Skip to main content
SpringerLink
Log in

Declaratively building behavior by means of scenario clauses

  • Original Article
  • Published:
Requirements Engineering Aims and scope Submit manuscript

Abstract

Behavior needs to be understood from early stages of software development. In this context, incremental and declarative modeling seems an attractive approach for closely capturing and analyzing requirements without early operational commitment. A traditional choice for such a kind of modeling is a logic-based approach. Unfortunately, in many cases, the formal description and validation of properties result in a daunting task, even for trained people. Moreover, some authors established some practical limitations with temporal logics expressive power. In this work, we present omega-feather weight visual scenarios (\(\omega\)-FVS) a declarative language, not founded on temporal logics, but on simple graphical scenarios, powerful enough to express \(\omega\)-regular properties. The notation is equipped with declarative semantics based on morphisms, and a tableau procedure is given enabling the possibility of automatic analysis.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12
Fig. 13
Fig. 14
Fig. 15
Fig. 16
Fig. 17
Fig. 18
Fig. 19
Fig. 20
Fig. 21
Fig. 22
Fig. 23
Fig. 24
Fig. 25
Fig. 26
Fig. 27
Fig. 28
Fig. 29
Fig. 30
Fig. 31
Fig. 32

Similar content being viewed by others

Notes

  1. Rule scenarios represent the FVS’s version of Conditional scenarios available in VTS [12].

References

  1. Alfonso A, Braberman V, Kicillof N, Olivero A (2004) Visual timed event scenarios. In: 26th ICSE’04, pp 168–177

  2. Areces C, Hoffmann G, Denis A (2010) Modal logics with counting. In: 17th workshop on logic, language, information and computation, Brazil. Springer, Berlin, Heidelberg, pp 98–109

  3. Asteasuain F, Braberman V (2010) Specification patterns can be formal and also easy. In: The 22nd international conference on software engineering and knowledge engineering (SEKE), pp 430–436

  4. Autili M, Inverardi P, Pelliccione P (2007) Graphical scenarios for specifying temporal properties: an automated approach. ASE 14(3):293–340

    Google Scholar 

  5. Autili M, Pelliccione P (2008) Towards a graphical tool for refining user to system requirements. In: Electronic notes in theoretical computer science (ENTCS), vol 211, pp 147–157

  6. Bianculli D, Ghezzi C, Pautasso C, Senti P (2012) Specification patterns from research to industry: a case study in service-based applications. In: Proceedings of the 2012 international conference on software engineering. IEEE Press, pp 968–976

  7. Bloem R, Cavada R, Eisner C, Pill I, Roveri M, Semprini S (2004) Manual for property simulation and assurance tool (deliverable 1.2/4–5). In: Technical report, PROSYD Project, Technical Report

  8. Boker U, Chatterjee K, Henzinger TA, Kupferman O (2011) Temporal specifications with accumulative values. In: 26th annual IEEE symposium on logic in computer science (LICS), 2011. IEEE, pp 43–52

  9. Bosscher D, Polak I, Vaandrager F (1994) Verification of an audio control protocol. In: Formal techniques in real-time and fault-tolerant systems. Springer, Berlin, Heidelberg, pp 170–192

  10. Bouajjani A, Lakhnech Y, Yovine S (1996) Model checking for extended timed temporal logics. In: Formal techniques in real-time and fault-tolerant systems. Springer, Berlin, Heidelberg, pp 306–326

  11. Braberman V, Garbervestky D, Kicillof N, Monteverde D, Olivero A (2009) Speeding up model checking of timed-models by combining scenario specialization and live component analysis. In: Formal modeling and analysis of timed systems. Springer, Berlin, Heidelberg, pp 58–72

  12. Braberman V, Kicillof N, Olivero A (2005) A scenario-matching approach to the description and model checking of real-time properties. IEEE TSE 31(12):1028–1041

