UpSTAIRS with Sequence Diagrams

1
UpSTAIRS with Sequence Diagrams

• Øystein Haugen,Ragnhild Kobro Runde, Ketil
  Stølen
• University of Oslo and SINTEF ICT, Norway

2
Overview

• Interactions and trace semantics
• Interactions as example runs
• Underspecification and nondeterminism
• Refinement
• Data and guards

3
Background UML interactions
Lifeline (instance)
Message
Receive-event (?x)
Send-event (!x)

• Partial ordering of events
• The send event is ordered before the
  corresponding receive event.
• Events on the same lifeline are ordered from the
  top and downwards.
• S specifies the two traces
• lt !x, ?x, !y, ?y gt
• lt !x, !y, ?x, ?y gt

4
Alternatives

• S specifies the four traces
• lt !x, ?x, !y, ?y gt
• lt !x, !y, ?x, ?y gt
• lt !x, ?x, !z, ?z gt
• lt !x, !z, ?x, ?z gt

First alternative
Second alternative
5
Example Network communication

• Interactions example runs!
• Specifies a set of positive and/or negative
  behaviours.

6
Negative behaviour
Positivelt!mAS,?mAS,!mSB,?mSBgt Negative lt!mAS,?
mAS ,!mSB,?mSB,!mSB,?mSBgt lt!mAS,?mAS
,!mSB,!mSB,?mSB,?mSBgt

• Formally(p1,n1) (p2,n2) (p1 p2, (p1
  n2)U(n1 p2)U(n1 n2) )
• Note
• Inconclusive positive/negative inconclusive
• Positive negative negative

7
Overview

• Interactions and trace semantics
• Interactions as example runs
• Underspecification and nondeterminism
• Refinement
• Data and guards

8
Underspecification and non-determinism

• Underspecification Several alternative
  behaviours are considered equivalent (serve the
  same purpose).
• Inherent non-determinism Alternative behaviours
  that must all be possible for the implementation.
• These two should be described differently!

9
STAIRS
xalt
10
alt vs xalt

• Assume d1 (p1,n1) d2 (p2,n2)
• alt specifies potential behaviour d1 alt d2
  d1 d2 (p1 U p2, n1 U n2)
• xalt specifies mandatory behaviour d1 xalt
  d2 d1 U d2 (p1,n1) U (p2,n2)

P1 U P2
I
N1 U N2
11
Example Network communication
12
alt vs xalt
Snetwork
13
Overview

• Interactions and trace semantics
• Interactions as example runs
• Underspecification and nondeterminism
• Refinement
• Data and guards

14
Refinement in STAIRS
Supplementing
Narrowing

• An interaction obligation o'(p',n') is a
  refinement of an interaction obligation o(p,n)
  iff
• n n'
• p p'Un'

15
Refinement contd.

• An interaction d' is a refinement of an
  interaction d iff o d o'
  d' o o'

NOT VALID!
16
Adding new obligations
NEW
17
Supplementing
Everything else
Everything else
18
Overview

• Interactions and trace semantics
• Interactions as example runs
• Underspecification and nondeterminism
• Refinement
• Data and guards

19
Including data

• Two special events
• write (for assignments)
• check (for constraints)
• A state is a total function s Var ? Val
• For an expression expr, expr(s) denotes its value
  in s.
• Assignmentassign(var,expr) ( ltwrite(s,
  s')gt s'(var) expr(s) , Ø

20
Constraints

• constr(c) ( ltcheck(s)gtc(s) ,
  ltcheck(s)gtc(s) )

21
Guards

• A special kind of constraint
• May be overlapping
• Need not be exhaustive

22
Definition of guarded xalt

• Assume d1 (p1,n1) d2 (p2,n2)
• Guarded xalt g1-gtd1 xalt g2-gtd2
  constr(g1) seq d1 U constr(g2) seq d2

23
Definition of guarded xalt

• Assume d1 (p1,n1) d2 (p2,n2)
• Guarded xalt g1-gtd1 xalt g2-gtd2 (
  ltcheck(s)gt p1 g1(s), ltcheck(s)gt p1
  g1(s) U ltcheck(s)gt n1 g1(s) v
  g1(s) ) U( ltcheck(s)gt p2 g2(s),
  ltcheck(s)gt p2 g2(s) U ltcheck(s)gt
  n2 g2(s) v g2(s) )

24
(No Transcript)
25
Narrowing by using guards
A-gtG-gtN1 ok-gtN1-gtB
A-gtG-gtN2 ok-gtN2-gt...
A-gtG-gtN1 not ok-gtN1-gtB
A-gtG-gtN2 not ok-gtN2-gt...
A-gtG-gtN1 not ok-gtN1-gtB
A-gtG-gtN2 not ok-gtN2-gt...
Everything else
Everything else
26
Narrowing by using guards
A-gtG-gtN2 ok-gtN2-gtN3 ok-gtN3-gtBA-gtG-gtN2
ok-gtN2-gtN4 ok-gtN4-gtB
A-gtG-gtN2 ok-gtN2-gtN3 not ok and N4 not ok
A-gtG-gtN2 ok-gtN2-gtN3 not ok-gtN3-gtBA-gtG-gtN2
ok-gtN2-gtN4 not ok-gtN4-gtB
A-gtG-gtN2 not ok-gtN2-gtN3 ok/not
ok-gtN3-gtBA-gtG-gtN2 not ok-gtN2-gtN4 ok/not
ok-gtN4-gtB
A-gtG-gtN2 ok-gtN2-gtN3 not ok-gtN3-gtBA-gtG-gtN2
ok-gtN2-gtN4 not ok-gtN4-gtB
Everything else
27
xalt to ensure security
28
A possible refinement
29
Summary

• Interactions are partial specifications
• Distinguish between positive and inconclusive
  traces.
• Distinguish between underspecification (alt) and
  inherent non-determinism (xalt).
• Refinement also of partial interactions.
• Supplementing
• Narrowing
• Introducing guards should be a valid refinement
  step.
• Traces with a false guards should be negative.

30
Literature on STAIRS

• Øystein Haugen, Ketil StølenSTAIRS Steps to
  analyze interactions with refinement semantics
  (UML'2003, LNCS 2863).
• Distinguishes between mandatory and potential
  behaviour
• Øystein Haugen, Knut Eilif Husa, Ragnhild Kobro
  Runde, Ketil StølenSTAIRS towards formal design
  with sequence diagrams (SOSYM, Online First,
  2005).
• Denotational trace semantics for interactions
• Formalizes the refinement relations in STAIRS
• Øystein Haugen, Knut Eilif Husa, Ragnhild Kobro
  Runde, Ketil Stølen Why timed sequence diagrams
  require three-event semantics (Dagstuhl
  post-proc., LNCS 3466). Extended version as
  research report 309.
• Extends STAIRS with time and three-event semantics

31
Literature on STAIRS

• Ragnhild Kobro Runde, Øystein Haugen, Ketil
  StølenRefining UML interactions with explicit
  and implicit nondeterminism (Nordic Journal of
  Computing, to appear).
• Extends STAIRS with data and guards
• More on mandatory vs potential behaviour
• Ragnhild Kobro Runde, Øystein Haugen, Ketil
  StølenHow to transform UML neg into a useful
  construct (NIK'2005, to appear).
• Investigates various formal definitions for
  negation
• Atle Refsdal, Knut Eilif Husa, Ketil
  StølenSpecification and refinement of soft
  real-time requirements using sequence diagrams
  (FORMATS'05).
• Extends STAIRS with probabilistic alternatives

32
http//heim.ifi.uio.no/ragnhilk/stairs/

• Thank you!