Skip to main content
SpringerLink
Log in

Unified verification and monitoring of executable UML specifications

A transformation-free approach

  • Special Section Paper
  • Published:
Software and Systems Modeling Aims and scope Submit manuscript

Abstract

The increasing complexity of embedded systems renders software verification more complex, requiring monitoring and formal techniques, like model-checking. However, to use such techniques, system engineers usually need formal expertise to express the software requirements in a formal language. To facilitate the use of model-checking tools by system engineers, our approach uses a UML model interpreter through which the software requirements can directly be expressed in UML as well. Formal requirements are encoded as UML state machines with the transition guards written in a specific observation language, which expresses predicates on the execution of the system model. Each such executable UML specification can model either a Büchi automaton or an observer automaton, and is synchronously composed with the system, to follow its execution during model-checking. Formal verification can continue at runtime for all deterministic observer automata used during offline verification by deploying them on real embedded systems. Our approach has been evaluated on multiple case studies and is illustrated, in this paper, through the user interface model of a cruise-control system. The automata-based verification results are in line with the verification of the equivalent LTL properties. The runtime overhead during monitoring is proportional to the number of monitors.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10

Similar content being viewed by others

Notes

  1. HOA format: http://adl.github.io/hoaf/.

  2. Implementation of a cardiac defibrillator: https://github.com/Pyponou/defibrillator.

  3. OBP2: https://www.obpcdl.org.

  4. In comparison with [10], this observer has been refined to be independent of the vehicle engine implementation.

  5. Lean Prover: https://leanprover.github.io/.

  6. GitHub repository: https://github.com/ValentinBesnard/emi-verifying-and-monitoring-uml-models.

  7. Xtend: https://www.eclipse.org/xtend/.

  8. The difference that can be observed with our paper [10] is due to the fact that we have improved the abstraction of the environment model.

References

  1. Autili, M., Inverardi, P., Pelliccione, P.: Graphical scenarios for specifying temporal properties: an automated approach. Autom. Softw. Eng. 14(3), 293–340 (2007). https://doi.org/10.1007/s10515-007-0012-6

    Article  Google Scholar 

  2. Babiak, T., Křetínský, M., Řehák, V., Strejček, J.: LTL to Büchi automata translation: fast and more deterministic. In: Flanagan, C., König, B. (eds.) Tools and Algorithms for the Construction and Analysis of Systems, pp. 95–109. Springer, Berlin, Heidelberg (2012). https://doi.org/10.1007/3-540-44585-4_6

    Chapter  MATH  Google Scholar 

  3. Baier, C., Katoen, J.P.: Principles of Model Checking (Representation and Mind Series). MIT Press, Cambridge (2008). https://doi.org/10.5555/1373322

    Book  MATH  Google Scholar 

  4. Barringer, H., Goldberg, A., Havelund, K., Sen, K.: EAGLE Does Space Efficient LTL Monitoring. Pre-Print CSPP-25 (2003)

  5. Bauer, A., Leucker, M., Schallhart, C.: Runtime verification for LTL and TLTL. ACM Trans. Softw. Eng. Methodol. 20(4), 14:1-14:64 (2011). https://doi.org/10.1145/2000799.2000800

    Article  Google Scholar 

  6. Besnard, V., Brun, M., Dhaussy, P., Jouault, F., Olivier, D., Teodorov, C.: Towards one model interpreter for both design and deployment. In: 3rd International Workshop on Executable Modeling (EXE 2017). Austin, United States (2017)

  7. Besnard, V., Brun, M., Jouault, F., Teodorov, C., Dhaussy, P.: Embedded UML model execution to bridge the gap between design and runtime. In: Mazzara, M., Ober, I., Salaün, G. (eds.) Software Technologies: Applications and Foundations, pp. 519–528. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-04771-9_38