    Google Scholar 

  13. Clarke E, Grumberg O, Peled D (1999) Model checking. Springer, New York

    Google Scholar 

  14. “Buchi online Store”. In: http://buchi.im.ntu.edu.tw/index.php/browse/index/

  15. Cobleigh R, Avrunin G, Clarke L (2006) User guidance for creating precise and accessible property specifications. In: Proceedings of the 14th ACM SIGSOFT international symposium on foundations of software engineering. ACM, p 218

  16. Dalal S, Jain A, Karunanithi N, Leaton J, Lott C, Patton G, Horowitz B (1999) Model-based testing in practice. In: Proceedings of the 21st international conference on software engineering. ACM, pp 285–294

  17. David S, Orni A (2005) Property-by-example guide: a handbook of psl/sugar examples-prosyd deliverable d1. 1/3

  18. De Alfaro L, Henzinger T (2001) Interface automata. ACM SIGSOFT Softw Eng Notes 26(5):120

    Article  Google Scholar 

  19. Dillon L, Kutty G, Moser L, Melliar-Smith P, Ramakrishna Y (1994) A graphical interval logic for specifying concurrent systems. ACM Trans Softw Eng Methodol (TOSEM) 3(2):131–165

    Article  MATH  Google Scholar 

  20. D’Ippolito N, Braberman V, Piterman N, Uchitel S (2010) Synthesis of live behaviour models. In: Proceedings of the 18th ACM SIGSOFT international symposium on foundations of software engineering. ACM SIGSOFT

  21. Dwyer M, Avrunin G, Corbett J “Specification Patterns Web Site”. In: http://patterns.projects.cis.ksu.edu/documentation/patterns.shtml

  22. Dwyer M, Avrunin G, Corbett J (1999) Patterns in property specifications for finite-state verification. In: Proceedings of the 21st international conference on software engineering ICSE, vol 99

  23. Eisner C, Fisman D (2006) A practical introduction to PSL (series on integrated circuits and systems). Springer, Secaucus

    Google Scholar 

  24. Fritz C, Wilke T (2002) State space reductions for alternating büchi automata quotienting by simulation equivalences. In: FST TCS 2002: foundations of software technology and theoretical computer science. Springer, pp 157–168

  25. Gary MR, Johnson DS (1979) Computers and intractability: a guide to the theory of np-completeness. W. H. Freeman and Company, San Francisco

  26. Giannakopoulou D, Magee J (2003) Fluent model checking for event-based systems. In: Proceedings of the 9th European software engineering conference. ACM, p 266

  27. Harel D, Marelly R Playing with time: On the specification and execution of time-enriched lscs. In: MASCOTS ’02. IEEE computer society, pp 193–202

  28. Holzmann G (2002) The logic of bugs. ACM Softw Eng Notes 27(6):87

    Article  Google Scholar 

  29. IEEE-Commission et al (2005) Ieee standard for property specification language (psl). Tech. rep., Technical report, IEEE, 2005. IEEE Std 1850-2005

  30. Konrad S, Cheng B (2005) Real-time specification patterns. In: Proceedings of the 27th ICSE. ACM, pp 372–381

  31. Kupferman O, Piterman N, Vardi M (2001) Extended temporal logic revisited. In: CONCUR 2001 concurrency theory, pp 519–535

  32. Lamsweerde AV (2001) Goal-oriented requirements engineering: a guided tour. In: RE’01—international joint conference on RE

  33. Linn J (1993) RFC1508: generic security service application program interface RFC Editor United States

  34. Luckham D (2011) Event processing for business: organizing the real-time enterprise. Wiley, Hoboken

    Google Scholar 

  35. McCarthy J, Hayes P (1968) Some philosophical problems from the standpoint of artificial intelligence. Stanford University

  36. [MS-NNS] (2008) NET NegotiateStream Protocol Specification v2.0. http://msdn.microsoft.com/en-us/library/cc236723.aspx, July (2008)

  37. Noda N, Kishi T (2006) An aspect-oriented modeling mechanism based on state diagrams. In: 9th international workshop on AOM

  38. Pelov N, Denecker M, Bruynooghe M (2007) Well-founded and stable semantics of logic programs with aggregates. Theory Pract Logic Program 7(3):301

