Model Checking for an Executable Subset of UML
Fei Xie (1), Vladimir Levin (2), and James C. Browne (1)
(1) Dept. of Computer Sciences, UT at Austin
(2) Bell Laboratories, Lucent Technologies
Motivations
• Executable subsets of UML
  – Widely applied to model software system designs;
  – Have well-defined execution semantics;
  – Enable early verification of design models.
• Model checking can potentially improve the reliability of executable design models.
xUML: An Executable Subset of UML
• A system consists of interacting class instances;
• Class instances communicate mainly through asynchronous message passing with buffering;
• State models are extended with state actions;
• State transitions are enabled by messages;
• System executions follow asynchronous interleaving semantics.
A Sample xUML State Model
[Figure: a state model, with its elements labelled State, State Transition, State Action and Message Type.]
Model Checking xUML Models
[Workflow diagram: an xUML Model and an xUML Query are input to xUML-to-S/R Translation, which produces an S/R Model and an S/R Query; these are input to Model Checking with the COSPAN Model Checker, whose output, a COSPAN Error Track, is input to xUML Level Error Report Generation. Legend: Data, Process, Input, Output.]
COSPAN Model Checker and S/R Automaton Language
• COSPAN is a synchronous model checker and inputs models and queries formulated in S/R.
• In S/R, a system is a synchronous parallel composition of its components modeled as processes.
[Figure: an S/R process, labelled with Process Input, Process Output and Process State Space.]
xUML Level Query Formulation

    DECLARE Joint_2_in_Move_EE <<Joint 2>> $Move_EE;
    DECLARE Recovery_Called <<Recovery 1>> recovery_status = 1;
    NEVER (Joint_2_in_Move_EE AND Recovery_Called);

Labels on the slide: each DECLARE statement is a Proposition built from Semantic Constructs of the xUML Model; the NEVER statement is an Instantiation of a Temporal Template.
xUML-to-S/R Model Translation
• Maps class instances to S/R processes;
• Models asynchrony with synchrony:
  – An S/R process as global execution scheduler;
  – Message buffers by separate S/R processes;
• Simulates dynamic creation of class instances;
• Bounds infinite state spaces of xUML models.
State Space Reductions in Model Translation
• Static partial order reduction (SPOR);
• Translating static attributes to constants;
• Reducing the send and consumption of a self message into a single state transition;
• Ranging variables to facilitate symbolic model checking (SMC).
Error Trace Analysis Support
• Visualize errors via simulation driven by error traces.
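As an added illustration (not the authors' tool, nor the robot model behind the query slide), the following Python code is a toy explicit-state checker for the kind of NEVER query shown above: two constructed class instances exchange messages through FIFO buffers under asynchronous interleaving semantics, a NEVER query over a state proposition and an attribute proposition is checked by reachability, and a violation comes back as the shortest error trace of the sort error trace analysis would replay. Instance names, messages, the fault scenario and the buffer-per-instance representation are assumptions of this example; COSPAN itself is symbolic and synchronous, which this toy is not.

```python
from collections import deque

# Constructed toy model (not the paper's): two xUML-style class instances with
# FIFO message buffers, explored under asynchronous interleaving semantics.
# A transition function maps (state, message) -> (new_state, [(target, msg)]).
def joint(state, msg):
    if state == "Idle" and msg == "move":
        return "Move_EE", []
    if state == "Move_EE" and msg == "halt":
        return "Idle", []
    return state, []                 # unhandled message: consumed, no effect

def recovery(status, msg):           # status models attribute recovery_status
    if status == 0 and msg == "fault":
        return 1, [("Joint2", "halt")]   # flag recovery, then tell the joint to stop
    return status, []

MODEL = {"Joint2": joint, "Recovery1": recovery}
INITIAL = {"Joint2": "Idle", "Recovery1": 0}
STIMULUS = {"Joint2": ("move",), "Recovery1": ("fault",)}   # environment input
# NEVER (Joint_2_in_Move_EE AND Recovery_Called) as a state predicate
BAD = lambda s: s["Joint2"] == "Move_EE" and s["Recovery1"] == 1

def check_never(model, initial, buffers, bad):
    """BFS over reachable (states, buffers) pairs. Returns None if no bad state
    is reachable, else the shortest error trace as (instance, message) steps."""
    start = (tuple(sorted(initial.items())), tuple(sorted(buffers.items())))
    parent, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        states, bufs = dict(node[0]), dict(node[1])
        if bad(states):
            trace = []
            while parent[node] is not None:
                node, step = parent[node]
                trace.append(step)
            return trace[::-1]
        for inst in [i for i in states if bufs[i]]:   # any instance with a pending message may run
            msg, rest = bufs[inst][0], bufs[inst][1:]
            new_state, sends = model[inst](states[inst], msg)
            ns, nb = dict(states), dict(bufs)
            ns[inst], nb[inst] = new_state, rest
            for tgt, m in sends:
                nb[tgt] = nb[tgt] + (m,)
            succ = (tuple(sorted(ns.items())), tuple(sorted(nb.items())))
            if succ not in parent:
                parent[succ] = (node, (inst, msg))
                queue.append(succ)
    return None
```

The violation found here is a buffering artifact: recovery_status becomes 1 as soon as the fault is consumed, but the halt message sits in the joint's buffer while the joint is still in Move_EE, so the two propositions hold together in a reachable interleaving.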
Effectiveness of State Space Reductions
• A liveness property to be checked on an online ticket sale system;
• The xUML model is translated to two S/R models, with SPOR on or off;
• The two S/R models are checked by COSPAN, with SMC on or off.

    SPOR  SMC  Memory Usage   Time Usage
    Off   Off  Out of Memory  N/A
    Off   On   113.73 M       44736.5 S
    On    Off  17.3 M         6668.3 S
    On    On   74.0 M         1450.3 S
Conclusions and Future Work
• An approach to model checking of xUML models is defined and implemented.
• Non-trivial xUML models have been checked:
  – A robot control system;
  – An online ticket sale system.
• Integrated state space reduction that supports verifying larger models is being developed.