=Paper=
{{Paper
|id=Vol-2019/modevva_5
|storemode=property
|title=Adding Random Operations to OCL
|pdfUrl=https://ceur-ws.org/Vol-2019/modevva_5.pdf
|volume=Vol-2019
|authors=Antonio Vallecillo,Martin Gogolla
|dblpUrl=https://dblp.org/rec/conf/models/VallecilloG17
}}
==Adding Random Operations to OCL==
https://ceur-ws.org/Vol-2019/modevva_5.pdf
Adding Random Operations to OCL
Antonio Vallecillo Martin Gogolla
Universidad de Málaga, Spain University of Bremen, Germany
av@lcc.uma.es gogolla@informatik.uni-bremen.de
Abstract—This paper presents an extension of OCL to allow could give different results for the two calls of any(),
modellers to deal with random numbers and probability distri- although USE [4] (and every other OCL evaluator that we are
butions in their OCL specifications. We show its implementation aware of) gives the same result for both calls. But there are
in the tool USE and discuss some advantages of this new feature
for the validation and verification of models. also other OCL operations that introduce non-deterministic,
random-like effects, for example, when one converts a col-
I. I NTRODUCTION lection without order into an order-aware collection, e.g.,
There are many situations in which there is a degree of in Bag{7,8,7}->asSequence(). However, randomness
uncertainty about some aspects, features or properties of the also involves returning different (valid) values in separate
system to be modelled. For example, if we are modelling a executions of the operations.
community of human beings, what is the percentage of female The paper is organized in 7 sections. After this introduction,
persons that we want to include in our models? How many of Sect. 2 provides an overview of what OCL currently offers and
them are expected to be left-handed? This may be important what should be required. Then, Sect. 3 and Sect. 4 describe the
in order to generate the models that will be used during the OCL extensions to deal with random numbers and probability
testing, validation and verification processes so that they are distributions, respectively. Section 5 illustrates the proposal
as much accurate and representative as possible. Similarly, with a couple of examples, and Sect. 6 gives details about
assuming that we are modelling a manufacturing system with how the new OCL operations have been implemented. Finally,
UML and OCL [10], how to handle the requirements that Sect. 7 concludes and outlines some lines of future work.
orders are received following an exponential distribution, or
II. R ANDOMNESS IN OCL
that 0.5 % of the parts are produced with some kind of defect?
In most modelling and simulation environments, the use Non-determinism and random-like behavior is
of random numbers and probability distributions are used to already present in OCL mainly through collections
combine definite knowledge (female, male; left-handed, right- operations asSequence() and any() [8]. More precisely,
handed) with an uncertain view on the result or the population OCL defines any() as follows: Returns any element in the
for a test case. Expectations and assumptions that remain source collection for which body evaluates to true. Returns
uncertain or imprecise at high-level, are made precise and invalid if any body evaluates to invalid for any element,
can be realized by stating the corresponding percentages, or otherwise if there are one or more elements for which body
the probability distributions that some properties or param- is true, an indeterminate choice of one of them is returned,
eters follow. In this way, confidence on the validation and otherwise the result is invalid.
verification processes can be increased by experimenting with Then, the OCL standard [8, 11.9.1] formally specifies it as
different percentages (that have different likelihoods) and by follows:
inspecting the results obtained. Likewise, random numbers source−>any ( iterator | body ) =
are used to generate test models with varying sizes and source−>select ( iterator | body )−>asSequence ( )−>first ( )
characteristics, in order to increase the coverage of the test As we can see, it bases its indeterminism in the behaviour of
cases. operation asSequence(), which is defined for general type
In this paper, we present an extension to OCL that allows Collection and returns a Sequence that contains all the
modellers to handle random numbers in their specifications, elements from self, in an order dependent on the particular
as well as probability distributions. We show its implemen- concrete collection type. Its specification is as follows:
tation in the tool USE [4], [5] (UML-based Specification
p o s t : result−>forAll ( elem | self−>includes ( elem ) )
Environment), and discuss some examples for the validation p o s t : self −>forAll ( elem | result−>includes ( elem ) )
and verification of models.
Non-determinism and random-like behavior is already For example, for a given Set it returns a Sequence that
present in OCL, for example, through the operation any(). contains all the set elements, in undefined order.
Most proof-theoretic OCL approaches, such as [1] or [3] p o s t : result−>forAll ( elem | self−>includes ( elem ) )
p o s t : self−>forAll ( elem | result−>count ( elem ) = 1 )
do not speak about the evaluation of equations involv-
ing any(), for example, Set{7,8}->any(true) = As mentioned above, despite in theory this allows any OCL
Set{7,8}->any(true). In principle, an OCL evaluator evaluator to return a different value for the same Set every
�time it is executed, in practice this does not happen and the However, specifying this property in OCL deserves its own
same element is always returned. line of research [2] and it is postponed for future work.