    Article  MathSciNet  MATH  Google Scholar 

  39. Piterman N, Pnueli A, Sa’ar Y (2006) Synthesis of reactive (1) designs. In: Lecture notes in computer science, vol 3855, p 364

  40. Pnueli A (1977) The temporal logic of programs. In: 18th annual symposium on foundations of computer science, 1977. IEEE, pp 46–57

  41. Pnueli A (1986) Applications of temporal logic to the specification and verification of reactive systems: a survey of current trends. Current trends in Concurrency pp 510–584

  42. Post A, Hoenicke J (2012) Formalization and analysis of real-time requirements: a feasibility study at bosch. In: VSTTE, pp 225–240

  43. Post A, Menzel I, Hoenicke J, Podelski A (2012) Automotive behavioral requirements expressed in a specification pattern system: a case study at bosch. Requir Eng 17(1):19–33

    Article  Google Scholar 

  44. R, RW, Viggers K (2004) Implementing protocols via declarative event patterns. In: ACM sigsoft international symposium on FSE (FSE-12), pp 158–169

  45. Sánchez C, Leucker M (2010) Regular linear temporal logic with past. In: Verification, model checking, and abstract interpretation. Springer, pp 295–311

  46. Sengupta B, Cleaveland R (2002) Triggered message sequence charts. In: SIGSOFT FSE, pp 167–176

  47. Sibay G, Uchitel S, Braberman V (2008) Existential live sequence charts revisited. In: Proceedings of ICSE. ACM New York, pp 41–50

  48. Smith M, Holzmann G, Etessami K (2001) Events and constraints: a graphical editor for capturing logic requirements of programs. In: Proceedings of fifth IEEE international symposium on requirements engineering, 2001. IEEE, pp 14–22

  49. Smith R, Avrunin G, Clarke L, Osterweil L (2002) Propel: an approach supporting property elucidation. ICSE 24:11–21

    Article  Google Scholar 

  50. Somenzi F, Bloem R (2000) Efficient büchi automata from ltl formulae. In: Computer aided verification. Springer, pp 248–263

  51. Tsay Y, Chen Y, Tsai M, Wu K, Chan W (2007) Goal: A graphical tool for manipulating büchi automata and temporal formulae. In: Tools and algorithms for the construction and analysis of systems, pp 466–471

  52. Tsay Y, Tsai M, Chang J, Chang Y (2011) Büchi store: an open repository of büchi automata. In: Tools and algorithms for the construction and analysis of systems pp 262–266

  53. Uchitel S, Kramer J, Magee J (2002) Negative scenarios for implied scenario elicitation. In: Proceedings of FSE ’02. ACM Press, pp 109–118

  54. Utting M, Legeard B (2007) Practical model-based testing: a tools approach. Morgan Kaufmann, San Francisco

    Google Scholar 

  55. Van Harmelen F, Lifschitz V, Porter B (2008) Handbook of knowledge representation, vol 1. Elsevier Science, San Diego

    MATH  Google Scholar 

  56. Vardiy M, Wolperz P (1994) Reasoning about infinite computations

  57. Veanes M, Schulte W (2008) Protocol modeling with model program composition. In: Lecture notes in computer science, vol 5048, p 324

  58. Wolper P (1983) Temporal logic can be more expressive. Inf Control 56(1–2):72–99

    Article  MathSciNet  MATH  Google Scholar 

  59. Wolper P, Vardi M, Sistla A (1983) Reasoning about infinite computation paths. In: 24th annual symposium on foundations of computer science, 1983. IEEE, pp 185–194

  60. Wu Z (2007) On the expressive power of qltl. In: Proceedings of the 4th international conference on theoretical aspects of computing. Springer, pp 467–481

Download references

Acknowledgments

This work was partially funded by ANPCYT PICT 1774/11 and 0724/12, UBACYT W0813 and 0384,MEALS 295261, PIP 112 201301 00688 CO and UNDAVCyT 2014. Víctor Braberman is also affiliated to CONICET.

