5) with two non-hierarchical CPNs which correspond to SD and TD transformations. So, we recall the ... study (Access Control Server system). All the formal ...
FORMAL VERIFICATION OF UML2 DYNAMIC DIAGRAMS BASED ON PETRI NETS
Formal Verification of UML2 Dynamic Diagrams based on Petri Nets Abstract: The computer systems are increasingly invading our daily lives from the simplest applications such as audio files reading to the most critical ones like cars and airplanes. For the critical systems, the validation by the formal verification is required. In this paper, we aim to ensure an improvement of the Unified Modeling Language (UML), which is the de facto standard, with formal semantics for verification finality. For the first part, we have analyzed and revised the theoretical foundations of the existing formal verification approaches used by UML, their profiles and the basic concepts of the Petri Nets (PN). For the second part, we have created a novel hierarchical approach of formalization in order to verify the UML2 Interaction Overview Diagrams (IOD). Then, we have developed temporal formalisms based on the UML2 timing diagrams (TD), explained by illustrative examples. Based on these, we have proposed a novel hierarchical approach which is dedicated to Real Time Systems (RTS) and based on the use of the temporal extension of the Object Constraints language (OCL/realtime or OCL/RT), the UML MARTE profile and the timed computation Tree logic (TCTL) which is given by the Model Checking technique after the model’s transformation. Finally, we have applied all the proposed formalisms to a case study, in order to ensure its logical and temporal efficiency. Keywords: MARTE UML; Petri Nets; Verification; Real Time Systems; OCL; TCTL.
1 Introduction During the early phases of the software engineering life cycle and with the increasing of the system’s complexity, it has become crucial to conduct the software product construction’s phases, in order to identify different gaps and avoid ambiguities. Successive controls should meet a good specific modeling approach to features expected and described on the specification. A good strategy of modeling should necessarily be adapted to any system category, especially in the case of critical systems (real time, embedded real time, etc.) which seem to be difficult to verify temporal constraints (reliability, security, time of communication, etc) and their cost of failure. In this case, the formal verification of generated models is still considered as necessary. In this context, U M L1 is heavily used in industry with the proliferation of its new profiles dedicated to the modeling of complex systems; besides, the difficulty of modeling RTS promoted several real-time profiles proposition. UML offers a variety of diagrams used to model a system with different solutions. However, it lacks a clear and correct syntax with imprecise semantics. Users agree with the interpretation of several well-known concepts; meanwhile other concepts had some limitations mainly tight to a semantic inconsistency that requires verification. In literature, several works have dealt with the emergence of UML and mathematical formalism such as 1 https://www.omg.org/
Copyright © 201X Inderscience Enterprises Ltd.
2
author
transition systems (PN, automata, etc.) or the specification and verification languages (B, Z, etc.) to demonstrate the desired specific aspects. In (Storrle (2004a) and Storrle (2004b)), authors have formally combined the simplicity of using UML diagrams to prove the compliance of functional and non-functional properties. Other formal verification approaches have focused on the study of the dynamic view of UML, but few results were reported specifically on the verification of new UML2 dynamic diagrams (TD and IOD). In this paper, we aim to establish a set of approaches based on these combined with different PN extensions (colored, hierarchical, temporal and timed). The choice of TD as a variant of interaction is adequate to describe and combine all the states of the system objects in a temporal context. We believe as well that all of these interactions can enhance the modeling of a real-time system together in a hierarchical structure given by an IOD. So, we formally describe these based on PN formalisms and verify them using model checking techniques after the model’s transformation. To facilitate this step, we offer for the UML designer, a translation tool for deriving TCTL formulae from OCL/RT constraints. We aim to formulate all temporal properties using TCTL temporal logics derived from OCL/RT constraints. All temporal constraints are described using MARTE annotations. The rest of this paper is organized as follows: Firstly, we are going to define our motivation and goals for this proposed work, so, we will describe in the next Section the basic concepts needed to achieve it. In Section 4, we will outline some related works. Section 5 proposes a hierarchical formalization approach to formally verify the IOD using Sequence Diagrams (SD) and TD as interaction variants. In Section 6, we will present two formal verification approaches using temporal extensions of PN and derived from TD using CPN (Colored PN) tools and Romeo2 model-checker. Then, we use the UML MARTE profile to specify the system’s temporal constraints. Next, the verification results are given using TCTL formulae, derived from OCL/RT constraints and explored using Romeo. All proposed formalisms are applied by illustrative examples where we properly formulate temporal properties. In Section 8, we will demonstrate a combination of all proposed formalisms in a hierarchical way and applied the proposed solution to a basic industrial case study (Integrated Modular avionics IMA - Based Systems Airborne), to ensure its proper logical functioning. Finally, Section 9 summarizes and concludes this paper.
