Formal verification of UML stateFormal verification of UML statediagrams: a Petri net based approachdiagrams: a Petri net based approach

Christine Choppy, Kais Klai, Hacene ZidaniChristine Choppy, Kais Klai, Hacene Zidani

LIPN, Universite Paris 13, FranceLIPN, Universite Paris 13, France

UML& FM 2010UML& FM 2010

OutlineOutline

Introduction Introduction Approach Approach Related works Related works Example Example Transformation Algorithm Transformation Algorithm Formal verification Formal verification Conclusion & Perspectives Conclusion & Perspectives

2

Introduction

GoalGoal Combine expressive power and formal verification for complex systems design UML, expressive modelling language:

graphical semi formal widespread in industry

UML semantics lacks formality

Associated formal models are proposed (here state diagrams are studied) So as to use mathematical reasoning & tools

Here: Hierarchical Coloured Petri Nets (HCPNs) and model checking tools Modularity: how to link HCPNs associated with the different state diagrams

3

Approach

4

A

B

C

D

E

F

Event [cond] / action

Transformation rules

A

E

F

C

D

B

Verification using model-checking

Properties(LTL, CTL)satisfied ?

OKOK

Valid UML modelValid UML model

NONO

CorrectionsCorrectionsCounterexample

Related works

LimitsLimits Shatz et al.: Size of the associated coloured Petri net Complex format of arc labels (<type, flag>) The way a composite state is transformed Add one place for each event

Large size of the generated Petri net

Pettit & Gomaa : Integration of CPNs in OO architecture Here: Subset of state diagrams: actions generate events, … Modular transformation, hierarchical coloured Petri nets Properties expressed in temporal logic (LTL, CTL), model checking

5

Example

Gas station (Customer state diagram)Gas station (Customer state diagram)

6

Idle

Paid GradeSelected

RequestCancel NozzlePressed

PickUpChange

exit/ChangePickedUp

/Pay

PumpReady/Cancel

PumpReady/SelectGrade

PumpReceiveGrade/Cancel

PumpReceiveGrade/PressNozzle

GetChange

GetChange

NoChange

Customer

Example

Gas station (Pump state diagram)Gas station (Pump state diagram)

7

Idle

Pay

ReadytoFill

entry/PumpReady

Cancel

GradeSelected

entry/PumpReceiveGrade

ChangeExists

entry/GetChange

NoChange

entry/NoChange

FillingDone

FillingStarted

SelectGrade

ChangePickedUp

CancelPressNozzle

Pump

Algorithm

Main transformation (general)Main transformation (general)

8

A A

B

B

Tevent

Events

event[condition]

[condition]/action

action-event

Algorithm

Main transformation (entry action)Main transformation (entry action)

9

Events

A

Bentry/action

action-event

A

B

T

Algorithm

Main transformation (exit action)Main transformation (exit action)

10

Events

action-event

A

B

T

B

Aexit/action

Algorithm

Main transformation (composite state)Main transformation (composite state)

11

A

C

D

A

CompositePlace

T

Algorithm

Composite state transformation (sequential)Composite state transformation (sequential)

12

A

B

C

D

A

C

D

B

A

Composite

place

T1

B

T2

T2

T1

Algorithm

Composite state transformation (concurrent)Composite state transformation (concurrent)

13

A

B

C

D

E

F

A

E

F

C

D

B

A

Composite

place

T1

B

T2

T1

T2

Algorithm

Transformation of a choice pointTransformation of a choice point

14

state 1

state 3

state 2

Choice Point

[condition1]

[condition2]

state1

state2 state3

[condition1] [condition2]

Algorithm

Transformation of a junction pointTransformation of a junction point

15

state 1

state 4

state 3

state 2

Junction points

[condition1]

[condition2]

state1

state3 state4

[condition1] [condition2]

state2

Tool implementation

16

Papyrus UMLPapyrus UML(CEA-LIST)(CEA-LIST)

UML DiagramsTransformationTransformation

UML to CPN (LIPN)UML to CPN (LIPN)

CPN-AMI, PRODCPN-AMI, PROD(LIP6, etc)(LIP6, etc)

HCPNmodel

Properties tobe checked

Properties satisfied ?Properties satisfied ?