Author information

Authors and Affiliations

  1. Departamento de Computación, Facultad de Ciencias Exactas y Naturales, Universidad de Buenos Aires, Pabellon I, Ciudad Universitaria, C1428EGA, Buenos Aires, Argentina

    Fernando Asteasuain & Víctor Braberman

  2. Ing. en Informática, Departamento de Tecnología y Administración, Universidad Nacional de Avellaneda, Mario Bravo 1460, Piñeyro, 1870, Buenos Aires, Argentina

    Fernando Asteasuain

Authors
  1. Fernando Asteasuain
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Víctor Braberman
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Fernando Asteasuain.

Appendices

Appendix 1: Demonstration lemma on tableau states characterization

We will know prove Lemma 7.1 detailed in Sect. 7.3. This lemma relates traces of the system and states of the built automaton. In essence, the lemma says that every trace leading to a given state can be matched, at least, in one of the situations in that state. What is more, this matching is maximal

Lemma .1

(Tableau states characterization) Given a rule R: \(f:A \rightarrow C, e:A^{'} \rightarrow A, e^{i}:C^{i} \rightarrow C, i \in [1..k]\) morphisms, a state S of the automaton obtained for R and a trace t leading to S, then \(\exists\) a situation \(\eta , \eta \in S\), including morphisms: \(g_i:A^{'} \rightarrow C^{i}, i \in [1..k]\), and \(\exists h: A^{'} \rightarrow t, h_i:C_i \rightarrow t (i \in [1..k])\) such that

  • Condition 1: \(h_i \circ g_i = h\)

  • Condition 2: \(\forall w: A^{'} \rightarrow C^{'}, e^{'}: C^{'} \rightarrow C\), where \(w,e,e^{'}\) and f satisfy conditions 1, 2, and 3 from Definition 7.1, if \(\exists p: C^{'} \rightarrow t\) such that \(p \circ w = h\) then \(\exists i\) (\(p=g_i\)).

Proof

Note that the lemma is equivalent to \(\forall\) trace t and \(\forall\) state S such that t leads to S, condition 1 and condition 2 of the lemma hold. This is due to the fact that all the states are reachable. Thus, we will prove this formulation using an induction proof on the length of a given trace t. For the base case, we consider a trace with length = 0. We need to prove that \(\exists\) a situation \(\eta , \eta \in S\), including morphisms: \(g_i:A^{'} \rightarrow C^{i}, i \in [1..k]\), and \(\exists h: A^{'} \rightarrow t, h_i:C_i \rightarrow t (i \in [1..k])\) such that the conditions of the lemma hold. We can prove that the initial state of the automata \(S^0\) is the desired state S. The initial state \(S^0\) contains a situation including the empty morphism (i.e., a morphism from \(\emptyset \rightarrow \emptyset\)). This situation is actually the expected situation \(\eta\). What is more, the empty morphism also constitutes the morphisms h and \(h_i\) wanted, since t has length = 0. Therefore it can be trivially seen that \(h_i \circ g_i = h\), satisfying condition 1 of the lemma. Condition 2 is also satisfied, since the only valid morphism for a trace t with length = 0 is the empty morphism, which is present in the initial state \(S^0\).