The problem is that when it comes to other collections, the In addition, we need seeds. Operation srand() permits
OCL specification of any() seems to be wrong, since it only knowing and changing the seed for the random number
works for Set and Bag collections because for the other two generator. It is defined over Integers:
there is no indeterminism at all. More precisely, for Bag it may c o n t e x t I n t e g e r : : srand ( ) : I n t e g e r
work, since operation asSequence() returns a Sequence
that contains all the elements from self, in undefined order. Then, given an integer n, if n > 0 then n.srand() starts
a new random sequence with n as the new seed (the seed is
p o s t : result−>forAll ( elem |
self−>count ( elem ) = result−>count ( elem ) ) an integer), and returns the value of the previous seed. To
p o s t : self −>forAll ( elem | accommodate to the current possibilities of USE, we decided
self−>count ( elem ) = result−>count ( elem ) )
to restrict to integer values below 107 . Thus, this operation
However, the behaviour of asSequence() is completely takes the given value modulo 107 . If n <= 0, this operation
deterministic for collections OrderedSet and Sequence. generates a seed automatically using the current time and other
For the former, the operation returns a Sequence that con- system values.
tains all the elements from self, in the same order. To illustrate how these operations work, the following listing
p o s t : Sequence { 1 . . self . size ( )}−>
shows their results when executed in USE:
forAll ( i | result−>at ( i ) = self−>at ( i ) ) use> ? 1 . rand ( )
−> 0 . 0 9 1 5 2 8 6 0 8 1 1 5 1 2 5 5 3 : Real
Similarly for Sequence collections, where use> ? 2 . rand ( )
−> 1 . 8 3 7 1 3 9 7 3 6 4 7 9 4 9 1 2 : Real
asSequence() returns the Sequence identical to use> ? 2 . rand ( )
the object itself. This operation exists for convenience −> 0 . 6 6 4 6 4 0 1 4 7 2 3 0 2 7 1 2 : Real
use> ? 2 . rand ( )
reasons. −> 1 . 5 4 1 7 6 4 9 5 1 0 7 8 0 3 3 4 : Real
p o s t : result = self use> ? 2 . rand ( )
−> 0 . 9 9 0 2 1 2 3 3 3 6 3 9 1 6 7 : Real
use> ? 2 . rand ( )
This means that any() applied to a Sequence or an −> 1 . 6 7 6 0 7 0 7 5 6 2 8 1 9 5 7 : Real
OrderSet will always return its first element, and not use> ? 2 . rand ( )
−> 1 . 8 3 5 6 4 5 4 6 4 1 1 8 6 4 8 : Real
an indeterminate choice of one of them as its specification use> ? 1 . srand ( )
requires. −> 32783 : I n t e g e r
use> ? 1 . srand ( )
This is why we propose the following specification for −> 1 : I n t e g e r
operation any(), which does not have this problem: use> ? 0 . srand ( )
−> 1 : I n t e g e r
p o s t : self−>includes ( result ) use> ? 0 . srand ( )
−> 2297549 : I n t e g e r
use> ? 0 . srand ( )
−> 3220924 : I n t e g e r
III. S PECIFYING RANDOM NUMBERS IN OCL use> ? 0 . srand ( )
−> 3666729 : I n t e g e r
Random numbers are generated by extending OCL
type Real with an operation called rand(). If
x.oclIsOfType(Real) then x.rand() returns a IV. P ROBABILITY D ISTRIBUTIONS IN OCL
random Real number between 0 and x. Using the random number generator operation, it is easy
c o n t e x t Real : : rand ( ) : Real to build the most commonly used distribution probability
p o s t indeterminism : functions:
i f self > 0 . 0 t h e n
( 0 . 0 <= result ) and ( result < self ) context Real : : normalDistr ( s : Real ) : Real
e l s e i f self < 0 . 0 t h e n context Real : : pdf01 ( ) : Real
( result <= 0 . 0 ) and ( self < result ) context Real : : pdf ( m : Real , s : Real ) : Real
e l s e / ∗ self = 0 . 0 ∗ / result = self context Real : : cdf01 ( ) : Real
endif context Real : : cdf ( m : Real , s : Real ) : Real
endif context Real : : expDistr ( ) : Real
For example 1.rand() returns a random number in the in- They are all defined as extensions to type Real. With this,
terval [0..1). If you need a number in the interval [a..b) if x is a real number, then
you can use the expression “a + (b-a).rand().” • x.normalDistr(s) returns a value of a Nor-
Note that every invocation of rand() operation may return mal (Gaussian) distribution N (x, s) (for example
a different number, and that randomness requires an addi- 0.normalDistr(1) returns the value of a N (0, 1)
tional requirement to the postcondition (indeterminism) distribution),
