MINERVA: Metamodel-based Intuitive Editors with Reports and Visualizations
MINERVA (Metamodel-based Intuitive Editors with Reports and Visualizations of Analysis) Laura A. Campbell Advisor: Dr. Betty H. C. Cheng Software Engineering and Network Systems Lab Michigan State University This work has been supported in part by NSF grants EIA-0000433, CDA-9700732, CDA-9617310, CCR-9633391, CCR-9901017, and DARPA grant No. F30602-96-1-0298 managed by the Air Force's Rome Laboratories, Eaton Corporation, and a Motorola doctoral fellowship.
MINERVA Overview • Extends previous work (see Hydra) that attaches formal semantics to informal graphical object-oriented modeling notations (such as UML) in order to automatically generate formal specifications for a number of target languages. • Investigates the integration of different techniques for automatically analyzing the graphical diagrams via their formal specifications with existing analysis tools. • Explores visualization of analysis results within the context of the original graphical diagrams, augmentation of the diagrams with added information, and report generation.
Hydra Overview • MINERVA, a complementary system to Hydra, is designed both as a graphical front-end to the Hydra tool and as a visualization environment for analysis results. • Underlying the Hydra tool is a general framework for attaching semantics to Unified Modeling Language (UML) graphical diagrams via formal languages. • Hydra parses a textual representation of an integrated collection of UML diagrams comprising a model of a software system. • Hydra then generates appropriate formal specifications.
Architecture of MINERVA [Figure: architecture diagram. Components: UML [1] diagram editors storing diagrams in DoME [2] format; diagram reports; plug-ins; visualization commands; HIL [3]; Perl scripts sitting between raw analysis results and processed analysis results / analysis reports.] [1] Unified Modeling Language [2] MINERVA is built atop DoME, Honeywell's Domain Model Editing utility (www.htc.honeywell/dome) [3] Hydra Intermediate Language
Using MINERVA [Figure: data flow. UML diagrams → MINERVA → HIL → Hydra → Spec* → analysis tool, with analysis results fed back to MINERVA; diagram reports and analysis reports are the textual outputs.] * Hydra can automatically generate formal specifications for a number of target languages, including VHDL and Promela. The analysis tool used would be appropriate for the target language.
Diagram Well-Formedness • MINERVA’s graphical class and state diagram editors prevent the construction of diagram components that are inconsistent with the syntax for that type of diagram. • MINERVA checks for structural anomalies within diagrams, such as missing start states or the presence of “sinks” (states that cannot be exited, or “deadlock” states). • Hydra performs checks for structural inconsistencies between diagrams, such as use of an instance variable or signal/message without it having been declared, or expecting a signal/message that no object sends.
Structural Analysis • Structural analysis ensures that UML diagrams are well-formed prior to generating any formal specifications. • MINERVA handles graph-oriented analyses (within a diagram) while Hydra performs parser/compiler-oriented analyses (between diagrams). • Early elimination of such errors enables more effective use of “heavy-duty” specification analysis tools. [Figure: MINERVA → HIL → Hydra → Spec → analysis tool, with feedback to the diagrams from both the MINERVA and the Hydra stage.]
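The two kinds of structural check described on the preceding slides, as an added example in Python that is not MINERVA's or Hydra's code: graph-oriented checks within one state diagram (missing start state, sink states, unreachable states) and consistency checks between diagrams (a signal an object expects that nobody sends, a signal sent to an object that does not handle it). The dictionary encoding of a diagram, the function names and the sample model, which is loosely modelled on the Microprocessor / ErrorHandler / Watchdog example later in the deck and seeded with two deliberate defects, are all assumptions made for this example.

```python
"""Structural (well-formedness) checks on a set of UML state diagrams, split the
way the slides describe: graph-oriented checks within one diagram (MINERVA) and
consistency checks between diagrams (Hydra). Added example, not MINERVA's or
Hydra's code; the diagram encoding, the function names and the sample model are
assumptions made for illustration."""
from collections import deque

# Assumed encoding of one state diagram:
#   "start": the start state (None if the modeller forgot one)
#   "states": set of state names; "final": states allowed to have no exit
#   "transitions": list of (src, event, dst, sends); event is the received signal
#       (None for a completion transition), sends a list of (target_object, signal)
#       pairs, like the ^Object.signal actions on the slides.


def within_diagram_checks(name, diagram):
    """MINERVA-style checks on a single state diagram."""
    findings = []
    states = diagram["states"]
    start = diagram.get("start")
    if start not in states:
        findings.append(f"{name}: missing start state")
    outgoing = {s: [] for s in states}
    for src, event, dst, _sends in diagram["transitions"]:
        if src not in states or dst not in states:
            findings.append(f"{name}: transition {src}-{event}->{dst} uses an undeclared state")
            continue
        outgoing[src].append(dst)
    # A non-final state with no exit is a "sink": an object that enters it is stuck.
    for s in sorted(states):
        if not outgoing[s] and s not in diagram.get("final", set()):
            findings.append(f"{name}: sink state {s!r} cannot be exited")
    # Breadth-first search from the start state finds states no run can ever enter.
    if start in states:
        seen, queue = {start}, deque([start])
        while queue:
            for dst in outgoing[queue.popleft()]:
                if dst not in seen:
                    seen.add(dst)
                    queue.append(dst)
        findings.extend(f"{name}: state {s!r} unreachable from start" for s in sorted(states - seen))
    return findings


def between_diagram_checks(model):
    """Hydra-style checks across diagrams: every signal an object expects must be
    sent by some object, and every signal sent must go to a declared object that
    has a transition handling it."""
    findings = []
    received = {(obj, ev) for obj, d in model.items()
                for _src, ev, _dst, _sends in d["transitions"] if ev}
    sent = {(tgt, sig) for d in model.values()
            for _src, _ev, _dst, sends in d["transitions"] for tgt, sig in sends}
    for obj, sig in sorted(received - sent):
        findings.append(f"{obj}: expects signal {sig!r} that no object sends")
    for tgt, sig in sorted(sent - received):
        if tgt not in model:
            findings.append(f"signal {sig!r} is sent to undeclared object {tgt!r}")
        else:
            findings.append(f"{tgt}: is sent signal {sig!r} but no transition handles it")
    return findings


def check_model(model):
    findings = []
    for name, diagram in model.items():
        findings.extend(within_diagram_checks(name, diagram))
    findings.extend(between_diagram_checks(model))
    return findings


# Constructed sample loosely following the Microprocessor / ErrorHandler / Watchdog
# diagrams on the slides, with two deliberate defects: Microprocessor can drift into
# a sink state "Halted", and nothing ever sends the "tick" that drives the Watchdog.
SAMPLE_MODEL = {
    "Microprocessor": {
        "start": "Working",
        "states": {"Working", "Waiting for reset", "Halted"},
        "transitions": [
            ("Working", "setError", "Waiting for reset", []),
            ("Waiting for reset", "reset", "Working", []),
            ("Waiting for reset", None, "Halted", []),  # completion transition
        ],
    },
    "ErrorHandler": {
        "start": "Handling errors",
        "states": {"Handling errors"},
        "transitions": [
            ("Handling errors", "error", "Handling errors",
             [("Microprocessor", "reset"), ("Microprocessor", "setError")]),
        ],
    },
    "Watchdog": {
        "start": "Counting down",
        "states": {"Counting down"},
        "transitions": [
            ("Counting down", "tick", "Counting down", [("ErrorHandler", "error")]),
        ],
    },
}

if __name__ == "__main__":
    for finding in check_model(SAMPLE_MODEL):
        print(finding)
```

Running the block prints one line per finding: the sink state in the Microprocessor diagram (a within-diagram check) and the Watchdog's unsent tick (a between-diagram check). Both are cheap graph and set operations, which is why it pays to run them before handing a specification to a model checker.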
Behavioral Analysis • After formal specifications are generated, analyses such as simulation or model checking may be applied. • Model checking is, in general, an exhaustive technique that checks properties against the entire state space of a model, giving a counterexample when verification fails. • MINERVA visualizes analysis results within the context of the original UML diagrams. [Figure: MINERVA → HIL → Hydra → Spec → analysis tool, with feedback from the analysis tool back to the diagrams.]
Formal Specification Analysis • Simulation enables validation of behavioral requirements and debugging of the system design. • Model checking can find deadlocks, test system invariants against the model, and verify temporal claims. – Deadlock usually indicates a communication protocol error between objects in the system. – System invariants may check that a value never falls outside a certain range or that an object never enters a particular state. – Temporal claims usually test properties such as “something always happens,” “something never happens,” or “one thing happening leads to another thing happening.”
Analysis Results in Context • A formal specification of a collection of UML diagrams is one step removed from its original representation and usually loses structural information. • The analysis results output by formal specification tools such as Bell Labs’ model checker SPIN are often cryptic, and execute steps at a much finer granularity than depicted in UML diagrams. • For these reasons, we try to eliminate structural errors prior to generating specifications and visualize analysis results at a more abstract level within the UML diagrams.
Visualizations • Within the original UML diagrams, MINERVA highlights structural anomalies and inconsistencies so that the user may quickly correct such errors. • Trace data from simulations or counterexamples from model checking can be used to animate existing state diagrams. Work is in progress to automatically generate collaboration and sequence diagrams from trace data to augment the playback of state diagram execution. • MINERVA generates reports in human-readable textual format for inclusion in documentation.
State Diagram • State diagrams depict object behavior: events on transitions (arcs) can cause a change of state (rounded rectangles). • By instrumenting the HIL (Hydra Intermediate Language) representation, MINERVA can gather feedback about states, transitions, or both from the simulation and counterexample traces. As states are entered or transitions are taken, MINERVA highlights them in the diagram. [Figure: state diagrams for three objects. Microprocessor: states Working and Waiting for reset, with transitions on setError and reset. Watchdog: state Counting down, with the transition [count=0]/count:=100; ^ErrorHandler.error. ErrorHandler: state Handling errors, receiving error and sending ^Microprocessor.reset and ^Microprocessor.setError.]
Collaboration Diagram • Collaboration diagrams depict communication between objects (rectangles) with message pathways (directed lines). • While state diagrams describe how objects communicate via events, the actual pathway between them is not visualized. • When playing back trace data, MINERVA highlights message pathways as they are used and may display object attributes or contents of an object's queue. [Figure: collaboration diagram. Watchdog (count=100) sends 1: error to ErrorHandler; ErrorHandler sends 2: reset and 3: setError to Microprocessor, whose queue is shown as Q: {reset, setError}.]
Sequence Diagram • Sequence diagrams are both the complement to state diagrams and the isomorphic equivalent of collaboration diagrams, depicting a single sequence of message sends and receives (directed arrows) over time (a vertical line per object). • Message ordering and race conditions can be visualized with sequence diagrams. In the trace shown, reset reaches the Microprocessor before setError while it is still in Working, a state with no transition on reset, so the Microprocessor deadlocks due to the unexpected sequence. [Figure: sequence diagram with lifelines for Microprocessor (Working), ErrorHandler (Handling errors) and Watchdog (Counting down); messages error, reset and setError.]
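To make the behavioral analysis on the preceding slides concrete, here is an added Python example (not MINERVA's, Hydra's or SPIN's code) that explores the global state space of the Watchdog / ErrorHandler / Microprocessor model exhaustively, exactly the kind of search a model checker performs, and reports a deadlock or an invariant violation together with the shortest trace leading to it. With the ErrorHandler sending reset before setError it reproduces the deadlock described on the sequence diagram slide; with the order swapped the same search finds no error. The objects' behaviour (the Watchdog's countdown folded into its state name, a bounded FIFO queue per object, sends that block when the target queue is full) and every function name are assumptions made for this example.

```python
"""Explicit-state exploration of the Watchdog / ErrorHandler / Microprocessor model
from the slides: an exhaustive search over object states and message queues that
reports a deadlock or an invariant violation with the shortest counterexample.
Added example, not MINERVA's, Hydra's or SPIN's code; the objects' behaviour, the
bounded-FIFO semantics and all names are assumptions made for illustration."""
from collections import deque

QUEUE_CAPACITY = 2  # assumed bound; a send to a full queue is disabled, as in Promela

# Each object is a table (state, event) -> (next_state, sends). event None means the
# transition fires on its own (the Watchdog's countdown); sends is a tuple of
# (target_object, signal), like the ^Object.signal actions on the slides.
def microprocessor():
    return {("Working", "setError"): ("Waiting for reset", ()),
            ("Waiting for reset", "reset"): ("Working", ())}

def error_handler(order):  # on each error, signal the Microprocessor in `order`
    return {("Handling errors", "error"):
            ("Handling errors", tuple(("Microprocessor", s) for s in order))}

def watchdog():  # the countdown is folded into the state name to keep the model finite
    return {("count=2", None): ("count=1", ()),
            ("count=1", None): ("count=0", ()),
            ("count=0", None): ("count=2", (("ErrorHandler", "error"),))}

def build_model(order):
    return {"Watchdog": watchdog(), "ErrorHandler": error_handler(order),
            "Microprocessor": microprocessor()}

INITIAL = {"Watchdog": "count=2", "ErrorHandler": "Handling errors", "Microprocessor": "Working"}

def freeze(states, queues):  # hashable global state: (object states, queue contents)
    return tuple(sorted(states.items())), tuple((o, tuple(q)) for o, q in sorted(queues.items()))

def thaw(gs):
    return dict(gs[0]), {o: list(q) for o, q in gs[1]}

def successors(model, gs):
    """Yield (label, next_global_state) for every enabled transition."""
    states, queues = thaw(gs)
    for obj, table in model.items():
        for (src, event), (dst, sends) in table.items():
            if states[obj] != src:
                continue
            if event is not None and (not queues[obj] or queues[obj][0] != event):
                continue  # an object only consumes the message at the head of its FIFO
            new_queues = {o: list(q) for o, q in queues.items()}
            if event is not None:
                new_queues[obj].pop(0)
            for tgt, sig in sends:
                new_queues[tgt].append(sig)
            if any(len(q) > QUEUE_CAPACITY for q in new_queues.values()):
                continue  # blocked: the step would overflow a queue
            new_states = dict(states, **{obj: dst})
            sent = " ".join(f"^{t}.{s}" for t, s in sends)
            yield f"{obj}: {src} --{event or 'tick'}--> {dst} {sent}".rstrip(), freeze(new_states, new_queues)

def trace_to(parent, gs):
    steps = []
    while parent[gs] is not None:
        gs, label = parent[gs]
        steps.append(label)
    return steps[::-1]

def model_check(model, invariant=lambda states, queues: True):
    """Breadth-first search of the global state space; returns the number of states
    visited and, for the first deadlock (no enabled transition) or invariant violation
    found, its kind and the shortest trace of transitions leading to it."""
    init = freeze(INITIAL, {o: [] for o in model})
    parent, frontier = {init: None}, deque([init])
    while frontier:
        gs = frontier.popleft()
        if not invariant(*thaw(gs)):
            return {"visited": len(parent), "error": "invariant violated", "trace": trace_to(parent, gs)}
        moves = list(successors(model, gs))
        if not moves:
            return {"visited": len(parent), "error": "deadlock", "trace": trace_to(parent, gs)}
        for label, nxt in moves:
            if nxt not in parent:
                parent[nxt] = (gs, label)
                frontier.append(nxt)
    return {"visited": len(parent), "error": None, "trace": []}

def no_unexpected_reset(states, queues):
    """System invariant: reset never waits at the head of the Microprocessor's queue
    while it is Working, where no transition can consume it."""
    q = queues["Microprocessor"]
    return not (states["Microprocessor"] == "Working" and q and q[0] == "reset")

if __name__ == "__main__":
    for order in (("reset", "setError"), ("setError", "reset")):
        result = model_check(build_model(order))
        print(f"ErrorHandler sends {order}: {result['error'] or 'no error'} "
              f"({result['visited']} states explored)", *result["trace"], sep="\n   ")
```

The trace labels are written in terms of the objects, states and ^Object.signal actions of the original diagrams, which is the level at which MINERVA animates a counterexample; a real model checker such as SPIN reports the same scenario as Promela statements at a much finer granularity. Passing `no_unexpected_reset` as the invariant catches the protocol error after four steps, well before the queues fill up and the search reaches the deadlock itself.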
Report Generation • MINERVA can generate textual reports based either on trace data gathered from analysis tools or on the original UML diagrams comprising the system. • Reports based on trace data are the textual equivalent of animated playback of a trace sequence and are a useful complement to diagrams in documentation. • Reports based on the UML diagrams include rough metrics for judging system complexity and a comprehensive listing of all elements in the system to aid in the construction of a data dictionary.
Applications and Future Work • Together with Hydra, MINERVA has been used to model a Smart Cruise Control system in Promela and to display both structural and behavioral errors within the original UML diagrams. • Current investigations include using MINERVA and Hydra to model an Electronically Controlled Steering system to validate the analysis and visualization techniques. • Further use of MINERVA, Hydra, and existing analysis tools will suggest improvements for the ease-of-use and error-checking capabilities of both MINERVA and Hydra.