## Automated Analysis of Multi-View Software Architectures

Chih-Hong Cheng fortiss GmbH Munich, Germany cheng@fortiss.org Yassine Hamza Technische Universität München Munich, Germany yassine.hamza@tum.de Harald Ruess fortiss GmbH Munich, Germany ruess@fortiss.org

## ABSTRACT

Software architectures usually are comprised of different views for capturing static, runtime, and deployment aspects. What is currently missing, however, are formal validation and verification techniques of multi-view architecture in very early phases of the software development lifecycle. The main contribution of this paper therefore is the construction of a single formal model (in Promela) for certain stylized, and widely used, multi-view architectures by suitably interpreting and fusing sub-models from different UML diagrams. Possible counter-examples produced by model checking are fed back as test scenarios for debugging the multi-view architectural model. We have implemented this algorithm as a plug-in for the Enterprise Architect development tool, and successfully used SPIN model checking for debugging some industrial architectural multi-view models by identifying a number of undesirable corner cases.

## **KEYWORDS**

multi-view architecture analysis, SPIN model checker

#### ACM Reference format:

Chih-Hong Cheng, Yassine Hamza, and Harald Ruess. 2016. Automated Analysis of Multi-View Software Architectures. In Proceedings of ACM Conference, Washington, DC, USA, July 2017 (Conference'17), 4 pages. DOI: 10.1145/nnnnnnnnnnnn

DOI: 10.1145/ IIIIIIIIIIIIIIIIIIIIIIIIII

## **1 INTRODUCTION**

Software architectures usually are comprised of different views for capturing static, runtime, and deployment aspects [1, 4]. The static/component view describes the logical decomposition of the system into building blocks (e.g., packages, components, classes), whereas the runtime view describes the behavior and interaction of the building blocks as runtime elements in the running system, using diagrams such as sequence diagrams, activity diagrams, or state machines, and the deployment view shows how software is assigned to hardware processing and communication elements.

Conference'17, Washington, DC, USA

© 2016 ACM. 978-x-xxxx-x/YY/MM...\$15.00

DOI: 10.1145/nnnnnnnnnnnn

In the current state-of-the-practice, architectural models are analyzed in early phases in the software development cycle, mainly by means of manual and resource-intensive review frameworks such as the *Architectural Trade-off Analysis Method* (ATAM) [4]. What is currently missing, however, are formal analysis techniques of multi-view architectures for early and automated detection of, say, unwanted behavior due to under-specification.

In this paper, we therefore reconstruct a single model of a multi-view architecture, which is suitable for formal analysis, by fusing sub-models of different views in UML diagrams [15], as provided, for example in architectural development tools such as Enterprise Architect. Our fusion algorithm proceeds by taking deployment views as skeletons to offer basic communication structure over processes and channels in the actual system. The concrete behavior of each deployed software component — as documented in the static view — is captured by run-time views. One notable challenge is to cope with under-specification among views, as dynamic architectural views often only capture certain scenarios but not the complete component behavior and all possible interactions. To this end, *semantic extrapolation* is needed for constructing a model-checkable verification model and we enumerate possible extrapolation strategies.

We have implemented our fusion algorithm as a plugin for Enterprise Architect (EA). This plug-in generates verification models in the Promela language, which are used as inputs to the SPIN model checker [6]. Counter-examples generated by the model-checkers are used as test cases for debugging the multi-view architectural model. We evaluated this EA plug-in in early phases of developing two missioncritical distributed software systems in industrial projects, and successfully identified undesired corner cases due to under-specification in the model.

(Related work) There is a rich literature on the verification of UML-like diagrams. For example, refinement of activity diagrams has been based on LTL model checking [13], and state machine diagrams have been translated to hierarchical automata as the basis for model checking [11, 14, 16]. Moreover, sequence diagrams have a straightforward correspondence to communicating processes and process algebras [3, 10, 17]. Use case diagrams can be checked for consistency or containment by means of viewing them as programs with constraints [7] or by a translation into activity diagrams [8]. Lastly, using annotations such as UML Marte profile [5], one may verify extra-functional properties such as timing [12]. In contrast to these approaches we are analyzing multi-view architectural models, which include static, runtime, and deployment views, being restricted to a certain stylized use and linking between

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.



