Nils Przigoda · Robert Wille Judith Przigoda · Rolf Drechsler Automated Validation & Verifi cation of UML/ OCL Models Using Satisfi ability Solvers Automated Validation & Verification of UML/OCL Models Using Satisfiability Solvers Nils Przigoda • Robert Wille Judith Przigoda • Rolf Drechsler Automated Validation & Verification of UML/OCL Models Using Satisfiability Solvers 123 NilsPrzigoda RobertWille MobilityDivision JohannesKeplerUniversityLinz SiemensAG Linz,Austria Braunschweig,Germany RolfDrechsler JudithPrzigoda AGRechnerarchitektur UniversityofBremen UniversityofBremen Bremen,Germany Bremen,Germany Cyber-PhysicalSystems DFKIGmbH,Bremen,Germany ISBN978-3-319-72813-1 ISBN978-3-319-72814-8 (eBook) https://doi.org/10.1007/978-3-319-72814-8 LibraryofCongressControlNumber:2017961733 ©SpringerInternationalPublishingAG2018 Thisworkissubjecttocopyright.AllrightsarereservedbythePublisher,whetherthewholeorpartof thematerialisconcerned,specificallytherightsoftranslation,reprinting,reuseofillustrations,recitation, broadcasting,reproductiononmicrofilmsorinanyotherphysicalway,andtransmissionorinformation storageandretrieval,electronicadaptation,computersoftware,orbysimilarordissimilarmethodology nowknownorhereafterdeveloped. Theuseofgeneraldescriptivenames,registerednames,trademarks,servicemarks,etc.inthispublication doesnotimply,evenintheabsenceofaspecificstatement,thatsuchnamesareexemptfromtherelevant protectivelawsandregulationsandthereforefreeforgeneraluse. Thepublisher,theauthorsandtheeditorsaresafetoassumethattheadviceandinformationinthisbook arebelievedtobetrueandaccurateatthedateofpublication.Neitherthepublishernortheauthorsor theeditorsgiveawarranty,expressorimplied,withrespecttothematerialcontainedhereinorforany errorsoromissionsthatmayhavebeenmade.Thepublisherremainsneutralwithregardtojurisdictional claimsinpublishedmapsandinstitutionalaffiliations. Printedonacid-freepaper ThisSpringerimprintispublishedbySpringerNature TheregisteredcompanyisSpringerInternationalPublishingAG Theregisteredcompanyaddressis:Gewerbestrasse11,6330Cham,Switzerland Preface Only four decades after the first manned flight to the moon, a common device such as a smartphone consists of more complex technology than the “high-end” computersthatcontrolledtheApollo11spacemission.Thesameholdsforsoftware which became more complex at an even higher rate. Consequently, the design of such systems became a tremendously hard, difficult, and expensive problem. To cope with this, modeling languages such as UML and SysML were introduced as description means to describe quasi-blueprints in early stages of the design flow. These modeling languages hide implementation details while providing a formal baseforthefirstsystemanalysis. However, in order to benefit from this abstraction, it has to be ensured that theresultingmodelsareapplicable(motivatingvalidation)andcorrect(motivating verification). But even at this high level of abstraction, this remains a complex problem. Accordingly, researchers heavily investigated the validation and verifi- cation of UML/OCL models as well as models described in similar languages. Solutionswhicharebasedonso-calledsatisfiabilitysolversfindparticularinterests duetotheircapabilitytocompletelycoverlargesearchspacesina—consideringthe usuallyexponentialcomplexity—ratherefficientfashion. This book provides a comprehensive description of such methods and their application—including a general flow that utilizes a formalization of UML/OCL. While the presented flow focuses on using satisfiability solvers, how the provided descriptions can additionally be used for any other automatic reasoning engine is alsodescribed.Furthermore,forabroadvarietyofvalidationandverificationtasks, theapplicationoftheproposedflowisdescribed.Additionally,thebookalsobriefly covers how nonfunctional properties such as timing constraints can be handled withinthedescribedflow. A case study demonstrates the possibilities and applicability of the presented approaches and shows that there is still a gap between the UML/OCL models and the following design steps. In order to address this problem, finally, an approach is presented which verifies an implementation against its model. This enables the designer to transfer validation and verification results to the following lower abstractionlevels. v vi Preface ThisbookistheresultofseveralyearsofintensiveresearchattheUniversityof Bremen, Germany; DFKI GmbH Bremen, Germany; the Johannes Kepler Univer- sity Linz, Austria; and, recently, Siemens AG in