Download presentation
Presentation is loading. Please wait.
1
Model Checking for an Executable Subset of UML
Fei Xie1, Vladimir Levin2, and James C. Browne1 1Dept. of Computer Sciences, UT at Austin 2Bell Laboratories, Lucent Technologies Our project is to provide model checking support for an executable subset of UML.
2
Motivations Executable subsets of UML
Widely applied to model software system designs; Have well-defined execution semantics; Enable early verification of design models. Model checking can potentially improve the reliability of executable design models. The motivations behind our project are: First, software system designs modeled in executable subsets of UML are fully executable; Second, model checking can potentially improve the reliability of executable design models.
3
xUML: An Executable Subset of UML
A system consists of interacting class instances; Class instances communicate mainly through asynchronous message passing with buffering; State models are extended with state actions; State transitions are enabled by messages; System executions follow asynchronous interleaving semantics. The executable UML subset we select is xUML, which is industrially supported and applied. It has well defined action semantics and executable semantics.
4
A Sample xUML State Model
State Transition State Action Here is a sample xUML state model. A state model is composed of states, state actions, and state transitions. A state action is associated with a state and is executed upon entry to the state. A state transition is enabled by a message. For instance, the state transition from State 4 to State 1 is enabled by a message of the type J9. Message Type State
5
Model Checking xUML Models
xUML Query xUML Level Error Report xUML-to-S/R Translation Error Report Generation The figure shows how we model check xUML models. An xUML models and an xUML level queries are automatically translated into an S/R model and an S/R query. The S/R query is checked on the S/R model by the COSPAN model checker. Upon the detection of a bug, the error track generated by COSPAN is automatically mapped into an xUML level error report. S/R Model S/R Query S/R Query COSPAN Error Track Model Checking with COSPAN Model Checker Legend: Input Output Data Process
6
COSPAN Model Checker and S/R Automaton Language
COSPAN is a synchronous model checker and inputs models and queries formulated in S/R. In S/R, a system is a synchronous parallel composition of its components modeled as processes. Process Process Output COSPAN is an industrial model checker. COSPAN inputs the S/R automaton language. In S/R, a system is a parallel composition of processes. Each process has a state space, outputs, and inputs. S/R has a clock-driven synchronous semantics. In the first stage of each logic clock cycle, each process sets its outputs. In the second stage of the logic clock cycle, each process inputs from some outputs of other processes and moves to a new state upon the inputs. Process Input Process State Space
7
xUML Level Query Formulation
Proposition Semantic Constructs of xUML Model DECLARE Joint_2_in_Move_EE <<Joint 2>> $Move_EE; DECLARE Recovery_Called <<Recovery 1>> recovery_status = 1; NEVER (Joint_2_in_Move_EE AND Recovery_Called); Writing queries in S/R is tedious and hard to learn. Therefore, we support query specification on the xUML level. This slide shows an xUML level query. The first line defines a proposition on an xUML model, which is true if and only if Joint 2 is in the Move_EE state. The second line defines another proposition in the same way. The third line instantiates a temporal template in the logic with the two propositions. As a whole, the query claims that the two propositions are never true at the same time. Instantiation of Temporal Template
8
xUML-to-S/R Model Translation
Maps class instances to S/R processes; Models asynchrony with synchrony; An S/R process as global execution scheduler; Message buffers by separate S/R processes; Simulates dynamic creation of class instances; Bounds infinite state spaces of xUML models. The asynchronous interleaving semantics of xUML and the synchronous parallel semantics of S/R make the translation from xUML to S/R a non-trivial process. Class instances are translated into S/R processes. The asynchrony is modeled by synchrony. The dynamic creation of class instances is also simulated. Additionally, for some xUML models, we have to bound their infinite state spaces. This requires some inputs from the designers.
9
State Space Reductions in Model Translation
Static partial order reduction (SPOR); Translating static attributes to constants; Reducing the send and consumption of a self message into a single state transition; Ranging variables to facilitate symbolic model checking (SMC). State space reductions are another focus of our research. We embed several reductions in the translation.
10
Error Trace Analysis Support
Visualize errors via simulation driven by error traces. As I mentioned, an error track generated by COSPAN can be automatically mapped to an error report on the xUML level. To make debugging easier, we also support visualization of a design error. A test case can be automatically generated from the error track and used to drive a simulation in a visual simulator provided by the xUML visual editor.
11
Effectiveness of State Space Reductions
A liveness property to be checked on online ticket sale system; xUML model translated to two S/R models with SPOR on or off; Two S/R models checked by COSPAN with SMC on or off. SPOR SMC Memory Usage Time Usage Off Out of Memory N/A On 113.73M S 17.3M 6668.3S 74.0M 1450.3S Case studies demonstrated the effectiveness of state space reductions we applied. The slide shows the statistics of checking a liveness property on an online ticket sale system. The xUML model of the system is translated into two S/R models, one with SPOR on and the other with SPOR off. The two S/R models are checked by COSPAN with SMC on or off. It can be observed that both SPOR and SMC achieved significant reduction on the model checking complexity. The combined application of SPOR and SMC achieved the best time usage.
12
Conclusions and Future Work
An approach to model checking of xUML models is defined and implemented. Non-trivial xUML models have been checked. A robot control system; An online ticket sale system. Integrated state space reduction that supports verifying larger models is being developed. Two major case studies have been conducted, one on a robot control system and the other on an online ticket sale system. Currently, we are working on an integrated state space reduction framework, which, we hope, will enable us to verify larger xUML models.
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.