Now we prove the lemma for a trace with length = n + 1, assuming that the conditions holds for traces with length = n, which constitutes the Induction Hypothesis. We will note as \(t_{n+1}\) an arbitrary trace with length n + 1, and \(t_{n}\) the trace \(t_{n+1}\) without its last element (noted as minterm m). In order to prove the lemma for \(t_{n+1}\) we need to see that \(\forall\) state \(S^{'}\), where \(t_{n+1}\) leads to \(S^{'}\), \(\exists\) a situation \(\eta ^{'}\), including morphisms \(g_i^{'}\), such that both conditions of the lemma hold. Due to the equivalence between traces and trace scenarios (see Definition 3.7), we can see trace \(t_{n+1}\) as a succession of minterms. We know by the induction hypothesis that for \(t_{n} \exists\) a situation \(\eta , \eta \in S\), including morphisms: \(g_i:A^{'} \rightarrow C^{i}, i \in [1..k]\), and \(\exists h: A^{'} \rightarrow t_{n}, h_i:C_i \rightarrow t_{n}\) such that the conditions of the lemma hold. The candidate situation \(\eta ^{'}\) is the situation that the tableau algorithm builds upon \(\eta\) when calculating the advances by minterm m. When obtaining successor states of state S in lines 5 and 6 of Algorithm 1, all the situations in the state are “advanced” considering all possible matches. In particular, situation \(\eta\) will be considered. When advancing a situation, all its morphisms are advanced in lines 2 of Algorithms 2 and 3, considering any possible matching in the antecedent and consequents of the rule for a given minterm. That is, morphisms \(g_i: A^{'} \rightarrow C^{i}\) will be advanced considering minterm m. Algorithms 2 and 3 compute advances by calculating advances in a configuration, which has been previously defined in Sect. 7.1. Let be \(A ^{''}\) and \(C^{''i}\) the configurations obtained through \(A ^{'} \mathop {\longrightarrow }\limits ^{m} A^{''}\) and \(C^{i} \mathop {\longrightarrow }\limits ^{m} C^{''i}\) respectively. Morphisms \(g_i^{'} \in \eta ^{'}\) are equal to morphisms \(g_i \in \eta\) for those elements \(\in A ^{'}\), and for those new elements in the antecedent (those in \(A^{''}\)\(A ^{'}\)) morphisms \(g_i^{'}\) relates them to the new elements in the consequent (those in \(C^{''i}- C^{i}\)).

Given a state \(S^{'}\) containing a situation \(\eta ^{'}\) build as explained, we now build the candidates morphisms \(h^{'}\) and \(h_i^{'}\) upon morphisms h and \(h_i\) as follows. \(h^{'}(x)= h(x), \forall x \in A^{'}\) and \(h^{'}(x)= n+1, \forall x \in A^{''}-A^{'}\). Note that n + 1 is the last position of trace \(t_{n+1}\), which is labeled with minterm m. Similarly, \(h_i^{'}(x)= h_i(x), \forall x \in C^{i}\) and \(h^{'}(x)= n+1, \forall x \in C^{''i}-C^{i}\).

Now we prove that the candidates \(g_i^{'}, h^{'}\) and \(h_i^{'}\) satisfy both conditions of the lemma. To prove condition 1, we need to see that \(h_i^{'} \circ g_i^{'} = h^{'}\). By definition, all the candidates \(g_i^{'}, h^{'} h_i^{'}\) behave exactly like \(g_i, h\) and \(h_i\) for those elements in \(A ^{'}\). We also know by the induction hypothesis that \(h_i \circ g_i = h\). Therefore, we only need to prove that \(h_i^{'} \circ g_i^{'} = h^{'}\) for the new elements added by the processing of minterm m. That is, for those points in \(A^{''}\)\(A^{'}\). We know by definition that \(h^{'}\) relates these points to n + 1. Following the definition of \(g_i^{'}\), we know that the new elements in the antecedent are related to the new elements in the consequent \(C^{''i}\). And by definition, \(h^{'}\) relates these points to n + 1. Therefore, \(h_i^{'} \circ g_i^{'} = h^{'}\) and condition 1 is satisfied.

To prove condition 2 we proceed as follows. We assume that the maximality condition does not hold for \(t_{n+1}\). Therefore, there exists situation \(\eta ^{'}\) such that \(\exists\) state \(S^{'}, t_{n+1}\) leads to \(S^{'}, \eta ^{'} \not \in S^{'}\). We know that the range of \(\eta ^{'}\) includes minterm m, the last minterm of \(t_{n+1}\). Otherwise, \(\eta ^{'}\) would have been a situation for \(t_{n}\), which is an absurd since by know by the induction hypothesis that the maximality condition holds for \(t_{n}\). Lets considerate a situation \(\eta\) that eliminates n + 1 from the situation \(\eta ^{'}\). That is, it removes all the pairs that are related to n + 1. It is easy to see that \(\eta\) is a situation of \(t_n\). Consequently, we know by the induction hypothesis that \(\forall\) state S, where \(t_n\) leads to \(S, \eta \in S\). However, since the algorithm advances all possible situations in each state, \(\eta ^{'}\) would have been included in one of the successors of S when calculating the processing of minterm m. This contradicts our assumption, so we are forced to conclude that the maximality conditions hold for a traces \(t_{n+1}\), and condition 2 is satisfied. Since both conditions hold, the lemma is demonstrated. \(\square\)

