Results 1 - 10 of 40
Model checking timed UML state machines and collaborations
- 7th Intl. Symp. Formal Techniques in Real-Time and Fault Tolerant Systems (FTRTFT 2002)
, 2002
Cited by 47 (2 self)
Abstract. We describe a prototype tool, hugo/RT, that is designed to automatically verify whether the timed state machines in a UML model interact according to scenarios specified by time-annotated UML collaborations. Timed state machines are compiled into timed automata that exchange signals and operations via a network automaton. A collaboration with time constraints is translated into an observer timed automaton. The model checker uppaal is called upon to verify the timed automata representing the model against the observer timed automaton.
Validating timed UML models by simulation and verification
- In Workshop SVERTS on
, 2003
Cited by 24 (12 self)
Abstract. We present in this paper a technique and a tool for validating operational UML models by simulation and verification of dynamic properties. With respect to language coverage, our approach takes into consideration most of the structural and behavioral characteristics of classes and their interplay. We tackle issues like the combination of operations, state machines, inheritance and polymorphism, with a particular run-to-completion and concurrency semantics. This is an important point, as many previous approaches applying model checking to UML put limiting conditions on the models. The UML dialect considered here also includes a set of extensions for expressing timing, which were defined in detail in [18]. For writing properties about models, we introduce UML observer objects. Observers are both easy to use – they reuse existing concepts of UML – and powerful – they are equivalent to linear temporal logic. Our approach is implemented by a tool built on top of an XMI repository. The tool is connected to several commercial and non-commercial UML editors, and to other model checking tools.
Debugging UML Designs with Model Checking
- Journal of Object Technology
, 2002
Cited by 23 (1 self)
version of CD_PLAYER The verification with abstraction of events works as follows. Given a model M composed by a set of statecharts and a sequence diagram SD, we proceed by constructing and checking a more abstract model M* against an abstract sequence diagram SD* until deciding about the satisfaction of SD against M, or until finding specific errors (phases 2 and 3 in our proposed methodology). The abstraction in both diagrams is done using the same abstract events. The verification of undesired behaviors (Phase 3) is done directly: If M* does not verify SD*, then M does not verify SD. Therefore, M can be employed to continue the development cycle (e.g. code generation). For example, let us assume that the simulation of statecharts in Figure 2 exhibits too many unexpected errors, probably because it is a very early version. If we want to have a minimum confidence about its correctness, we could try to check sequence diagrams considering the number of events that the actor and the system send, without taking care about the events themselves. For instance, the sequence diagram in Figure 8 (left) shows a non-desirable SD (it is forbidden for this system to start the music automatically after inserting the CD; the user is required to explicitly push the button play.) Figure 8 (right) shows its corresponding abstract version (SD*). The model checker will now report that the system (using the statechart in Figure 7) will never produce a sequence of abstract events like the one in Figure 8 (right), and we could conclude that the initial system never produces a sequence like the one in Figure 8 (left). It is worth noting that the computational effort in verifying the abstract version has been reduced with respect to the verification of the initial model. In...
The Rhapsody UML Verification Environment
- Proc. SEFM 2004
, 2004
Cited by 19 (6 self)
Object-oriented modeling plays an increasing role in the design of embedded controllers. Formal verification can be applied in order to give evidence for meeting safety critical requirements. The “Rhapsody UML Verification Environment” supports verification of safety and liveness requirements for embedded controllers, developed within the Unified Modeling Language (UML). The verification environment is integrated in the design tool “Rhapsody in C++” offered by the company I-Logix. This paper discusses how UML models are transformed into a format usable for the VIS model checker, shows the specification and verification on a simple example and explains how the tool can be used to help determining the memory resources of a model.
Live and let die: LSC-based verification of UML models
- Science of Computer Programming
, 2003
Cited by 18 (9 self)
Abstract. We present a strategy for automatic formal verification of Live Sequence Chart (LSC) specifications against UML models in the semantics of [7] employing the symmetry-based technique of Query Reduction [18, 34, 44] and the abstraction technique Data-type Reduction [34]. Altogether this allows for automatic formal verification without providing finite bounds on the numbers of objects created during a run of the system. Our presentation is grounded on a specific formal interpretation of LSCs for the UML domain in terms of [7] which is rich enough to in particular express properties about objects which are created only during activation of the LSC.
