of C is a sub-sort of each of its superclass class sorts. An example of such a sub-sort definition is shown in the Sophisticated pump class in Figure 12. The following statements are part of each O-SLANG class. A class without superclasses simply omits the import statement and has a simple class sort statement such as class sort class-name. class sort class-name < superclass-name1, ... superclass-namen import superclass-name1, ... superclass-namen The following mapping formally defines the translation from the UML class to the O-SLANG class specification C. We show this formal mapping for each transformation in this section to demonstrate our 19 methodology; however, to keep from overwhelming the reader with detail, we do not include them in the rest of the paper. The detailed definition of each transformation can be found in [19]. C UMLmodel ( C TheoryModel C.name = C.name C.ClassSort.name = C.name C.Imports = C.Superclasses C.ClassSort.Subsorts = C.Superclasses) class Motor is class-sort Motor import free-clutch, disable-clutch sort Motor-State attributes free-clutch-Obj : Motor free-clutch-Sort disable-clutch-Obj : Motor disable-clutch-Sort state-attributes Motor-State: Motor Motor-State operations attr-equal : Motor, Motor Boolean methods create-motor : Motor states motor-disabled: Motor-State motor-running: Motor-State events start-pump-motor : Motor Motor stop-motor : Motor Motor new-motor : Motor Motor axioms motor-disabled <> motor-running; attr-equal(M1, M2) (free-clutch-Obj(M1) = free-clutch-Obj(M2) disable-clutch-Obj(M1) = disable-clutch-Obj(M2)); (Motor-State(New-Motor(M)) = motor-disabled attr-equal(New-Motor(M), create-motor(M))); (Motor-State(M) = motor-disabled) (Motor-State(start-pump-motor(M)) = motor-running free-clutch-Obj(start-pump-motor(M)) = free-clutch(free-clutch-Obj(M))); (Motor-State(M) = motor-running) (Motor-State(stop-motor(M)) = motor-disabled disable-clutch-Obj(stop-motor(M)) = disable-clutch(disable-clutch-Obj(M))); Motor-State(M) = motor-disabled Motor-State(stop-motor(M)) = motor-disabled; Motor-State(M) = motor-running Motor-State(start-pump-motor(M)) = motor-running; end-class Figure 11. Motor Specification 20 class Sophisticated is class-sort Sophisticated < Pump import Pump, volume-select, amount-select attributes volume-select : Sophisticated volume amount-select : Sophisticated amount operations attr-equal : Sophisticated, Sophisticated Boolean methods Create-Sophisticated: Sophisticated events New-Sophisticated: Sophisticated axioms volume-select(create-Sophisticated(S)) = 0; amount-select(create-Sophisticated(S)) = 0; attr-equal(S1, S2) (volume-select(S1) = volume-select(S2) amount-select(S1) = amount-select(S2)); attr-equal(New-Sophisticated(), Create-Sophisticated()) end-class Figure 12. Sophisticated Pump Specification 5.1.1.1 Attributes Each attribute in C is either normal or derived and has a name, datatype and expression. Each attribute thus defines an attribute declaration in C of the form: attribute-name : class-name attribute-datatype The expression of a normal attribute is interpreted as the initial value computation for the attribute and defines an axiom of the form, attribute-name(CREATE-class-name(parameters)) = attribute-expression where CREATE-class-name(parameters) is the create object function automatically created when C is defined (see below). Both the volume-select and amount-select attributes of the Sophisticated class are normal attributes as shown in Figure 12. Each of these has a default value of zero as specified in the first two axioms of the specification. The user may define the value of a derived attribute by providing an expression in the attribute definition, which becomes an axiom in the axiom block of C of the form: attribute-name(class-name) = attribute-expression A formal representation of this transformation is shown below. 21 C.Attributes ( C.Attributes .name = .name .Domain [C.name] .Range [.type] .Axioms C.Axioms) 5.1.1.2 Operations Operations can represent three different O-SLANG constructs: 1) a newly defined O-SLANG method, 2) a newly defined O-SLANG operation, or 3) the method definition of an action in the Statechart Diagram. As defined in UML, operations consist of a name, a set of parameters (with a name and datatype), an output datatype, and an axiomatic definition. If the operation does not have an output datatype, we assume the operation is a method and the output datatype is the class sort of C (i.e., it produces a modified object). Each UML operation defines either a method or operation signature in O-SLANG. If the output datatype is the class sort of C or undefined, the operation defines a method signature in the method block of C (where p1 ... pn are parameter types of the operation), as shown below. operation-name : class-name, p1 ... pn class-name If the output datatype of the UML operation is not the class sort of C then the operation defines an O-SLANG operation whose signature is placed in the operations block of C. operation-name : class-name, p1 ... pn operation-datatype An operation is defined as a set of axioms, which are specified by the designer. In our demonstration system, the user may specify preconditions and postconditions of the operation. For translation purposes, we assume that the axioms are valid O-SLANG syntax, semantically correctly, and thus can be translated directly into axioms in the axiom block of C. A formal representation of these transformations is shown below. 