    Chapter  Google Scholar 

  8. Besnard, V., Brun, M., Jouault, F., Teodorov, C., Dhaussy, P.: Unified LTL verification and embedded execution of UML models. In: ACM/IEEE 21th International Conference on Model Driven Engineering Languages and Systems (MODELS ’18). Copenhagen, Denmark (2018). https://doi.org/10.1145/3239372.3239395

  9. Besnard, V., Teodorov, C., Jouault, F., Brun, M., Dhaussy, P.: A model checkable UML soccer player. In: 3rd Workshop on Model-Driven Engineering Tools, pp. 211–220. Munich, Germany (2019)

  10. Besnard, V., Teodorov, C., Jouault, F., Brun, M., Dhaussy, P.: Verifying and monitoring uml models with observer automata. In: ACM/IEEE 22th International Conference on Model Driven Engineering Languages and Systems (MODELS ’19), pp. 161–171. Munich, Germany (2019). https://doi.org/10.1109/MODELS.2019.000-5

  11. Bochot, T., Virelizier, P., Waeselynck, H., Wiels, V.: Model checking flight control systems: the Airbus experience. In: 2009 31st International Conference on Software Engineering—Companion Volume, pp. 18–27 (2009). https://doi.org/10.1109/ICSE-COMPANION.2009.5070960

  12. Bodden, E., Lam, P., Hendren, L.: Clara: a framework for partially evaluating finite-state runtime monitors ahead of time. In: Barringer, H., Falcone, Y., Finkbeiner, B., Havelund, K., Lee, I., Pace, G., Roşu, G., Sokolsky, O., Tillmann, N. (eds.) Runtime Verification, pp. 183–197. Springer, Berlin, Heidelberg (2010). https://doi.org/10.1007/978-3-642-16612-9_15

    Chapter  MATH  Google Scholar 

  13. Boniol, F., Wiels, V.: The landing gear system case study. In: ABZ 2014: The Landing Gear Case Study, pp. 1–18. Springer, Cham (2014)

  14. Brumbulli, M., Gaudin, E., Teodorov, C.: Automatic verification of BPMN models. In: 10th European Congress on Embedded Real Time Software and Systems (ERTS 2020). Toulouse, France (2020)

  15. Chen, F., D’Amorim, M., Roşu, G.: A formal monitoring-based framework for software development and analysis. In: Davies, J., Schulte, W., Barnett, M. (eds.) Formal Methods and Software Engineering, pp. 357–372. Springer, Berlin, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30482-1_31

  16. Ciccozzi, F.: From models to code and back: a round-trip approach for model-driven engineering of embedded systems. Mälardalen University, Embedded Systems. Ph.D. thesis (2014)

  17. Ciccozzi, F., Malavolta, I., Selic, B.: Execution of UML models: a systematic review of research and practice. Softw. Syst. Model. (2018). https://doi.org/10.1007/s10270-018-0675-4

    Article  Google Scholar 

  18. de Moura, L., Kong, S., Avigad, J., van Doorn, F., von Raumer, J.: The lean theorem prover (system description). In: Felty, A.P., Middeldorp, A. (eds.) Automated Deduction—CADE-25, pp. 378–388. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21401-6_26

    Chapter  Google Scholar 

  19. Dhaussy, P., Le Roux, L., Teodorov, C.: Vérification formelle de propriétés : Application de l’outil OBP au cas d’étude CCS. Génie logiciel 109 (2014)

  20. Diot, C., de Simone, R., Huitema, C.: Communication Protocols Development Using ESTEREL (1994)

  21. Drusinsky, D.: The temporal rover and the ATG rover. In: Havelund, K., Penix, J., Visser, W. (eds.) SPIN Model Checking and Software Verification, pp. 323–330. Springer, Berlin, Heidelberg (2000). https://doi.org/10.1007/10722468_19

    Chapter  MATH  Google Scholar 

  22. Duret-Lutz, A., Poitrenaud, D.: SPOT: an extensible model checking library using transition-based generalized Büchi automata. In: Proceedings of The IEEE Computer Society’s 12th Annual International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunications Systems, MASCOTS ’04, pp. 76–83. IEEE Computer Society, Washington, DC, USA (2004). https://doi.org/10.1109/MASCOT.2004.1348184

