Model Checking for an Executable Subset of UML
Fei Xie (1), Vladimir Levin (2), and James C. Browne (1)
(1) Dept. of Computer Sciences, UT at Austin
(2) Bell Laboratories, Lucent Technologies
Motivations
Executable subsets of UML:
–Widely applied to model software system designs;
–Have well-defined execution semantics;
–Enable early verification of design models.
Model checking can potentially improve the reliability of executable design models.
xUML: An Executable Subset of UML
A system consists of interacting class instances;
Class instances communicate mainly through asynchronous message passing with buffering;
State models are extended with state actions;
State transitions are enabled by messages;
System executions follow asynchronous interleaving semantics.
A Sample xUML State Model
[Figure: a state model diagram; the labelled elements are State, State Action, State Transition and Message Type.]
Model Checking xUML Models
[Figure: the verification flow. An xUML Model and an xUML Query are the inputs to xUML-to-S/R Translation, which produces an S/R Model and an S/R Query; these are the inputs to Model Checking with the COSPAN Model Checker, whose output is a COSPAN Error Track; Error Report Generation turns the error track into an xUML Level Error Report. The legend distinguishes Data, Process, Input and Output.]
COSPAN Model Checker and S/R Automaton Language
COSPAN is a synchronous model checker; it takes as input models and queries formulated in S/R.
In S/R, a system is a synchronous parallel composition of its components, each modeled as a process.
[Figure: an S/R process, with its Process Input, Process State Space and Process Output.]
xUML Level Query Formulation
DECLARE Joint_2_in_Move_EE > $Move_EE;
DECLARE Recovery_Called > recovery_status = 1;
NEVER (Joint_2_in_Move_EE AND Recovery_Called);
[Figure annotations: each DECLARE line defines a proposition in terms of semantic constructs of the xUML model (a state, an attribute value); the NEVER line is an instantiation of a temporal template over those propositions.]
xUML-to-S/R Model Translation
Maps class instances to S/R processes;
Models asynchrony with synchrony:
–An S/R process serves as the global execution scheduler;
–Message buffers are modeled by separate S/R processes;
Simulates dynamic creation of class instances;
Bounds infinite state spaces of xUML models.
State Space Reductions in Model Translation
Static partial order reduction (SPOR);
Translating static attributes to constants;
Reducing the send and consumption of a self message into a single state transition;
Ranging variables to facilitate symbolic model checking (SMC).
Error Trace Analysis Support
Visualize errors via simulation driven by error traces.
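The translation and checking flow of the preceding slides, as an added Python illustration that is not the paper's or COSPAN's code: asynchronous class instances are composed in lockstep with an explicit scheduler choice and per-instance buffer state (the scheduler process and buffer processes of the translation), buffers are bounded to keep the state space finite, a NEVER query over DECLARE-style propositions is checked, and the resulting error track drives a replay. Everything named in it (the controller and worker instances, the messages start, go, done, timeout, reset, reset_ack and finish, the recovery_status attribute, the buffer bound) is constructed for this example; explicit-state breadth-first search stands in for COSPAN, and no S/R syntax is reproduced.

```python
# Added illustration, not the paper's code: asynchronous xUML-style instances
# composed synchronously (scheduler choice + buffers), a NEVER query checked by
# explicit-state reachability, and error-track replay. Model is constructed.
from collections import deque

BUF_CAP = 3  # constructed bound on each message buffer: keeps the state space finite

# Constructed transition tables: (state, message) -> (next_state, actions).
# An action is ('send', target, message) or ('set', attribute, value).
# A message with no entry is consumed and ignored.
CONTROLLER = {
    ('Idle', 'start'):           ('Waiting',    [('send', 'worker', 'go'),
                                                 ('send', 'ctrl', 'timeout')]),  # self message
    ('Waiting', 'done'):         ('Idle',       []),
    ('Waiting', 'timeout'):      ('Recovering', [('set', 'recovery_status', 1),
                                                 ('send', 'worker', 'reset')]),
    ('Recovering', 'done'):      ('Recovering', []),
    ('Recovering', 'reset_ack'): ('Idle',       [('set', 'recovery_status', 0)]),
}
WORKER = {
    ('Idle', 'go'):     ('Busy', [('send', 'ctrl', 'done'), ('send', 'worker', 'finish')]),
    ('Busy', 'finish'): ('Idle', []),
    ('Busy', 'reset'):  ('Idle', [('send', 'ctrl', 'reset_ack')]),
    ('Idle', 'reset'):  ('Idle', [('send', 'ctrl', 'reset_ack')]),
}

# Global state: (ctrl_state, recovery_status, worker_state, ctrl_buf, worker_buf).
# 'start' is a constructed environment input placed in the controller's buffer.
INITIAL = ('Idle', 0, 'Idle', ('start',), ())

def step(state, choice):
    """One synchronous global step. The scheduler selects 'ctrl' or 'worker'; the
    selected instance consumes the head of its FIFO buffer and fires its transition,
    and every buffer is updated within the same step. Returns None when the selected
    instance has no message, i.e. the scheduler may not pick it."""
    cs, rec, ws, cbuf, wbuf = state
    bufs = {'ctrl': list(cbuf), 'worker': list(wbuf)}
    if not bufs[choice]:
        return None
    msg = bufs[choice].pop(0)
    table, cur = (CONTROLLER, cs) if choice == 'ctrl' else (WORKER, ws)
    nxt, actions = table.get((cur, msg), (cur, []))
    for act in actions:
        if act[0] == 'send':
            if len(bufs[act[1]]) >= BUF_CAP:
                raise OverflowError(f"buffer bound {BUF_CAP} exceeded for {act[1]}")
            bufs[act[1]].append(act[2])
        else:
            rec = act[2]  # recovery_status is the only settable attribute here
    if choice == 'ctrl':
        cs = nxt
    else:
        ws = nxt
    return (cs, rec, ws, tuple(bufs['ctrl']), tuple(bufs['worker']))

# DECLARE-style propositions over semantic constructs of the model (a state, an
# attribute value); the names are constructed for this example.
PROPOSITIONS = {
    'Worker_in_Busy':  lambda s: s[2] == 'Busy',
    'Recovery_Called': lambda s: s[1] == 1,
    'Ctrl_in_Idle':    lambda s: s[0] == 'Idle',
}

def never(*names):
    """NEVER (p1 AND p2 AND ...): must hold in every reachable global state."""
    return lambda s: not all(PROPOSITIONS[n](s) for n in names)

def check(query, initial=INITIAL):
    """Explicit-state BFS over the global state space (COSPAN's job in the paper).
    Returns (holds, error_track, states_visited); the error track is the list of
    (scheduler_choice, state) pairs from the initial state to the violating one."""
    parent = {initial: None}
    queue = deque([initial])
    while queue:
        s = queue.popleft()
        if not query(s):
            track = []
            while parent[s] is not None:
                prev, choice = parent[s]
                track.append((choice, s))
                s = prev
            return False, list(reversed(track)), len(parent)
        for choice in ('ctrl', 'worker'):
            t = step(s, choice)
            if t is not None and t not in parent:
                parent[t] = (s, choice)
                queue.append(t)
    return True, None, len(parent)

def replay(choices, initial=INITIAL):
    """Error-trace-driven simulation: re-execute the scheduler choices of an error
    track and return every state visited, for inspection at the model level."""
    states = [initial]
    for choice in choices:
        states.append(step(states[-1], choice))
    return states

if __name__ == '__main__':
    holds, track, n = check(never('Worker_in_Busy', 'Recovery_Called'))
    print('holds:', holds, 'states explored:', n)
    for choice, s in track or []:
        print(' ', choice, '->', s)
```

On this constructed model the first query fails: the controller's self-sent timeout can be consumed before the worker consumes go, so recovery is entered and the worker then becomes Busy; the error track is the three scheduler choices that reach that state, and replay re-executes them, which is the error-trace-driven simulation the slide refers to. The second query, NEVER (Ctrl_in_Idle AND Worker_in_Busy), holds on all reachable states. The scheduler choice is the asynchronous interleaving made explicit inside a synchronous step, which is the point of the translation.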
Effectiveness of State Space Reductions
A liveness property was checked on the online ticket sale system: the xUML model was translated to two S/R models, with SPOR on or off, and each S/R model was checked by COSPAN with SMC on or off.

SPOR   SMC   Memory Usage     Time Usage
Off    Off   Out of memory    N/A
Off    On    113.73 MB        44736.5 s
On     Off   17.3 MB          6668.3 s
On     On    74.0 MB          1450.3 s
Conclusions and Future Work
An approach to model checking of xUML models has been defined and implemented.
Non-trivial xUML models have been checked:
–A robot control system;
–An online ticket sale system.
Integrated state space reduction that supports verifying larger models is being developed.