22 o C.Operations (o.type m C.Operations m.name = o.name p o.Parameters p.type m.Domain m.range = [o.type] o.Axioms C.Axioms) o C.Operations (o.type = m C.Methods m.name = o.name o.name m.Domain p o.Parameters p.type m.Domain m.range = [o.name] o.Axioms C.Axioms) A special operation defined in all classes with non-state attributes is attr-equal, which determines if two objects of the same class have identical non-state attribute values. Therefore, if a class has normal attributes, it must have an attr-equal operation. The signature of the operation is shown below. attr-equal : class-name, class-name Boolean Assuming C has normal attributes 1 ... n, the definition of attr-equal takes the form: attr-equal(c1, c1) 1(c1) = 1(c1) ... n(c1) = n(c1) The formal mapping is shown below. a C.Attributes a .Attribute = Normal o C.Operations o.name = “attr-equal” o.Domain = [C.name, C.name] o.Range = [“Boolean”] attr-axiom C.Axioms where attr-axiom = “attr-equal(c1, c1) 1(c1) = 1(c1) ... n(c1) = n(c1)” as defined above. Each class also generates a default create method if it is not explicitly defined by the user in the Class or Statechart models. A default create method takes no inputs and produces a value of the class sort of C as shown below. CREATE-class-name : class-name The default values of normal attributes define the effect of the create method. For each normal attribute in C with a defined default value expression, the following axiom is generated. 23 attribute-name(CREATE-class-name())= attribute-expression Examples of the attr-equal axiom can be seen in both Figure 11 and Figure 12. In both cases, all the attributes are normal attributes and are included in the appropriate axiomatic definition of attr-equal. When a default create method is defined, a corresponding new event must also be created to invoke the create method. This new event has the exact same domain and range as the create method, NEW-class-name : class-name and its only axiom “invokes” the create method as shown below. ATTR-EQUAL(NEW-class-name(), CREATE-class-name()) An example of such an event definition and axiom can be seen in Figure 12 where the last axiom defines the event in terms of the associated Create-Sophisticated method. 5.1.1.3 Constraints In addition to attributes and operations, a user may also supply additional axioms to constrain the behavior of various components of the class. These constraints are translated directly to axioms in the axiom block of C. C.Constraints C.Axioms 5.1.2 Class Sets Each class C generates a second specification called the class set, Cs, that defines a set of objects of type C, as shown in Figure 13. The name of C defines the name of Cs as well as the name of the class sort of Cs. The string “-CLASS” is simply appended to the name of the class set specification and class sort. To explicitly state that Cs defines a set of objects of type C, a contained-class name is defined as the name of the defining class. If C has superclasses, the class sets of these superclasses must also be imported into the class set of C. This is accomplished by placing each superclass name in the import block of Cs. 24 class Motor-CLASS is class-sort Motor-CLASS contained-class Motor events start-pump-motor : Motor-class Motor-class stop-motor : Motor-class Motor-class new-motor-class : Motor-class axioms New-Motor-class() = empty-set; (M : Motor, MC : Motor-class) M MC (start-pump-motor(M) start-pump-motor(MC)); (M : Motor, MC : Motor-class) M MC (stop-motor(M) stop-motor(MC)) end-class Figure 13. Motor Class Specification Each event in class C defines a class event in Cs. The purpose of class-level events is to distribute the object-level event to each object in the class set. As shown by the first two events in Figure 13, these class events have the same signature as the events from class C with the class sort of C replaced by the class sort of Cs. The axioms that implement these class events are defined as: (x:class-name, y:class-name-CLASS) x y event-name(x) event-name(y) Because O-SLANG requires that all methods be invoked by events, each class must have a new event that invokes the create method to create a new object. Because the class sort of a class set is a set, a new class set object is simply an empty set. 5.1.3 Aggregates If a class C has components, then it is an aggregate class and an O-SLANG aggregate class