Safety-Liveness Semantics for UML 2.0 Sequence Diagrams
Radu Grosu SUNY at Stony Brook
Joint work with Scott A. Smolka
Scenario-Based Specifications
• Convenient way of describing interaction among reactive systems, i.e.:
  - Systems where termination is an error rather than an expected behavior.
• Have become an integral part of all modern software engineering design methods:
  - SDL and ROOM MSC (message sequence charts), UML SD (sequence diagrams).
[Figure: examples of reactive systems: commercial aircraft, medical devices, household devices, telecommunication, nuclear power plants, automobiles.]
UML 2.0 SD Simplified Syntax
[Figure: sd ack, a positive SD. Processes m and n are each drawn as a lifeline; message b is sent by m and received by n. Labels: name of SD, body of SD, process name, process lifeline, send event, receive event, message.]
Positive SD: describes traces that are valid and should be possible.
UML 2.0 SD Simplified Syntax
[Figure: neg sd nack, the same diagram with message c between m and n, marked with the negative qualification "neg".]
Negative SD: describes traces that are invalid and should not be possible.
UML 2.0 SD Simplified Syntax
[Figure: high-level SD (IOD) sd iod built from three basic SDs: sd init (message a between m and n), sd ack (message b) and neg sd nack (message c). The body of iod references them through ref nodes: ref init, followed by ref ack or ref nack. The sequencing between referenced SDs may be synchronous or asynchronous.]
UML 2.0 SD Full Syntax
[Figure: negative SD neg sd ng (message a between m and n); sd nsd referencing ng through a ref node; sd asd with an alt fragment whose two operands are ref a and ref b; the basic SDs sd a (message a) and sd b (message b).]
UML 2.0 SD Semantics?
[Figure: sd rs, message a from m to n, and its finite automaton with the two transitions m:n!a (m sends a to n) followed by n:m?a (n receives a from m).]
Closed world semantics: Lang(rs) = { m:n!a n:m?a }
This is not a reactive system!
What about asynchronous message passing?
Positive SD Semantics?
[Figure: sd rs and its Büchi automaton for m:n!a followed by n:m?a.]
Büchi automaton! L(rs) = { * m:n!a * n:m?a }
What about refinement?
Positive SD and Refinement?
[Figure: sd rs and its liveness Büchi automaton: the automaton of rs with tau transitions, a liveness closure (accepting states) and a chaos closure, i.e. self-loops on the complementary events ~m:n!a and ~n:m?a.]
Liveness Büchi automaton!
L(rs) = { * ~m:n!a (,), * m:n!a * ~n:m?a (,), * n:m?a * m:n!a * n:m?a (,) }
Negative SD Semantics?
[Figure: neg sd nack and its finite automaton n:m!c followed by m:n?c. The safety Büchi automaton is obtained by complement + safety closure, with self-loops on the complementary events ~n:m!c and ~m:n?c.]
Safety Büchi automaton!
L(nack) = { , * n:m!c , * ~n:m!c (,), * n:m!c * ~m:n!c (,) }
High Level SD Semantics
[Figure: sd iod with ref init, ref ack and ref nack, and the two node graphs derived from it: init → ack for the positive reading, init → ack and init → nack (nack as sink) for the negative reading.]
Positive SD:
- remove all negative nodes and all their associated transitions.
Negative SD:
- turn negative nodes into accepting sink nodes. Others nonaccepting.
HSD Positive Semantics
[Figure: piod, the positive finite automaton of iod (nodes init, ack; nack removed), niod, its negative finite automaton (nodes init, ack, nack), and liod, the liveness Büchi automaton: m:n!a n:m?a followed by the events of ack (message b), with chaos-closure self-loops on the complementary events (~m:n!a, ~n:m?a, ...).]
HSD Negative Semantics
[Figure: siod, the safety Büchi automaton of iod: m:n!a n:m?a followed by the events of nack (message c) lead into a sink; all other states carry self-loops on the complementary events (~m:n!a, ~n:m?a, ~n:m!c, ~n:m!b, ~n:m?b, ...).]
HSD Semantics
• Parallel composition of:
  - Liveness Büchi automaton
  - Safety Büchi automaton
• Example:
  - Iod automaton: iod = liod || siod
  - Note: Lang(iod) = Lang(liod) ∩ Lang(siod), since the parallel composition accepts exactly the traces accepted by both components.
SD Refinement
• Definition: Let S1 and S2 be two SDs. Then:
  - S1 refines S2 iff Lang(S1) ⊆ Lang(S2)
• Theorem: Let S, T and U be three bounded SDs and assume that S* and T* are bounded, too. Then:
  1. if S refines T then U S refines U T
  2. if S refines T then (S)* refines (T)*
  3. if S refines T then S + U refines T + U and U + S refines U + T
  4. if S refines T then S || U refines T || U and U || S refines U || T
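The two slides above (parallel composition of the liveness and safety automata, and refinement as language inclusion) can be exercised on a small model. The following Python is an added worked example written for this page; it is not the authors' code and not the paper's construction. It replaces the Büchi automata over infinite traces by DFAs over finite traces: the liveness reading accepts a trace once the scenario has been completed, the safety reading accepts it as long as the forbidden scenario has never been completed. The six-event alphabet, the assumption that ack and nack are replies from n to m, and the names chaos_closed, parallel, refines and hsd_iod are all mine.

```python
"""Finite-trace toy of the slides' SD semantics (added example, not the
authors' code).  Events are written as on the slides: "m:n!a" is m sending a
to n, "n:m?a" is n receiving a from m.  A basic SD is the ordered list of its
events.  DFAs over finite traces stand in for Büchi automata."""
from collections import deque

# Constructed sample SDs (assumption: ack and nack are replies from n to m).
INIT = ["m:n!a", "n:m?a"]   # sd init
ACK = ["n:m!b", "m:n?b"]    # sd ack
NACK = ["n:m!c", "m:n?c"]   # neg sd nack
ALPHABET = frozenset(INIT + ACK + NACK)  # assumption: closed-world alphabet


class DFA:
    """delta maps (state, event) -> state for every event in ALPHABET."""

    def __init__(self, init, delta, accepting):
        self.init, self.delta, self.accepting = init, delta, set(accepting)

    def run(self, trace):
        state = self.init
        for event in trace:
            state = self.delta[(state, event)]
        return state

    def accepts(self, trace):
        return self.run(trace) in self.accepting


def chaos_closed(events, accept_on_done):
    """Progress automaton with chaos closure.  State i: the first i events of
    the scenario have occurred.  The expected event advances; every other
    event (the slides' ~e self-loops) leaves the state unchanged.  State n is
    a sink: accepting for the liveness reading, rejecting for the safety one."""
    n = len(events)
    delta = {}
    for i in range(n + 1):
        for e in ALPHABET:
            delta[(i, e)] = i + 1 if i < n and e == events[i] else i
    accepting = {n} if accept_on_done else set(range(n))
    return DFA(0, delta, accepting)


def _reachable_pairs(a, b):
    """BFS over the synchronous product of a and b, shortest paths first.
    Yields each reachable pair together with the BFS parent map."""
    start = (a.init, b.init)
    parent = {start: None}
    queue = deque([start])
    while queue:
        p, q = queue.popleft()
        yield (p, q), parent
        for e in sorted(ALPHABET):
            nxt = (a.delta[(p, e)], b.delta[(q, e)])
            if nxt not in parent:
                parent[nxt] = ((p, q), e)
                queue.append(nxt)


def parallel(a, b):
    """Synchronous parallel composition (iod = liod || siod on the slides).
    Both components step on every event and a trace is accepted iff both
    accept it, so Lang(a || b) = Lang(a) ∩ Lang(b)."""
    delta, accepting = {}, set()
    for (p, q), _ in _reachable_pairs(a, b):
        if p in a.accepting and q in b.accepting:
            accepting.add((p, q))
        for e in ALPHABET:
            delta[((p, q), e)] = (a.delta[(p, e)], b.delta[(q, e)])
    return DFA((a.init, b.init), delta, accepting)


def refines(s1, s2):
    """S1 refines S2 iff Lang(S1) is included in Lang(S2): no reachable product
    state that S1 accepts and S2 rejects.  Returns (True, None) or
    (False, witness) with the shortest trace in Lang(S1) but not in Lang(S2)."""
    for (p, q), parent in _reachable_pairs(s1, s2):
        if p in s1.accepting and q not in s2.accepting:
            trace, cur = [], (p, q)
            while parent[cur] is not None:
                cur, e = parent[cur]
                trace.append(e)
            return False, trace[::-1]
    return True, None


def hsd_iod():
    """sd iod: ref init, then ref ack or (negative) ref nack.
    Positive semantics: drop the negative node -> liveness automaton for init ack.
    Negative semantics: the negative node becomes a sink -> safety automaton
    that rejects once init nack has completed.  Returns (iod, liod, siod)."""
    liod = chaos_closed(INIT + ACK, accept_on_done=True)
    siod = chaos_closed(INIT + NACK, accept_on_done=False)
    return parallel(liod, siod), liod, siod


if __name__ == "__main__":
    iod, liod, siod = hsd_iod()
    for trace in (INIT + ACK, INIT + NACK, INIT + NACK + ACK, INIT):
        print(" ".join(trace), "->", iod.accepts(trace))
    # Strengthening the safety part (c must never be exchanged) refines iod.
    print(refines(parallel(liod, chaos_closed(NACK, False)), iod))
    # The positive part alone does not: it allows init nack ack.
    print(refines(liod, iod))
```

The trace init nack ack is the instructive one: the liveness component liod accepts it (the ack scenario is completed), but the safety component siod has entered its sink, so the composition rejects it, which is exactly why liod on its own does not refine iod and refines() returns that six-event trace as a witness.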
Examples of Refinement
[Figure: refinement examples for the sequential, alternative and star operators, built from ref init, ref ack and ref nack nodes; the star case is marked with a question mark.]
Related Work
• PA and PO (Mauw, Alur, Muscholl, Peled, ...):
  - Not compositional. Not interested in compositionality.
• Live SC (Damm, Harel, Kugler):
  - Elegant, alternative AT solution. Departure from UML.
• Triggered MSC (Cleaveland, Sengupta):
  - Prescriptive/constraint-based. Must preorder.
• STAIRS (Haugen, Stoelen):
  - Open semantics. Not fully formalized.
• Other semantics (Broy, Knapp, Krüger, ...):
  - Also depart from closed world semantics.
Conclusions
• Presented an automata-theoretic semantics that solves in a simple and elegant way one of the main open questions about UML 2.0 SDs:
  - How to assign a precise meaning to a set of SDs without compromising refinement?
• Provides a direct technique for checking SD refinement in a compositional way.
• Supports the development of a general purpose model checker (MC) for property and refinement checking.
Rough Complexity Analysis
• Translation of HSD to Pos/Neg FA:
  - linear time (in the size of the HSD).
• Translation of Pos/Neg FA to Safe/Live BA:
  - exponential due to flattening.
• Complementation hard:
  - double exponential due to BA.
• In practice:
  - avoid flattening for synchronous sequencing?
  - special kind of BA with simple complementation.