2 Motivation and goals Our strategy is based on the choice of new UML diagrams and their adequate specification models developed to give models verification. Based on this, we generate the dynamic models and the formalization of properties basis the temporal logic. To achieve the property result, we analyze them using the model checker tools. So, our first challenge is given by the lack of UML2 dynamic aspects unified approaches. In this concern, few works were interested in the formal verification of IOD and TD. Indeed, temporal constraints on these diagrams were not fully explored. Thus, UML gives the opportunity to emerge these using the MARTE profile annotations for meeting RTS requirements. In this case, the formal verification of all temporal properties is needed. Finally, in order to increase UML diagrams expressiveness, we analyze few works using OCL/RT constraints of the desired temporal properties formulation, which we explore and transcribe using TCTL. Usually, our proposed strategy is given as follows (see Figure 1). 2 https://romeo.rts-software.org
Formal Verification of UML2 Dynamic Diagrams based on Petri Nets
3
Figure 1: General strategy of work
3 Basic concepts In this section, we introduce the basic concepts needed in our proposed work, named: IOD, TD, MARTE, OCL/RT, PN extensions, formal verification techniques.
3.1 UML2 IOD and TD IOD as a new UML2 dynamic diagram shows a hierarchical nature and gives the system’s analyst the possibility to represent all system’s behavior with many interaction variants. The IOD offers the work on several levels of abstractions to facilitate the system’s complexity verification. It takes the same form of UML2 activities with a different semantic interpretation. In addition, more elements can be used in the IOD such as interaction use and duration constraint. To design RTS, UML2 introduces a novel TD which consists on the merge of different elements such as lifeline, state, message, temporal and duration constraints. The TD life line shows the change of an item’s state over time, while the state represents the set of the attributes values of an object. The duration constraint expresses the maintain time of the object state and the temporal constraint represents the time where each state transition can be released. Finally, a message represents a communication link between two life lines.
3.2 UML2 real time profiles: MARTE case In literature, several UML2 real time profiles have been proposed. Among these, we mention the following: the QFTP profile (Quality of Service and Fault Tolerance specification) for modeling temporal aspects (performance, scheduling, etc.), the SPT profile (Schedulability, Performance and Time) for modeling and analysis the non functional temporal aspects of RTS and embedded RTS, the DAMRTS profile (Dependability Analysis Model for RTS) for
4
author
checking time and probabilistic properties and the Timed UML-RT-LOTOS environment for modeling and verifying the Embedded RTS. MARTE profile is a new typical real time profile. It offers new features for the standard UML in order to express temporal constraints (non functional properties, execution platforms, resource allocation, quantifiable notions of time, etc) and to strengthen the scheduling and the performance concepts. Its architecture consists of three main packages: Foundation package, Design Model and Analysis Model. In our work, we use some MARTE annotations (see Table 1): Table 1 MARTE annotations
MARTE profile annotation RessourceUsage CommunicationMedia
Temporal specification Duration of execution task Communication delay
3.3 OCL/RT The Object Constraint Language OCL UML OCL (OMG, http://http://www.omg.org) is a precise text language not a programming one, using for describing the formal constraints. Each OCL constraint should be attached into a context denoted by SELF, to express an invariant constraint which must be true for all instances at any time. In our work, OCL can not offer a sufficient mean to specify Real-Time constraints over the TD. Therefore, we will employ the OCL/RT Garcia et al. (2008) as a temporal extension of the basic OCL that can more specify temporal properties.
3.4 Mathematics formalisms and languages: PN case UML has informal semantics making it difficult to be deployed as a formal verification approach. It gives the possibility to reason rigorously based on a mathematical logic, a computer program or electronic equipment. All these try to give a more formal appearance to the model’s semantics and dedicated to the system’s specification and verification, such as formalisms (labeled transition system, state finite machine, PN, etc.) and language (Algebra formal specification, model checking, programming, etc.). In our work, we are interested in PN formalisms for its diversity and appropriate extensions (temporal, recursive, colored Jensen (2007), Stochastic, etc.) applied on UML diagrams, its capability to ensure the modeling of complex applications dependability (aeronautics, industry, etc.) and for its expression analysis. However, PN gives the possibility for a modular analysis based on its hierarchical extension.
3.5 Formal verification techniques: temporal logics and model-checking In literature, there are several techniques of formal verifications (equivalence tests, specifications by animation, etc) where each one tried to give a formal specification from the source model and therefore generated a model where its properties verification may be possible. Temporal logics are also techniques which are developed to make formal specification models. The first qualitative class offers an implicit and exact time which is limited on power of expression (CTL, LTL, etc). The second quantitative class (timed temporal logic) offers an explicit temporal aspect and gives the exact time of occurrence of
Formal Verification of UML2 Dynamic Diagrams based on Petri Nets
5
specific state (TLTL Zhang (1994), MITL Alur et al. (1996) and TCTL Yovine (1998), etc.). The model checking technique is primarily based on the accessible state’s space construction where its property verification is possible, especially for timed temporal properties, crossing all these states. Temporal logic formulae are evaluated either on a trace (linear logic) or on a branching tree (tree logic). The trace of the base assessment indicates that the formula is evaluated on the model possible execution while in the evaluation on a branching tree could reason about all possible future developments.