  23. Ferretti, J., Di Pietro, L., De Maria, C.: Open-source automated external defibrillator. HardwareX 2, 61–70 (2017). https://doi.org/10.1016/j.ohx.2017.09.001

    Article  Google Scholar 

  24. Gaiser, A., Schwoon, S.: Comparison of algorithms for checking emptiness on Büchi automata. In: Hlinený, P., Matyáš, V., Vojnar, T. (eds.) Annual Doctoral Workshop on Mathematical and Engineering Methods in Computer Science (MEMICS’09), OpenAccess Series in Informatics (OASIcs), vol. 13, pp. 18–26. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik, Dagstuhl, Germany (2009). https://doi.org/10.4230/DROPS.MEMICS.2009.2349

  25. Gastin, P., Oddoux, D.: Fast LTL to Büchi automata translation. In: Berry, G., Comon, H., Finkel, A. (eds.) Computer Aided Verification, pp. 53–65. Springer, Berlin, Heidelberg (2001). https://doi.org/10.1007/3-540-44585-4_6

    Chapter  Google Scholar 

  26. Halbwachs, N., Lagnier, F., Raymond, P.: Synchronous observers and the verification of reactive systems. In: Nivat, M., Rattray, C., Rus, T., Scollo, G. (eds.) Algebraic Methodology and Software Technology, vol. AMAST’93, pp. 83–96. Springer, London (1994). https://doi.org/10.1007/978-1-4471-3227-1_8

  27. Havelund, K., Roşu, G.: Synthesizing monitors for safety properties. In: Katoen, J.P., Stevens, P. (eds.) Tools and Algorithms for the Construction and Analysis of Systems, pp. 342–356. Springer, Berlin, Heidelberg (2002). https://doi.org/10.1007/3-540-46002-0_24

    Chapter  MATH  Google Scholar 

  28. Havelund, K., Roşu, G.: Efficient monitoring of safety properties. Int. J. Softw. Tools Technol. Transf. 6(2), 158–173 (2004). https://doi.org/10.1007/s10009-003-0117-6

    Article  Google Scholar 

  29. Havelund, K., Roşu, G.: Monitoring Java programs with Java pathexplorer. Electronic Notes in Theoretical Computer Science 55(2), 200–217 (2001). https://doi.org/10.1016/S1571-0661(04)00253-1. RV’2001, Runtime Verification (in connection with CAV ’01)

  30. Hili, N., Bagherzadeh, M., Jahed, K., Dingel, J.: A model-based architecture for interactive run-time monitoring. Softw. Syst. Model. (2020). https://doi.org/10.1007/s10270-020-00780-y

    Article  Google Scholar 

  31. Holzmann, G.J., Joshi, R.: Model-driven software verification. In: Graf, S., Mounier, L. (eds.) Model Checking Software, pp. 76–91. Springer, Berlin, Heidelberg (2004)

    Chapter  Google Scholar 

  32. Iyenghar, P., Pulvermueller, E., Westerkamp, C., Wuebbelmann, J., Uelschen, M.: Model-Based Debugging of Embedded Software Systems, pp. 107–132. Springer, New York (2017). https://doi.org/10.1007/978-1-4614-2266-2_5

    Book  Google Scholar 

  33. Jouault, F., Besnard, V., Le Calvar, T., Teodorov, C., Brun, M., Delatour, J.: Designing, animating, and verifying partial UML models. In: ACM/IEEE 23rd International Conference on Model Driven Engineering Languages and Systems (MODELS ’20), MODELS ’20. Virtual Event, Canada (2020). https://doi.org/10.1145/3365438.3410967

  34. Jouault, F., Delatour, J.: Towards fixing sketchy UML models by leveraging textual notations: application to real-time embedded systems. In: Brucker, A.D., Dania, C., Georg, G., Gogolla, M. (eds.) OCL 2014, OCL and Textual Modeling: Applications and Case Studies, vol. 1285, pp. 73–82. Valencia, Spain (2014)