Model checking and code generation for UML state machines and collaborations
- In G. Schellhorn and W. Reif, 5th Workshop on Tools for System Design and Verification (FM-TOOLS)
, 2002
Cited by 17 (0 self)
The “Unified Modeling Language” (UML [1]) is generally accepted as the de facto standard notation for the analysis and design of object-oriented software systems. It provides diagrams for the description of static, dynamic, and architectural aspects of systems at different levels of detail. In particular, dynamic aspects of system behavior can be specified with the help of interaction (i.e., collaboration or sequence) diagrams that describe single system runs. A more operational view is provided by UML state machines, a variant of the Statechart notation introduced by Harel [2], that are associated with instances of classes. The UML deliberately encourages the use of redundant descriptions of the same aspects of a system, for example during different phases of software development. This redundancy generates an obvious opportunity for verification and validation techniques to ensure the consistency of these descriptions. Moreover, formal methods are generally most beneficial when applied to abstract descriptions. We describe an ongoing project to develop a set of tools, tentatively called HUGO, where model checking technology is applied to relate UML state machines and interaction diagrams. Considering the state machine view as the “model” and the interaction view as the “property”, model checking can be used to ensure that a system run as specified by the interaction diagram can indeed be realised by a set of interacting state machines. In some cases, the absence of errors can be expressed as the impossibility to realise certain “erroneous” interactions. As is typical for applications of model checking, we concentrate on the control part of UML models and largely abstract from the data manipulations. While verification technology such as model checking can reveal errors in system designs, coding errors during later implementation stages may still occur. Since state machines can specify an object’s behavior in full detail, we propose to generate code directly from the UML model. Ideally, formal analysis and code generation are applied to the same model, raising the confidence in the correctness of the resulting system.
Model checking of UML models via a mapping to communicating extended timed automata
- In 11th International SPIN Workshop on Model Checking of Software, 2004, volume 2989 of LNCS
, 2004
Cited by 13 (3 self)
We present a technique and a tool for model-checking operational UML models based on a mapping of object oriented UML models into a framework of communicating extended timed automata - in the IF format - and the use of the existing model-checking and simulation tools for this format.
Style-Based Modeling and Refinement of Service-Oriented Architectures -- A graph . . .
- SOFTWARE AND SYSTEMS MODELING
Cited by 13 (3 self)
Service-oriented architectures (SOA) provide a flexible and dynamic platform for implementing business solutions. In this paper, we address the modeling of such architectures by refining business-oriented architectures, which abstract from technology aspects, into service-oriented ones, focusing on the ability of dynamic reconfiguration (binding to new services at runtime) typical for SOA. The refinement is based on conceptual models of the platforms involved as architectural styles, formalized by graph transformation systems. Based on a refinement relation between abstract and platform-specific styles we investigate how to realize business-specific scenarios on the SOA platform by automatically deriving refined, SOA-specific reconfiguration scenarios.
Linking CSP-OZ with UML and Java: A Case Study
- In Integrated Formal Methods, number 2999 in Lecture Notes in Computer Science
, 2004
Cited by 12 (3 self)
We describe how CSP-OZ, an integrated formal method combining the process algebra CSP with the specification language Object-Z, can be linked to standard software engineering languages, viz. UML and Java. Our aim is to generate a significant part of the CSP-OZ specification from an initially developed UML model using a UML profile for CSP-OZ, and afterwards transform the formal specification into assertions written in the Java Modelling Language JML complemented by CSP jassda. The intermediate CSP-OZ specification serves to verify correctness of the UML model, and the assertions control at runtime the adherence of a Java implementation to these formal requirements. We explain this approach using the case study of a "holonic manufacturing system" in which coordination of transportation and processing is distributed among stores, machine tools and agents without central control.
Symbolic Model Checking of UML Activity Diagrams
- ACM Transactions on Software Engineering and Methodology
, 2006
Cited by 11 (1 self)
Two translations from activity diagrams to the input language of NuSMV, a symbolic model verifier, are presented. Both translations map an activity diagram into a finite state machine and are inspired by existing statechart semantics. The requirements-level translation defines state machines that can be efficiently verified, but are a bit unrealistic since they assume the perfect synchrony hypothesis. The implementation-level translation defines state machines that cannot be verified so efficiently, but that are more realistic since they do not use the perfect synchrony hypothesis. To justify the use of the requirements-level translation, we show that for a large class of activity diagrams and certain properties, both translations are equivalent: regardless of which translation is used, the outcome of model checking is the same. Moreover, for linear stuttering-closed properties, the implementation-level translation is equivalent to a slightly modified version of the requirements-level translation. We use the two translations to model check data integrity constraints for an activity diagram and a set of class diagrams that specify the data manipulated in the activities. Both translations have been implemented in two tools. We discuss our experiences in applying both translations to model check some large example activity diagrams.