4 Related works In this part, we describe some similar existing formal verification approaches related to our context of work. To introduce the different contributions, we specially focused on the works of (Hansen et al. (2010), Andrade et al. (2009), Kangle et al. (2010), Bouabana (2009), Boufenara et al. (2014), Mieg and Hillah (2008), Baresi et al. (2010), Campos and Merseguer (2006) and Berardi et al. (2005)) proposing formal verification approaches based on UML dynamic diagrams. However, a few of works are interested on the formal verification of the IOD (Andrade et al. (2009), Bouabana (2009) and Baresi et al. (2010)) and none of them has used the TD formalism for describing RTS specification. In Baresi et al. (2010), the authors attempted to translate the IOD constructs in terms of temporal logics. In Andrade et al. (2009), the authors proposed a formal verification on IOD using TPN. In Bouabana (2009), the authors have formally verified the IOD based on HCPNs, using CPN Tools model checker. All desired properties were expressed using the CTL logic derived from OCL invariants. These analyzed approaches have focused mainly of IOD verification in a single hierarchical level, which does not use its performance; in addition, their interaction nodes refer only to SD. In this case, we firstly propose to extend these works by considering a multi level of hierarchy. We offer a first formal hierarchical approach of IOD into HCPNs, using TD formalism as interaction node. This contribution can be described with similar works and is given in Table 2: Table 2 Comparative studies of first work
Contribution
Hierarchical PN
Multi level formalism
Yes
CPN Tools model checker No
No
Temporal interaction proposition No
Andrade et al. (2009) Bouabana (2009) (Louati et al. (2014) and Louati et al. (2013))
Yes
Yes
No
No
Yes
Yes
Yes
Yes
In the next step, we have noticed that the analyzed similar works have not explored the TD on the context of these approaches. Thus, we will propose two new formalisms to formally verify the TD based temporal extensions of PN (TPN, TCPN). So, we describe temporal properties using MARTE and we give a formal description of OCL/RT constraints
6
author
into TCTL temporal logic and TPN-TCTL model checker. These comparative studies are presented in Table 3. Furthermore, temporal properties transformation based on temporal logic and derived from OCL/RT constraints were not explored. In this context, we describe OCL/RT constraints on UML IOD and TD to describe it. The Romeo model checker is used to generate the result of the properties verification. All contributions process is illustrated by the Figure 3.
Figure 2: Main works related to our second and third contributions (FV (Formal Verification), TL (Temporal logic), RTS (Real-Time Systems), HCPN (Hierarchical CPN))
5 Hierarchical approach for deriving HCPN from UML IOD From the similarity of the used models (IOD and HCPN) which are presented with a hierarchical nature and modular design, we present our first contribution which consists on a hierarchical approach to formalize and verify the IOD based on HCPN. Firstly, we formally describe the basic concepts and hierarchical formalisms. Secondly, we define the needed and different transformation rules. Finally, we apply our approach to ATM system authenticate step. To make this, we define a novel function ΩH (Equation 2) based on the Ω function (Equation 1, Bouabana (2009)) to support the model hierarchical level. We recall also a function Φ (Equation 3 and Bouabana (2009)) for transforming all the SD constructs on a none-hierarchical CPN. Indeed, we propose a new function to transform a TD model into a none-hierarchical CPN, this is presented in the next section (Section 6). In below, we give an example of IOD construct translation into HCPN constructs which consists on the transformation of IODn with n = 0 in a HCPN prime page (Equation 4). All the formal
Formal Verification of UML2 Dynamic Diagrams based on Petri Nets
7
Figure 3: All contributions process description and transformation rules are given in our previous work (Louati et al. (2014) and Louati et al. (2013)). Ω : n0 ∪ N F ∪ I ∪ B ∪ D ∪ E → partition(P g ∪ P ∪ T ∪ SubT r ∪ A ∪ C) (1) ΩH : SIOD ∪ N i ∪ N F ∪ B ∪ D ∪ I ∪ E → partition(P g ∪ P ∪ T s ∪ SubT r ∪ A ∪ C)(2) Φ : Lf ∪ M sg ∪ Beg ∪ End ∪ P tx ∪ F ind ∪ Lost ∪ Alt ∪ Op ∪ P ar ∪ Loop −→ partition(P g ∪ P ∪ T ∪ SubT r ∪ A ∪ C)
(3)
If IODn andlevel(IOD) = 0thenpg0 = Createpage();
(4)
To apply our approach, we describe the authenticate step of ATM system (see Figure 4). After introducing his personal number code, the system performs the user’s authentication. When it is valid, the menu is displayed. However, the system performs two other new authentications before failure case. Since the IOD is the main diagram, its hierarchical level is 0. In a hierarchical way, we refine the behavior of the interaction node Identification through another IOD which corresponds to hierarchical level 1. In this latter case, two interaction nodes which are Pin Test and Eject Card are respectively refined through an SD and TD. After applying the rules mentioned above, a HCPN model is obtained (see Figure 5) with two non-hierarchical CPNs which correspond to SD and TD transformations. So, we recall the verification properties such as the reset test and we called the InitialHomeMarking () function which returns a Boolean result that we can we generate a true test. Also, the deadlock and the dead transition tests are respectively verified using the ListDeadMarkings() the ListDeadTIs() functions. In what is next, we will try to apply this approach on RTS, for this, we propose to transform a TD diagram into different temporal extensions of PN.