  35. Jouault, F., Teodorov, C., Delatour, J., Le Roux, L., Dhaussy, P.: Transformation de modèles UML vers Fiacre, via les langages intermédiaires tUML et ABCD. Génie Logiciel 109, 21–27 (2014)

    Google Scholar 

  36. Kane, A.: Runtime Monitoring for Safety-Critical Embedded Systems (2015). https://doi.org/10.1184/R1/6721376.v1

  37. Kim, M., Viswanathan, M., Kannan, S., Lee, I., Sokolsky, O.: Java-MaC: a run-time assurance approach for Java programs. Form. Methods Syst. Des. 24(2), 129–155 (2004)

    Article  Google Scholar 

  38. Knapp, A., Merz, S., Rauh, C.: Model checking timed UML state machines and collaborations. In: Damm, W., Olderog, E.R. (eds.) Formal Techniques in Real-Time and Fault-Tolerant Systems, pp. 395–414. Springer, Berlin, Heidelberg (2002). https://doi.org/10.1007/3-540-45739-9_23

    Chapter  Google Scholar 

  39. Knapp, A., Wuttke, J.: Model checking of UML 2.0 interactions. In: Kühne, T. (ed.) Models in Software Engineering, pp. 42–51. Springer, Berlin, Heidelberg (2007). https://doi.org/10.1007/978-3-540-69489-2_6

    Chapter  Google Scholar 

  40. Kripke, S.A.: Semantical analysis of modal logic i normal modal propositional calculi. Math. Logic Q. 9(5–6), 67–96 (1963). https://doi.org/10.1002/malq.19630090502

    Article  MathSciNet  MATH  Google Scholar 

  41. Leroux, L., Delatour, J., Dhaussy, P.: Modélisation UML d’un régulateur de vitesse automobile. Génie Logiciel 109, (2014)

  42. Liu, S., Liu, Y., Sun, J., Zheng, M., Wadhwa, B., Dong, J.S.: USMMC: a self-contained model checker for UML state machines. In: Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering, ESEC/FSE 2013, pp. 623–626. ACM, New York, NY, USA (2013). https://doi.org/10.1145/2491411.2494595

  43. Mekki, A., Ghazel, M., Toguyeni, A.: Validating Time-constrained Systems Using UML Statecharts Patterns and Timed Automata Observers, vol. VECoS’09, pp. 112–124. BCS Learning & Development Ltd., Swindon, UK (2009)

  44. Ober, I., Graf, S., Ober, I.: Validation of UML models via a mapping to communicating extended timed automata. In: Graf, S., Mounier, L. (eds.) Model Checking Software, pp. 127–145. Springer, Berlin, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24732-6_9

    Chapter  Google Scholar 

  45. Ober, I., Graf, S., Ober, I.: Validating timed UML models by simulation and verification. Int. J. Softw. Tools Technol. Transf. 8(2), 128–145 (2006). https://doi.org/10.1007/s10009-005-0205-x

    Article  Google Scholar 

  46. OMG: Action Language for Foundational UML (Alf) (2017). www.omg.org/spec/ALF/1.1/PDF

  47. OMG: Precise Semantics of UML State Machines (2017). https://www.omg.org/spec/PSSM/1.0/Beta1/PDF

  48. OMG: Semantics of a Foundational Subset for Executable UML Models (2017). https://www.omg.org/spec/FUML/1.3/PDF

  49. OMG: Unified Modeling Language (2017). https://www.omg.org/spec/UML/2.5.1/PDF

  50. Pike, L., Goodloe, A., Morisset, R., Niller, S.: Copilot: a hard real-time runtime monitor. In: Barringer, H., Falcone, Y., Finkbeiner, B., Havelund, K., Lee, I., Pace, G., Roşu, G., Sokolsky, O., Tillmann, N. (eds.) Runtime Verification, pp. 345–359. Springer, Berlin, Heidelberg (2010). https://doi.org/10.1007/978-3-642-16612-9_26