Appendix 2: .NET NegotiateStream protocol example modeled in \(\omega\)-FVS

In this appendix we model the behavior of the client and the server of the .NET NegotiateStream protocol following its specification document [36]. The modeling assumptions described in Sect. 6.3 also apply to this appendix.

2.1 Client behavior modeled in \(\omega\)-FVS

The most important sections of the specification document describing the client behavior are: section 3.1.4 Higher-Layer Triggered Events and section 3.1.5 Message Processing Events and Sequencing rules. The first one includes the subsections 3.1.4.1 Application Invocation of the .NET NegotiateStreamProtocol, 3.1.4.2 Application Request to Send Data, and 3.1.4.3 Application Request to Close Stream. The second one includes different subsections focused on the information exchanged over the different states of the stream: section 3.1.5.1, which is focused on the CreatingSecurityToken state, section 3.1.5.2, which is focused on the WaitingForHandshakeMessage state, section 3.1.5.3, which is focused on the ProcessingFinalToken state, section 3.1.5.4, which is focused on the WaitingForHandshakeDone state, and finally section 3.1.5.5, which is focused on the Authenticated state. In what follows we describe the client’s behavior.

We start with three requirements extracted from the Application Invocation of the .NET NegotiateStreamProtocol stage:

  • Initial requirement: Uninitialized is the initial state of the stream.

  • R1: If an application invocation is received when the stream state is not equal to Unitialized, an error must be returned to the application.

  • R2: If the function returns GSS_S_Complete the implementation must set the stream state to CreatingSecurityToken.

The rules in Fig. 33 model these requirements. As mentioned before, we use the event AnyOtherStreamState to represent the disjunction of all the others state events apart from the ghost event mentioned in the rule. For the rules in Fig. 33 the event AnyOtherStreamState its representing any other state than Uninitialized. More concretely, the rule at the top of the figure addresses the initial requirement: the Uninitialized state must be the initial state. The second rule addresses requirement R1, specifying that an ERROR event should occur if the application is invoked in an invalid state. The rule at the bottom of the figure tackles requirement R2. When the GSS-API returns the GSS_S_Complete value, the stream enters the CreatingSecurityToken state.

Fig. 33
figure 33

Rules modeling the initial state and requirements R1 and R2

Full size image

Similar to requirement R1, requirement R3 says the data transmission can only start, while the stream state is in the authenticated state. This requirement belongs to the Application Request to Send Data stage and it is shown in Fig. 34:

  • R3: If the application requests data to be transferred while not in the Authenticated state, an error must be returned.

Fig. 34
figure 34

Rules modeling requirement R3

Full size image

The last subsection of the Sect. 3.1.4 Higher-Layer Triggered events deals with the application request to close a stream. This is described in requirement R4 (shown in Fig. 35 ). Since the application can, at any time request that the stream to be closed, be use the event AnyStreamState to represent the disjunction of all possible states of the stream.

  • R4: When a request to close the stream is received, the stream state must be set to Closed. The application can at any time request that the stream be closed.

Fig. 35
figure 35

Rule modeling requirement R4

Full size image

We now describe the behavior of the client as detailed in section 3.1.5 Message Processing Events and Sequencing rules of the specification document.

2.1.1 Message processing events and sequencing rules: client side

The following requirements deal with the message processing events and sequencing rules while the stream state is CreatingSecurityToken, as detailed in section 3.1.5.1 of the specification document. In this case, the GSS-API returns any of three possible outcomes: ERROR, to report that an error has occurred, GSS_S_Complete to indicate the end of the negotiation, or GSS_S_Continue_Needed to indicate that further negotiation is needed. The rule in the top of Fig. 35 describes these assumptions. Requirements R5, R6, and R7 handle the expected behavior for any possible outcome value.