8
author
Figure 4: Case study modeling (First contribution)
Figure 5: HCPN analysis and verification
6 Temporal approaches for deriving TCPN and TPN from TD constructs In this section, we will propose two novel’s approaches which consist on formalization and verification of TD based on temporal PN extensions. Firstly, we define a formalization of TD into timed CPN (TCPN) constructs; secondly, we propose a formalization of TD in terms of time PN (TPN).
6.1 Deriving TCPN from TD constructs The model’s analysis and verification are assured using CPN Tools. For this, we develop an automatic tool to implement a set of translation rules. This approach is applied to a case study (Access Control Server system). All the formal description and transformation rules
Formal Verification of UML2 Dynamic Diagrams based on Petri Nets
9
are given in our work Louati et al. (2013). For this, we propose a novel function θ (Equation 5) which consists on the transformation of TD constructs on TCPN. In below, we show an example of construct’s transformation (see Figure 6). It consists on the transformation of a TD lifeline into TCPN state; we give also its correspondent transformation rule (see Equation 6).
Figure 6: Deriving state from TD life line) θ : Lf ∪ M sg ∪ State ∪ Dc ∪ T c −→ partition(P g ∪ P ∪ T ∪ SubT r ∪ A ∪ E ∪C ∪ G ∪ T emp ∪ E ∪ If )
(5)
letlfi ∈ Lf ; createplace(pi ) ∈ P ; θ : Lf −→ P ; θ(lfi ) = pi ;
(6)
After inserting his card, the user is invited to grab his access code. The system’s checking step gave the access authorization on the room when he presented a validity card and the code accuracy; else, the user is secondly invited to grab his code and restart the authentication process.
Figure 7: Use case and class diagrams By Figures (Figure 7 and 8), we illustrate UML models such as a use case and class diagrams to show the static relation of user and system. Otherwise and to describe temporal
10
author
Figure 8: Correspondent TD diagram interaction of them, we give a TD diagram. We recall the verification properties such as the reset test and we called the InitialHomeMarking () function which returns a Boolean result, that we can finally generate a true test. Also, the deadlock and the dead transition properties are respectively verified using the ListDeadMarkings () the ListDeadTIs () functions. Next, we will try to apply this approach on RTS systems, for this, we propose to transform a TD diagram based on different temporal extensions of PN. In our work, we describe a quantitative property to define the temporal properties. We will choose to reformulate constraints in terms of a timed temporal logic on a finite system. CPN Tools does not treat explicit duration concepts, the time is implicitly represented. As it doesn’t offer the possibility of this logic; we propose on the next part, the formalization of TD elements in terms of TPN models and its verification using the Romeo model checker.
Figure 9: TCPN analysis and verification
6.2 Deriving TPN from TD constructs Here, we try to formalize and verify the TD diagram into TPN model using Romeo model checker. So, our approach is applied to a case study; the webpage loading process. All
Formal Verification of UML2 Dynamic Diagrams based on Petri Nets
11
desired properties for verification are expressed using TPN-TCTL formulae and will be next presented (section 7). In this context, we use the RessourceUsage MARTE annotation to design the TD duration constraint. The formal description of used models are given in our previous work presented in (Louati et al. (2015)).
Figure 10: TD’s MARTE annotation design Therefore, we define the function F (see Equation 8. For each TD construct (see Table 3), we make the equivalent TPN element. F : Lf ∪ P t ∪ M sg ∪ State ∪ Dc ∪ T c → partition(T ∪ P ∪ A ∪ W ∪ m0 ∪ I)(7) A TD message and each life line are transformed into TPN places which respectively correspond to initial states of the TD objects. The temporal constraint is converted into TPN transition with time interval [min; max]. To express different semantics of temporal and duration constraints, we assume that the duration one can be presented into three transitions and two places. In fact, when the transition T 1 is executed, the generated token is remained in place P 1 until the transition T 2 will be fired. After that, the transition T 3 is executed (see Figure 11).
