Metamodel-based model conformance and multiview consistency checking

Model-driven development, using languages such as UML and BON, often makes use of multiple diagrams (e.g., class and sequence diagrams) when modeling systems. These diagrams, presenting different views of a system of interest, may be inconsistent. A metamodel provides a unifying framework in which to ensure and check consistency, while at the same time providing the means to distinguish between valid and invalid models, that is, conformance. Two formal specifications of the metamodel for an object-oriented modeling language are presented, and it is shown how to use these specifications for model conformance and multiview consistency checking. Comparisons are made in terms of completeness and the level of automation each provide for checking multiview consistency and model conformance. The lessons learned from applying formal techniques to the problems of metamodeling, model conformance, and multiview consistency checking are summarized

Fair Refinement for Asynchronous Session Types

International audienceSession types are widely used as abstractions of asynchronous message passing systems. Refinement for such abstractions is crucial as it allows improvements of a given component without compromising its compatibility with the rest of the system. In the context of session types, the most general notion of refinement is the asynchronous session subtyping, which allows to anticipate message emissions but only under certain conditions. In particular, asynchronous session subtyping rules out candidates subtypes that occur naturally in communication protocols where, e.g., two parties simultaneously send each other a finite but unspecified amount of messages before removing them from their respective buffers. To address this shortcoming, we study fair compliance over asynchronous session types and fair refinement as the relation that preserves it. This allows us to propose a novel variant of session subtyping that leverages the notion of controllability from service contract theory and that is a sound characterisation of fair refinement. In addition, we show that both fair refinement and our novel subtyping are undecidable. We also present a sound algorithm, and its implementation, which deals with examples that feature potentially unbounded buffering

Session Communication and Integration

The scenario-based specification of a large distributed system is usually naturally decomposed into various modules. The integration of specification modules contrasts to the parallel composition of program components, and includes various ways such as scenario concatenation, choice, and nesting. The recent development of multiparty session types for process calculi provides useful techniques to accommodate the protocol modularisation, by encoding fragments of communication protocols in the usage of private channels for a class of agents. In this paper, we extend forgoing session type theories by enhancing the session integration mechanism. More specifically, we propose a novel synchronous multiparty session type theory, in which sessions are separated into the communicating and integrating levels. Communicating sessions record the message-based communications between multiple agents, whilst integrating sessions describe the integration of communicating ones. A two-level session type system is developed for pi-calculus with syntactic primitives for session establishment, and several key properties of the type system are studied. Applying the theory to system description, we show that a channel safety property and a session conformance property can be analysed. Also, to improve the utility of the theory, a process slicing method is used to help identify the violated sessions in the type checking.Comment: A short version of this paper is submitted for revie

Frameworks: the future of formal software development?

It could be argued that the primary issue to be dealt with in software engineering today is re-use of software. Current software development rarely, if ever, starts from nothing. Unfortunately, the same cannot be said for the development of specifications. To overcome this problem, various works have attempted to show how specifications can be built using architectural principles. We discuss one such approach in particular, the Architectural Semantics of Open Distributed Processing. We show the limitations of this work with regard to the architecting of specifications and propose a new approach, based on frameworks. To highlight the approach we use the work currently being done in the TOSCA project in its development of a service creation and validation environment for telecommunication services

Foundations of Session Types and Behavioural Contracts

International audienceBehavioural type systems, usually associated to concurrent or distributed computations, encompass concepts such as interfaces, communication protocols, and contracts, in addition to the traditional input/output operations. The behavioural type of a software component specifies its expected patterns of interaction using expressive type languages, so that types can be used to determine automatically whether the component interacts correctly with other components. Two related important notions of behavioural types are those of session types and behavioural contracts. This paper surveys the main accomplishments of the last twenty years within these two approaches

Mutation, Aliasing, Viewpoints, Modular Reasoning, and Weak Behavioral Subtyping

Existing work on behavioral subtyping either ignores aliasing or restricts the behavior of additional methods in a subtype and only allows one to use invariants and history constraints in reasoning. This prevents many useful subtype relationships; for example, a type with immutable objects (e.g., immutable sequences), cannot have a behavioral subtype with mutable objects (e.g., mutable arrays). Furthermore, the associated reasoning principle is not very useful, since one cannot use the pre- and postconditions of methods. Weak behavioral subtyping permits more behavioral subtype relationships, does not restrict the behavior of additional methods in subtypes, and allows the use of pre- and postconditions in reasoning. The only cost is the need to restrict aliases so that objects cannot be manipulated through the view of more than one type

Transforming ASN.1 Specifications into CafeOBJ to assist with Property Checking

The adoption of algebraic specification/formal method techniques by the networks' research community is happening slowly but steadily. We work towards a software environment that can translate a protocol's specification, from Abstract Syntax Notation One (ASN.1 - a very popular specification language with many applications), into the powerful algebraic specification language CafeOBJ. The resulting code can be used to check, validate and falsify critical properties of systems, at the pre-coding stage of development. In this paper, we introduce some key elements of ASN.1 and CafeOBJ and sketch some first steps towards the implementation of such a tool including a case study.Comment: 8 pages, 12 figure