M INERVA (Metamodel-based Intuitive Editors with Reports and Visualizations of Analysis) Laura A. Campbell Advisor: Dr. Betty H.C. Cheng Software Engineering and Network Systems Lab Michigan State University This work has been supported in part by NSF grants EIA , CDA , CDA , CCR , CCR , and DARPA grant No. F managed by Air Force’s Rome Laboratories, Eaton Corporation, and a Motorola doctoral fellowship.
M INERVA Overview Extends previous work (see Hydra) that attaches formal semantics to informal graphical object-oriented modeling notations (such as UML) in order to automatically generate formal specifications for a number of target languages. Investigates the integration of different techniques for automatically analyzing the graphical diagrams via their formal specifications with existing analysis tools. Explores visualization of analysis results within the context of the original graphical diagrams, augmentation of the diagrams with added information, and report generation.
Hydra Overview M INERVA, a complementary system to Hydra, is designed both as a graphical front-end to the Hydra tool and as a visualization environment for analysis results. Underlying the Hydra tool is a general framework for attaching semantics to Unified Modeling Language (UML) graphical diagrams via formal languages. Hydra parses a textual representation of an integrated collection of UML diagrams comprising a model of a software system. Hydra then generates appropriate formal specifications.
Architecture of M INERVA UML 1 Diagram in DoME 2 format Diagram reports Analysis reports Visualization commands HIL 3 Analysis results (raw) Analysis results (processed) UML diagram editors Plug-ins Perl scripts [1] Unified Modeling Language [2] M INERVA is built atop DoME, Honeywell’s Domain Model Editing utility ( [3] Hydra Intermediate Language
Using M INERVA M INERVA Hydra Analysis tool UMLHIL Analysis results Diagram reports Analysis reports Spec* * Hydra can automatically generate formal specifications for a number of target languages, including VHDL and Promela. The analysis tool used would be appropriate for the target language.
Diagram Well-Formedness M INERVA ’s graphical class and state diagram editors prevent the construction of diagram components that are inconsistent with the syntax for that type of diagram. M INERVA checks for structural anomalies within diagrams, such as missing start states or the presence of “sinks” (states that cannot be exited, or “deadlock” states). Hydra performs checks for structural inconsistencies between diagrams, such as use of an instance variable or signal/message without it having been declared, or expecting a signal/message that no object sends.
Structural Analysis Structural analysis ensures that UML diagrams are well-formed prior to generating any formal specifications. M INERVA handles graph- oriented analyses (within a diagram) while Hydra performs parser/compiler-oriented analyses (between diagrams). Early elimination of such errors enables more effective use of “heavy-duty” specification analysis tools. M INERVA Hydra Analysis tool HIL Spec feedback
Behavioral Analysis After formal specifications are generated, analyses such as simulation or model checking may be applied. Model checking is, in general, an exhaustive technique that checks properties against the entire state space of a model, giving a counterexample when verification fails. M INERVA visualizes analysis results within the context of the original UML diagrams. M INERVA Hydra Analysis tool HIL Spec feedback
Formal Specification Analysis Simulation enables validation of behavioral requirements and debugging of the system design. Model checking can find deadlocks, test system invariants against the model, and verify temporal claims. –Deadlock usually indicates a communication protocol error between objects in the system. –System invariants may check that a value never falls outside a certain range or that an object never enters a particular state. –Temporal claims usually test properties such as “something always happens,” “something never happens,” or “one thing happening leads to another thing happening.”
Analysis Results in Context A formal specification of a collection of UML diagrams is one step removed from its original representation and usually loses structural information. The analysis results output by formal specification tools such as Bell Labs’ model checker SPIN are often cryptic, and execute steps at a much finer granularity than depicted in UML diagrams. For these reasons, we try to eliminate structural errors prior to generating specifications and visualize analysis results at a more abstract level within the UML diagrams.
Visualizations Within the original UML diagrams, M INERVA highlights structural anomalies and inconsistencies so that the user may quickly correct such errors. Trace data from simulations or counterexamples from model checking can be used to animate existing state diagrams. Work is in progress to automatically generate collaboration and sequence diagrams from trace data to augment the playback of state diagram execution. M INERVA generates reports in human-readable textual format for inclusion in documentation.
State Diagram State diagrams depict object behavior: events on transitions (arcs) can cause a change of state (rounded rectangles). By instrumenting the HIL (Hydra Intermediate Language) representation, M INERVA can gather feedback about states, transitions, or both from the simulation and counterexample traces. As states are entered or transitions are taken, M INERVA highlights them in the diagram. Working Waiting for reset Counting down Handling errors Microprocessor Watchdog ErrorHandler reset setError [count=0]/count:=100; ^ErrorHandler.error; ^Microprocessor.reset error ^Microprocessor.setError;
Collaboration Diagram Collaboration diagrams depict communication between objects (rectangles) with message pathways (directed lines). While state diagrams describe how objects communicate via events, the actual pathway between them is not visualized. When playing back trace data, M INERVA highlights message pathways as they are used and may display object attributes or contents of an object’s queue. Microprocessor Q: {reset, setError} Watchdog count=100 ErrorHandler 1: error 2: reset 3: setError
Sequence Diagram Sequence diagrams are both the complement to state diagrams and the isomorphic equivalent of collaboration diagrams, depicting a single sequence of message sends and receives (directed arrows) over time (a vertical line per object). Message ordering and race conditions can be visualized with sequence diagrams. The Microprocessor will deadlock due to an unexpected sequence. Micro.Watchdog Error Handler Working Counting down Handling errors error reset setError
Report Generation M INERVA can generate textual reports based either on trace data gathered from analysis tools or on the original UML diagrams comprising the system. Reports based on trace data are the textual equivalent of animated playback of a trace sequence and are a useful complement to diagrams in documentation. Reports based on the UML diagrams include rough metrics for judging system complexity and a comprehensive listing of all elements in the system to aid in the construction of a data dictionary.
Applications and Future Work Together with Hydra, M INERVA has been used to model a Smart Cruise Control system in Promela and to display both structural and behavioral errors within the original UML diagrams. Current investigations include using M INERVA and Hydra to model an Electronically Controlled Steering system to validate the analysis and visualization techniques. Futher use of M INERVA, Hydra, and existing analysis tools will suggest improvements for the ease-of-use and error- checking capabilities of both M INERVA and Hydra.