Figure 1: Example of a stylized multi-view software architecture model.

views. We therefore do not address or even try to solve the general multi-view consistency problem for UML [9].

## 2 MULTI-VIEW SOFTWARE ARCHITECTURE AND VIEW LINKING

Using architectural development tools such as Enterprise Architect (EA), the designer may maintain links among multiple views by creating components in the static view, by building runtime and deployment view using components in the static view, and by associating each diagram with a component or a sub-structure.

Figure 1 illustrates these concepts using a simple architectural example.<sup>1</sup> There are three software components SC1, SC2, and SC3 in the static view. In the deployment view, three devices Device1, Device2, Device3 are included in the final deployed system, where for each device, the underlying software components are created (using drag-and-drop in EA) as an *instantiation* of components in the static view. For example, for the Device2 in Figure 1, C2 is an instance of the software component SC1 from the static view.

For each software component in the static view there is a state machine or activity diagram in the behavioral view, where each of the states provides behavioral scenarios for different execution modes (for example, normal and error modes). Behavior and interaction in each state (or mode) are expressed in terms of scenarios expressed as sequence diagrams. In Figure 1, for example the behavior of component SC1 is refined to StateMachine1, where internally, State1 is further refined into SequenceDiagram1. Notice also that in SequenceDiagram1, the actor act<sub>0</sub> is surrounded by a dashed component. This is often used in UML modeling as a modeling trick to capture system boundary. Such a boundary allows modeling the interaction of multiple instantiations of the same component, as commonly seen in fault-tolerant systems where redundancy and distributed voting are applied.

#### Chih-Hong Cheng, Yassine Hamza, and Harald Ruess

| Elements                     | Meaning                    | Corresponding Promela con-     |
|------------------------------|----------------------------|--------------------------------|
|                              |                            | struct                         |
| Messages                     | Set of message with con-   | <pre>mtype = {abc, def};</pre> |
| $\{abc, def\}$               | tents                      |                                |
| chan1                        | Synchronous channel        | chan chan1 = [0] of            |
| $\in Channels$               |                            | mtype;                         |
| chan2[3]                     | Asynchronous channel       | chan chan2 = [3] of            |
| $\in Channels$               | named $chan2$ with buffer  | mtype;                         |
|                              | size 3                     |                                |
| Action                       | Program label "S3",        | S3:                            |
| (Label: S3)                  | move to next action in     |                                |
|                              | the process                |                                |
| Action                       | Non-deterministically      | int i;                         |
| $(Goto{S3, S4})$             | jump to label $S3$ or $S4$ | select (i : 01);               |
|                              |                            | if                             |
|                              |                            | :: i != 1 -> goto S3           |
|                              |                            | :: i == 1 -> goto S4           |
|                              |                            | fi;                            |
| Action                       | Send message abc to        | chan1 !abc;                    |
| $\langle chan1   abc  angle$ | channel chan1              |                                |
| Action                       | Receive message def from   | chan2 ?def;                    |
| ⟨chan2 ?def⟩                 | channel chan2              |                                |

 Table 1: Constructs in verification model and their corresponding formulation in Promela.

We are now providing a formal signature for these multiview architectural concepts; hereby, A.B is used to denote the projection of A with respect to B. A *multi-view architectural model* Arch is a triple  $\langle ComponentView, RuntimeView, \rangle$ 

DeploymentView $\rangle$ . ComponentView consists of set of software components where  $SC_i \in ComponentView$  can again be refined to a set of components; for expressing, for example, a "uses" structure. For the purposes of this paper, such a hierarchical component view can always considered to be in flattened form. The DeploymentView is a pair  $\langle Devices, Network \rangle$ of sets. First, every device Device<sub>i</sub>  $\in$  Devices is a set itself of instantiated software components, and for every  $C_i \in Device_i$ is of type  $SC_j$  where  $SC_j \in ComponentView$ . We use  $C_i$ .type to denote the typing information. Second, pairs of devices Device<sub>i</sub>, Device<sub>j</sub>  $\in$  Network, where Device<sub>i</sub>, Device<sub>j</sub>  $\in$  Devices, are interpreted as directed (from left-to-right) edges between devices. Finally, the RuntimeView is a quadruple  $\langle$ StateMachines, SequenceDiagrams, map $_{SC \to State}, map_{State \to Seq} \rangle$ .