Figure 11: Duration constraint’s transformation Next, we propose to illustrate our approach with an example. Specifically, we propose to study the process of a website loading page. We begin with describing the model. Then, we show how to transform it to TPN. Firstly, we highlight the process analysis. We assume that the corresponding UML class diagram is composed of JavaServer Page (JSP), DataAccess, Servlet, DNSResolver, WebBrowser and WebUser classes. Moreover, we describe the behavior model of all classes through a UML TD diagram (see Figure 12) (all case study specifications and class diagram are described in Louati et Barkaoui. (2016). So, we try to formally describe and verify the resulting TPN model (see Figure 13) using
12
author Table 3 TD TPN transformation rules
Rule 1 2 3 4 5
TD constructs life line interaction point message state duration constraint
6
temporal constraint
Equivalent TPN element place initial marking m0 TPN transition + time interval [0;0] communication place Place TPN transition + time interval [min; max], 2 places + 2 transitions with time interval [0;0] tpn transition + time interval [min;max]
the Romeo model checker. All initial states relevant on UML classes (idle and waiting) are transformed into input places. Temporal properties are directly expressed on UML diagrams using OCL/RT and translated into TCTL formulae (all properties formalization and verification will be presented on the next section (Section 7) where we will present the derivation of TPN-TCTL from OCL/RT). So, we place a token into the initial TPN. After several steps, it moves to the marking step, this is done by several chips.
Figure 12: TD model design
7 Deriving TPN-TCTL from OCL/RT constraints In this section, we firstly describe a set of deriving steps of TPN-TCTL from OCL/RT constraints. Next, we apply all specifications to a case study related to Section 6.
7.1 Deriving steps Here, we discuss some works related OCL formalization and present a contribution which consists on the transformation of OCL/RT constraints in terms of TCTL and TPN-TCTL
Formal Verification of UML2 Dynamic Diagrams based on Petri Nets
13
temporal logics. In Bouabana (2006), the authors formally expressed the specific properties and translate OCL constraints into CTL temporal logic formulae using CPN Tools and PROD model checker. In our work, we seek to describe a property as expression OCL/RT constraints to define our needs; we choose to define constraints into temporal logic formulae with delay on a finite system Eshuis (2002). In this case, CPN Tools does not offer the possibility of this temporal logic class; we propose a second transformation of TD in terms of TPN as we seek to define as temporal logic TPN-TCTL using Romeo. During the constraint formulation and for the lacking of UML modeler on the formal analysis, we will propose a new approach to translate OCL/RT constraints into TCTL and TPN-TCTL temporal logics. All the formal description and transformation rules of this approach are given in our previous work Louati et Barkaoui. (2016). In this work, we propose to derive TCTL formulae from OCTRT constraints using MARTE UML profile. Indeed, we apply some predefined functions related to OCL meta-model such as OclPath(), OcLconfig() and OclAny(), so, we also used new temporal operators such as pre() and post() operators. For each OCL invariant ’inv’, the temporal logic formula should be started by AG "Always Globally", where the configuration of min and max bounded time interval are included (min and max should be integer). The denoted ’self’ in OCTRT constraint means the set of all instances taken on the formula context. The modeler can check all his temporal properties which are tight to the vivacity (liveness in number 4), the accessibility (number 1 and 2) and also the deadlock (number 5). The OCL "Exists" operator is transformed into "E" quantifier, "ForAll" operator is transformed into "G" quantifier, "Exists(Exists)" is converted into "EF" predicate and "ForAll(ForAll)" is transformed into "AG" predicate. Table 4 OCL/RT constraints and equivalent TPN-TCTL formulae
Num 1 2 3 4 5
OCL/RT constraints inv:self@post[min,max]→ Exists(a,b:OclPath|b→ ForAll(a)) inv:self@post[min,max]→ Exists(a,b:OclPath|b→ Exists(a)) inv:self@post[min,max]→ ForAll(a,b:OclPath|b→ ForAll(a)) inv:self@post[min,max]→ ForAll(a,b:OclPath|b→ Exists(a)) inv:self@post[min,max]→ Exists(a:OclPath|a→ (Next(a) → isActive()))
TPN-TCTL formula AG(b → EG[min,max] (a)) AG(b → EF[min,max] (a)) AG(b → AG[min,max] (a)) AG(b → AF[min,max] (a)) AG[min,max] (a → notdeadlock)
7.2 Model Verification (Section 6) Next, we take part with some temporal properties described using TCTL formulas Addouche et al. (2005): Property1: Deadlock freeness for all execution process within 27ms(10 − 3sec). In OCL/RT, this is expressed as follows: Context WebUser Inv : Self @post[0, 27] → Exists(leta : Self :: Idle|N ext(a) → isActive()) The corresponding TCTL formulas can be described as follows: AG[0; 27](not(M (3) >= 1) ⇒ notdeadlock)
14
author
Property2: Checking the execution of TPN model. Informal description: We prefer to receive the page’s result loading process in 27ms, after the Web User inputs the URL addresses. In OCL/RT, this is expressed as follows: Context WebUser Inv : Self @post[0, 27] → Exists(letb = Self :: W ebU serIdle, leta = Self :: W ebU serV iewing|b → Exists(a)) The corresponding TCTL formulas can be described as follows: AG(EF [0; 27](M (3) = 1 ⇒ M (1) = 0) PS: 1 and 3 are the index of marking associated by Romeo to respectively WebUserIdle and WebUserViewing places.