Braunschweig, Germany. During thistime,weexperiencedbroadsupportfrommanypeopleforwhichwewouldlike tothankthemverymuch.Mostimportantly,wearethankfultotherespectivegroups in Bremen, Linz, and Braunschweig for providing a comfortable and inspirational environment from which some authors benefit until today. Particular thanks go to (inalphabeticalorder)ChristophHilken,FrankHilken,JannisStoppe,JanPeleska, JonasGomesFilho,JuliaSeiter,MartinGogolla,MathiasSoeken,PabloGonzález de Aledo, Pablo Sánchez Espeso, Philipp Niemann, and Ulrich Kühne for the very productive collaboration that resulted in research papers which are partially coveredinthisbook.Withrespecttofunding,weareindebtedtothanktheGerman ResearchFoundation(DFG)whichsupportedtheresearchsummarizedinthisbook throughtheReinhartKoselleckprojectundergrantno.DR287/23-1,theGraduate School SyDe funded by the German Excellence Initiative within the University of Bremen’sinstitutionalstrategy,andtheGermanMinistryofEducationandResearch (BMBF)fortheirsupportthroughtheprojectsSPECifICundergrantno.01IW1300 and SELFIE under grant no. 01IW16001. Besides that, the Siemens AG Mobility DivisionsponsoredascholarshipforNilsPrzigoda’sPhDthesisleadingtoseveral results which formed the basis for this book. Finally, we would like to thank Springerand,inparticular,Charles“Chuck”Glaser,formakingthisbookpossible. Braunschweig,Germany NilsPrzigoda Linz,Austria RobertWille Bremen,Germany JudithPrzigoda Bremen,Germany RolfDrechsler October2017 Contents 1 Introduction .................................................................. 1 2 AFormalInterpretationofUML/OCL ................................... 7 2.1 TypeSystem............................................................. 8 2.2 ClassesandModels..................................................... 10 2.3 ObjectsandSystemStates.............................................. 14 2.4 Invariants,Pre-,andPostconditions.................................... 16 2.5 DecisionProblems...................................................... 19 2.5.1 BooleanSatisfiability........................................... 19 2.5.2 SatisfiabilityModuloTheories................................. 22 3 ASymbolicFormulationforModels....................................... 25 3.1 AGeneralFlowforAutomaticVerificationandValidation........... 27 3.2 TransformingaModelintoaSymbolicFormulation.................. 30 3.2.1 TransformingAttributes........................................ 31 3.2.2 TransformingAssociations..................................... 40 3.2.3 HandlingaFixedandVariableNumberofObjects........... 44 3.2.4 HandlingNullandInvalid...................................... 49 3.2.5 TransformingOCLConstraints................................ 53 3.3 AddingVerificationTasks .............................................. 83 3.3.1 StructuralVerificationTasks ................................... 83 3.3.2 BehavioralVerificationTasks.................................. 85 3.4 OtherApproachesforModelValidationandVerification............. 92 4 StructuralAspects ........................................................... 95 4.1 DebuggingInconsistentModels........................................ 96 4.1.1 ProblemFormulation........................................... 97 4.1.2 PreviouslyProposedSolutions................................. 98 4.1.3 ProposedApproach............................................. 100 4.1.4 ImplementationandEvaluation................................ 103 vii viii Contents 4.1.5 Comparison with Other Approaches, Also from DifferentFields ................................................. 108 4.1.6 ExampleofUse................................................. 109 4.2 AnalyzingInvariantIndependence..................................... 110 4.2.1 IndependenceinFormalModels............................... 111 4.2.2 AnalysisforInvariantIndependence........................... 113 4.2.3 ProposedSolution .............................................. 115 4.2.4 ExperimentalEvaluation ....................................... 118 4.3 RelationtoSimilarApproachesUsedinSAT/SMTSolving ......... 121 5 BehavioralAspects........................................................... 125 5.1 RestrictingStateTransitionsUsingFrameConditions................ 126 5.1.1 RelatedWork.................................................... 127 5.1.2 IntegratingFrameConditionsintheSymbolicFormulation.. 128 5.1.3 DerivingFrameConditionsfromtheAST .................... 138 5.2 MovingontoConcurrentBehaviorintheSymbolicFormulation.... 