specification must be defined and imported into C. This aggregate class has a special form that defines the colimit of a category theory diagram. When generating the aggregate class, the name of CA is defined by simply appending the string “-AGGREGATE” to the name of the C, e.g. with the aggregation of the Clutch and Motor classes shown in Figure 14. The diagram of specifications and specification morphisms is defined by a set of nodes (specifications) and a set of arcs (specification morphisms). These nodes correspond to all classes, data types, associations, and event theories referenced by a class, or any of its superclasses or components. For 25 instance, in Figure 14, we include the Motor and Clutch class components of the Clutch-Motor-Assembly-Aggregate and the event theories (and send-clauses associated with those theories) associated with the Clutch and Motor classes, e.g. the free-clutch and disable-clutch events and start-fuel send-clause defined in the Clutch class and the free-clutch and disable-clutch send-clauses defined in the Motor class. A specification is in the node set of CA if it is one of the following. A specification imported in C. A component of C. The class set specification of a component of C. The aggregate specification of a component of C. Any specification imported by nodes in CA. An association specification whose connections are all nodes in CA. Any specification imported by components of two or more nodes of CA. A unique TRIV specification is added to the node set for each connection in an association specification CA.Node. 9. An event theory defining the communication between nodes in CA. 10. A broadcast theory defining the communication between multiple nodes in CA. 1. 2. 3. 4. 5. 6. 7. 8. aggregate Clutch-Motor-Assembly-AGGREGATE is nodes Motor, Motor-CLASS, free-clutch, disable-clutch, Clutch, Clutch-CLASS, start-fuel arcs Motor Motor-Class : {}, free-clutch Motor : {}, free-clutch Clutch : {free-clutch-Sort Clutch}, disable-clutch Motor : {}, disable-clutch Clutch : {disable-clutch-Sort Clutch}, Clutch Clutch-Class : {}, start-fuel Clutch : {} end-aggregate Figure 14. Clutch-Motor-Assembly Aggregate Specification The morphisms between nodes of C define the set of arcs in C and are critical to correctly defining the colimit of the diagram. An arc is in the arc set of C if for n1, n1 in the node set of CA one of the following holds. 1. 2. 3. 4. 5. 6. 7. 8. 9. n1 is directly or indirectly imported by n2 n1 is a component of n2 n1 is superclass of n2 n2 = n1-CLASS n1 = n2-AGGREGATE n1 = n2-LINK n2 is a connection of n1, an association n1 is an event theory received by n2 (or a subcomponent of n2) n1 is an event theory sent by a component of n2 26 Once the aggregate specification has been created and imported into C, as shown in Figure 15, mechanisms for referencing component objects are created. A component of the aggregate C has a name, an optional qualifier (a name and a datatype), an optional role name, and a multiplicity. class Clutch-Motor-Assembly is class-sort Clutch-Motor-Assembly import Clutch-Motor-Assembly-Aggregate attributes Motor-Obj : Clutch-Motor-Assembly Motor-Class Clutch-Obj : Clutch-Motor-Assembly Clutch-Class methods Create-Clutch-Motor-Assembly: Clutch-Motor-Assembly events New-Clutch-Motor-Assembly: Clutch-Motor-Assembly axioms attr-equal(C1, C2) (Motor-Obj(C1) = Motor-Obj(C2) Clutch-Obj(C1) = Clutch-Obj(C2)); attr-equal(New-Clutch-Motor-Assembly(), Create-Clutch-Motor-Assembly()); size(Motor-obj(C)) = 1 ; size(Clutch-obj(C)) = 1 end-class Figure 15. Clutch-Motor Assembly Specification Each component class defines an object-valued attribute that is used to reference the component. If the component has a role name assigned to it, the name of the object-valued attribute becomes the role name as shown below. class-role : class-name class-name-CLASS If the component does not have a role name assigned, the component name appended with the string “-OBJ” is used to define the object-valued attribute. The Motor-Obj and Clutch-Obj of Figure 15 are the object-valued attributes that refer to the motor and clutch objects belonging to the aggregate. class-name-OBJ : class-name class-name-CLASS A component qualifier is used to discriminate between components in a set. To identify individual components, the qualifier becomes an attribute of the component class specification. If component classes of an aggregate class C have a common association, A, then the association defines an object-valued attribute in C of the form: 27 association-name-ASSOC : class-name association-name The multiplicity of a component defines how many of each component may be part of the aggregate class C. As defined in UML, these multiplicities are denoted as a sequence of integer intervals. Therefore, the multiplicity of component defines an O-SLANG axiom specifying the allowable number of components that may be part of C. Generating the axiom defining the appropriate multiplicity may be complex since it may have more than one range. It may be used to specify an exact number, a range of numbers, or a combination of both. For each single-valued range, the sub-axiom, SIZE(attr-name(c)(O)) = single-value is generated as part of the overall specified axiom. However, if two values (value1 .. value2) are specified, then the multiplicity defines a range as shown in the following sub-axiom. SIZE(attr-name(c)(O)) value1 SIZE(attr-name(c)(O)) value2 A special case where an asterisk (*) is used in either the form 1..