Docstoc

overture

Document Sample
overture Powered By Docstoc
					                                          SAC2007 (PSC Track)




Context-aware Feature-Oriented Modeling
with an Aspect Extension of VDM




  Naoyasu Ubayashi (Kyushu Institute of Technology)
  Shin Nakajima    (National Institute of Informatics)


  March 13, 2007

                                                         1
Motivation

   Embedded systems react to a certain
    change in the context.
   The context results in a set of
    description fragments spreading over
    a lot of modules.

      context
      feature

                    modules

                 embedded system
                                           2
Example: an electric pot
   pot


         thermistor                  liquid
  water level sensor
                                    context
                        heater
               system



                                 liquid
                                   - water or milk?
    PourIn PourOut      Boil         - water level
                                     - temperature
                                   - air pressure
               pot
                                     …
                                                      3
       Our approach

          We propose
           - Context-aware FOM (feature-oriented modeling)
           - VDM-based design for Formal Analysis
           - AspectVDM (aspect-oriented VDM descriptions)
             and Proof obligation generation


                          Cross-cutting
  feature
composition
                   System features
                        (VDM)              Context features
                                               (VDM)

                                                              4
     Context-aware FOM
             System Line                               Context Line
              Features                                  Features

             Electric Pot                              Physical World
                                compose

   Control        Sensor        Actuator         Air Pressure            Liquid
  Software
                             Heater      Level
                                                                   Water           Milk
                                         Meter

Pressure Liquid Level       Thermister
                                                                required feature
                                                                optional feature

                                                                                     5
         Incremental Development
          --- Separation of context concerns
               Step1:                        Step2:
               model system specifications   model context specifications

                             Electric
                                                  Water
                             Pot_0

Step3:
compose the system
and context specifications
                             Electric
                                                 Pressure
                             Pot_1




                             Electric
                                                Not discussed here
                             Pot_2
                                                                     6
                                                                                      Electronic
                                                                                        Pot_0



Step 1: model system specifications
types
  Tem = <Zero> | <Room> | <Hot> | <Max> ;
  Level = <Below> | <Above> ;
  Switch = <On> | <Off> ;
                                                                State Definitions
state Pot of
  temp : Tem
  liquid : Level
  heat : Switch                        Invariants
inv pot == (pot.liquid = <Below>) => (pot.heat = <Off>)
init pot == pot = mk_Pot(<Room>,<Below>,<Off>)
end

                       PourIn                     SwitchOn
                                                                   Boil [ T < Max ]


     <T, Below, Off>            <T, Above, Off>          <T, Above, On>




                       PourOut                    SwitchOff
                                                               Boil [ T == Max ]
                                                                                           7
                                                    References to State Variables
       Operations
operations
 PourIn()
  ext wr liquid : Level                       SwitchOn()
       rd heat : Switch                        ext wr heat : Switch
  pre (liquid = <Below>) and (heat = <Off>)        rd liquid : Level
  post (liquid = <Above>) ;                    pre (liquid = <Above>) and (heat = <Off>)
                                               post (heat = <On>) ;
 PourOut()
  ext wr liquid : Level                       SwitchOff()
      rd heat : Switch                         ext wr heat : Switch
  pre (liquid = <Above>) and (heat = <Off>)        rd liquid : Level
  post (liquid = <Below>) ;                    pre (liquid = <Above>) and (heat = <On>)
                                               post (heat = <Off>) ;
 Boil()
  ext wr temp : Tem
        rd liquid : Level
        wr heat : Switch
  pre (liquid = <Above>) and (heat = <On>)
  post (      (temp~ = <Max>) => (heat = <Off>))
   and (not(temp~ = <Max>) => (temp = incTem(temp~)))




                                                Pre- and Post-Conditions
                                                                                   8
                                                                           Model
                                                                           Water



   Step 2: model context specifications
   types
     Vol = <Empty> | <Little> | <Large> | <Full> ;
     Tem = <Zero> | <Room> | <Hot> | <Max> ;
     Water :: t : Tem
              v : Vol
              p : real
     inv mk_Water(x,y,z) == (x in set { <Zero>, <Room>, <Hot>, <Max> })
                   and (y in set { <Empty>, <Little>, <Large>, <Full> })
                   and (z in set { 1.0, 0.53 })

   functions
     heatUp (w : Water) r : Water
      pre w.v <> <Empty>
      post (ltTem(w.t, critical(w.p)) => (r = mk_Water(incTem(w.t), w.v, w.p)))
       and ((w.t = critical(w.p))     => (r = mk_Water(w.t, decVol(w.v), w.p))) ;

    critical(p : real) r : Tem
     post ((p = 1.0) => (r = <Max>)) and ((p = 0.53) => (r = <Hot>)) ;



