Validating UML and OCL models in USE by automatic snapshot generation

We study the testing and certification of UML and OCL models as supported by the validation tool USE. We extend the available USE features by introducing a language for defining properties of desired snapshots and by showing how such snapshots are generated. Within the approach, it is possible to treat test cases and validation cases. Test cases show that snapshots having desired properties can be constructed. Validation cases show that given properties are consequences of the original UML and OCL model.     

Modeling and validating Mondex scenarios described in UML and OCL with USE

This paper describes the Mondex case study with UML class diagrams and restricting OCL constraints. The constraints have been formulated either as OCL class invariants or as OCL pre- and postconditions. The proposed two models include UML class diagrams and OCL constraints which have been checked by the UML and OCL tool USE (UML-based Specification Environment). USE allows validation of a model by testing it with scenarios. The Mondex case study has been validated by positive and negative test cases. The test cases allow the validity of the various constraints to be traced and checked. Validation results are presented as textual protocols or as UML sequence diagrams where starting, intermediate, and resulting system states are represented by UML object diagrams. UML sequence diagrams, UML object diagrams, and textual protocols are shown with varying degrees of detail for the attributes, constraints, and executed commands. J. C. P. Woodcock     

Applying black-box testing to UML/OCL database models

Most Unified Modeling Language (UML) computer-aided software engineering tools have been insufficient in the development process because they provide little support for conceptual model testing. Model testing aims to ensure the correctness of a UML/OCL class diagram, or, in other words, that a given class diagram can perfectly meet the user’s requirements. This study proposes the validation of class diagrams with black-box testing, a technique used to test software without focusing on the software’s implementation or structure. An approach is proposed for the automatic transformation of the constraints of a UML/OCL class diagram into test cases. Following the creation of the test cases, they are executed with JUnit and the results produced are shown to the tester. To demonstrate the applicability of this approach, an effectiveness evaluation and an efficiency evaluation are performed here. Evaluation studies show that all faults included in a class diagram have been detected within an efficient time.     

On an equivalence between continuation and stack semantics

Summary A class of continuation models and a class of stack models for defining the semantics of programming languages are specified. A transformation is given that maps any continuation model into an equivalent stack model, and the equivalence is proved. The transformation is illustrated for an example language which includes gotos and recursive procedures.     

Least-change bidirectional model transformation with QVT-R and ATL

QVT Relations (QVT-R) is the standard language proposed by the OMG to specify bidirectional model transformations. Unfortunately, in part due to ambiguities and omissions in the original semantics, acceptance and development of effective tool support have been slow. Recently, the checking semantics of QVT-R has been clarified and formalized. In this article, we propose a QVT-R tool that complies to such semantics. Unlike any other existing tool, it also supports meta-models enriched with OCL constraints (thus avoiding returning ill-formed models) and proposes an alternative enforcement semantics that works according to the simple and predictable “principle of least change.” The implementation is based on an embedding of both QVT-R transformations and UML class diagrams (annotated with OCL) in Alloy, a lightweight formal specification language with support for automatic model finding via SAT solving. We also show how this technique can be applied to bidirectionalize ATL, a popular (but unidirectional) model transformation language.     

Full contract verification for ATL using symbolic execution

The Atlas Transformation Language (ATL) is currently one of the most used model transformation languages and has become a de facto standard in model-driven engineering for implementing model transformations. At the same time, it is understood by the community that enhancing methods for exhaustively verifying such transformations allows for a more widespread adoption of model-driven engineering in industry. A variety of proposals for the verification of ATL transformations have arisen in the past few years. However, the majority of these techniques are either based on non-exhaustive testing or on proof methods that require human assistance and/or are not complete. In this paper, we describe our method for statically verifying the declarative subset of ATL model transformations. This verification is performed by translating the transformation (including features like filters, OCL expressions, and lazy rules) into our model transformation language DSLTrans. As we handle only the declarative portion of ATL, and DSLTrans is Turing-incomplete, this reduction in expressivity allows us to use a symbolic-execution approach to generate representations of all possible input models to the transformation. We then verify pre-/post-condition contracts on these representations, which in turn verifies the transformation itself. The technique we present in this paper is exhaustive for the subset of declarative ATL model transformations. This means that if the prover indicates a contract holds on a transformation, then the contract’s pre-/post-condition pair will be true for any input model for that transformation. We demonstrate and explore the applicability of our technique by studying several relatively large and complex ATL model transformations, including a model transformation developed in collaboration with our industrial partner. As well, we present our ‘slicing’ technique. This technique selects only those rules in the DSLTrans transformation needed for contract proof, thereby reducing proving time.     