  • R5: If the GSS_Init_sec_context returns a status of GSS_S_Complete, the stream state must be set to WaitingForHandshakeDone.

  • R6: If the GSS_Init_sec_context returns a status of GSS_S_Continue_Needed, the stream state must be set to WaitingForHandshakeMessage.

  • R7: If the GSS_Init_sec_context returns a status of ERROR, the stream state must be set to Uninitialized.

Rules in Fig. 36 model requirements R4, R5 and R6. The first rule describes the possible outcomes using three different consequents (one for each option), and the rules below that one reflect the expected change of state.

Fig. 36
figure 36

Rules modeling requirements R5, R6, and R7

Full size image

The requirements extracted from the section 3.1.5.2 of the specification document, which is focused on the WaitingForHandshakeMessage state, are described next and shown as rules in Fig. 37.

  • R8: Upon the receipt of a message HandshakeInProgress, the stream state must be set to CreatingSecurityToken.

  • R9: Upon the receipt of a message HandshakeDone, the stream state must be set to ProcessingFinalToken.

  • R10: Upon the receipt of a message of ERROR, the stream state must be set to Closed.

Fig. 37
figure 37

Rules modeling requirements R8, R9, and R10

Full size image

Section 3.1.5.3 of the specification document focuses on the ProcessingFinalToken state. In this case, if the GSS-API returns a value of GSS_S_Complete, this indicates that the negotiation succeeded and the stream state enters the Authenticated state so that data transmission can be initiated. Otherwise, the stream state is set to Uninitialized. These are requirements R11 and R12, which are shown in Fig. 38.

Fig. 38
figure 38

Rules modeling requirements R11 and R12

Full size image

We now model requirements extracted from section 3.1.5.4, focused on the WaitingForHandshakeDone state of the specification document. These requirements (requirements R13 and R14) involve the end of the negotiation, either because a HandshakeDone event has been received (indicating that the negotiation is over and data transmission can begun) or because an error has occurred.

  • R13: If the message has a handshakeId of HandshakeDone, the stream state must be set to Authenticated.

  • R14: If the message has a handshakeId of ERROR, the stream must be set to Closed.

Rules in Fig. 39 reflect the expected behavior denoted in requirements R13 and R14.

Fig. 39
figure 39

Rules modeling requirements R13 and R14

Full size image

Finally, the client behavior is completed with section 3.1.5.5 Receiving Data in the Authenticated state of the specification document. Requirement R15 says that stream state keeps the Authenticated state while data are being transmitted (represented by the eventsSendData and ReceiveData). The rule for this requirement is shown in Fig. 40.

Fig. 40
figure 40

Rules modeling requirement R15

Full size image

2.2 Server behavior modeled in \(\omega\)-FVS

Section 3.2 Server details of the specification document describes the behavior of the server. Regarding the server’s perspective, the possible states for the stream are: Uninitialized, CreatingSecurityToken, WaitingForHandshakeMessage, ProcessingFinalToken, Authenticated, and Closed. Section 3.2.4 Higher-Layer triggered events of the specification document describes how the server may be invoked, when it can transfer data, and when it accepts to close the stream. These behavior is covered by subsections 3.2.4.1 Application Invocation, 3.2.4.2 Application Request to Send Data, and 3.2.4.3 Application Request to Close Stream. In what follows, we introduce several rules in our language to model each one of them.

Three requirements can be extracted from the section 3.2.4.1 Application Invocation. Those are:

  • R16: Uninitialized is the initial state of the stream.

  • R17: If an application invocation is received when the stream state is not equal to Unitialized, an error must be returned to the application.

  • R18: If the function returns GSS_S_Complete, the implementation must set the stream state to WaitingForHandshakeMessage.

Rules in Fig. 41 exhibit the expected behavior of requirements R16, R17 and R18.