* or just * results in axioms of the form: SIZE(attr-name(c)(O)) 1 SIZE(attr-name(c)(O)) 0 In the case of multiple ranges, the sub-axioms are disjuncted to create a single axiom defining the possible multiplicities of a component c. In Figure 14, both components have a multiplicity of exactly one and thus the axioms are of the form size(Motor-obj(C)) = 1. 5.1.3.1 Domain Theory Aggregate To ensure that all classes, associations, and events are unified in the domain theory, an overall domain theory aggregate is created that combines all top-level classes into a single specification. This is accomplished by creating a top-level aggregate with all top-level classes as nodes. Then additional nodes (associations, common imports, and event and broadcast theories) and arcs are added to the aggregate. The top-level classes are those classes that are not components or subclasses of any other class. 28 5.1.4 Associations An association in UML, A, consists of a name, a set of participating classes, a set of attributes, and a set of operations. Each association, A, defines two O-SLANG specifications, a link specification, AL, and an association specification A where the association specification defines a set of link objects similar to a class set specification. The name of A defines the names and class sorts of A and AL. We must know how many links an object may participate in to constrain link multiplicity. This requires an image operation. To reference sets of objects from the participating classes, we define a sort in A for each participating class. (This sort is eventually unified with the actual class set sort in a higher level aggregate.) Assuming the association is a simple (no qualifier) binary association, the signature for the two image operations defined by classes c1 and c2 is shown below. IMAGE : association-name, c1-name c2-name-CLASS IMAGE : association-name, c2-name c2-name-CLASS Both operations take an association object (a set of links) and an object from one of the two participating classes and returns the set of objects that are related via links to the input object. The image operation is defined as follows. (S : association-name, l : link-name, x : c1-name, y : c1-name) l S attr-name(c1)(l) = x attr-name(c1)(l) = y y image(S, x) A qualifier is used to discriminate between links in an association and thus the link qualifier becomes an attribute of the link class. This qualified attribute is used as an additional parameter in a modified image operation. Assuming class c1 has a qualifier, the following image operation would be generated. IMAGE : association-name, c1-name, type(c1-qualifier) c1-name-CLASS The multiplicity of a component defines how many of each component may be referred to by links in the association class A and thus generates multiplicity axioms over the image operations defined above. These multiplicity axioms are very similar to the aggregate multiplicity axioms defined in Section 5.1.3. The axioms generated by these multiplicities for simple binary associations are shown below. SIZE(attr-name(c)(O)) value1 SIZE(attr-name(c)(O)) value2 SIZE(attr-name(c)(O)) value1 SIZE(attr-name(c)(O)) 0 29 Each association also defines a new event, but not a create method, since an association has no attributes. The new event simply returns an empty set. 5.1.4.1 Link Classes A UML association also defines a link class, AL, as shown in Figure 6. A link may also contain additional attributes, operations, methods, and events. Each class participating in an association defines an objectvalued attribute in AL. class-name-OBJ : link-name class-name However, if the participating class has a role name, the role name is used as the attribute name. class-role : link-name class-name Additional link attributes and operations may be entered directly into the Class Diagram and are transformed exactly like class attributes and operations as defined in Section 5.1.1. The only method created automatically for a link is the create method similar to the create method defined for classes. However, to create a link, all object references must be provided to the create method. Therefore, the link create method has the signature CREATE-linkname : component1, ... , componentn linkname while the new event has a similar signature. NEW-linkname : component1, ... , componentn linkname The axiom that defines a link create method is simple since object references for each component must be provided. This axiom takes the form attr-name(xi)(CREATE-association-name(x1, ... xn)) = xi where xi represents a parameter in the parameter string of create and attr-name(xi) is the object-valued attribute name in the link class corresponding to that component. 