144 5.2.1 ProblemFormulationandRelatedWork ...................... 144 5.2.2 HandlingContradictoryConditions............................ 151 5.2.3 ImplementationandApplication............................... 154 6 TimingAspects............................................................... 159 6.1 PreliminariesAboutClocksandTicks................................. 161 6.2 AGenericRepresentationofCCSLConstraints ...................... 163 6.2.1 DeterminingtheGenericRepresentation...................... 164 6.2.2 DiscussionandApplicationoftheGenericRepresentation .. 168 6.3 ValidationofClockConstraintsAgainstInstantRelations ........... 172 6.3.1 MotivationandProposedIdea ................................. 173 6.3.2 Implementation ................................................. 175 6.3.3 ApplicationandEvaluation .................................... 180 7 ReducingInstanceSizeswithGroundSettingProperties............... 183 7.1 ConsideredRunningExample.......................................... 184 7.1.1 ConsideredScenario............................................ 184 7.1.2 CorrespondingUML/OCLModel ............................. 185 7.2 TransformationofOCLInvariantsandResultingProblem........... 187 7.2.1 TransformationofOCLInvariants............................. 187 7.2.2 ConsequencesandResultingProblem......................... 190 7.3 GroundSettingPropertiesforEfficientTransformationofOCL..... 191 7.3.1 GroundSettingProperties...................................... 191 7.3.2 EfficientTransformationofOCL .............................. 193 7.4 DiscussionandRelatedWork .......................................... 194 7.5 ImplementationandEvaluation ........................................ 196 7.5.1 Implementation ................................................. 196 7.5.2 Evaluation....................................................... 197 Contents ix 8 Re-utilizingVerificationResultsofUML/OCLModels.................. 201 8.1 WhatCanBeVerifiedWhere?—ACaseStudy ....................... 202 8.1.1 ConsideredAccessControlSystem............................ 202 8.1.2 ResultingModel ................................................ 203 8.1.3 VerificationoftheModel....................................... 205 8.1.4 ImplementationoftheModel .................................. 210 8.1.5 ComparisontotheFormalModel.............................. 213 8.1.6 OpenIssues ..................................................... 217 8.2 VerifyingImplementationsAgainstTheirFormalSpecification...... 217 8.2.1 EnvisionedDesignFlow........................................ 218 8.2.2 GeneralIdea..................................................... 220 8.2.3 RepresentationoftheImplementation......................... 222 8.2.4 Evaluation....................................................... 227 9 Conclusion.................................................................... 235 AppendixA ClassInheritance ................................................ 239 AppendixB AnSMTInstancewithanUnknownResult .................. 241 AppendixC ContradictoryXORDefinitions................................ 243 References......................................................................... 245 Nomenclature B BDftrue;falseg N NDf0;1;2;:::g Z ZDf:::;(cid:2)1;0;1;2;:::g – SymbolfornullinOCL ? SymbolforinvalidinOCL ˛(cid:2) Variablefortheattributeaoftheobject(cid:2) inthesymbolicrepresentation a ˇ Avariableindicatingifobjectsofaclasscexistornot c !(cid:3)!(cid:3)0 Variable for the operation to be executed during the transition from the systemstate(cid:3) to(cid:3)0. ı(cid:2) Definednessofanattributeaoftheobject(cid:2)inthesymbolicrepresentation a (cid:2)i=I(cid:3) AtransformedOCLexpressioniorasetofOCLexpressionsI (cid:4) Asetoflinks (cid:5) Asinglelink,i.e.,aninstanceofanassociationr (cid:5)(cid:2) Variable for possible links of role of the object (cid:2) in the symbolic rolec2 c2 representation E Thesetofallenumerations V Thesetofallvariablesofalltypes V Thesetofallvariableswiththetypet t ! Anoperationcall! D.(cid:2);o/ ˝m;(cid:3) Thesetofalloperationcalls (cid:3);4 Inheritancerelationbetweentwoclasses (cid:6) The Greek letter (cid:6) is used for a transformed value of a literal or the resultatransformedsubexpression—inbothcasescombinedaı-variable toensurethepairnotation.(cid:6);ı/ (cid:3) Asinglesystemstateofamodelm ˙ Thesetofallpossiblesystemstatesofamodelm m (cid:4) TheunderbracketisusedinSMT-LIBlistingtoshowthattermabovemust bereplacedbyaprecisevalueornumber A Attributesofaclass C Thefinitesetofclassesofamodelm xi
Description: