Abstract. We present in this paper a technique and a tool for validating operational UML models by simulation and verification of dynamic properties. With respect to language coverage, our approach takes into consideration most of the structural and behavioral characteristics of classes and their interplay. We tackle issues like the combination of operations, state machines, inheritance and polymorphism, with a particular run-tocompletion and concurrency semantics. This is an important point, as many previous approaches applying model checking to UML put limiting conditions on the models. The UML dialect considered here also includes a set of extensions for expressing timing, which were defined in detail in [18]. For writing properties about models, we introduce UML observer objects. Observers are both easy to use – they reuse existing concepts of UML, and powerful — they are equivalent to linear temporal logic. Our approach is implemented by a tool built on top of an XMI repository. The tool is connected to several commercial and non-commercial UML editors, and to other model checking tools. 1

Object-oriented modeling plays an increasing role in the design of embedded controllers. Formal verification can be applied in order to give evidence for meeting safety critical requirements. The “Rhapsody UML Verification Environment”supportsverificationofsafetyandliveness requirements for embedded controllers, developed within the Unified Modeling Language (UML). The verification environmentis integratedin thedesign tool “Rhapsody in C++ ” offered by the company I-Logix. This paper discusses how UML models are transformed into a format usable for the VIS model checker, shows the specification and verification on a simple example and explains how the tool can be used to help determining the memory resources of a model. 1.

Abstract. We present a strategy for automatic formal verification of Live Sequence Chart (LSC) specifications against UML models in the semantics of [7] employing the symmetry-based technique of Query Reduction [18, 34, 44] and the abstraction technique Data-type Reduction [34]. Altogether this allows for automatic formal verification without providing finite bounds on the numbers of objects created during a run of the system. Our presentation is grounded on a specific formal interpretation of LSCs for the UML domain in terms of [7] which is rich enough to in particular express properties about objects which are created only during activation of the LSC. 1

The “Unified Modeling Language ” (UML [1]) is generally accepted as the de facto standard notation for the analysis and design of object-oriented software systems. It provides diagrams for the description of static, dynamic, and architectural aspects of systems at different levels of detail. In particular, dynamic aspects of system behavior can be specified with the help of interaction (i.e., collaboration or sequence) diagrams that describe single system runs. A more operational view is provided by UML state machines, a variant of the Statechart notation introduced by Harel [2], that are associated with instances of classes. The UML deliberately encourages the use of redundant descriptions of the same aspects of a system, for example during different phases of software development. This redundancy generates an obvious opportunity for verification and validation techniques to ensure the consistency of these descriptions. Moreover, formal methods are generally most beneficial when applied to abstract descriptions. We describe an ongoing project to develop a set of tools, tentatively called HUGO, where model checking technology is applied to relate UML state machines and interaction diagrams. Considering the state machine view as the “model ” and the interaction view as the “property”, model checking can be used to ensure that a system run as specified by the interaction diagram can indeed be realised by a set of interacting state machines. In some cases, the absence of errors can be expressed as the impossibility to realise certain “erroneous ” interactions. As is typical for applications of model checking, we concentrate on the control part of UML models and largely abstract from the data manipulations. While verification technology such as model checking can reveal errors in system designs, coding errors during later implementation stages may still occur. Since state machines can specify an object’s behavior in full detail, we propose to generate code directly from the UML model. Ideally, formal analysis and code generation are applied to the same model, raising the confidence in the correctness of the resulting system.

We present a technique and a tool for model-checking operational UML models based on a mapping of object oriented UML models into a framework of communicating extended timed automata - in the IF format - and the use of the existing model-checking and simulation tools for this format.

Abstract. In this paper we describe an approach for real-time modeling in UML focusing on analysis and verification of time and scheduling related properties. We show that the use of timed events, representing instant of state changes, provides the right level of abstraction for reasoning about timed computations. This is also, at notation level, the choice of the OMG UML Real-Time Profile. We complete this profile by identifying important events and duration expressions. One originality of the approach presented here, is that it provides a formal semantics of the time related primitives in terms of timed automata with urgency. An interesting point is that this time extension is independent of the dynamic semantics of the functional part. 1

Software architectures and modular composition help in constructing large-scale software systems. Current programming languages provide only insufficient support for software architecture. “Architectural programming ” overcomes the problem of architectural erosion in implementations by integrating concepts of software architecture into programming languages. We present the new programming language JAVA/A as an instance for Java-based architectural programming and show how JAVA/A integrates architectural notions such as components, connectors, and assemblies into Java. A main asset of JAVA/A is its underlying abstract component model which provides the basis for reasoning about software components and assemblies. We give a formalisation of the abstract component model in terms of transition systems and states as algebras, and prove a consistency result for assemblies.

It is well known that errors introduced early in the development process are commonly the most expensive to correct. The increasingly popular model-driven architecture (MDA) exacerbates this problem by propagating these errors automatically to design and code. This paper describes a round trip engineering process that supports the specification of a UML model using CASE tools, the analysis of specified natural language properties, and the subsequent model refinement to eliminate errors uncovered during the analysis. This process has been implemented in SPIDER, a tool suite that enables developers to specify and analyze a UML model with respect to behavioral properties specified in terms of natural language. 1.

The textual Object Constraint Language (OCL) is primarily intended to specify restrictions over UML class diagrams, in particular class invariants, operation pre-, and postconditions. Based on several improvements in the definition of the language concepts in last years, a proposal for a new version of OCL has recently been published [43]. That document provides an extensive OCL semantic description that constitutes a tight integration into UML. However, OCL still lacks a semantic integration of UML Statecharts, although it can already be used to refer to states in OCL expressions.

Abstract. We present a technique and a tool for model-checking operational UML models based on a mapping of object oriented UML models into a framework of communicating extended timed automata- in the IF format- and the use of the existing model-checking and simulation tools for this format. We take into account most of the structural and behavioral characteristics of classes and their interplay and tackle issues like the combination of operations, state machines, inheritance and polymorphism, with a particular semantic profile for communication and concurrency. The UML dialect considered here, also includes a set of extensions for expressing timing. Our approach is implemented by a tool importing UML models via an XMI repository, and thus supporting several commercial and non-commercial UML editors. For user friendly interactive simulation, an interface has been built, presenting feedback to the user in terms of the original UML model. Model-checking and model exploration can be done by reusing the existing IF state-of-the-art validation environment. 1