Figure 13: Resulting TPN model
8 Case study and applications Next, we will combine all proposed approaches based on a case study, where we will establish a hierarchical approach to formally verify RTS, using an IOD and a set of interactions modeling TD. In order to illustrate our approach, we propose to use a fragment of a real case study. Here, we define and apply our approach (Louati et al. (2014) and Louati et al. (2015)) for RTS verification. We use the UML MARTE annotations for describing the temporal constraints and we propose a hierarchical structure given by an IOD and a set of TD. The desired properties to be checked are expressed using TCTL and TPNTCTL logics and derived from OCT/RT constraints Flake and Mueller (2002) using Romeo model checker. To apply our experiments, we referred to a case study (Integrated Modular Avionics/Airborne Systems), an asynchronous RTS for ensuring its logical and temporal efficiency. In this section, we give a general overview of the proposed approach for verifying UML models specifications based on TPN. Firstly, we assume that the system behavior is described through the UML2 class, deployment, IOD and TD diagrams. Secondly, we use MARTE annotations in order to describe execution latencies and the communication’s delays. Thereafter, OCL/RT constraints can be described. Thirdly, UML2 diagrams with
Formal Verification of UML2 Dynamic Diagrams based on Petri Nets
15
MARTE annotations are automatically transformed into TPN model and the OCL/RT constraints are translated into TCTL formulae and evaluated using Romeo model checker. The proposed process is illustrated below (see. Figure 14).
Figure 14: The proposed process
8.1 Deriving TPN from UML IOD and TD In this section, we illustrate the graphical transformation rules of IOD nodes with UMLMARTE annotations into TPN. Firstly, we define a mapping function G that transforms a given IOD into TPN elements. This function is given as follows: F : n0 ∪ N F ∪ B ∪ D ∪ I ∪ E → partition(T ∪ P ∪ A ∪ W ∪ m0 ∪ I)
(8)
8.1.1 IOD Initial and final nodes An initial point is called a starting place P i of TPN model. The final one is called a final place P f . To be connected to the first TPN component, P i must be relied to a starting transition T i with time interval [0; 0]. P f is relied to a final transition T f . As follows, the graphical transformation of these is illustrated (see Figure 15). We have to mention that P i is represented by P 0 in the IOD model.
Figure 15: Mapping initial and final states
8.1.2 TD components and communication delay Using the transformation rules, we have transcribed each TD interaction node to Sub TPNs. To rely between them, we describe the delay as a duration constraint by a transition with the time interval [min; max](T 2), Communication link between TD interaction nodes with
16
author
Figure 16: Mapping TD components delay transformation in order to define the communication link between the interaction nodes of the IOD (see. Figure 16) For the synchronization between Sub-TPNs, we use T 1 and T 3 transitions with time interval [0; 0] and P 1, P 2 places.
