(***************************************************************************** * Featherweight-OCL --- A Formal Semantics for UML-OCL Version OCL 2.4 * for the OMG Standard. * http://www.brucker.ch/projects/hol-testgen/ * * Employee_DesignModel_OCLPart.thy --- OCL Contracts and an Example. * This file is part of HOL-TestGen. * * Copyright (c) 2012-2013 Université Paris-Sud, France * 2013 IRT SystemX, France * * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are * met: * * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. * * * Neither the name of the copyright holders nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ******************************************************************************) header{* The Employee Design Model (OCL) *} theory Employee_DesignModel_OCLPart imports Employee_DesignModel_UMLPart begin text {* \label{ex:employee-design:ocl} *} section{* Standard State Infrastructure *} text{* Ideally, these definitions are automatically generated from the class model. *} section{* Invariant *} text{* These recursive predicates can be defined conservatively by greatest fix-point constructions---automatically. See~\cite{brucker.ea:hol-ocl-book:2006,brucker:interactive:2007} for details. For the purpose of this example, we state them as axioms here. *} axiomatization inv_Person :: "Person \ Boolean" where A : "(\ \ (\ self)) \ (\ \ inv_Person(self)) = ((\ \ (self .boss \ null)) \ ( \ \ (self .boss <> null) \ (\ \ ((self .salary) `\ (self .boss .salary))) \ (\ \ (inv_Person(self .boss))))) " axiomatization inv_Person_at_pre :: "Person \ Boolean" where B : "(\ \ (\ self)) \ (\ \ inv_Person_at_pre(self)) = ((\ \ (self .boss@pre \ null)) \ ( \ \ (self .boss@pre <> null) \ (\ \ (self .boss@pre .salary@pre `\ self .salary@pre)) \ (\ \ (inv_Person_at_pre(self .boss@pre))))) " text{* A very first attempt to characterize the axiomatization by an inductive definition - this can not be the last word since too weak (should be equality!) *} coinductive inv :: "Person \ (\)st \ bool" where "(\ \ (\ self)) \ ((\ \ (self .boss \ null)) \ (\ \ (self .boss <> null) \ (\ \ (self .boss .salary `\ self .salary)) \ ( (inv(self .boss))\ ))) \ ( inv self \)" section{* The Contract of a Recursive Query *} text{* The original specification of a recursive query : \begin{ocl} context Person::contents():Set(Integer) post: result = if self.boss = null then Set{i} else self.boss.contents()->including(i) endif \end{ocl} *} consts dot_contents :: "Person \ Set_Integer" ("(1(_).contents'('))" 50) axiomatization where dot_contents_def: "(\ \ ((self).contents() \ result)) = (if (\ self) \ = true \ then ((\ \ true) \ (\ \ (result \ if (self .boss \ null) then (Set{self .salary}) else (self .boss .contents()->including(self .salary)) endif))) else \ \ result \ invalid)" consts dot_contents_AT_pre :: "Person \ Set_Integer" ("(1(_).contents@pre'('))" 50) axiomatization where dot_contents_AT_pre_def: "(\ \ (self).contents@pre() \ result) = (if (\ self) \ = true \ then \ \ true \ (* pre *) \ \ (result \ if (self).boss@pre \ null (* post *) then Set{(self).salary@pre} else (self).boss@pre .contents@pre()->including(self .salary@pre) endif) else \ \ result \ invalid)" text{* These \inlineocl{@pre} variants on methods are only available on queries, \ie, operations without side-effect. *} section{* The Contract of a Method *} text{* The specification in high-level OCL input syntax reads as follows: \begin{ocl} context Person::insert(x:Integer) post: contents():Set(Integer) contents() = contents@pre()->including(x) \end{ocl} *} consts dot_insert :: "Person \ Integer \ Void" ("(1(_).insert'(_'))" 50) axiomatization where dot_insert_def: "(\ \ ((self).insert(x) \ result)) = (if (\ self) \ = true \ \ (\ x) \ = true \ then \ \ true \ \ \ ((self).contents() \ (self).contents@pre()->including(x)) else \ \ ((self).insert(x) \ invalid))" end