- StateMachines is the set of state machines with each element  $SM_i := states_i, s_{0i}, tran_i$  having a set of states  $states_i$ , an initial state  $s_{0i}$  and the set of transitions  $stran_i$ . We use  $SM_i$ .s to denote a state s in state machine  $SM_i$ .
- SequenceDiagrams is the set of sequence diagrams. Again for simplifying formulation, let elements in sequence diagrams be variable-free, straight-line (i.e., no if-else or while) programs. An element SeqDiagram  $\in$  SequenceDiagrams is a tuple Act, act<sub>0</sub>, where Act is the set of actors and act<sub>0</sub> is the one that is in the system boundary (cf. act0 in Figure 1). Each actor act<sub>i</sub>  $\in$  Act is a tuple  $\langle$ type<sub>i</sub>, Msg<sub>i</sub> $\rangle$  where type<sub>i</sub>  $\in$ ComponentView indicates the typing of the actor by referencing the element in component view, and Msg is the finite concatenation of messages msg<sub>i0</sub>msg<sub>i1</sub>...msg<sub>ik</sub>, where forall j = 0, ..., k, msg<sub>ik</sub>  $\in \{!, ?\} \times \{$ syn, asyn $\} \times \Sigma \times$ Act. In message msg<sub>ik</sub>,  $\{!, ?\}$  indicates if the message is being sent

<sup>&</sup>lt;sup>1</sup> For the example in Figure 1, a model in Enterprise Architect (freely available for model viewing) which maintains such symbolic links can be downloaded at https://www.dropbox.com/s/hg8jiddxh6rs5xs/NFM\_Model.eap. We also refer readers to https://youtu.be/9Mg\_2UH5vDM for a video showing how the link of views are maintained under Enterprise Architect, together with how our prototypical tool automatically generates verification models in Promela form.