Critical Temperature to Boil Depends on Air-Pressure
                                                                               9
                                       Electronic       Model       Electronic
                                         Pot_0      +   Water         Pot_1
     Step 3: compose
     the system and context specifications

     state Pot of
                                A New Reference to Context Variable
        temp : Tem
        liquid : Level
        heat : Switch
        water : Water
      inv pot == (pot.liquid = <Below>) => (pot.heat = <Off>)
             and (pot.temp = pot.water.t)
             and ((pot.liquid = <Below>) <=> (ltVol(pot.water.v, <Little>)))
      init pot ==
           pot = mk_Pot(<Room>,<Below>,<Off>,mk_Water(<Room>,<Little>,1.0))
        or pot = mk_Pot(<Room>,<Below>,<Off>,mk_Water(<Room>,<Little>,0.53))
      end




Further Invariants are Added


                                                                        10
 operations
   PourIn()
    ext wr liquid : Level
         rd heat : Switch
         wr water : Water
    pre (liquid = <Below>) and (heat = <Off>)
    post (liquid = <Above>) and (water.v = <Large>);

   PourOut()
    ext wr liquid : Level
        rd heat : Switch
        wr water : Water
    pre (liquid = <Above>) and (heat = <Off>)
    post (liquid = <Below>) and (water.v = <Little>);

   Boil()
    ext wr temp : Tem
          rd liquid : Level
          wr heat : Switch
          wr water : Water
    pre (liquid = <Above>) and (heat = <On>)
    post ( (temp~ = <Max>) => (heat = <Off>))
     and (not(temp~ = <Max>) => ((temp = incTem(temp~))
     and (water = heatUp(water~))));



Pre- and Post-conditions (of Operations) are Changed Adequately
Separation of context concerns is nice,
but …

   Writing down VDM descriptions to follow
    the idea of separation of context concerns
    requires to edit various parts of the base
    description (Electric Pot_0).

   The modification is scattered. The process
    is not systematic as well as error-prone.

   Our approach is to introduce aspects in
    VDM-SL to propose AspectVDM.

                                                 12
Introducing Aspects into VDM-SL
   Join Point Model
       Pointcut & Advice <- Basically Editting

   Heterogeneous Aspects
       Dedicated Mostly to a Particular Join Point
       As opposed to Homogeneous Aspects such as
        Logging
                           Colyer, A. and Clement, A.:
                           Large-Scale AOSD for Middleware.
                           In Proc. AOSD2004
   More?
       Proof Obligation


                                                        13
   AspectVDM JPM
             Aspect Module             Base Design in VDM
         pointcut PCD():               OP1
pointcut    precondition(OP1)          pre P1
          || precondition(OP2)         post Q1
                                                 join point
advice   assert() : PCD()              OP2
          == P3                        pre P2
                                       post Q2
                             weaving

                       OP1
                       pre P1 and P3
                       post Q1
         woven VDM
                       OP2
                       pre P2 and P3
                       post Q2                                14
Pointcut & Advice

Pointcut
   precondition    select a set of pre-conditions
                   denoted by pre
   postcondition   select a set of post-conditions
                   denoted by post
   invariant       select a set of invariants
                   denoted by inv
   init            select a set of initialization
                   denoted by init

Advice
   assert          append logical expressions
                   (connected by and operator)
   retract         retract logical expressions
   replace         replace initializations
                                                     15
 Aspect for the Pot Example
aspect pot_water of

 Pot.water : Water                                         Inter-type declaration
 ext wr Pot.PourIn().water : Water
 ext wr Pot.PourOut().water : Water
 ext wr Pot.Boil().water : Water

                                                           Pointcut & Advice
 pointcut   potinv() : invariant(Pot.pot)
 pointcut   potinit() : init(Pot.pot)
 pointcut   pourinpost() : postcondition(Pot.PourIn())
 pointcut   pouroutpost() : postcondition(Pot.PourIn())
 pointcut   boilpost() : postcondition(Pot.Boil())

 assert() : potinv() == (pot.temp = pot.water.t)
   and ((pot.liquid = <Below>) <=>(ltVol(pot.water.v, <Little>)))

 replace() : potinit() ==
     pot = mk_Pot(<Room>,<Below>,<Off>,mk_Water(<Room>,<Little>,1.0))
  or pot = mk_Pot(<Room>,<Below>,<Off>,mk_Water(<Room>,<Little>,0.53))

 assert() : pourinpost() == (water.v = <Large>)
 assert() : pouroutpost() == (water.v = <Little>)
 assert() : boilpost() == (water = heatUp(water~))

end                                                                            16
Weaving in AspectVDM

   Verification in VDM-SL is performed by
    Discharging Proof obligations.