8.2 Model description To highlight our proposed method and to show its effectiveness, we apply it in a classic real-time asynchronous system (RTS) derived from the IMA-Based Airborne System. The system is composed of a Sender, which represents a data-collecting sensor and two Receivers which embedded two calculators A and B, as shown in Figure 18. The router represents a virtual link of Avionics FullDupleX (AFDX). The sender uses the router to send the input data of computation. Furthermore, in order to describe the whole behavior of the system, we use an IOD as shown in Fig. 9. A simple protocol is implemented based on handshake paradigm. Based on the asynchronous message-driven pattern, the Sender will frequently give out data to the two Receivers using the communication network, which is constrained by transmission delays. The receivers will perform a computation. Actually, the redundant controller design necessitates that the output of the two available receivers at the same time in each working cycle; otherwise, it cannot correctly unify the redundant command. In this situation, our mission is to check the computation time between the calculators A and B. Since it is difficult to respect a strict immediate timing with an explicit local synchronization, a time tolerance is defined. For that, we consider that the two time instants are coincident where they fall into the same time window (equals to tolerance) and given by the equation as follows: | T (ActiveReceiver) − T (P assiveReceiver) |≤ β
(9)
where β represents the min time tolerance for coincidence between the outputs time execution of two receivers. We implement a naive protocol in which the two Receivers are distinguished by respectively setting active and passive modes. The active one, after getting its data from the Sender, sends an asynchronous notification to the passive one and automatically waits for fixed time duration to launch its computation. The passive one will start its redundant computation once it gets the notification from its active master. The transmission of the notification of message is also provided by the AFDX. The waiting time of the active receiver and the network jitter modification should be validated. Model transformation into TPN verification of concurrent systems is a complex task that requires powerful models and efficient analysis techniques. Model checking is one of the
Formal Verification of UML2 Dynamic Diagrams based on Petri Nets
17
Figure 17: Static Relation (class and deployment diagrams)
Figure 18: Real Time Asynchronous System: IMA-Based Airborne System most popular verification techniques of concurrent systems. In this framework, the behavior of a system is represented by a finite (or infinite) transition system and properties to be verified are expressed in either a standard temporal logic (LTL,CTL, CTL*), or in its time extension (MITL, TCTL). Properties are checked by exploring the transition system. In this paper, we consider TCTL for TPN for which temporal operators are extended with a time
18
author
Figure 19: Correspondent TPN model interval, specifying a temporal constraint on the ring sequences. For the TPN model, we use the mapping of IOD, TD and UML-MARTE annotations, we generate the corresponding TPN(see Figure 19). Our aim is to check that the final marking can always be reached with considering all temporal and duration constraints. In order to check TCTL properties, the modeler is invited to write his temporal property in the form of OCL/RT constraints. The latter is transformed into temporal logic formula. Then, we use the Romeo Model Cheker to verify it. For properties verification, we take part with some temporal properties described in temporal OCL and we give its correspondent formula: Property1: Deadlock freeness for all execution process within 42ms. In OCL/RT, this is expressed as follows: Context Sender Inv : Self @post[0, 42] → Exists(letp : Self :: Idle|N ext(p) → isActive()) The corresponding TCTL formulas can be described as follows: AG[0; 42](not(M (1) >= 1) ⇒ notdeadlock) Property2: We would like to check the final execution of the TPN model and termination of final computing in 42ms, after the beginning sending process. In OCL/RT, this is expressed as follows: Context Sender Inv : Self @post[0, 42] → Exists(letp1 = ActiveReceiver :: F inalComputation− Active, letp2 = P assiveReceiver :: F inalComputationP assive, letq = Self :: Idle|(p1, p2) → Exists(q)) The corresponding TCTL formulas can be described as follows: AG(EF [0; 42](M (1) = 1 ⇒ (M (27) = 0andM (28) = 0))) PS: 1, 27 and 28 are the tagged indexes associated by Romeo to respectively Idle, FinalComputationActive and FinalComputationPassive places (Idle is the initial state of the Sender Class).
9 Conclusion In this paper, we developed a novel hierarchical approach of formalization for Real Time Systems (RTS) in order to verify UML2 dynamics diagrams. In particular, we explored the basic concepts of Interaction Overview Diagrams (IOD) and timing diagrams (TD) which are transformed into different Petri Nets extensions. Then, each one is applied by an illustrative example. The temporal extension of the Object Constraints language (OCL/RT) and the UML MARTE profile are used for the description of temporal properties and
Formal Verification of UML2 Dynamic Diagrams based on Petri Nets
19
constraints and formally verified using TCTL formulae. Our approach is applied to an original case study. As future directions, we will propose the migration of TPN models into Time Open Workflow Nets, by meaning to show the different specifications of interactions between all model’s objects using interface places. Next, we will try to experiment the exploration of cycles in TPN models. Until now, we experimented the time computing on a single cycle, we have to loop these in order to reduce the tolerance size.