Automated Analysis of Multi-View Software Architectures

Algorithm 1: View fusing algorithm : Multi-view architecture model: Input (ComponentView, RuntimeView, DeploymentView) Output : Verification model: Processes, Channels, Messages 1 for each SeqDiagram  $\in$  RuntimeView.SequenceDiagrams do for  $act_i = SC_i, Msg_i \in SeqDiagram.Act$  do 2  $\mathsf{Messages} := \mathsf{Messages} \cup \mathsf{Msg}_i ;$ s for each  $Device_i, Device_j \in Deployment View. Network do$ | Channels = Channels  $\cup$  {chan<sub>Device<sub>i</sub>  $\rightarrow$  Device<sub>j</sub>}</sub> 4 5 for each  $Device_i \in DeploymentView.Device do$ for  $C_j, C_k \in Device_i$  do Channels = Channels  $\cup$  {chan<sub>C<sub>i</sub>  $\rightarrow$  C<sub>k</sub>};</sub> 6 7 foreach  $Device_i \in DeploymentView.Device do$ for each  $C_i \in Device_i$  do 8 | let SM<sub>j</sub> = map<sub>SC \to SM</sub>C<sub>j</sub>.type; 9 10 let  $\Pr_i := \langle \text{Goto}\{s_0\} \rangle$ , where  $s_0$  be the initial state of  $SM_i$ ; for each State  $s \in SM_i$ .states do 11 12  $\Pr_i := \Pr_i \cdot \langle \text{Label: s} \rangle;$  $\mathsf{let} \; \mathsf{SeqDiagram}_{j} = \mathsf{Act}_{j}, \mathsf{act}_{0j} := \mathsf{map}_{State \to Seq} \mathsf{s};$ 13 for each message  $\kappa$ , syn,  $\sigma$ , act'  $\in$  act<sub>0j</sub>. Msg, 14  $\kappa \in \{"!", "?"\}$  do if  $\kappa = "!"$  then 15  $|\operatorname{Pr}_j := \operatorname{Pr}_j \cdot \langle \operatorname{chan}_{\mathsf{C}_j \to \mathsf{C}_k} ! \sigma \rangle$ , where  $\mathsf{C}_k \in \operatorname{Device}_i$  s.t. 16  $C_k$ .type = act'.type;  $\mathsf{Pr}_j := \mathsf{Pr}_j \cdot \langle \mathsf{chan}_{\mathsf{Device}_i \to \mathsf{Device}_k} ! \sigma \rangle, \text{ where }$ 17 $C_k \in \text{Device}_k \text{ s.t. } i \neq j \text{ and } C_k.\text{type} = \text{act}'.\text{type};$ else 18  $\mathsf{Pr}_j \coloneqq \mathsf{Pr}_j \cdot \langle \mathsf{chan}_{\mathsf{C}_k \to \mathsf{C}_j} ? \sigma \rangle, \text{ where } \mathsf{C}_k \in \mathsf{Device}_i \text{ s.t.}$ 19  $C_k$ .type = act'.type;  $\mathsf{Pr}_j := \mathsf{Pr}_j \cdot \langle \mathsf{chan}_{\mathsf{Device}_k \to \mathsf{Device}_i} ? \sigma \rangle, \text{ where }$ 20  $C_k \in Device_k \text{ s.t. } i \neq j \text{ and } C_k.type = act'.type$ \* Jump to successor in state-machine diagram. \*/  $\Pr_i := \Pr_i \cdot \langle \text{Goto} \{ s' \mid s' \in \text{SM}_i.\text{trans} \} \rangle;$ 21 Processes :=  $Processes \cup \{Pr_i\}$ 22

(!) or received (?), {syn, asyn} indicates synchronous/asynchronous message passing,  $\Sigma$  is used to capture all possible message contents, and the last item is the entity being communicated. Consider act0 in Figure 1, it is represented as (SC1, !, syn, abc, act2?, syn, def, act2).

- map<sub>SC→SM</sub> maps an element in ComponentView to a state machine in StateMachines. For the example in Figure 1, map<sub>SC→SM</sub>SC1 = StateMachine1.
- map<sub>State→Seq</sub> maps a state in a state machine to zero or one sequence diagram, where if map<sub>SC→State</sub>SC<sub>i</sub> = SM<sub>j</sub> and if for state s<sub>j</sub> in state machine SM<sub>j</sub> we have map<sub>State→Seq</sub>s<sub>j</sub> = SeqDiagram<sub>k</sub> = ⟨Act<sub>k</sub>, act<sub>k</sub> = type<sub>k</sub>, Msg<sub>k</sub>⟩, then type<sub>k</sub> = SC<sub>i</sub>. For the example in Figure 1, map<sub>State→Seq</sub>StateMachine1.State1 = SequenceDiagram1.

## **3 MULTI-VIEW FUSION**

Based on signatures for multi-view architectural models as defined above, we are now describing the process of providing a behavioral semantics based on fusing multiple views. A *verification model* is a triple Messages, Channels, Processes,

#### Conference'17, July 2017, Washington, DC, USA

```
1
                                               // By line 1-2
     mtype = { abc, def };
...
2
     chan Network1_Device2toDevice1Channel = [0] of {mtype};
3
     chan Network1_Device2toDevice3Channel = [0] of {mtype};
4
     chan Network1_Device1toDevice2Channel =
                                               [0] of {mtype};
5
     chan Network1_Device3toDevice2Channel = [0] of {mtype};
. . .
6
    active proctype Device2_C2(){
                                            // By line 7,8,22
7
      /* Jump to initial state*/
8
      goto State1;
                                                // By line 10
9
                                                // By line 12
      State1:
10
        /* Contents from sequence diagram */
        Network1_Device2toDevice1Channel!abc; // By line 17
11
12
        Network1_Device2toDevice3Channel!abc;
        Network1_Device1toDevice2Channel?def; // By line 20
13
        Network1 Device3toDevice2Channel?def:
14
15
        /* Implement the transition*/
                                                // By line 21
16
        goto State2;
17
      State2:
        /* ... (details omitted) ... */
18
19
        goto Statel;
20
```