30 5.2 Statechart Diagram Translations The Statechart Diagram of an UML class C is translated by translating the states and transitions into sorts, operations and axioms in the theory-based object model. A statechart for the Motor class is shown in Figure 16. 5.2.1 States Each state in C is defined by a name and a set of substates. If the Statechart Diagram is defined for a class C, then four types of declarations are added to C. However, before adding these declarations, the set of states must be partitioned into n partitions such that 1) there is exactly one initial state in each partition, 2) each state is reachable from the start state in its partition, and 3) there are no transitions between partitions. If n 2 then there are n distinct concurrent subdiagrams for class C. start-pump-motor ^ free-clutch new-motor / create-motor motor-disabled motor-running stop-motor ^ disable-clutch Figure 16. Motor Class Statechart For each partition i 1...n, a sort declaration and state attribute are added as shown below. sort class-name-STATE-i class-name-STATE-i : class-name class-name-STATE-i Then, for each state in the partition, a state attribute of the form state-name : class-name-STATE-i is added to the states block. Finally, for each pair of states, 1 and 2, in a partition the axiom, 1-state-name 2-state-name, is added to the axioms of C. Each state, , may also contain substates. If a state contains substates, then four additional declarations, similar to the ones defined above, are generated for the state. Again, however, before the declarations can be added, the concurrent states must be partitioned for the subdiagram. 31 The procedure for partitioning substates is identical to the procedure for partitioning top level states described above except for the name of the substate sort, where substate-name-SUBSTATE-i is substituted for class-name-STATE-i. Since the Motor class statechart does not have any concurrent or substates, there is only one state attribute, Motor-State, as shown in Figure 11. The Motor class statechart also defines two states, motor-disabled and motor-running, which are also shown in Figure 11 in the states block. 5.2.2 Transitions In the Statechart Diagram, transitions are used to represent incoming events and actions taken by the object. A transition defines a receive event, a set of methods, and a transition axiom in O-SLANG and consist of seven components: 1. 2. 3. 4. 5. 6. 7. a name, a set of parameters (name and datatype), a set of guard conditions defined via axioms, a set of actions, a set of send-clauses, a from-state, and a to-state. Each transition in class C defines an incoming event signature in the event block of C. Each parameter, p, passed via the transition becomes a parameter in the event as defined below. transition-name : class-name, p1 ... pn class-name Each action in a transition defines a signature in the method block of C and each parameter, p, in an action becomes a parameter of the method as shown below. action-name : class-name, p1 ... pn class-name Send-clauses are used to send messages to other objects. Each send-clause in a transition defines an outgoing event in C, as well as an event theory specification that is used in an aggregate specification to unify C with the receiving object's class specification. The event theory defines an event sort and signature and is imported into C. Therefore, instead of creating a signature for the outgoing event, the 32 event theory name, which is the name of the send-clause, is added to the import block of C. An event theory is shown below, event event-name is class sort event-name-SORT sorts p1, ..., pn events event-name : event-name-SORT, p1 ... pn event-name-SORT end-event where p1 ... pn denote the parameters of the outgoing event. In Figure 11, the free-clutch and disable-clutch names in the import block refer to event theories generated from the send-clauses in Figure 16. The event theory for the free-clutch event is shown in Figure 17. event free-clutch is class-sort free-clutch-sort events free-clutch : free-clutch-sort free-clutch-sort end-event Figure 17. Free-Clutch Event Specification Before sending an event, the sending object must know where to send it. Therefore each event must have an object-valued attribute of the form: event-name-OBJ : class-name event-name-SORT to define where an event is sent. This declaration is generated and placed in the attribute block of C. Both free-clutch-Obj and disable-clutch-Obj in Figure 11 are the object-valued attributes associated with the free-clutch and disable-clutch events. Each transition defines an axiom that causes the object, upon receipt of an incoming event in the appropriate state, to change state as well as to invoke methods and send events. This axiom has five parts the current state, guard condition, new state, method invocations, and event sends. These parts are merged into a single axiom of the form: old-state guard-condition new-state method-invocations event-sends In Figure 11, the last four axioms are defined directly from the state transitions in Figure 16. The transformations for each of the components of these transition axioms are defined in the following sections. 