Refinement of abstract features allows removal of classifier

[AaronGreenhouse]

Checking of abstract feature refinement allows the classifier to be removed. This is wrong, and allows violation of rule (L6):

Abstract feature declarations with data component classifier reference must only be refined to abstract features, or concrete features with a data component classifier reference, i.e., data ports, event data ports, or data access features.

Clearly an edge case has been missed, because verification does check that classifiers in the refinement are compatible with the original classifier.

I have the test package

package TestAbstractFeatureRefinement
public
	Data D
	end D;
	
	Data D2 extends D
	end D2;
	
	Data E
	end E;

	Bus B
	end B;
	
	system SrcSys
		features
			f0: out feature D;
		properties
			Classifier_Substitution_Rule => Type_Extension;
	end SrcSys;
	
	system SrcSys1 extends SrcSys
		features
			f0: refined to out feature D2; -- good subtype
	end SrcSys1;
	
	system SrcSys2 extends SrcSys
		features
			f0: refined to out feature E; -- bad, not subtype
	end SrcSys2;
	
	system SrcSys3 extends SrcSys
		features
			f0: refined to out data port D; -- good, same type
	end SrcSys3;
	
	system SrcSys4 extends SrcSys
		features
			f0: refined to out data port D2; -- good subtype
	end SrcSys4;
	
	system SrcSys5 extends SrcSys
		features
			f0: refined to out data port E; -- bad not subtype
	end SrcSys5;
	
	system SrcSys6 extends SrcSys
		features
			f0: refined to in data port D; -- bad, changed direction
	end SrcSys6;
	
	system SrcSys7 extends SrcSys
		features
			f0: refined to out data port; -- should not be allowed?  removed type
	end SrcSys7;

	system SrcSys8 extends SrcSys
		features
			f0: refined to out event port; -- should not be allowed?  removed type -- not supposed to have event here at all
	end SrcSys8;

	system SrcSys88 extends SrcSys
		features
			f0: refined to provides data access D; -- bad, changes direction
	end SrcSys88;



	
	system SrcSysNoDir
		features
			f0: feature D;
		properties
			Classifier_Substitution_Rule => Type_Extension;
	end SrcSysNoDir;


	system SrcSys9 extends SrcSysNoDir
		features
			f0: refined to provides data access; -- should not be allowed?  removed type
	end SrcSys9;

	system SrcSys10 extends SrcSysNoDir
		features
			f0: refined to provides data access D; -- good, same type
	end SrcSys10;

	system SrcSys11 extends SrcSysNoDir
		features
			f0: refined to provides data access D2; -- good, subtype
	end SrcSys11;

	system SrcSys12 extends SrcSysNoDir
		features
			f0: refined to provides data access E; -- bad,  not subtype
	end SrcSys12;
	
	system SrcSys13 extends SrcSysNoDir
		features
			f0: refined to provides bus access; -- should not be allowed?  removed type
	end SrcSys13;

	system SrcSys14 extends SrcSysNoDir
		features
			f0: refined to provides bus access D; -- bad!
	end SrcSys14;

	system SrcSys15 extends SrcSysNoDir
		features
			f0: refined to provides bus access B; -- bad!
	end SrcSys15;
end TestAbstractFeatureRefinement;

Currently there are warnings when refinement changes to an incompatible classifier, but not when the classifier is removed alltogether.

[AaronGreenhouse]

The problem (and the checking code) are not specific to abstract features.

