Model Checking for an Executable Subset of UML

1
Model Checking for an Executable Subset of UML
  • Fei Xie (1), Vladimir Levin (2), and James C. Browne (1)
  • (1) Dept. of Computer Sciences, UT at Austin
  • (2) Bell Laboratories, Lucent Technologies

2
Motivations
  • Executable subsets of UML
  • Widely applied to model software system designs
  • Have well-defined execution semantics
  • Enable early verification of design models.
  • Model checking can potentially improve the
    reliability of executable design models.

3
xUML: An Executable Subset of UML
  • A system consists of interacting class instances
  • Class instances communicate mainly through
    asynchronous message passing with buffering
  • State models are extended with state actions
  • State transitions are enabled by messages
  • System executions follow asynchronous
    interleaving semantics.

4
A Sample xUML State Model
[Figure: a sample xUML state model, with callouts labeled State Transition, State Action, Message Type, and State]

5
Model Checking xUML Models
[Figure: workflow diagram with elements labeled xUML Model, xUML Query, xUML-to-S/R Translation, S/R Model, S/R Query, Model Checking with COSPAN Model Checker, COSPAN Error Track, Error Report Generation, and xUML Level Error Report. Legend: Input, Output, Data, Process]

6
COSPAN Model Checker and S/R Automaton Language
  • COSPAN is a synchronous model checker that takes
    models and queries formulated in S/R as input.
  • In S/R, a system is a synchronous parallel
    composition of its components modeled as
    processes.

[Figure: an S/R process, with callouts labeled Process Output, Process, Process Input, and Process State Space]

7
xUML Level Query Formulation
  • DECLARE Joint_2_in_Move_EE <<Joint 2>> Move_EE
  • DECLARE Recovery_Called <<Recovery 1>> recovery_status 1
  • NEVER (Joint_2_in_Move_EE AND Recovery_Called)

[Slide callouts: Proposition; Semantic Constructs of xUML Model; Instantiation of Temporal Template]

8
xUML-to-S/R Model Translation
  • Maps class instances to S/R processes
  • Models asynchrony with synchrony
  • An S/R process as global execution scheduler
  • Message buffers by separate S/R processes
  • Simulates dynamic creation of class instances
  • Bounds infinite state spaces of xUML models.
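
An added sketch, not code from the presentation and not COSPAN or the xUML-to-S/R translator: a breadth-first exploration of class instances that communicate through bounded message buffers under interleaving semantics, checking a NEVER property like the one on slide 7. The two-instance model, its message names, the "Halted" state, and the rule that unhandled messages are dropped are assumptions made for the example.

```python
from collections import deque

BOUND = 3  # buffer capacity; bounding it keeps the reachable state space finite

def successors(state, model):
    """One interleaving step: any instance with a pending message consumes it."""
    locs, bufs = state
    for i, buf in enumerate(bufs):
        if not buf:
            continue
        # A message with no matching transition is dropped (assumption of this sketch).
        new_loc, sends = model[i].get((locs[i], buf[0]), (locs[i], ()))
        nbufs = [list(b) for b in bufs]
        nbufs[i].pop(0)
        for target, msg in sends:
            nbufs[target].append(msg)
        if any(len(b) > BOUND for b in nbufs):
            continue  # sending into a full buffer disables the transition
        nlocs = locs[:i] + (new_loc,) + locs[i + 1:]
        yield (i, buf[0]), (nlocs, tuple(map(tuple, nbufs)))

def check_never(init, model, bad):
    """Breadth-first search; returns the shortest trace to a bad state, or None."""
    parent, queue = {init: None}, deque([init])
    while queue:
        state = queue.popleft()
        if bad(state):
            trace = []
            while parent[state] is not None:
                state, step = parent[state]
                trace.append(step)
            return trace[::-1]
        for step, nxt in successors(state, model):
            if nxt not in parent:
                parent[nxt] = (state, step)
                queue.append(nxt)
    return None

def joint_model(after_fault):
    """Constructed two-instance model: 0 = Joint, 1 = Recovery (hypothetical names)."""
    joint = {("Idle", "move"): ("Move_EE", ()),
             ("Move_EE", "done"): ("Idle", ()),
             ("Move_EE", "fault"): (after_fault, ((1, "recover"),))}
    recovery = {(0, "recover"): (1, ())}
    return [joint, recovery]

INIT = (("Idle", 0), (("move", "fault", "done"), ()))
# NEVER (Joint_2_in_Move_EE AND Recovery_Called), as a predicate on global states
BAD = lambda s: s[0] == ("Move_EE", 1)

if __name__ == "__main__":
    print(check_never(INIT, joint_model("Move_EE"), BAD))  # counterexample trace
    print(check_never(INIT, joint_model("Halted"), BAD))   # property holds
```

In the first variant the violation occurs only in the interleaving where Recovery consumes its message before Joint consumes "done", which is why every interleaving has to be explored.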

9
State Space Reductions in Model Translation
  • Static partial order reduction (SPOR)
  • Translating static attributes to constants
  • Reducing the send and consumption of a self
    message into a single state transition
  • Ranging variables to facilitate symbolic model
    checking (SMC).

10
Error Trace Analysis Support
  • Visualize errors via simulation driven by error
    traces.

11
Effectiveness of State Space Reductions
  • A liveness property to be checked on an online
    ticket sale system
  • xUML model translated to two S/R models with SPOR
    on or off
  • Two S/R models checked by COSPAN with SMC on or
    off.

SPOR   SMC   Memory Usage    Time Usage
Off    Off   Out of Memory   N/A
Off    On    113.73M         44736.5S
On     Off   17.3M           6668.3S
On     On    74.0M           1450.3S

12
Conclusions and Future Work
  • An approach to model checking of xUML models is
    defined and implemented.
  • Non-trivial xUML models have been checked:
      • A robot control system
      • An online ticket sale system.
  • Integrated state space reduction that supports
    verifying larger models is being developed.