33 5.2.2.1 Old-State Because the from-state is a mandatory part of a transition, an old-state is always generated. If the transition’s from-state is a top-level state, then the old-state part of the axiom is simply: class-name-STATE(o) = from-state However, if the from-state is a substate of another state then the superstate must be in the correct state as well, as shown below. class-name-STATE(o) = superstate(transition, from-state) superstate(transition, from-state)-SUBSTATE(o) = from-state In this example, superstate is a function that determines the superstate of a substate. Obviously, there can be many levels of substates so that an arbitrary number of superstates may be included in the old state part of the axiom. 5.2.2.2 Guard-Condition The guard condition part of the transition axiom is optional. If the guard condition does exists, it is assumed that the guard condition is an axiom written in O-SLANG syntax based on the object's attribute values and incoming parameter values only. Thus if the guard condition exists, it requires no translation. 5.2.2.3 New-State Because a transition always has a to-state, the new state part of the transition axiom takes the form: class-name-STATE(transition-name(o, p1 ... pn)) = to-state or, if the state is a substate, superstate(transition, to-state)-SUBSTATE(transition-name(o, p1 ... pn)) = to-state where p1 ... pn denote the parameters of the incoming event. If the transition occurs in a substate diagram, the values of superstate attributes do not change. 34 5.2.2.4 Method-Invocations An action specifies that a method is invoked as the result of the event receipt. The form used to specify method invocation is, attr-equal(transition-name(o, p1 ... pn), action-name(o, pa1 ... pa2)) where p1 ... pn denote the parameters of the incoming event and pa1 ... pa2 denote the parameters of the method. 5.2.2.5 Event-Sends Send events represent the sending of an event to the object whose reference is stored in the appropriate object-valued attribute. Therefore, a send event generates the axiom, event-name-OBJ(transition-name (o, p1...pn)) = event-name(event-name-OBJ(o), ps1...ps2) where p1 ... pn denote the parameters of the incoming event and pa1 ... pa2 denote the parameters of the outgoing event. Once the valid transitions have been transformed and all incoming events and states defined in C, invalid transitions can be computed. Because the theory-based object model assumes there is no reaction to an event that occurs in a state with no explicitly defined transition for that event, axioms explicitly stating this assumption must be generated. These axioms, as illustrated in the last two axioms in Figure 11, are of the form, old-state same-state where old-state are defined as before and same-state is of the form: class-name-STATE(transition-name (o, p1 ... pn)) = from-state 6. Transformation Validation This section shows how we formally established the correctness of our transformations. First, we defined a formal semantics for both the Class and Statechart Diagrams [20, 21] and then defined a formal mapping from O-SLANG to those semantics. The definition of the semantics and the mapping from 35 O-SLANG defined the arrows and in Figure 18. From there we constructed a set of proofs that showed that, given either a Class or Statechart Diagram, the formal semantics defined by were identical to the formal semantics defined by . These proofs led to the following theorems. Restricted Restricted UML UML Diagram Diagram Formal Formal Semantics Semantics O-Slang O-Slang Figure 18. Transformation Verification Theorem 6.1: Given a valid UML Class Diagram, the translation to O-SLANG as defined by in Section 5 preserves the semantics of the object model as defined in [19]. Theorem 6.2: Given a valid UML Statechart Diagram, the translation to O-SLANG as defined by in Section 5 preserves the semantics of the dynamic model as defined in [19]. 