References Storrle, H.(2004) ‘Semantics and verification of data flow in uml2 activities’, IEEE Proceedings of Press Visual Languages and Formal Methods, pp. 38–52. Storrle, H.(2004) ‘Semantics of control flow in uml2 activities’, IEEE Proceedings of Symposium on Visual Languages, Human Centric Computing, pp. 235–242. Louati, A., Barkaoui, K. and Jerad, C. (2014) ’Time properties Verification of UML/MARTE Real-Time Systems’, International workshop of Formal Methods Integration, pp.386– 393. Hansen, H., Ketema, J., Luttik, B., Mousavi, M. and Van de Pol, J. (2010) ’Towards model checking executable uml specifications in mcrl2’, Proceedings of International Conference on Innovations in Systems and Software Engineering, Vol. 6, pp.83–90. Andrade, E., Maciel, P., Callou, G. and Nogueiras, B. (2009) ’A methodology for mapping sysml activity diagram to time petri net for requirement validation of embedded real-time systems with energy constraints’, IEEE Digital society, pp.266–271. Kangle, C., Zongyuan, Y., Jinkui, X. and Kaiyu, W. (2009) ’Unifying modeling and simulation based on uml timing diagram and uppaal’, 2nd IEEE International Conference on Computer Modeling and Simulation, pp.615–620. Bouabana-Tebibel, T. (2009) ’Semantics of the interaction overview diagram’, IEEE Proceedings on Information Reuse and Integration, pp.283–287. Boufenara, S., Belala, F., Barkaoui, K. and Boucheneb, H. (2014) ’Transactional petri nets : A semantic framework for uml2 activities’, Journal of Critical Computing Based Systems, Vol. 5, pp.5–23. Mieg, Y. and Hillah, L. (2008) ’Uml behavioral consistency checking using instantiable petri nets’, Journal of Innovations in systems and software engineering, Vol. 4, pp.293–300. Baresi, L., Morzenti, A., Motta, A. and Rossi, M. (2010) ’From interaction overview diagrams to temporal logic’, Proceedings of the International Workshops and Symposia at MODELS, Vol. 6627, pp.90–104. Campos, J. and Merseguer, J. (2006) ’On the integration of uml and petri nets in software development’, 27th International Conference on Applications and Theory of Petri Nets and Other Models of Concurrency, Vol. 4024, pp.19–36. Berardi, D., Calvanese, D. and DeGiacomo, D. (2005) ’Reasoning on uml class diagrams’, Journal of Artificial Intelligence, Vol. 168, pp.70–118.
20
author
Flake, S. and Mueller, W. 2002 ’A uml profile for real time constraints with the ocl’, 5th International Conference on Model Engineering, Concepts and Tools, pp.179–195. Bouabana-Tebibel, T. (2006) ’Formal validation with ocl’, IEEE Proceedings on Systems Man and Cybernetics, pp.2731–2736. Eshuis, R. (2002) ’Validation des diagrammes d’activité pour la modélisation du Workflow’, PhD thesis, Université Twente, Hollande. Louati, A., Barkaoui, K. and Jerad, C. (2015) ’Temporal Properties Verification of Real-Time Systems Using UML/MARTE/OCL-RT’, Formalisms for Reuse and Systems Integration, pp.133–147. Louati, A. and Barkaoui, K. (2016) ’Formal Verification of UML2 Timing Diagrams Based on Petri Nets’, International Journal of Information Systems in the Service Sector, Vol. 8, No. 2, pp.87–97. Louati, A., Jerad, C. and Barkaoui, K. (2014) ’Formalization and Verification of Hierarchical Use of Interaction Overview Diagrams using Timing Diagram’, International Journal of Soft Computing and Software Engineering, Vol. 3, No. 3, pp.205–211. Louati, A., Jerad, C. and Barkaoui, K. (2013) ’On CPN-based Verification of Hierarchical Formalization of UML2 Interaction Overview Diagrams’, 5th International IEEE Conference on Modeling, Simulation and Applied Optimization, pp.1–6. Jensen, K. 2007 ’Special section on colored petri nets’, Journal on Software Tools for Technology Transfer, Vol. 9, pp.209–212. Zhaoxia, H. and Shatz, S. 2004 ’Mapping uml diagrams to a petri net notation for system simulation’, 16th International Conference on Software Engineering and Knowledge Engineering, pp.213–219. Addouche, N., Antoine, C. and Montmain, J. 2005 ’Combining extended uml models and formal methods to analyze real time systems’, 24th International Conference of Computer Safety, Reliability and Security, Vol. 3688, pp.24–36. Moshe, Y. V. 2007 ’Linear Time Model Checking: Automata Theory in Practice’, Computing Department, Rice University, Houston. Choppy, C., Klai, K. and Zidani, H. 2011 ’Formal verification of uml state diagrams: a petri net based approach’, ACM SIGSOFT Software Engineering Notes, Vol. 36, pp.1–8. Seok Min, H., Chung, S. M. and Choi, J. Y. 2013 ’Deriving system behavior from uml state machine diagram’, Journal of Universal Computer Science Applied to Missile Project, Vol. 19, pp.53–77. Zhang, Y. 1994 ’A Foundation for the Design and Analysis of Robotic Systems and Behaviors’, PhD thesis, Department of Computer Science, University of British Columbia, Canada. Alur, R., Feder, T. and Henzinger, T. 1996 ’The benefits of relaxing punctuality’, Journal of the ACM, Vol. 43, pp.116–146. Yovine, S. 1998 ’Model checking timed automata’, Springer Verlag.
Formal Verification of UML2 Dynamic Diagrams based on Petri Nets
21
Profile for MARTE: Modeling and analysis of Real Time Embedded Systems (2012), OMG, http://http://www.omg.org. Garcia, D.C., Cengarle, M.V., Szasz, N. 2008 ’UML2.0 Interactions with OCL/RT Constraints’, Forum on Specification, Verification and Design Languages., Vol. 43, pp.167–172.
