40 likes | 186 Views
Formal Verification of UML Diagrams. Jeffrey Smith: Sanders and Northeastern University Mieczyslaw Kokar: Northeastern University, College of Engineering Ken Baclawski: Northeastern University, College of Computer Science. Bridge Between CASE and Formal Development Paradigms. Process.
E N D
Formal Verification of UML Diagrams Jeffrey Smith: Sanders and Northeastern University Mieczyslaw Kokar: Northeastern University, College of Engineering Ken Baclawski: Northeastern University, College of Computer Science Bridge Between CASE and FormalDevelopment Paradigms Process Core MetaModel UML Graphical Domain (Application in UML form) UML Semantics (UML Semantics Guide contents) ModelElement Gen (ME) 4. Map to UML metamodel Name : Name • Formalize common CASE spec language (UML), • Automate transformation from UML to formal representation Computer-aided formally-developed spec/sw CASE-based spec/sw ownedElement * namespace 0.1 Translation Example - UML Graphical Domain Namespace TR (ME) Presentation Course generalization 1 1..1 2. Automatic translation to Slang Disadvantages Advantages Advantages Disadvantages Generalization GeneralizableElement pres_ID : String subtype * isRoot : Boolean isLeaf : Boolean isAbstract : Boolean {frozen} * supertype Discriminator : Name • Complex, diverse and unsupported tools • Complex languages/math • Lack of trained engineers • Unproven scalability • Provably correct software • Code generation • Code refinement • Theorem proving • Spec/SW composition • Uniform graphical user interface • Modern SE methodologies (OO, state, etc) • Reverse engineering • Common large-scale development paradigm • Inconsistent specification • “Shell” sw only specialization 1 1..1 GT (MME) level Lecture Student 1. Formalization of UML student_collection student ID : Integer * {ordered} 2 1..1 1 1..* {ordered} type associationEnd AssociationEnd * Instance Association 1 * connection Classifier classifier UML Formal Domain (Application in Slang form) UML Formal Semantics (UML semantics in Slang form) isOrdered : Boolean aggregation : AggregationKind mulitplicity : Multiplicity changeable : ChangeableKind Motivation Objective specification participant * * • Verification of translation correctness left to tool developers or programmers • CASE tools don’t enforce syntax/semantics • CASE tools can only do partial translation to a programming language • UML is semi-formal and inconsistent • Develop provably correct UML to formal language translator with respect to UML intended meaning • Ensure that the class of metamodels of a theory, obtained as a translation of any UML diagram, is a subclass of models of the theory of the UML metamodel • for each translation: • UML metamodel theory theory representing UML diagram Object 3. Find morphisms type Attribute Class Theorem 1: D ME in D GT(Gen(ME)) Theorem 2: D ME in D M: GT(Gen(ME))|D TR(ME) Corollary 2.1: D ME M: colimit(GT(Gen(D))) TR(D) * 1 initialValue : Expr M is a Morphism; GT is Ground Truth UML to Formal Spec Translation Rules Model Element - Spec Rule - Every Model Element in UML, specified in the UML Semantics Guide, translates to a spec containing a sort, both having the same name as the ModelElement. Specification Constraint to Op/Axiom Rule - For each specification constraint, add an associated op in the spec corresponding to the UML object that contains this specification constraint. Specify the constraint in an axiom associated with the op. UML Diagram to Colimit of Specs Rule - For each UML diagram, specify each metamodel element, as defined in the previous rules, and build the entire diagram, in a bottom-up fashion, using colimits. Constraints are specified at each level of the construction. Generalization - Generalization Instance Spec Rule - Translate each generalizable element of a generalization to a separate instance of a generalizable element spec, filling in each of the generalizable element constraints as ops, axioms and theorems of each generalizable element spec. Translate each generalization to a separate instance of a generalization spec, identifying which of the two generalizable element instances represent the subtype and supertype ``is-a" relationship. Form a colimit of the generalizable element subtype and supertype instances with an instance of the GENERALIZABLE ELEMENT- GENERALIZATION-COLIMIT spec (in the UML Formal Semantics), filling in the constraints associated with the generalizable element and generalization relations as ops and axioms. Association - Association Instance Spec Rule - Translate each association end of an association to a separate instance of an association end spec, filling in each of the association end constraints as ops, axioms and theorems of the association end spec. Translate the association to a separate instance of the association spec, identifying the classifiers associated with each association end as the source and target of the association. Form a diagram, that links the source ASSOCIATIONEND spec with its ASSOCIATION spec, into an instance of the ASSOC-SOURCE diagram, filling in the specs and sorts of the association end and association names with their instantiated values. Similarly, form a diagram, that links the target ASSOCIATIONEND spec with its ASSOCIATION spec, into an instance of the ASSOC-TARGET diagram. Next, form a diagram that combines these two diagrams with diagrams that will link the source and target CLASSIFIER specs with the source and target association ends, respectively. This is done by forming a colimit of these association ends, classifiers and association