# Figure 2: Verification model in Promela form, by running Algorithm 1 over the example in Figure 1.

where Messages is the set of messages, Channels is the set of (synchronous or asynchronous-with-fixed-buffer) channels, and Processes is a set of processes. Hereby, each process Process is a sequence of atomic *actions*, including labels, nondeterministic goto primitives, and message send/receive. The semantics of a verification model is based on Promela [6]. For the purpose of reference, however, we are listing some correspondence of constructs in the architectural model and corresponding verification models in Table 1.

Now, the workflow presented in Algorithm 1 translates a multi-view architecture into a formal verification model. For ease of explanation assume all message passing to be synchronous for now. Lines 1 and 2 in Algorithm 1 collect all messages by scanning all actors in the given sequence diagrams. Next, lines 3 and 4 define device-to-device channels by scanning through the given network element, and lines 5 and 6 define point-to-point channels within a device. Lines 7 to 11 start instantiating processes for every deployed software component in the deployment view, where the process starts by moving to the initial state (line 10). The for-loop in Line 11 traverses through the state-machine diagram, establishes a label for entry (line 12), and creates outgoing transitions to successor states (line 21). Internally, the algorithm jumps to the corresponding sequence diagram (line 13), and tries to parse each message being sent or received (line 14) into the corresponding channel (line 16-20), where, by probing the deployment view, messages are communicated in the internal channel if the source and destination components are located in the same device (line 16, 19). Otherwise, intra-device channels are used for communication (line 17, 20). Notice that the algorithm simply communicates with all the components having the same type, provided that they are supported by the communication architecture in the deployment view. This provides the basis for the so-called extrapolation in standard UML semantics, as discussed below.

For the example in Figure 1, we use the generated verification model in Figure 2 to explain the concept, where comments in Figure 2 indicates corresponding actions done in Algorithm 1. Notice that the presentation of the translation algorithm is simplified in that it does not support variables, branches and loops. These kinds of extensions are straightforward and are also supported in our prototype implementation.

Most interestingly, lines 16-20 in Figure 1 make various assumptions about the architectural model under consideration, and *semantic extrapolation* is used to determine choices being made during the translation. Such a semantic extrapolation, due to lack of proper semantics in (combining) UML and sometimes due to underspecification in modeling, can be explicitly stated and controlled. Table 2 enumerates some important cases and corresponding strategies for semantic extrapolation in order to complete translation.

## 4 EVALUATION AND CONCLUDING REMARKS

We have implemented a plug-in for the Enterprise Architect development tool based on the presented translation. We summarize our findings on using this tool in the architectural design and analysis for two industrial developments.

- The first case study is a modular adaptive automotive runtime environment. Since this platform has been designed to be fault-tolerant, we annotate possible faults in the deployment view, such as power-outage of a device (fail silent) or lost communication messages. Our tool translates these faults annotation by non-deterministically injecting faults into the generated verification model. In one deployment scenario, a counter-example generated by the SPIN model checker demonstrates that the overall system does not function correctly whenever there are certain faults during start-up, thereby preventing consensus to be reached between computing nodes.
- Our second case study is a control automation architecture based on the concept of micro-services and a cloud platform. Again, test cases as generated from SPIN model checking of the fused Promela model were instrumental in debugging and improving the design at an early phase in the development.

On the other hand, we have also been experiencing a number of "automation surprises" due to implicit assumptions on the architecture and the generated fused model. For example, the fused model does not capture the fact that service handlers may be viewed as a non-terminating whileloop program that can handle various requests using switch statements, even though (at least) some designers made such an implicit assumption. These kinds of automation surprises might be hard to avoid when applying formal analysis to architectural notations with ambiguous semantics.