7. Demonstration System We developed a prototype system to demonstrate the feasibility of a formal specification acquisition and transformation system. Our goal was simply to show that UML diagrams could be automatically transformed into theory-based specifications consistent with the original diagrams. In [19], DeLoach performed the transformation of the pump domain object model, depicted in Figure 9, as a process of several automated and manual translations. This process has recently been updated to perform the conversion from UML to the O-SLANG specification in a single automated translation [22]. This one step approach uses Visual Basic to transform a Rational Rose UML model into O-SLANG. The rules to transform UML diagrams to the theory-based object model are captured in the transformation software. 36 We reused the same pump domain object model to verify that our translation produces the same results as in [19]. Figure 19 shows an actual screen of the CASE tool used to construct the pump domain model. Figure 20 depicts the Visual Basic IDE (with a fragment of the translator software) and sample output screen. Figure 19. Actual Pump Domain Object Model Screen 7.1 Example Using the following code fragment, the transformation software first invokes Rational Rose and opens a model file, which contains the UML specification. AllClasses is set to a collection of all the classes in the model file as shown below. umlfile = InputBox("Input Name of UML .mdl File ("Input UML File to translate?") roseApp.OpenModel umlfile Set AllClasses = roseApp.CurrentModel.GetAllClasses() 37 Figure 20. Actual Integrated Development Environment (IDE) and Output Screen The translation software contains a loop, transforming each class in the model file individually. Logic inside the loop implements the formal transformations described in Section 5, thus translating each UML Class and Statechart Diagram into O-SLANG. Next, using the Motor specification, we demonstrate some of the transformations from UML into O-SLANG. As a simple example, we stated “Each UML class C generates an O-SLANG class specification C. If C is a simple class, then the class sort of C is simply the name of the class”. When theClass.Name (theClass is a RoseClass in the RoseClassCollection AllClasses) equals Motor in the translation loop, the first two lines of the Motor specification are created by the following code. 38 If theClass.Abstract Then prl ("abstract-class " & theClass.Name) Else pr ("class " & theClass.Name & " is") End If prl (" class-sort " & theClass.Name) The translation software is a Visual Basic implementation of each transformation rule. For a more involved example, farther into the Motor class specification we show the Visual Basic analog for the semantic rule in the Statechart Diagram section that stated “for each pair of states in partition i 1...n, 1 and 2, the axiom 1-state-name 2-state-name is added to the axioms of C”. This rule generates the motor-disabled motor-running; axiom in the Motor specification and is implemented by the following code. (AllStates contains a collection of all the states for the Motor Class and theState is the state of the Motor class currently being processed.) ' axioms for state space inequality For I = 1 To AllStates.Count - 2 For J = I + 1 To AllStates.Count - 1 Set theState = AllStates.GetAt(I) Set theStateTemp = AllStates.GetAt(J) If nostates <> "" Then pr (" " & theState.Name & " <> " & theStateTemp.Name & ";") End If Next J Next I As another example, we explained in the Section 5 how the attr-equal operation determines if two objects of the same class have identical non-state attribute values as shown below. operations attr-equal : Motor, Motor -> Boolean axioms attr-equal(M1, M2) <=> (free-clutch-Obj(M1) = free-clutch-Obj(M2) & disable-clutch-Obj(M1) = disable-clutch-Obj(M2)); This portion of the Motor class specification are automatically generated by our demonstration system using the code shown in Figure 21. 8. Future Work The definition of theory-based models that can be created directly from semi-formal graphical representation provides the necessary framework for a parallel refinement system for specification development [5]. Our current prototype allows a user to develop graphically-based specifications that can 39 automatically be converted into O-SLANG specifications. The O-SLANG specifications can then be transformed into a Slang specification in a straightforward manner to allow the full use of the Specware code generation system [9]. Work is also currently underway to define transformations from all UML diagrams beyond the Class and Statechart Diagrams to O-SLANG. This research will concentrate on formally defining the relationships between modeling constructs in the different diagrams and capturing the combination of dynamic and functional aspects of UML Collaboration Diagrams. 9. Acknowledgments This work has been supported by grants from the National Security Agency, the Air Force Research Laboratory, and the Air Force Office of Scientific Research. 