Fig. 41
figure 41

Rules modeling requirements R16, R17, and R18

Full size image

Section 3.2.4.2 Application Request to Send Data of the specification documents introduces requirement R20, which is modeled in the rule of Fig. 42:

  • R19: If the application requests data to be transferred while not in the Authenticated state, an error must be returned.

Fig. 42
figure 42

Rules modeling requirement R19

Full size image

Finally, 3.2.4.3 Application Request to Close Stream details how and when a request to close the stream can be issued. This introduces requirement R20, which is described next and shown in the rule of Fig. 43.

  • R20: When a request to close the stream is received, the stream state must be set to Closed. The application can at any time request that the stream be closed.

Fig. 43
figure 43

Rule modeling requirement R20

Full size image

2.3 MessageProcessing events and sequencing rules: server side

Section 3.2.5 MessageProcessing Events and Sequencing Rules of the specification document describe how the server’s state evolves. This section includes four subsections: 3.2.5.1 WaitingForHandshakeMessage State, 3.2.5.2 CreatingSecurityToken State, 3.2.5.3 ProcessingFinalToken State and 3.2.5.4 Authenticated State. In what follows, we model each one of them.

Three requirements can be extracted from section 3.2.5.1 WaitingForHandshakeMessage State of the specification document. Those are:

  • R21: Upon the receipt of a message HandshakeInProgress, the stream state must be set to CreatingSecurityToken.

  • R22: Upon the receipt of a message HandshakeDone, the stream state must be set to ProcessingFinalToken.

  • R23: Upon the receipt of a message of ERROR, the stream state must be set to Closed.

Rules in Fig. 44 reflect the behavior for requirements R21, R22, and R23.

Fig. 44
figure 44

Rules modeling requirements R21, R22, and R23

Full size image
Fig. 45
figure 45

Rules modeling requirements R24, R25, and R26

Full size image

Section 3.2.5.2 CreatingSecurityToken State of the specification document introduces three new requirements. Those are:

  • R24 If the GSS_Init_sec_context returns a status of GSS_S_Complete, the stream state must be set to Authenticated.

  • R25: If the GSS_Init_sec_context returns a status of GSS_S_Continue_Needed, the stream state must be set to WaitingForHandshakeMessage.

  • R26: If the GSS_Init_sec_context returns a status of ERROR, the stream state must be set to Uninitialized.

Rules in Fig. 45 model requirements R24, R25, and R26. The first rule describes the possible outcomes using three different consequents (one for each option), and the rules below that one reflect the expected change of state.

Fig. 46
figure 46

Rules modeling requirements R27 and R28

Full size image
Fig. 47
figure 47

Rules modeling requirement R29

Full size image

Section 3.2.5.3 ProcessingFinalToken State of the specification document introduces two new requirements (shown in Fig. 46). Those are

  • R27 If the GSS_Init_sec_context returns a status of GSS_S_Complete, the stream state must be set to Authenticated.

  • R28: If the GSS_Init_sec_context returns a status of ERROR, the stream state must be set to Uninitialized.

Finally, section 3.2.5.4 of the specification document deals with the information exchanged in the Authenticated state. This behavior is analogs to that presented when modeling the client: The stream state keeps the Authenticated state, while data are being transmitted (represented by the eventsSendData and ReceiveData). The rule for this requirement (R29) is shown in Fig. 47.

2.4 Translation of \(\omega\)-FVS rules into Büchi automata

We now conclude this appendix showing a simplified version (in not showing accepting states) of the automata generated using the tableau algorithm described in Sect. 7. Figure 48 shows the automaton describing the behavior of the client, whereas Fig. 49 reflects the behavior of the server. In order to favor readability, ghosts events are shown in italics, whereas actual events are not.

Fig. 48
figure 48

The automaton built by the tableau for the client behavior

Full size image
Fig. 49
figure 49

The automaton built by the tableau for the server behavior

Full size image

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Asteasuain, F., Braberman, V. Declaratively building behavior by means of scenario clauses. Requirements Eng 22, 239–274 (2017). https://doi.org/10.1007/s00766-015-0242-2

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s00766-015-0242-2

Keywords

Search

Navigation