Specification-driven model transformation testing

Testing model transformations poses several challenges, among them the automatic generation of appropriate input test models and the specification of oracle functions. Most approaches for the generation of input models ensure a certain coverage of the source meta-model or the transformation implementation code, whereas oracle functions are frequently defined using query or graph languages. However, these two tasks are usually performed independently regardless of their common purpose, and sometimes, there is a gap between the properties exhibited by the generated input models and those considered by the transformations. Recently, we proposed a formal specification language for the declarative formulation of transformation properties (by means of invariants, pre-, and postconditions) from which we generated partial oracle functions used for transformation testing. Here, we extend the usage of our specification language for the automated generation of input test models by SAT solving. The testing process becomes more intentional because the generated models ensure a certain coverage of the transformation requirements. Moreover, we use the same specification to consistently derive both the input test models and the oracle functions. A set of experiments is presented, aimed at measuring the efficacy of our technique.     

The duality of fault-tolerant system structures

An examination of the structure of fault-tolerant systems incorporating backward error recovery indicates a partitioning into two broad classes. Two canonical models, each representing a particular class of systems, have been constructed. The first model incorporates objects and actions as the entities for program construction whereas the second model employs communicating processes and conversations. Applications in areas such as office information and banking systems are typically described and built in terms of the first model whereas applications in the area of process control are usually described and built in terms of the second model. The paper claims that the two models are duals of each other and presents arguments and examples to substantiate this claim. It will be shown that the techniques that have been developed within the context of one model turn out to have interesting and hitherto unexplored duals in the other model.     

航天软件测试模型构建与应用

针对航天软件高可靠性的特点,构建一种输入与输出模型测试方案,提出基于覆盖测试算法的测试方法,测试覆盖算法主要包含三种功能测试方法和三种结构测试方法。功能测试主要使用基于边界的方法、定义等价类、使用决策表分析三种方法。结构测试主要使用基于路径的测试、数据流测试、片测试三种方法。实例验证,该方法清晰明了、便于发现航天软件缺陷、降低航天软件开发风险与代价以及保证航天软件质量。     

Analysis of a two-parameter algebraic model of programs by methods developed for one-parameter models

For a particular two-parameter algebraic program model, two fundamental problems are solved: the recognition of the equivalence of program schemas in this model and the construction of a complete system of equivalent transformations (ETs) of program schemas in the model. The solution is performed by methods developed for one-parameter algebraic program models. This summarizes previous studies of this model. An important functional feature of the model is revealed: the existence of several canonical forms for the representation of schemas in their equivalence class.     

基于DBSCAN算法的测试用例优化方法

在软件测试研究领域,测试用例约简一直以来都是研究的重点,目前的一些研究利用测试需求之间复杂的相互关系得到约简的测试需求集,在此基础上可以优化对应的测试用例集,但单个测试需求所对应的测试用例集可能是一个密度分布且数量较大的集合.对单个测试需求所对应的测试用例集合进行合理优化约简,本文在这个方面做了深入的研究和探索,提出了两种基于黑盒测试的类等价划分和类边界值分析策略.基于DBSCAN算法提出了科学合理的参数取值方法,提高了算法的适应问题程度和效率,结合优化的算法和两种策略从而得到优化约简的测试用例集.     

基于OCL文法的测试用例自动生成方法研究

随着软件测试技术的飞速发展,很多自动生成和执行测试用例的方法的技术已经发展起来。对于自动生成测试用例的约束的形式化定义也有很多方法,其中,对象约束语言(OCL)就是其中最具代表性的。OCL能够弥补UML模型的不足,精确地定义约束条件。本文将着重介绍一种从OCL文法解析到约束条件分离的方法的研究结果,通过与OCL文法比较,解析输入的OCL文本,提取OCL表达式,构建约束条件树,实现约束条件分离,最终实现测试用例集的自动生成。     

On a new method for finding generalized equivalence transformations for differential equations involving arbitrary functions

A new efficient method for finding generalized equivalence transformations for a class of differential equation systems via its related extended classical symmetries is presented. This technique can be further adapted to find the equivalence transformations for the mathematical model. It applies to classes of differential systems whose arbitrary functions involve all equations’ independent variables. As a consequence, any symbolic manipulation program designed to find classical Lie symmetries can also be used to determine generalized equivalence transformations and equivalence transformations, respectively, without any modification of the program. The method has been implemented as the maple routine gendefget and is based on the maple package desolv(by Carminati and Vu). The nonlinear stationary heat conduction parameter identification problem is considered as an example.     

Minimum-entropy data partitioning using reversible jump Markovchain Monte Carlo

Problems in data analysis often require the unsupervised partitioning of a data set into classes. Several methods exist for such partitioning but many have the weakness of being formulated via strict parametric models (e.g., each class is modeled by a single Gaussian) or being computationally intensive in high-dimensional data spaces. We reconsider the notion of such cluster analysis in information-theoretic terms and show that an efficient partitioning may be given via a minimization of partition entropy. A reversible-jump sampling is introduced to explore the variable-dimension space of partition models     

一种面向形式化表格需求模型的测试用例生成方法

现代安全关键性系统的软件规模和复杂性的快速增长给这类安全关键性软件系统的开发带来了很多挑战。传统文本文档的需求描述方法无法保证此类系统的开发进度和系统可靠性要求。为此文中提出了一种兼具可读性和可自动分析的形式化表格需求建模方法。文中介绍了一种针对这种表格模型测试用例的自动生成方法,工作包括对该形式化需求表格模型展开语义分析,建立需求模型的控制树结构,得到其测试等价类;为了减少不必要的测试,定义了不同安全级别的软件需求模型的测试覆盖标准,并针对不同覆盖率准则分别给出基于控制树结构的测试路径约束选择方法;对于每条路径约束测试等价类,提出了基于域错误的测试用例选择方法,能够自动生成所需的检测域错误的测试用例集。最后,通过一个需求模型实例展示了所提方法的有效性。     

Case-based exploration of bidirectional transformations in QVT Relations

QVT Relations (QVT-R), a standard issued by the Object Management Group, is a language for the declarative specification of model transformations. This paper focuses on a particularly interesting feature of QVT-R: the declarative specification of bidirectional transformations. Rather than writing two unidirectional transformations separately, a transformation developer may provide a single relational specification which may be executed in both directions. This approach saves specification effort and ensures the consistency of forward and backward transformations. This paper explores QVT-R’s support for bidirectional model transformations through a spectrum of transformation cases. The transformation cases vary with respect to several factors such as the size of the transformation definition or the relationships between the metamodels for source and target models. The cases are solved in QVT-R, but may be applied to other bidirectional transformation languages, as well; thus, they may be used as a benchmark for comparing bidirectional transformation languages. In our work, we focus on the following research questions: functionality of bidirectional transformations in terms of relations between source and target models, solvability (which problems may be solved by a single relational specification of a bidirectional transformation), variability (does a bidirectional transformation contain varying elements, i.e., elements being specific to one direction), comprehensibility (referring to the ease of understanding and constructing QVT-R transformations), and the semantic soundness of bidirectional transformations written in QVT-R.     

A ‘division’ transformation for program and data structures and the structure clash problem

Motivated by the structure clash problem, this study examines certain formal transformations of data and program structures and relates them to the structure clash problem. It defines a division and a decomposition transformation of program and data structures with respect to one of its structure blocks. The latter allows a formal derivation of a new structure where this block appears at the beginning. The transformation is intuitively introduced for program and data structures. At the same time, it is mathematically treated in terms of regular algebra and is shown to be reflexive, symmetric and transitive. Thus, equivalence classes of regular expressions that are decompositions of each other may be defined. A formal realization of these is constructed as a type of circuitless graph.     

A simple game-theoretic approach to checkonly QVT Relations

The QVT Relations (QVT-R) transformation language allows the definition of bidirectional model transformations, which are required in cases where two (or more) models must be kept consistent in the face of changes to either or both. A QVT-R transformation can be used either in checkonly mode, to determine whether a target model is consistent with a given source model, or in enforce mode, to change the target model. A precise understanding of checkonly mode transformations is prerequisite to a precise understanding of enforce mode transformations, and this is the focus of this paper. In order to give semantics to checkonly QVT-R transformations, we need to consider the overall structure of the transformation as given by when and where clauses, and the role of trace classes. In the standard, the semantics of QVT-R are given both directly, and by means of a translation to QVT Core, a language which is intended to be simpler. In this paper, we argue that there are irreconcilable differences between the intended semantics of QVT-R and those of QVT Core, so that no translation from QVT-R to QVT Core can be semantics-preserving, and hence no such translation can be helpful in defining the semantics of QVT-R. Treating QVT-R directly, we propose a simple game-theoretic semantics. We demonstrate its behaviour on examples and show how it can be used to prove an example result comparing two QVT-R transformations. We demonstrate that consistent models may not possess a single trace model whose objects can be read as traceability links in either direction. We briefly discuss the effect of variations in the rules of the game, to elucidate some design choices available to the designers of the QVT-R language.     

一种随机化的软件模型生成方法

模型转换是模型驱动开发的核心技术. 当要把模型转换用于工业生产时, 其性能成为影响这一技术成败的关键因素之一. 为了测试模型转换程序的性能, 需要能够快速地生成一组具有较大规模的模型数据用于作为测试的输入数据. 本文提出一种随机化的模型生成方法. 该方法能够根据元模型的定义以及用户输入的约束条件随机、正确地生成模型文件. 实验结果也表明, 本方法和其它方法相比具有更好的生成效率, 从而更加适合支持模型转换的性能测试.     

Refactoring object constraint language specifications

The object constraint language (OCL) plays an important role in the elaboration of precise models. Although OCL was designed to be both formal and simple, OCL specifications may be difficult to understand and evolve, particularly those containing complex or duplicated expressions. In this paper, we discuss how refactoring techniques can be applied in order to improve the understandability and maintainability of OCL specifications. In particular, we present several potentially bad constructions often found in OCL specifications and a collection of refactorings that can be applied to replace such constructions by better ones. We also briefly discuss how refactorings can be automated and how model regression testing can be used to increase our confidence that the semantics of an OCL specification has been preserved after manually performed refactorings.