For modelling withFor modelling withUML2. Open-source toolUML2. Open-source toolintegrated within Eclipseintegrated within Eclipse

XSLT:XSLT: functional language functional language for XML documentsfor XML documents

transformationtransformationJAVA:JAVA: transformation transformation

algorithmalgorithm

Integrates several Integrates several verification tools for Petri netsverification tools for Petri nets

Example

Gas station (Customer Petri net 1)Gas station (Customer Petri net 1)

17

Customer

Idle PaidGrade

Selected

RequestCancel

NozzlePressed

PickUpChange

/Pay

PumpReady/Cancel

PumpReady/SelectGrade

PumpReceiveGrade/PressNozzle

PumpReceiveGrade/Cancel

GetChange

GetChange

NoChange

Example

Gas station (Pump Petri net 2)Gas station (Pump Petri net 2)

18

Pump

Idle GradeSelected

Readyto

Fill

FillingStarted

ChangeExists

FillingDone

NoChange

Pay

Cancel

SelectGrade

PressNozzle

Cancel

ChangePickedUp

Example

Gas station (Petri net 3)Gas station (Petri net 3)

19

T2

Idlep GradeSelectedp

ReadytoFill

FillingStarted

ChangeExists

FillingDone

NoChange

E1E2

E3

E5 E2

E4E6

E7

E8E8

E9

Idlec PaidGrade

Selectedc

RequestCancel

NozzlePressed

PickUpChange

E1

E2

E5E3

E4

E2

E6

E6

E7

E9

E7

E8

E8

Events

T1 T3

T4

T5

T6

T7

T8

T9

T11

T12

T13

T14

T15

T16

T17

T18

T19

T20

Formal Verification

Gas station example (1)Gas station example (1)

20

The customer may choose the gas gradeafter (s)he paid

¬¬ GradeSelectedc UU Paid

Property satisfied

Formal Verification

Gas station example (2)Gas station example (2)

21

If the customer paid (s)he eventually will be promptedto choose the gas grade

GG (Paid ⇒ F GradeSelectedc)

Property not satisfied !

Formal Verification

Gas station example (3)Gas station example (3)

22

The customer may always cancel the request

AGAG (EF RequestCancel)

Property satisfied

UML model update

State diagram update (customer)State diagram update (customer)

23

Idle

Paid GradeSelected

RequestCancel NozzlePressed

PickUpChange

exit/ChangePickedUp

/Pay PumpReady/Cancel

PumpReady/SelectGrade

PumpReceiveGrade/CancelPumpReceiveGrade/PressNozzle

GetChange

GetChange

NoChange

Customer

PumpReady/Cancel

Update of the properties

Correction of the not satisfied propertiesCorrection of the not satisfied properties

24

If the customer paid (s)he will eventually be promptedto choose the gas grade if (s)he did not cancel the request

GG [Paid ⇒ F (GradeSelectedc ∨ RequestCancel)]

Property satisfied

Conclusion et Perspectives

ConclusionConclusion

Framework for the formal verification of UML state diagrams New transformation algorithm of UML state diagrams to hierarchical coloured

Petri nets Modular transformation Restricted to a subset of state diagrams (event generating actions, …) Size of the net Formal verification to check properties of the state diagrams Gas station example: some expected properties not satisfied led to correct the

model Real size case study (part of air traffic control system) underway

25

Conclusion et Perspectives

PerspectivesPerspectives

Other case studies Extend transformation algorithm to process other concepts of state diagrams

(other actions, history, etc) Take other languages for expressing properties into account (Object Constraint

Logic): translate OCL formula to formula used in the model checking tool,and translate back counter-examples when property not satisfied

Formal verification of other UML diagrams (collaboration, activity, …etc)

26