expressed above. This is why operation any() is not enough • x.pdf01() returns a value of the distribution function
to implement random numbers. Randomness also requires P DF (x) of a Gaussian Distribution N (0, 1), i.e., with
that the sequence of results obtained by consecutive calls mean=0 and σ = 1,
to operation rand() contains no recognizable patterns or • x.pdf(m,s) returns a value of the distribution function
regularities—i.e., that the sequence is statistically random [7]. P DF (x) of a N (m, s),
� Object diagram
P:Producer
T:Tray C:Consumer
x=0
x=1 x=2
y=0
y=0 y=0
counter=3
cap=3 counter=3
meanProductionTime=5.0
Item1:Item S:Tray
Fig. 1. Class diagram for the production system. x=3 x=3
y=0 y=0
productionTime=2.537489273455895 cap=3
defective=false
• x.cdf01() returns a value of the cumulative distri- polished=true
bution function CDF (x) of a Gaussian Distribution
Item3:Item
N (0, 1), Item2:Item
x=3 x=3
• x.cdf(m,s) returns a value of the cumulative distribu- y=0
y=0
tion function CDF (x) of a N (m, s), and productionTime=2.943935931267827 productionTime=4.957766186962824
defective=false
• x.expDistr() returns a value of an exponential dis- defective=false
polished=false polished=true
tribution with mean x, i.e., Exp(1/x), or 0.0 if x=0.0.
V. T WO S IMPLE E XAMPLES
Fig. 2. Object diagram after producing three items.
A. A Production System
To illustrate our proposal let us suppose first a simple
production system whose metamodel is depicted in Fig. 1. One possible result of executing the system after the pro-
Producers produce items that are placed in trays (bounded duction of 3 items is shown in Fig. 2.
buffers), from where consumers collect them when informed
that elements are ready (by operation elementReady()), B. A Social Network
polish them, and finally place them in the storage trays. We Random numbers can also be used to determine other
want to simulate the system with some uncertainty about the parameters of the system, or even the number of objects that
time producers take generating items and the probability of we would like to have in our test models.
producers and consumers to introduce defects when handling In Fig. 3 a simple model of a social network is shown. For
the items. validation purposes, two object diagrams (shown in Fig. 4)
For example, suppose that we want producers to produce have been generated by operation generate() using the
items according an exponential distribution with mean 5.0, proposed random features. The generated object diagrams
and that the probability of machines to introduce defects is differ with respect to attribute values and the structure that
0.05. Using our OCL extension and its implementation in USE is defined by the Friendship links.
the description of operations Producer::produce() and The definition of operation generate() is given below.
Consumer::elementReady() is as follows: The example demonstrates that, with the newly introduced
produce ( ) : Item OCL features, the generation of test cases showing different
begin
result : = new Item ; characteristics is supported.
self . counter : = self . counter + 1 ;
result . productionTime : = generate ( numObj : Int , numLink : Int )
self . meanProductionTime . expDistr ( ) ; begin
result . polished : = false ; declare i : Int ,
result . defective : = p , q : Profile ,
i f 1 . rand ( ) < 0 . 0 5 t h e n true ps : Seq ( Profile ) ;
e l s e false ps : = Sequence {};
endif ; for i in Sequence { 1 . . numObj} do
end p : = new Profile ;
elementReady ( ) ps : = ps−>including ( p ) ;
begin p . firstN : =
declare it : Item ; names−>at ( 1 + names−>size ( ) . rand ( ) . floor ( ) ) ;
it : = self . input . get ( ) ; end ;
it . polished : = i f 1 . rand ( ) < 0 . 0 5 t h e n false for i in Sequence { 1 . . numLink} do
e l s e true p : = ps−>at ( 1 + ps−>size ( ) . rand ( ) . floor ( ) ) ;
endif ; q : = ps−>at ( 1 + ps−>size ( ) . rand ( ) . floor ( ) ) ;
it . defective : = it . defective or i f p . inviter−>excludes ( q ) and
( i f 1 . rand ( ) < 0 . 0 5 t h e n true p . invitee−>excludes ( q ) t h e n
e l s e false insert ( p , q ) into Friendship
endif ) ; end ;
self . storageTray . put ( it ) ; end ;
self . counter : = self . counter + 1 ; end
end
�
0
return Random . srand ( $self ) % 1000000
else
return Random . srand ( ) % 10000000
end
]]>
Fig. 3. Class diagram for the Social Network.