    Chapter  Google Scholar 

  51. Queille, J.P., Sifakis, J.: Specification and Verification of Concurrent Systems in CESAR, pp. 216–230. Springer, Berlin, Heidelberg (2008)

    MATH  Google Scholar 

  52. Reger, G., Cruz, H.C., Rydeheard, D.: MarQ: monitoring at runtime with QEA. In: Baier, C., Tinelli, C. (eds.) Tools and Algorithms for the Construction and Analysis of Systems, pp. 596–610. Springer, Berlin, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46681-0_55

    Chapter  Google Scholar 

  53. Roşu, G., Bensalem, S.: Allen linear (interval) temporal logic—translation to LTL and monitor synthesis. In: Ball, T., Jones, R.B. (eds.) Computer Aided Verification, pp. 263–277. Springer, Berlin, Heidelberg (2006). https://doi.org/10.1007/11817963_25

    Chapter  Google Scholar 

  54. Roşu, G., Chen, F., Ball, T.: Synthesizing monitors for safety properties: this time with calls and returns. In: Leucker, M. (ed.) Runtime Verification, pp. 51–68. Springer, Berlin, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89247-2_4

    Chapter  Google Scholar 

  55. Tan, L., Kim, J., Sokolsky, O., Lee, I.: Model-based testing and monitoring for hybrid embedded systems. In: Proceedings of the 2004 IEEE International Conference on Information Reuse and Integration, 2004. IRI 2004, pp. 487–492 (2004)

  56. Teodorov, C., Dhaussy, P., Le Roux, L.: Environment-driven reachability for timed systems. Int. J. Softw. Tools Technol. Transf. 19(2), 229–245 (2017). https://doi.org/10.1007/s10009-015-0401-2

    Article  Google Scholar 

  57. Teodorov, C., Le Roux, L., Drey, Z., Dhaussy, P.: Past-Free[ze] reachability analysis: reaching further with DAG-directed exhaustive state-space analysis. Softw. Test. Verif. Reliab. 26(7), 516–542 (2016). https://doi.org/10.1002/stvr.1611.Stvr.1611

    Article  Google Scholar 

  58. Torres Lopez, C., Gurdeep Singh, R., Marr, S., Gonzalez Boix, E., Scholliers, C.: Multiverse Debugging: Non-deterministic Debugging for Non-deterministic Programs. ECOOP. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik (2019). https://doi.org/10.4230/LIPIcs.ECOOP.2019.27

Download references

Acknowledgements

This work has been partially funded by Davidson Consulting. The authors especially thank David Olivier for his advice and industrial feedback. This project has been supported by the French Directorate General of Armaments (DGA), the European Regional Development Fund (ERDF) of the EU, the Brittany Region, the Departmental Council of Finistère and Brest Mètropole as part of the Cyber-SSI project within the framework of the Brittany 2015-2020 State-Region Contract (CPER).

Author information

Authors and Affiliations

  1. ERIS, ESEO-TECH, Angers, France

    Valentin Besnard, Frédéric Jouault & Matthias Brun

  2. Lab-STICC UMR CNRS 6285 ENSTA Bretagne, Brest, France

    Ciprian Teodorov & Philippe Dhaussy

Authors
  1. Valentin Besnard
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Ciprian Teodorov
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Frédéric Jouault
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Matthias Brun
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Philippe Dhaussy
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Valentin Besnard.

Additional information

Communicated by Tao Yue, Man Zhang, and Silvia Abrahao.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendices

Additional information about the motivating example

This appendix gives more detailed information on the motivating example used in this paper. “Appendix A.1” describes the context used to model the system and its environment as realistically as possible and the system behavior that has been captured in the design model. “Appendix A.2” presents the formal properties that have been expressed on this model using PUSMs or the LTL formalism.

1.1 Description of the motivating example

To apply our approach to the motivating example, we have designed a UML model of a CCI. The composite structure diagram of this model is shown in Fig. 11. The Main class is the root composite class of the model. It contains the cci part, which is the system under study, and the env part that models its environment. Both parts communicate by exchanging signals through ports.