40 ' for the operation section If theClass.Attributes.Count > 0 Then pr (" operations") pr (" attr-equal : " & theClass.Name & ", " & theClass.Name & " -> Boolean") End If ' for the axiom section S1 = Left(theClass.Name, 1) S2 = "" If nostates <> "" Then For stateid = 1 To AllStates.Count - 1 Set theState = AllStates.GetAt(stateid) If theState.Name <> "" Then For xitionid = 1 To theState.Transitions.Count S = "" S = S & " (" & theClass.Name & "-State(" & S1 & ") = " & theState.Name & ")" & Chr$(10) & " => (" & theClass.Name & "-State(" Set theXition = theState.Transitions.GetAt(xitionid) ' trace xition from current state ' cls1 contains send-clauses and clsc1 contains the number of send-clauses getxsends theClass, theXition, cls1, clsc1 Set theAction = theXition.GetTriggerAction() ' RoseAction retrieves the action of target state of the transition Set theEvent = theXition.GetTriggerEvent() ' RoseEvent stemming from current transition Set targetState = theXition.GetTargetState() ' RoseState of transition endpoint Set targetSend = theXition.GetSendAction() ' RoseAction retrieves the message to send when the transition occurs If theEvent.Name <> "" Then If InStr(S, theEvent.Name) = 0 Then S = S & theEvent.Name & "(" & S1 & ")) = " & targetState.Name If clsc1 <> 0 Then For sendno = 0 To clsc1 - 1 S = S & Chr$(10) & " & " & cls1(sendno) & "-Obj(" & theEvent.Name & "(" & S1 & "))" & Chr$(10) & " = " & cls1(sendno) & "(" & cls1(sendno) & "-Obj(" & S1 & ")))" Next sendno S = S & ";" ElseIf theAction.Name <> "" Then ' process action block rules here End If pr (S) End If End If Next xitionid End If Next stateid End If Figure 21. Transformation Code 10. References 1. Green, C., et al., Report on a Knowledge-Based Software Assistant, in Readings in Artificial Intelligence and Software Engineering, C. Rich and R. Waters, Editors. 1986, Morgan Kaufmann Publishers: Los Altos, California. p. 377-428. 2. Lowry, M.R., Software Engineering in the Twenty-First Century. AI Magazine, 1992. 3. Smith, D.R., KIDS - A Semi-automatic Program Development System. IEEE Transactions on Software Engineering, 1990. 16(9): p. 1024-1043. 4. Smith, D.R., Transformational Approach to Transportation Scheduling. in Proceedings of the 8th Knowledge-Based Software Engineering Conference. 1993. 41 5. Fraser, M.D., K. Kumar, and V.K. Vaishnavi, Strategies for Incorporating Formal Specifications. Communications of the ACM, 1994. 37(10): p. 74-86. 6. OMG, OMG UML Specification, 1999, OMG, http://www.rational.com/uml/. 7. Booch, G., The Unified Modeling Language User Guide. 1999. 8. DeLoach, S.A., A Theory-Based Representation for Object-Oriented Domain Models. IEEE Transactions on Software Engineering, to appear. 9. Waldinger, R., SPECWARE Language Manual: Specware 2.0.3. 1998, Kestrel Institute. 10. Goguen, J.A. and R.M. Burstall, Some Fundamental Algebraic Tools for the Semantics of Computation Part I: Comma Categories, Colimits, Signatures and Theories. Theoretical Computer Science, 1984. 31: p. 175-209. 11. Grosu, R., et al., What is Behind UML-RT, in Behavioral specifications of businesses and systems, H. Kilov, B. Rumpe, and I. Simmonds, Editors. 1999, Kluwer Academic. 12. Booch, G., J. Rumbaugh, and I. Jacobsen, UML Semantics, Version 1.1. 1997, Rational Software Corporation. 13. Smith, J., M. Kokar, and K. Baclawski, Alternative Formalizations of Aggregations and Associations in UML. in The Second International Conference on The Unified Modeling Language (UML '99). 1999. Fort Collins, Colorado. 14. Smith, J., M. Kokar, and K. Baclawski, Formal Verification of UML Diagrams: a First Step Towards Code Generation. in OOPSLA'99. 1999. Denver, Colorado. 15. Smith, J., UML Formalization and Transformation thesis, Northeastern University, Graduate School of Engineering, 1999, Northeastern University. Boston, MA. p. 299. 16. Srinivas, Y.V., Algebraic Specification: Syntax, Semantics, Structure. 1990, Department of Information and Computer Science, University of California, Irvine. TR 90-15. 17. Srinivas, Y.V., Category Theory Definitions and Examples. 1990, Department of Information and Computer Science, University of California, Irvine. TR 90-14. 18. Liskov, B., Data Abstraction and Hierarchy. in (addendum to) Conference Proceedings, Object Oriented Programming Systems Languages and Applications (OOPSLA). 1987. 19. DeLoach, S.A., Formal Transformations from Graphically-Based Object-Oriented Representations to Theory-Based Specification thesis, Air Force Institute of Technology, Department of Electrical and Computer Engineering. AFIT/DS/ENG/96-05, AD-A310-608, 1996, Air Force Institute of Technology. Wright-Patterson AFB, OH. 20. Hopcroft, J.E. and J.D. Ullman, Introduction to Automata Theory, Languages, and Computation. 1979, Reading, Massachusetts: Addison-Wesley. 21. Bourdeau, R.H. and B.H.C. Cheng, A Formal Semantics for Object Model Diagrams. IEEE Transactions on Software Engineering, 1995. 21(10): p. 799-821. 22. Baclawski, K., et al., Object Oriented Transformation, in Behavioral Specifications of Businesses and Systems, H. Kilov, B. Rumpe, and I. Simmonds, Editors. 1999, Kluwer Academic Publishers: Norwell, MA. p. 1-14. 42