Safety-Liveness Semantics for UML 2.0 Sequence Diagrams Radu Grosu SUNY at Stony Brook Joint work with Scott A. Smolka

Convenient way of describing interaction among reactive systems, i.e.: - Systems where termination is rather an error than an expected behavior. Have become an integral part of all modern software engineering design methods: - SDL and ROOM MSC (message sequence charts), UML SD (sequence diagrams). Scenario-Based Specifications

Reactive Systems Commercial Aircraft Medical devices Household devices Telecommunication Nuclear Power Plants Automobiles

UML 2.0 SD Simplified Syntax mn b sd ack name of SDbody of SD process nameprocess lifeline receive event send event message Positive SD: describes traces that are valid and should be possible

UML 2.0 SD Simplified Syntax negative qualification Negative SD: describes traces that are invalid and should not be possible mn c neg sd nack

UML 2.0 SD Simplified Syntax mn a sd init mn b sd ack mn c neg sd nack sd iod init ref ack nack ref High level SD (IOD) synchronous/asynchronous sequencing

UML 2.0 SD Full Syntax mn a sd nsd neg mn a neg sd ng ng ref sd nsdsd asd a b ref mn a sd asd b alt mn a sd a mn b sd b

UML 2.0 SD Semantics ? mn a sd rs This is not a reactive system! What about asynchronous message passing? m:n!an:m?a Lang(rs) = {m:n!a n:m?a} rs Closed world semantics:

Positive SD Semantics ? mn a sd rs m:n!an:m?a Büchi automaton! L(rs) = {  * m:n!a  * n:m?a   } rs What about refinement?   tau transitions 

Positive SD and Refinement? mn a sd rs m:n!an:m?a Liveness Büchi automaton! rs    liveness closure mn b sd rs ,, ~ m:n!a ~ n:m?a chaos closure  L(rs) = {  * ~ m:n!a ( ,  ) ,  * m:n!a  * ~ n:m?a ( ,  ) ,  * n:m?a  * m:n!a  * n:m?a ( ,  )  }

Negative SD Semantics ? mn c neg sd nack Safety Büchi automaton! L(nack) = {  ,  * n:m!c  ,  * ~ n:m!c ( ,  ) ,  * n:m!c  * ~ m:n!c ( ,  )  }     n:m!cm:n?c  nack n:m!cm:n?c nack ,, ~ m:n?c ~ n:m!c complement + safety closure

High Level SD Semantics sd iod init ref ack nack ref init nack ack     init ack  Positive SD: - remove all negative nodes and all their associated transitions. init nack ack   Negative SD: - turn negative nodes into accepting sink nodes. Others nonaccepting.

HSD Positive Semantics ,, ~ m:n!a ~ n:m?a  m:n!an:m?a liod n:m!bm:n?c  ,,  ~ n:m!b ~ m:n!c m:n!an:m?a piod n:m!b  initack

m:n!an:m?a niod init nack ack  n:m?cn:m!c n:m!bn:m?b HSD Negative Semantics m:n!an:m?a siod n:m!c ~ n:m?c n:m!b n:m?b ~ n:m?b    ~ n:m!c ~ n:m?a ~ m:n!a ,,

HSD Semantics Parallel composition of: -Liveness Büchi automaton -Safety Büchi automaton Example: -Iod automaton: iod = liod  siod -Note: Lang(iod) = Lang(liod)  Lang(siod)

SD Refinement Definition: Let S 1 and S 2 be two SDs. Then: - S 1  S 2 iff Lang(S 1 )  Lang(S 2 ) Theorem: Let S, T and U be three bounded SD and assume that S* and T* are bounded, too. Then: 1. if S  T then U S  U T 2. if S  T then (S)*  (T)* 3. if S  T then S + U  T + U and U + S  U + T 4. if S  T then S || U  T || U and U || S  U || T

Examples of Refinement init ref init ref ack ref  Sequential: ack ref  Alternative: ack nack ref

Examples of Refinement Star? init ref ack ref init ref   ack nack ref init ref ack ref init ref Star:

Related Work PA and PO (Mauw, Alur, Muscholl, Peled, …): –Not compositional. Not interested in compositionality. Live SC (Damm, Harel, Kugler): –Elegant, alternative AT solution. Departure from UML. Triggered MSC (Cleaveland, Sengupta): –Prescriptive/constraint-based. Must preorder. STAIRS (Haugen, Stoelen): – Open semantics. Not fully formalized. Other semantics (Broy, Knapp, Krüger,…): – Also depart from closed world semantics.

Conclusions Presented an Automata-theoretic semantics that solves in a simple and elegant way one of the main open questions about UML 2.0 SD: –How to assign a precise meaning to a set of SD without compromising refinement? Provides a direct technique for checking SD refinement in a compositional way. Supports the development of a general purpose MC for property and refinement checking.

Rough Complexity Analysis Translation of HSD to Pos/Neg FA: - linear time (in the size of the HSD). Translation of Pos/Neg FA to Safe/Live BA: - exponential due to flattening, Complementation hard: - double exponential due to BA. In practice: - avoid flattening for synchronous sequencing? - special kind of BA with simple complementation.