Here is Aadl2JavaValidator.checkFeatureRefinementClassifierSubstitution():

	private void checkFeatureRefinementClassifierSubstitution(Feature feature) {
		if (!Aadl2Util.isNull(feature.getRefined())) {
			Classifier refinedCl = feature.getClassifier();
			Classifier originalCl = feature.getRefined().getClassifier();
			if (!Aadl2Util.isNull(refinedCl) && !Aadl2Util.isNull(originalCl)) {
				checkClassifierSubstitutionMatch(feature, originalCl, refinedCl);
			}
		}
	}

This example with data ports shows the problem:

package TestPortRefinement
public
	Data D
	end D;
	
	Data D2 extends D
	end D2;
	
	Data D3 extends D2
	end D3;
	
	Data E
	end E;

	Bus B
	end B;
	
	system SrcSys
		features
			f0: out data port D;
		properties
			Classifier_Substitution_Rule => Type_Extension;
	end SrcSys;
	
	system SrcSys1 extends SrcSys
		features
			f0: refined to out data port D2; -- good subtype
	end SrcSys1;
	
	system SrcSys2 extends SrcSys
		features
			f0: refined to out data port E; -- bad, not subtype
	end SrcSys2;
	
	system SrcSys3 extends SrcSys
		features
			f0: refined to out data port D; -- good, same type
	end SrcSys3;
	
	system SrcSys7 extends SrcSys
		features
			f0: refined to out data port; -- should not be allowed?  removed type
	end SrcSys7;
	
	
	
	system x1 extends SrcSys1
		features
			f0: refined to out data port; -- should not be allowed?  removed type
	end x1;
	
	system x2 extends SrcSys1
		features
			f0: refined to out data port D; -- bad, D is not a subtype
	end x2;
	
	system x3 extends SrcSys1
		features
			f0: refined to out data port D2;  -- good, same type
	end x3;
	
	system x4 extends SrcSys1
		features
			f0: refined to out data port D3; -- good, subtype
	end x4;
	
	system x5 extends SrcSys1
		features
			f0: refined to out data port E; -- bad, not related
	end x5;
	
	
	system y extends SrcSys7
		features
			f0: refined to out data port E; -- should be bad, sys7 removed the classifier, E is not compatible with the original classifier D
	end y;
	
end TestPortRefinement;

[AaronGreenhouse]

The problem is also present with subcomponent refinement:

	private void checkSubcomponentRefinementClassifierSubstitution(Subcomponent subcomponent) {
		if (!Aadl2Util.isNull(subcomponent.getRefined())) {
			ComponentClassifier refinedCl = subcomponent.getClassifier();
			ComponentClassifier originalCl = subcomponent.getRefined().getClassifier();
			if (!Aadl2Util.isNull(refinedCl) && !Aadl2Util.isNull(originalCl)) {
				checkClassifierSubstitutionMatch(subcomponent, originalCl, refinedCl);
			}
		}
	}

package TestSubcomponentRefinement
public
	system S
	end S;
	
	system S1 extends S
	end S1;
	
	system S2 extends S1
	end S1;
	
	system Other
	end Other;
	
	
	
	system Top
	end Top;
	
	system implementation Top.i
		subcomponents
			s: system S;
		properties
			Classifier_Substitution_Rule => Type_Extension;
	end Top.i;
	
	system implementation Top.i1 extends Top.i
		subcomponents
			s: refined to system ; -- should be bad, dropping the classifier
	end Top.i1;
	
	system implementation Top.i2 extends Top.i
		subcomponents
			s: refined to system S1; --Good
	end Top.i2;
	
	system implementation Top.i3 extends Top.i
		subcomponents
			s: refined to system Other; -- bad
	end Top.i3;
	
	
	
	
	system implementation Top.i4 extends Top.i2
		subcomponents
			s: refined to system ; -- should be bad, dropping the classifier
	end Top.i4;
	
	system implementation Top.i5 extends Top.i2
		subcomponents
			s: refined to system S; -- should be bad
	end Top.i5;
	
	system implementation Top.i6 extends Top.i2
		subcomponents
			s: refined to system S2; -- good
	end Top.i6;

	system implementation Top.i7 extends Top.i2
		subcomponents
			s: refined to system Other; -- bad
	end Top.i7;



	system implementation Top.i10 extends Top.i4
		subcomponents
			s: refined to system Other; -- should be bad
	end Top.i10;
end TestSubcomponentRefinement;