Fig. 11
figure 11

Composite structure diagram of the CCI model

Full size image

Environment abstraction The env part contains a buttons object that models the different buttons (i.e., start, stop, inc, dec, set, pause, resume) that can be manipulated, as well as the three pedals (i.e., clutchPedal, brakePedal, throttlePedal) that can be pressed or released by the driver. According to Fig. 1, both the PhysicalVehicle and the ControlLoop are also parts of the environment. In our UML model, they have been abstracted as the engine object. In a real vehicle, the CCS will try to adjust the speed of the vehicle to the cruise speed given by the CCI, but, due to physical constraints (e.g., road profile, air friction), it is not always possible for the CCS to maintain the vehicle at the user-set speed. To take that into account, the engine does not make any correlation between the cruise speed given as input and the current speed it returns. As a result, the speed can go non-deterministically from 0 to 100 km/h in one step. This abstraction enables to consider a superset of all possible cases for the verification activity.

Fig. 12
figure 12figure 12

State machines of the CCI model

Full size image

System under test The cci part describes the system that we want to verify. This system aims at sending new setpoints (i.e., the current value of the cruise speed) to the engine according to user actions and the current speed of the vehicle. The behavior of active objects contained in the cci is defined by state machines presented in Fig. 12. The fine-grained behavior of these state machines is described with our action language described in Sect. 4.2 of this paper. The controller (Fig. 12a) receives events from buttons and from pm (the pedals manager in Fig. 12b), which is connected to the three pedals (clutchPedal, breakPedal, and ThrottlePedal) through ports. Based on these events, the controller determines the status of the CCS and delegates generation of output events to both actuation and csm (cruise speed manager) objects. The actuation (Fig. 12c) sends On and Off signals to, respectively, activate the control loop when the CCS is engaged (i.e., the CCS is turned on and acts on the engine), and deactivate the control loop when the CCS is turned off or disengaged (i.e., the CCS is turned on but does not act on the engine). The cruise speed manager (Fig. 12d) computes the value of the cruise speed according to buttons events filtered by the controller, and sends new setpoints each time the actuation requests it. On all these state machines, some additional self-transitions (i.e., transitions that start and end in the same state) may be needed to explicitly ignore some events according to the event dispatching strategy chosen by the model interpreter.

1.2 Formal properties

For the CCI, the six formal properties have been expressed as PUSMs from the system requirements expressed in Sect. 2. In addition to the previously introduced PUSMs (cf. Fig. 6 for R1, Fig. 2 for R2 and R4, and Fig. 7 for R6), state machines of PUSMs representing a Büchi automaton for R3 and a deterministic observer automaton for R5 are shown in Fig. 13.

Fig. 13
figure 13

State machines of PUSMs for the CCI

Full size image

To verify the three requirements R1, R2, and R3 at the same time, the mechanism in Sect. 5.2 has also been used to generate one Büchi automaton that checks all three requirements. The state machine of this PUSM is shown in Fig. 14.

Fig. 14
figure 14

Combination of all PUSMs in one that checks R1, R2, and R3

Full size image

For our experiments, all system requirements have also been specified in LTL. The resulting LTL properties are:

  1. 1.
    figure y
  2. 2.
    figure z
  3. 3.
    figure aa
  4. 4.
    figure ab
  5. 5.
    figure ac
  6. 6.
    figure ad

Atomic propositions involved in these LTL properties are defined such as |atom| where atom is one of the labeled predicates (cf. “Appendix C”) defined using our observation language.

Action and observation languages operators

This appendix presents operators of the action language used for system modeling and of the observation language used for property specification. These operators are brought together in four languages depending on whether they have reading or writing access to model attributes or internal runtime data of the model interpreter. These four languages are the expression language, the effect language, the expression language extension, and the effect language extension. The action language gathers operators of the expression language and of the effect language, while the observation language gathers operators of the expression language and its extension. All these languages rely on external data declared and defined in UML models. Figure 15 presents the metamodel of global references that can be used to refer to UML elements.