If self is positive then srand() starts a new random
sequence with self as new seed (the seed is integer), and
it returns the current seed. Given that Ruby’s initial seed is
a huge integer number that cannot be handled by USE, this
operation takes the modulo with 107 . If self is equal or less
than 0 then the operation uses the default Ruby srand()
operation that generates a seed automatically using the time
and other system values.
Finally, we have also implemented the probability distri-
butions mentioned in Sect. 3 and show some of them in the
following listing.
Fig. 4. Object diagrams with random links.
Let us describe now how we have implemented this ex-
tension in USE. First, USE provides an extension mecha-
nism that permits adding operations to basic types. Folder
oclextensions in the USE directory permits adding new
files with the signature of the new operations, and their
implementation in Ruby [9].
Real.xml) in the oclextensions folder:
Math . sqrt ( $self )
]]>
12
srand() operations is simple: 0 . 5 i f z == 0 . 0
� i f z > 0.0 [5] M. Gogolla and F. Hilken. Model Validation and Verification Options
e = true in a Contemporary UML and OCL Analysis Tool. In Proc. Model-
else lierung’2016, pages 203–218. GI, LNI 254, 2016.
e = false [6] Pontus Johnson, Johan Ullberg, Markus Buschle, Ulrik Franke, and
z = −z
end
Khurram Shahzad. P2AMF: Predictive, Probabilistic Architecture Mod-
z = z . to_f eling Framework, pages 104–117. Springer, 2013.
z2 = z ∗ z [7] M.G. Kendall and B. Babington Smith. Randomness and random
t = q = z ∗ Math . exp( −0.5 ∗ z2 ) / ( Math . sqrt ( 2 ∗ Math : : sampling numbers. Journal of the Royal Statistical Society, 101(1):147–
,→PI ) ) 166, 1938.
3 . step ( 1 9 9 , 2 ) do | i | [8] OMG. Object Constraint Language (OCL), version 2.4. Object
prev = q Management Group, December 2014. OMG formal/2014-02-03.
t ∗= z2 / i [9] D. Thomas. Programming Ruby 1.9 & 2.0. Pragmatic Bookshelf, 4
q += t
i f q <= prev
edition, 2013.
return ( e ? 0 . 5 + q : 0 . 5 − q ) [10] J. Warmer and A. Kleppe. The Object Constraint Language: Getting
end Your Models Ready for MDA. Addison-Wesley, 2nd Edition, 2004.
end
e ? 1.0 : 0.0
end
cdf01 ( ( $self−$m ) / $s )
]]>
VII. C ONCLUSIONS
In this paper we have introduced a simple extension of
OCL to deal with random numbers and probability dis-
tributions in OCL specifications. It uses the USE exten-
sion mechanisms to implement the new operations, em-
ploying the underlying Ruby implementation and some of
its supported functions. All files and operations described
here can be downloaded from https://www.dropbox.com/s/
2j9tgejbj507id0/oclextensions.zip?dl=0. To our knowledge, the
only similar proposal is [6], a modelling framework for the
predictive analysis of architectural properties.
Counting on these new operations offers interesting benefits
to model developers and testers. For example, they are now
able to capture some assumptions of the real world that
correspond to stochastic events, or for which there is little
information. We are also able to generate random sets of
models, and models with random values in their elements’
attributes, thus permitting richer input test suites for achieving
model-based testing.
Our current plans for extensions of this work include the
experimentation with larger case studies, in order to analyze
the applicability and expressiveness of our approach, and
the addition of further probability distributions that could be
required in other situations.
Acknowledgments. This work was supported by Research
Project TIN2014-52034-R.
R EFERENCES
[1] T. Baar. Non-deterministic Constructs in OCL: What Does any() Mean.
In Proc. 12th Int. SDL Forum, LNCS 3530, pages 32–46, 2005.
[2] Robert Bill, Achim D. Brucker, Jordi Cabot, Martin Gogolla, Antonio
Vallecillo, , and Edward D. Willink. Workshop in ocl and textual
modelling. report on recent trends and panel discussions. In Proc. of
STAF 2017 Satellite Events, LNCS. Springer, 2017.
[3] A.D. Brucker and B. Wolff. HOL-OCL: A Formal Proof Environment
for UML/OCL. In Proc. FASE’08, LNCS 4961, pages 97–100, 2008.
[4] M. Gogolla, F. Büttner, and M. Richters. USE: A UML-based specifi-
cation environment for validating UML and OCL. Science of Computer
Programming, 69:27–34, 2007.