It would be most interesting to specify some of the encodings presented here also in a theorem proving environment such as PVS, and to experimentally compare the proposed semantic extrapolation of the behavior of architectural designs with logic- and constraint-based approaches for partially specified systems.

| Under-specification scenarios            | Mitigation strategies          |
|------------------------------------------|--------------------------------|
| In the deployment view, allow compo-     | Allow / Disallow / Trigger     |
| nents within a device to communicate     | the designer for actions       |
| with each other?                         |                                |
| Operation over variables both in a state | Variable operations over vari- |
| of a state-machine diagram and in the    | ables in a state should appear |
| refinement sequence diagram of that      | {before, after} actions in se- |
| state?                                   | quence diagram                 |
| Unclear requirement in communication     | Use pre-defined value / Trig-  |
| buffer size, for asyn. communication?    | ger the designer for actions   |
| An actor sends to one entity in the      | Send to all entities / Send to |
| sequence diagram, while multiple re-     | one randomly selected entity   |
| ceivers exists in the deployment view?   | / Trigger exception            |

Table 2: Semantic extrapolation for handling underspecification in diagrams; the underlined items are strategies used in creating the Promela model in Figure 2.

### REFERENCES

- [1] The Arc42 portal: http://www.arc42.com.
- [2] Enterprise architect: http://www.sparxsystems.com.au/.
- [3] M. Ait\_Oubelli, N. Younsi, A. Amirat, and A. Menasria. From UML 2.0 sequence diagrams to Promela code by graph transformation using Atom 3. In: *CIIA*, 2011.
- [4] L. Bass, P. Clenents, and R. Kazman. Software architecture in practice, 3rd edition. Pearson Education, 2011.
- [5] S. Gérard and B. Selic. The UML-Marte standardized profile. IFAC Proceedings Volumes, 41(2):6909–6913, 2008.
- [6] G. J. Holzmann. The SPIN model checker: Primer and reference manual. Addison-Wesley, 2004.
- [7] R. Klimek and P. Szwed. Formal analysis of use case diagrams. In: Computer Science, 11:115–131, 2010.
- [8] G. Kösters, H.-W. Six, and M. Winter. Validation and verification of use cases and class models. In: *REFSQ*, 2001.
- [9] A. Knapp and T. Mossakowski. Multi-view Consistency in UML. In: arXiv:1610.03960, 2016.
- [10] V. Lima, C. Talhi, D. Mouheb, M. Debbabi, L. Wang, and M. Pourzandi. Formal verification and validation of UML 2.0 sequence diagrams using source and destination of messages. In: *EPTCS*, 254:143–160, 2009.
- [11] S. Liu, Y. Liu, E. André, C. Choppy, J. Sun, B. Wadhwa, and J.-S. Dong. A formal semantics for complete UML state machines with communications. In: *iFM*, pages 331–346. Springer, 2013.
- [12] A. Louati, K. Barkaoui, and C. Jerad. Temporal Properties Verification of Real-Time Systems Using UML/MARTE/OCL-RT, In: Formalisms for Reuse and Systems Integration, pages 133–147. Springer, 2015.
- [13] F. UL Muram, H. Tran, and U. Zdun. Automated mapping of UML activity diagrams to formal specifications for supporting containment checking. *FESCA*, EPTCS 147:93–107, 2014.
- [14] A. Niewiadomski, W. Penczek, and M. Szreter. Towards checking parametric reachability for UML state machines. In: *PSI*, pages 319–330. Springer, 2009.
- [15] J. Rumbaugh, I. Jacobson, and G. Booch. The Unified Modeling Language Reference Manual. Pearson Higher Education, 2004.
- [16] T. Schäfer, A. Knapp, and S. Merz. Model checking UML state machines and collaborations. *ENTCS*, 55(3):357–369, 2001.
- [17] S. Sieverding, C. Ellen, and P. Battram. Sequence diagram test case specification and virtual integration analysis using timed-arc Petri nets. In: *FESCA*, EPTCS 108:17–32, 2013.