Fig. 15
figure 15

Metamodel of references

Full size image

1.1 Expression language

The expression language is employed to model guards of state machine transitions. For this purpose, any C expression without side effect on model execution can be used. As shown in Fig. 16, four additional operators are added to C language constructs. This (with C macro this) is used to access the current execution context (typically the context of an object). Get is used to navigate the model (e.g., to get a model attribute). At is employed to access an element at a specific index (e.g., when a model attribute is a sequence). Call is used to call side-effect free methods. In the general case, the corresponding C macros can be obtained by putting the name of metaclasses in upper case and changing the definition style from camel case to snake case. For instance, GET is the macro associated with the Get metaclass.

Fig. 16
figure 16

Metamodel of additional operators of the expression language

Full size image

1.2 Effect language

The effect language is used to perform actions as effects of state machine transitions. Any C statement can be used to perform this task. Figure 17 shows that several operators have also been defined : Set to assign a new value to a model attribute and SetAt to assign a new value at a specific index in a sequence. Inc, IncAt, Dec, and DecAt can be used to increment or decrement a model attribute. However, these four operators are not shown in Fig. 17 because they only provide syntactic sugar for both Set and SetAt operators. Send is used to send an event to another UML object and Call is used to call methods that have side-effects.

Fig. 17
figure 17

Metamodel of additional operators of the effect language

Full size image

1.3 Expression language extension

Additional operators provided by the expression language extension are presented in Fig. 18. With this extension, it is possible to access the type of the current object, its state machine, its event pool (i.e., the set of events received by the object), and the current transition being fired. More specifically, it is possible to check if the current object is a given object (IsObject) or an instance of a given class (IsTypeOf). IsInState checks if the current state of an active object is a given state of its state machine. TransitionExp relates to the current transition being fired to know if its source (TransitionHasSource) or its target (TransitionHasTarget) is a given state, or if this transition is a given transition (IsTransition).

As shown in Fig. 19, several operators are also available to introspect the content of event pools. It is possible to know if the event pool is empty (EpIsEmpty) or full (EpIsFull), to get the number of events currently stored (EpGetLength), to get the first event (i.e., the oldest one) (EpGetFirst), to get the event at a given index (EpGetAt), and to get the last event (i.e., the newest one) (EpGetLast). Two other operators can also be used to check if the event pool of an object contains an occurrence of a specific event received on a given port (EpContainsWithPort), or on any port (EpContains).

Regarding more relaxed navigation rules, ROOT_instMain give access to the Main composite structure instance containing system objects. ROOT_instProp gives access to the Prop composite structure instance containing PUSMs. All system objects and PUSMs can be accessed from these two objects using eponymous C macros (i.e., ROOT_instMain and ROOT_instProp). GetActivePeer gives a direct access to active objects (e.g., objects of the environment) connected to the other end of communication links without the need to explicitly navigate the model through UML ports.

This extension also provides two operators to facilitate formal verification: ObserverFail to check if an observer automaton detects a failure in a given configuration, and Deadlock that becomes true when the system execution results in deadlock.

Fig. 18
figure 18

Metamodel of additional operators of the expression language extension

Full size image
Fig. 19
figure 19

Metamodel of event pool operators of the expression language extension

Full size image

List of atomic propositions

This section sums up all the atomic propositions that have been used in this paper for model verification. For each atomic proposition, we give its meaning in natural language ([NL]), its intuition in a pseudo-code ([PC]) with dotted notation, and the corresponding predicate expressed with our observation language ([OL]).

figure ae

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Besnard, V., Teodorov, C., Jouault, F. et al. Unified verification and monitoring of executable UML specifications. Softw Syst Model 20, 1825–1855 (2021). https://doi.org/10.1007/s10270-021-00923-9

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10270-021-00923-9

Keywords

CR Subject Classification

Search

Navigation