   Weaving in AspectVDM is not just a
    syntactical transformation alone.

   How Proof Obligations are generated should
    be considered.




                                             17
                                                  Aspect for the pot
                                                 aspect pot_water of

                                                  Pot.water : Water                                         Inter-type declaration
                                                  ext wr Pot.PourIn().water : Water
                                                  ext wr Pot.PourOut().water : Water




Woven Descriptions
                                                  ext wr Pot.Boil().water : Water

                                                                                                            Pointcut & Advice
                                                  pointcut   potinv() : invariant(Pot.pot)
                                                  pointcut   potinit() : init(Pot.pot)
                                                  pointcut   pourinpost() : postcondition(Pot.PourIn())
                                                  pointcut   pouroutpost() : postcondition(Pot.PourIn())
                                                  pointcut   boilpost() : postcondition(Pot.Boil())

                                                  assert() : potinv() == (pot.temp = pot.water.t)
                                                    and ((pot.liquid = <Below>) <=>(ltVol(pot.water.v, <Little>)))

                                                  replace() : potinit() ==
                                                       pot = mk_Pot(<Room>,<Below>,<Off>,mk_Water(<Room>,<Little>,1.0))
                                                    or pot = mk_Pot(<Room>,<Below>,<Off>,mk_Water(<Room>,<Little>,0.53))




State
                                                  assert() : pourinpost() == (water.v = <Large>)
                                                  assert() : pouroutpost() == (water.v = <Little>)
                                                  assert() : boilpost() == (water = heatUp(water~))

                                                 end                                                                            21




Its component may be added : S changes to S+δS
For init, the initialization pattern may be completely
 changed : K(S) changes to L(S+δS)
For inv, the invariant may be added : I(V) changes to
 I(V)∧J(V+δV)
                 [note: V represents a set of component names defined in S]



Operation
The pre- and post-conditions may be modified :
For pre, P changes to P'
For post, Q changes to Q'

                                                                                                                             18
Consistency is Required
Aspect
The addition to inv is valid : I(V)∧J(V+δV)
The modification to pre is valid : ∀S' | P'
The modification to post is valid : ∀S' | Q'
                                         [note: S' refers to S+δS]



Operation
Since an operation Op after weaving (denoted by Opw)
 should be valid in the context where the original base Op
 is valid, the formula for Opw should be satisfied.
 ∀S' | P ⇒ P'


                                                                     19
Not All are Re-Generated

Policy for Preservation
  All the operations being not woven are
   expected to be valid after the weaving.
  The proof obligations before the weaving
   are supposed to be preserved.

Policy for re-generation

  An addition to invariants may invalidate
   some pre- and/or post-conditions.
  New proof obligations should be generated.
                                              20
   Re-Generation
All Operators having references to Variables in Added Invariants
                                     v-name(J) : variable names in J
v-name(J) ∩ ext(Op) = Φ              ext(Op)   : variable names in ext of Op

should be re-analyzed to generate proof obligations



Aspects will violates the Base Description if

∀S‘ | (P∧I)∧J and ∀S‘ | (Q∧I)∧J

are not satisfied

Added Invariant may violate either P or Q or both of such Op.


                                                                       21
Aspects in VDM

   This work  Implicit Style
       Explicit Style (execution semantics) :
        Aspects would be different from Ours


   Refinement has been Studied Much
       Refinement : into Programs
       Weaving : Base and Aspects are at the
        same abstraction level


                                                 22
Related work

   Aspect extension of Z and Object-Z
    [Yu, H. et al. 2005, 2006]
                Description only (no Proof Obligation studied)

   Aspects in JML
    [Yamada and Watanabe 2005]
                Description only (no Proof Obligation studied)


   Aspects in Caml
    [Masuhara et al 2005]
                 Strongly-typed programming language
                  Aspects in Explicit Style VDM
                                                            23
Conclusion

   Feature-oriented Modeling Method
     + VDM-based Formal Design

   AspectVDM for Reducing the Gap
       Heterogenenous Aspects
       Proof Obligation is Studied


   Semantics have not been studied yet

                                       24

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:6
posted:8/4/2011
language:English
pages:24