Results 1 - 10 of 19
Creol: A type-safe object-oriented model for distributed concurrent systems
- THEORETICAL COMPUTER SCIENCE, 2006
Cited by 28 (13 self)
Object-oriented distributed computing is becoming increasingly important for critical infrastructure in society. In standard object-oriented models, objects synchronize on method calls. These models may be criticized in the distributed setting for their tight coupling of communication and synchronization; network delays and instabilities may locally result in much waiting and even deadlock. The Creol model targets distributed objects by a looser coupling of method calls and synchronization. Asynchronous method calls and high-level local control structures allow local computation to adapt to network instability. Object variables are typed by interfaces, so communication with remote objects is independent from their implementation. The inheritance and subtyping relations are distinct in Creol. Interfaces form a subtype hierarchy, whereas multiple inheritance is used for code reuse at the class level. This paper presents the Creol syntax, operational semantics, and type system. It is shown that runtime type errors do not occur for well-typed programs.
Validating timed uml models by simulation and verification
- In Workshop SVERTS on, 2003
Cited by 24 (12 self)
Abstract. We present in this paper a technique and a tool for validating operational UML models by simulation and verification of dynamic properties. With respect to language coverage, our approach takes into consideration most of the structural and behavioral characteristics of classes and their interplay. We tackle issues like the combination of operations, state machines, inheritance and polymorphism, with a particular run-to-completion and concurrency semantics. This is an important point, as many previous approaches applying model checking to UML put limiting conditions on the models. The UML dialect considered here also includes a set of extensions for expressing timing, which were defined in detail in [18]. For writing properties about models, we introduce UML observer objects. Observers are both easy to use – they reuse existing concepts of UML, and powerful — they are equivalent to linear temporal logic. Our approach is implemented by a tool built on top of an XMI repository. The tool is connected to several commercial and non-commercial UML editors, and to other model checking tools.
The Rhapsody Semantics of Statecharts (or, On the Executable Core of the UML)
- In Integration of Software Specification Techniques for Application in Engineering, number 3147 in Lecture Notes in Computer Science, 2001
Cited by 21 (4 self)
We describe the semantics of statecharts as implemented in the current version of the Rhapsody tool. In its original 1996 version this was among the first executable semantics for object-oriented statecharts, and many of its fundamentals have been adopted in the Unified Modeling Language (UML). Due to the special challenges of object-oriented behavior, the semantics of statecharts in Rhapsody differs from the original semantics of statecharts in Statemate. Two of the main differences are: (i) in Rhapsody, changes made in a given step are to take effect in the current step and not in the next step; (ii) in Rhapsody, a step can take more than zero time. This paper constitutes the first description of the executable semantics of Rhapsody, highlighting the differences from the Statemate semantics and making an effort to explain the issues clearly but rigorously, including the motivation for some of the design decisions taken.
The Rhapsody UML Verification Environment
- Proc. SEFM 2004, 2004
Cited by 19 (6 self)
Object-oriented modeling plays an increasing role in the design of embedded controllers. Formal verification can be applied in order to give evidence for meeting safety critical requirements. The “Rhapsody UML Verification Environment” supports verification of safety and liveness requirements for embedded controllers, developed within the Unified Modeling Language (UML). The verification environment is integrated in the design tool “Rhapsody in C++” offered by the company I-Logix. This paper discusses how UML models are transformed into a format usable for the VIS model checker, shows the specification and verification on a simple example and explains how the tool can be used to help determining the memory resources of a model.
Live and let die: LSC-based verification of UML models
- Science of Computer Programming, 2003
Cited by 18 (9 self)
Abstract. We present a strategy for automatic formal verification of Live Sequence Chart (LSC) specifications against UML models in the semantics of [7] employing the symmetry-based technique of Query Reduction [18, 34, 44] and the abstraction technique Data-type Reduction [34]. Altogether this allows for automatic formal verification without providing finite bounds on the numbers of objects created during a run of the system. Our presentation is grounded on a specific formal interpretation of LSCs for the UML domain in terms of [7] which is rich enough to in particular express properties about objects which are created only during activation of the LSC.
Model checking of UML models via a mapping to communicating extended timed automata
- In 11th International SPIN Workshop on Model Checking of Software, 2004, volume 2989 of LNCS, 2004
Cited by 13 (3 self)
We present a technique and a tool for model-checking operational UML models based on a mapping of object oriented UML models into a framework of communicating extended timed automata - in the IF format - and the use of the existing model-checking and simulation tools for this format.
A front-end tool for automated abstraction and modular verification of actor-based models
- In: Proceedings of ACSD’04, (IEEE Computer Society, 2004
Cited by 8 (8 self)
Actor-based modeling is known to be an appropriate approach for representing concurrent and distributed systems. Rebeca is an actor-based language with a formal foundation, based on an operational interpretation of the actor model. We develop a front-end tool for translating a subset of Rebeca to SMV in order to model check Rebeca models. Automated modular verification and abstraction techniques are supported by the tool.
A Semantics of Communicating Reactive Objects with Timing
- In Proc. of Workshop on Specification and Validation of UML models for Real-Time Embedded Systems, SVERTS associated with UML 2003, technical report Verimag 2003/10/22, 2004
Cited by 7 (1 self)
The aim of this work is to provide a formal foundation for the unambiguous description of real-time, reactive, embedded systems in UML. For this application domain, we define the meaning of basic class diagrams where the behavior of objects is described by state machines. These reactive objects may communicate by means of asynchronous signals and synchronous operation calls. The notion of a thread of control is captured by a so-called activity group, which is a set of objects which contains exactly one active object and where at most one object may be executing. Explicit timing is realized via local clocks and an urgency predicate on transitions. We define a formal semantics for this kernel language, based on the run-to-completion paradigm. We show that this combination of communication primitives and execution mechanism gives rise to a large number of questions and discuss the decisions taken in the proposed semantics. The resulting semantics has been defined in the typed logic of the interactive theorem prover PVS.
A model checking verification environment for UML Statecharts
- IN: PROCEEDINGS OF XLIII CONGRESSO, 2005
Cited by 7 (0 self)
In this paper we present the state/event-based temporal logic µUCTL which is a logic oriented towards a natural description of dynamic properties of UML models. This logic allows to specify the basic properties that a runtime system configuration should satisfy and to combine these basic predicates with logic and temporal operators which allow to take into consideration also the events performed by the system when evolving from one system configuration to another. Doubly Labelled Transition Systems are the semantic domain for µUCTL. The logic is supported by a prototypical verification environment under development at ISTI built around the “on the fly” UMC model checker.
Validation of UML Models via a Mapping to Communicating Extended Timed Automata
- Proc. 11th Int. SPIN Workshop on Model Checking of Software, LNCS 2989, Springer-Verla, 2004
Cited by 6 (2 self)
Abstract. We present a technique and a tool for model-checking operational UML models based on a mapping of object oriented UML models into a framework of communicating extended timed automata - in the IF format - and the use of the existing model-checking and simulation tools for this format. We take into account most of the structural and behavioral characteristics of classes and their interplay and tackle issues like the combination of operations, state machines, inheritance and polymorphism, with a particular semantic profile for communication and concurrency. The UML dialect considered here, also includes a set of extensions for expressing timing. Our approach is implemented by a tool importing UML models via an XMI repository, and thus supporting several commercial and non-commercial UML editors. For user friendly interactive simulation, an interface has been built, presenting feedback to the user in terms of the original UML model. Model-checking and model exploration can be done by reusing the existing IF state-of-the-art validation environment.

