Ivan Marsic, Rutgers University
LECTURE 11: Specifying Systems – State Diag’s & OCL
2
Topics
UML State Machine Diagrams
– State Activities: Entry, Do, and Exit Activities
– Composite States and Nested States
– Concurrency
UML Object Constraint Language (OCL)
– OCL Syntax
– OCL Constraints and Contracts
3
State Machine Diagram: Basic Notation
[State machine diagram: States of Stock_i]
Listing planned --initial-listing--> Traded --bankruptcy, merger, acquisition, ...--> Delisted
Traded --trade--> Traded (self-transition)
Legend: initial state (indicated by the initial-state marker), terminal state (indicated by the terminal-state marker), event, transition
These are not states: they are only labels that indicate the actual initial/terminal states
4
UML Diagrams Differ from FSMs
– Modularization of states
– Concurrent behaviors
– State activities
5
States of Stock_i
[State machine diagram: States of Stock_i, with Traded drawn as a composite state]
Listing planned --initial-listing--> Traded --bankruptcy, merger, acquisition, ...--> Delisted
Inside the composite state Traded: sub-states Buy, Hold, and Sell (based on analyst recommendations), connected by "trade" transitions
6
States of Stock_i
[State machine diagram: States of Stock_i, with the composite state Traded shown twice: collapsed, and expanded to its nested states]
IPO planned --initial-listing--> Traded --bankruptcy, acquisition, merger, ...--> Delisted
Inside the composite state Traded: nested states Buy, Hold, and Sell, connected by "trade" transitions
IPO = initial public offering
composite state, nested state
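The composite state above can be made executable to show what "nested" means at runtime: a trade event is consumed inside Traded and only moves the sub-state, while a delisting event leaves the whole composite state regardless of which sub-state is active. This is an added example, not code from the lecture. It assumes that Hold is the initial sub-state when trading starts (the slide does not say which) and that a "trade" event carries the analyst recommendation as its payload; both are assumptions made here.

```python
"""Hierarchical (composite) state machine for the States-of-Stock_i diagram.

Added example, not code from the slides. Assumptions: Hold is the initial
sub-state of Traded, and a "trade" event carries the new recommendation.
"""

OUTER_TRANSITIONS = {
    # (state, event) -> next state; the three delisting events all leave Traded
    ("IPO planned", "initial-listing"): "Traded",
    ("Traded", "bankruptcy"): "Delisted",
    ("Traded", "merger"): "Delisted",
    ("Traded", "acquisition"): "Delisted",
}
SUB_STATES = {"buy": "Buy", "hold": "Hold", "sell": "Sell"}


class Stock:
    def __init__(self, symbol):
        self.symbol = symbol
        self.state = "IPO planned"
        self.sub_state = None   # only meaningful while in the composite state Traded
        self.history = []       # (event, active configuration) pairs, for inspection

    def configuration(self):
        """Active state configuration, e.g. 'Traded/Hold'."""
        if self.state == "Traded":
            return f"{self.state}/{self.sub_state}"
        return self.state

    def handle(self, event, recommendation=None):
        key = (self.state, event)
        if key in OUTER_TRANSITIONS:
            self.state = OUTER_TRANSITIONS[key]
            # Entering the composite state activates its initial sub-state
            # (assumed: Hold); leaving it deactivates whatever sub-state was active.
            self.sub_state = "Hold" if self.state == "Traded" else None
        elif self.state == "Traded" and event == "trade":
            # Inner transition: the event is consumed inside the composite state
            # and only changes the sub-state.
            if recommendation is None:
                raise ValueError("trade event needs a recommendation payload")
            self.sub_state = SUB_STATES[recommendation.lower()]
        # UML semantics: an event with no enabled transition is discarded.
        self.history.append((event, self.configuration()))
        return self.configuration()
```

Feeding a "trade" event before listing or after delisting leaves the configuration unchanged, which is exactly the discarded-event behaviour the diagram implies.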
7
State Activities: Entry, Do, and Exit Activities
[State machine diagram: States of a Trading Order]
States: InPreparation, Pending, Executed, Cancelled, Archived
InPreparation --submit--> Pending
Pending --matched--> Executed
Pending --cancel, reject--> Cancelled
Other labels in the figure: dataentry, view, trade, and a completion transition (one with no triggering event)
"do" state activity of Pending: do: check_price & supply [buy], check_price & demand [sell] (order placed and waiting for the specified market conditions)
8
State Diagram for Controller [Recall Section 2.7.4: Test Coverage and Code Coverage]
How a state diagram motivates you to consider alternative usage scenarios and provides “crutches”:
[State machine diagram; states: Locked, Accepting, Unlocked, Blocked]
Locked --valid-key / signal-success--> Unlocked
Locked --invalid-key / signal-failure--> Accepting
Accepting --invalid-key [numOfAttempts < maxNumOfAttempts] / signal-failure--> Accepting
Accepting --invalid-key [numOfAttempts >= maxNumOfAttempts] / sound-alarm--> Blocked
Accepting --valid-key / signal-success, set numOfAttempts := 0--> Unlocked
Accepting --timer-expired / signal-reset, set numOfAttempts := 0--> Locked (user leaves without succeeding or blocking)
Unlocked --autoLockInterval-expired /--> Locked
Auto-locking feature not shown!
Note how the object responds differently to the same event (invalid-key in Accepting state), depending on which events preceded it
9
State Diagram for Controller
[State machine diagram; states: Locked, Accepting (entry: start timer, do: countdown), Unlocked (entry: start timer, do: countdown), Blocked]
Locked --valid-key / signal-success--> Unlocked
Locked --invalid-key / signal-failure--> Accepting
Accepting --invalid-key [numOfAttempts < maxNumOfAttempts] / signal-failure--> Accepting
Accepting --invalid-key [numOfAttempts >= maxNumOfAttempts] / sound-alarm--> Blocked
Accepting --valid-key / signal-success--> Unlocked
Accepting --timer-expired / signal-reset, set numOfAttempts := 0--> Locked
Unlocked --autoLockInterval-expired /--> Locked
Need “entry” and “do” state activities for countdown timers
10
State “Accepting” Refined
[State machine diagram: Accepting as a composite state with sub-states One, Two, ..., MaxNumOfAttempts]
Transitions shown: invalid-key / signal-failure (from each sub-state to the next: One to Two, and so on), invalid-key / sound-alarm (out of the last sub-state, MaxNumOfAttempts), valid-key / signal-success (out of each sub-state), timer-expired / signal-reset, set numOfAttempts := 0
Or, get rid of state “Accepting” and introduce state “Zero” …
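Slides 8 to 10 describe the Controller's behaviour as a diagram; the following executable model, an added example that is not code from the lecture, lets you replay event sequences against it and check that the lockout actually happens. It records emitted actions as strings so a run can be inspected. Assumptions made here: numOfAttempts is incremented on every invalid-key event (the diagram only shows where it is reset), the countdown timers are represented by the explicit events timer-expired and autoLockInterval-expired, and Blocked is a terminal state that ignores further events.

```python
"""Executable model of the lock Controller state diagram (slides 8 to 10).

Added example, not code from the lecture. Assumptions: the failed-attempt
counter is incremented on every invalid-key event, timers are driven by the
explicit events timer-expired and autoLockInterval-expired, and Blocked is
terminal.
"""


class Controller:
    def __init__(self, max_num_of_attempts=3):
        self.max_num_of_attempts = max_num_of_attempts
        self.num_of_attempts = 0
        self.state = "Locked"
        self.actions = []  # signals and timer commands emitted so far

    def _enter(self, state):
        self.state = state
        # Entry activities (slide 9): Accepting and Unlocked both start a timer.
        if state in ("Accepting", "Unlocked"):
            self.actions.append("start-timer")

    def handle(self, event):
        s = self.state
        if s == "Locked":
            if event == "valid-key":
                self.actions.append("signal-success")
                self._enter("Unlocked")
            elif event == "invalid-key":
                self.num_of_attempts += 1          # assumption: count every failure
                self.actions.append("signal-failure")
                self._enter("Accepting")
        elif s == "Accepting":
            if event == "invalid-key":
                self.num_of_attempts += 1
                # Same event, different response: the guard decides.
                if self.num_of_attempts >= self.max_num_of_attempts:
                    self.actions.append("sound-alarm")
                    self._enter("Blocked")
                else:
                    self.actions.append("signal-failure")   # self-transition
            elif event == "valid-key":
                self.actions.append("signal-success")
                self.num_of_attempts = 0
                self._enter("Unlocked")
            elif event == "timer-expired":
                self.actions.append("signal-reset")
                self.num_of_attempts = 0
                self._enter("Locked")
        elif s == "Unlocked":
            if event == "autoLockInterval-expired":
                self._enter("Locked")
        # Blocked is terminal here; any event without an enabled transition is
        # discarded, which is the default UML state-machine semantics.
        return self.state


def run(events, max_num_of_attempts=3):
    """Feed an event sequence to a fresh Controller; return (final state, actions)."""
    c = Controller(max_num_of_attempts)
    for e in events:
        c.handle(e)
    return c.state, c.actions
```

With the default of three attempts, three consecutive invalid keys end in Blocked with sound-alarm emitted once, and a timer-expired in Accepting resets the counter so the next failure starts counting from one again.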
11
Problem: States of a Hotel Room
[State machine diagram]
Vacant --make-reservation /--> Reserved --arrive /--> Occupied --depart /--> Vacant
Problem:
- but a guest may be occupying the room while it is reserved by a future guest!?
- or the room may be vacant while reserved by a future guest!?
need a notion of time (“timing diagram”)
12
Problem: States of a Hotel Room
[Timing diagram: States (Vacant, Reserved, Occupied) of the room plotted against Time [days]]
Events marked along the time axis: A arrive, A depart, B make-reservation, B arrive, B depart, C make-reservation, C arrive, C depart
Intervals marked “Reserved by guest B” and “Reserved by guest C”
13
Problem: States of a Hotel Room
[Timing diagram: States (Vacant, Reserved, Occupied) of the room plotted against Time [days]; events marked: A arrive, A depart, B make-reservation, B arrive, B depart, C make-reservation, C arrive, C depart; intervals marked “Reserved by guest B” and “Reserved by guest C”]
What state?
What if the guest is late? – “Holding” state? What if the room is overbooked? What when it is being cleaned?
Issue: state transitions are weird: “Reserved” is a future state but transitioned to by a current event!
14
Problem: States of a Hotel Room
SOLUTION: Introduce a new object!
[Timing diagram split between two objects, against Time [days] with the current time marked: “Object: Reservation table” (states Reserved by guest B, Reserved by guest C, Available; events B make-reservation, C make-reservation) and “Object: Room occupancy” (states Vacant, Occupied; events A arrive, A depart); the messages between the objects are labelled “reserve” and “free”]
Objects send messages that change states
15
Problem: States of a Hotel Room
[Timing diagram split between “Object 1: Room occupancy” (states Vacant, Occupied against Time [days]; events A arrive, A depart, B arrive, B depart, C arrive, C depart) and “Object 2: Reservation table” (states Reserved, Available; current time marked)]
We need two objects: one tracks the room’s current state (occupancy) and the other its future state (reservation)
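The two-object solution can be written down directly: one object holds only the room's current state, the other only its future state, and the confusion from the single-object diagram (Vacant while Reserved) disappears because those are states of different objects. This is an added example, not code from the lecture. Assumptions made here: days are integers, a reservation covers the half-open day range [start, end), and a guest may arrive only on a day inside their own reservation while the room is Vacant.

```python
"""Two-object model of a hotel room (slides 14 and 15).

Added example, not code from the lecture. RoomOccupancy holds the current
state (Vacant/Occupied); ReservationTable holds the future state (which
guest holds which day). Assumptions: integer days, half-open ranges,
arrival only inside one's own reservation.
"""


class RoomOccupancy:
    """Object 1: the room's current state, driven by arrive/depart messages."""

    def __init__(self):
        self.state = "Vacant"
        self.guest = None

    def arrive(self, guest):
        if self.state != "Vacant":
            raise RuntimeError(f"room is {self.state}")
        self.state, self.guest = "Occupied", guest

    def depart(self, guest):
        if self.state != "Occupied" or self.guest != guest:
            raise RuntimeError(f"{guest} is not occupying the room")
        self.state, self.guest = "Vacant", None


class ReservationTable:
    """Object 2: the room's future state, driven by reserve/free messages."""

    def __init__(self):
        self.days = {}  # day -> guest holding a reservation for that day

    def is_available(self, start, end):
        return all(d not in self.days for d in range(start, end))

    def reserve(self, guest, start, end):
        """make-reservation: succeeds only if no day in [start, end) is taken."""
        if not self.is_available(start, end):
            return False  # overbooking is refused rather than modelled as a state
        for d in range(start, end):
            self.days[d] = guest
        return True

    def free(self, guest, start, end):
        for d in range(start, end):
            if self.days.get(d) == guest:
                del self.days[d]

    def holder(self, day):
        return self.days.get(day)


class Room:
    """Coordinates the two objects: messages between them change their states."""

    def __init__(self):
        self.occupancy = RoomOccupancy()
        self.reservations = ReservationTable()

    def check_in(self, guest, day):
        # The reservation table decides whether this guest may arrive today;
        # the occupancy object decides whether the room can be entered.
        if self.reservations.holder(day) != guest:
            return False
        self.occupancy.arrive(guest)
        return True

    def check_out(self, guest):
        self.occupancy.depart(guest)
```

In the scenario from the slides, guest B holds days 5 to 7 while the room is still Vacant: the reservation table reports day 6 as taken, the occupancy object reports Vacant, and neither statement contradicts the other.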
16
OCL: Object Constraint Language
OCL is used in UML diagrams to
– write constraints in class diagrams
– guard conditions in state and activity diagrams
based on Boolean logic
Boolean expressions (“OCL constraints”) are used to state facts about elements of UML diagrams
The implementation must ensure that the constraints always hold true
17
Basic OCL Types and Operations
Type      Values                                      Operations
Boolean   true, false                                 and, or, xor, not, implies, if-then-else
Integer   1, 48, −3, 84967, …                         *, +, −, /, abs()
Real      0.5, 3.14159265, 1.e+5                      *, +, −, /, floor()
String    'With more exploration comes more text.'    concat(), size(), substring()
18
OCL: Types of Navigation
[Class diagrams for the three kinds of navigation]
(a) Local attribute: Class_A with attributes attribute1, attribute2, …; within Class_A: self.attribute2
(b) Directly related class: Class_A and Class_B joined by a many-to-many association with role names assocAB and assocBA; within Class_A: self.assocAB
(c) Indirectly related class: Class_A to Class_B (assocAB / assocBA) and Class_B to Class_C (assocBC / assocCB), both many-to-many; within Class_A: self.assocAB.assocBC
19
Accessing Collections in OCL
OCL Notation                    Meaning
EXAMPLE OPERATIONS ON ALL OCL COLLECTIONS
c->size()                       Returns the number of elements in the collection c.
c->isEmpty()                    Returns true if c has no elements, false otherwise.
c1->includesAll(c2)             Returns true if every element of c2 is found in c1.
c1->excludesAll(c2)             Returns true if no element of c2 is found in c1.
c->forAll(var | expr)           Returns true if the Boolean expression expr is true for all elements in c. As an element is being evaluated, it is bound to the variable var, which can be used in expr. This implements universal quantification.
c->forAll(var1, var2 | expr)    Same as above, except that expr is evaluated for every possible pair of elements from c, including the cases where the pair consists of the same element.
c->exists(var | expr)           Returns true if there exists at least one element in c for which expr is true. This implements existential quantification.
c->isUnique(var | expr)         Returns true if expr evaluates to a different value when applied to every element of c.
c->select(expr)                 Returns a collection that contains only the elements of c for which expr is true.
EXAMPLE OPERATIONS SPECIFIC TO OCL SETS
s1->intersection(s2)            Returns the set of the elements found in s1 and also in s2.
s1->union(s2)                   Returns the set of the elements found in either s1 or s2.
s->excluding(x)                 Returns the set s without object x.
EXAMPLE OPERATION SPECIFIC TO OCL SEQUENCES
seq->first()                    Returns the object that is the first element in the sequence seq.
20
OCL Constraints and Contracts
A contract specifies constraints on the class state that must be valid always or at certain times, such as before or after an operation is invoked
Three types of constraints in OCL: invariants, preconditions, and postconditions
An invariant must always evaluate to true for all instance objects of a class, regardless of what operation is invoked and in what order
• applies to a class attribute
A precondition is a predicate that is checked before an operation is executed
• applies to a specific operation; used to validate input parameters
A postcondition is a predicate that must be true after an operation is executed
• also applies to a specific operation; describes how the object’s state was changed by an operation
21
Example Constraints (1)
Invariant: the maximum allowed number of failed attempts at disarming the lock must be a positive integer
– context Controller inv: self.getMaxNumOfAttempts() > 0
Precondition: to execute enterKey() the number of failed attempts must be less than the maximum allowed number
– context Controller::enterKey(k : Key) : Boolean pre: self.getNumOfAttempts() < self.getMaxNumOfAttempts()
22
Example Constraints (2)
The postconditions for enterKey() are
– (Poc1) a failed attempt is recorded
– (Poc2) if the number of failed attempts reached the maximum allowed, the system blocks and the alarm bell blurts
– Reformulate (Poc1) to:
(Poc1) if the key is not an element of the set of valid keys, then the counter of failed attempts after exiting from enterKey() must be greater by one than before entering enterKey()
context Controller::enterKey(k : Key) : Boolean
-- postcondition (Poc1):
post: let allValidKeys : Set(Key) = self.checker.validKeys() in
      if allValidKeys->exists(vk | k = vk) then
        getNumOfAttempts() = getNumOfAttempts()@pre
      else
        getNumOfAttempts() = getNumOfAttempts()@pre + 1
      endif
-- postcondition (Poc2):
post: getNumOfAttempts() >= getMaxNumOfAttempts() implies self.isBlocked() and self.alarmCtrl.isOn()
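The invariant, precondition and the two postconditions from slides 21 and 22 can be enforced at runtime, which is how a contract turns into a test oracle: every call of enterKey() is checked against them, and the OCL @pre values come from a snapshot taken before the operation runs. The following is an added example, not code from the lecture. It assumes a minimal Controller in which checker.validKeys() is modelled as a set of strings and alarmCtrl as a one-flag object; the decorator, the ContractViolation exception and the deliberately broken ForgetfulController are all constructed here to show the contract catching a defect.

```python
"""Runtime checking of the OCL contract for Controller::enterKey (slides 20 to 22).

Added example, not code from the lecture. Assumptions: validKeys is a set of
strings standing in for self.checker.validKeys(), alarmCtrl is a one-flag
object, and the minimal Controller exists only for the contract to check.
"""
import functools


class ContractViolation(AssertionError):
    pass


def contract(inv=None, pre=None, post=None, snapshot=None):
    """inv(self); pre(self, *args); post(self, old, result, *args); snapshot(self) -> old."""
    def wrap(op):
        @functools.wraps(op)
        def checked(self, *args):
            if inv and not inv(self):
                raise ContractViolation(f"invariant violated before {op.__name__}")
            if pre and not pre(self, *args):
                raise ContractViolation(f"precondition of {op.__name__} violated")
            old = snapshot(self) if snapshot else {}   # the OCL @pre values
            result = op(self, *args)
            if post and not post(self, old, result, *args):
                raise ContractViolation(f"postcondition of {op.__name__} violated")
            if inv and not inv(self):
                raise ContractViolation(f"invariant violated after {op.__name__}")
            return result
        return checked
    return wrap


class Alarm:
    def __init__(self):
        self.on = False

    def isOn(self):
        return self.on


class Controller:
    def __init__(self, valid_keys, max_num_of_attempts):
        self.validKeys = set(valid_keys)   # stands in for self.checker.validKeys()
        self.alarmCtrl = Alarm()
        self._max = max_num_of_attempts
        self._attempts = 0
        self._blocked = False

    def getMaxNumOfAttempts(self):
        return self._max

    def getNumOfAttempts(self):
        return self._attempts

    def isBlocked(self):
        return self._blocked

    def _block(self):
        self._blocked = True
        self.alarmCtrl.on = True

    # inv:  getMaxNumOfAttempts() > 0
    # pre:  getNumOfAttempts() < getMaxNumOfAttempts()
    # Poc1: valid key leaves the counter unchanged, invalid key adds exactly one
    # Poc2: counter >= maximum implies blocked and alarm on ("implies" = not a or b)
    @contract(
        inv=lambda self: self.getMaxNumOfAttempts() > 0,
        pre=lambda self, k: self.getNumOfAttempts() < self.getMaxNumOfAttempts(),
        snapshot=lambda self: {"attempts": self.getNumOfAttempts()},
        post=lambda self, old, result, k: (
            (self.getNumOfAttempts() == old["attempts"]
             if any(k == vk for vk in self.validKeys)   # allValidKeys->exists(vk | k = vk)
             else self.getNumOfAttempts() == old["attempts"] + 1)
            and (not (self.getNumOfAttempts() >= self.getMaxNumOfAttempts())
                 or (self.isBlocked() and self.alarmCtrl.isOn()))
        ),
    )
    def enterKey(self, k):
        if k in self.validKeys:
            return True
        self._attempts += 1
        if self._attempts >= self._max:
            self._block()
        return False


class ForgetfulController(Controller):
    """Deliberately defective variant: blocks but never turns the alarm on."""

    def _block(self):
        self._blocked = True


def violates(op, *args):
    """True if calling op(*args) raises ContractViolation."""
    try:
        op(*args)
    except ContractViolation:
        return True
    return False
```

The precondition also documents a safety property: once the counter has reached the maximum, no further enterKey() call is legal, so a caller that keeps retrying after the block is itself reported as a contract violation rather than silently counted.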
23
xUnit / JUnit assert_*_()
Verification is usually done using the assert_*_() methods that define the expected state and raise errors if the actual state differs
http://www.junit.org/
Examples:
– assertTrue(4 == (2 * 2));
– assertEquals(expected, actual);
– assertNull(Object object);
– etc.
24
TLA+ Specification
[State diagram for a door with a light; states: [closed, unlit], [closed, lit], [open, lit]]
Transition labels shown: turnLightOff (leaving [closed, lit]), unlock(valid key), lock, unlock(invalid key); one transition is marked “(?)”
MAIN CONFUSION: What is this state diagram representing?
The state of _what_ object?