specs into an instance of the ASSOCIATION-CLASSIFIER-COLIMIT spec, filling in the constraints associated with association end, classifier and association relations, as ops and axioms. Aggregation - Aggregation Instance Rule - Treat aggregation as an association, labeling the association end corresponding to the aggregate end (the side with the hollow or filled in diamond) with the type of aggregation, according to the UML Semantics Guide. Class, Instance and Object Formalization Rules - Translate each class to an instance of a class spec, implementing the specialization of the inherited name constraint from the ModelElement metamodel element and the isRoot, isLeaf and isAbstract constraints from the Classifier metamodel element. Translate each instance to an instance of an INSTANCE spec, implementing the specialization of the inherited name constraint from the ModelElement metamodel element. Translate each object to an instance of an OBJECT spec, implementing the specialization of the inherited name constraint from the Instance metamodel element (which, in turn, was inherited from the ModelElement metamodel element). Attribute Rule - Translate each attribute to an instance of a ATTRIBUTE spec, implementing its specific initialValue constraint and the inherited name constraint from the ModelElement metamodel element. Form a diagram, that links the CLASS spec with its ATTRIBUTE spec, into an instance of the ATTRIBUTE-TYPE diagram (in the UML Formal Semantics), filling in the specs and sorts of the Class and Attribute names with their instantiated values. Q = {model elements of diagram D}, B = {attributes in D}, S = {association in D} P = {metamodel elements}, A = {meta-attributes}, R = {meta-associations}, C = {consistency constraints on P, A & R} One-Step Transformation dump parse : Q P : B A Q BaseElements, : S R Q2 UML Diagram Export Format Parse Tree Intermediate Structure O-Slang Parse Tree O-Slang Structure Slang Parse Tree Slang Structure Programming Language Parse Tree Intermediate Structure Intermediate Code Executable Code UML Graphical Domain UML Semantics symbol table parse translate symbol table translate parse symbol table • Let D be a UML diagram with respect to the Core Metamodel CM, then: • Theorem 1: The triple GT = (, , ) is a formalism of CM in Slang • Theorem 2: There exists a verification morphism from GT to TR(D) • Corollary 2.1: There exists a verification morphism from • colimit({(q) | q Q} | D) to colimit({((q)) | q Q} | D) parse code generate Q B S symbol table P A R optimize generate TR = GT= Transformation Pipeline spec op diagram spec op diagram UML Diagram Intermediate Structure (REI Model) Slang Structure Programming Language Parse Tree Intermediate Structure Intermediate Code Executable Code Simplified Transformation Pipeline translate UML Formal Domain UML Formal Semantics parse code generate TR(D) GT (Q) symbol table colimit({(q) | q Q} | D) colimit({((q)) | q Q} | D) optimize generate Correctness Theorem Refinement
Translation Example - UML Formal Domain Translation Example - UML Formal Semantics spec LECTURE is sort Lecture op name: Lecture -> String axiom fa(a: Lecture) name(a) = "Lecture" theorem Lecture-name is fa(a: Lecture, b: Lecture) (name(a) = "Lecture" & name(b) = "Lecture") op isLeaf: Lecture -> Boolean axiom fa(a: Lecture) isLeaf(a) = true theorem Lecture-isLeaf is fa(a: Lecture, b: Lecture) (isLeaf(a) = true & isLeaf(b) = true) op isRoot: Lecture -> Boolean axiom fa(a: Lecture) isRoot(a) = false theorem Lecture-isRoot is fa(a: Lecture, b: Lecture) (isRoot(a) = false & isRoot(b) = false) op isAbstract: Lecture -> Boolean axiom fa(a: Lecture) isAbstract(a) = false theorem Lecture-isAbstract is fa(a: Lecture, b: Lecture) (isAbstract(a) = false & isAbstract(b) = false) end-spec spec COURSE is sort Course op name: Course -> String axiom fa(a: Course) name(a) = "Course" theorem Course-name is fa(a: Course, b: Course) (name(a) = "Course" & name(b) = "Course") op isLeaf: Course -> Boolean axiom fa(a: Course) isLeaf(a) = true theorem Course-isLeaf is fa(a: Course, b: Course) (isLeaf(a) = true & isLeaf(b) = true) op isRoot: Course -> Boolean axiom fa(a: Course) isRoot(a) = true theorem Course-isRoot is fa(a: Course, b: Course) (isRoot(a) = true & isRoot(b) = true) op isAbstract: Course -> Boolean axiom fa(a: Course) isAbstract(a) = false theorem Course-isAbstract is fa(a: Course, b: Course) (isAbstract(a) = false & isAbstract(b) = false) end-spec spec PRESENTATION is sort Presentation op name: Presentation -> String axiom fa(a: Presentation) name(a) = "Presentation" theorem Presentation-name is fa(a: Presentation, b: Presentation) (name(a) = "Presentation" & name(b) = "Presentation") op isLeaf: Presentation -> Boolean axiom fa(a: Presentation) isLeaf(a) = false theorem Presentation-isLeaf is fa(a: Presentation, b: Presentation) (isLeaf(a) = false & isLeaf(b) = false) op isRoot: Presentation -> Boolean axiom fa(a: Presentation) isRoot(a) = true theorem Presentation-isRoot is fa(a: Presentation, b: Presentation) (isRoot(a) = true & isRoot(b) = true) op isAbstract: Presentation -> Boolean axiom fa(a: Presentation) isAbstract(a) = true theorem Presentation-isAbstract is fa(a: Presentation, b: Presentation) (isAbstract(a) = true & isAbstract(b) = true) end-spec spec STUDENT is sort Student op name: Student -> String axiom fa(a: Student) name(a) = "Student" theorem Student-name is fa(a: Student, b: Student) (name(a) = "Student" & name(b) = "Student") op isLeaf: Student -> Boolean axiom fa(a: Student) isLeaf(a) = true theorem Student-isLeaf is fa(a: Student, b: Student) (isLeaf(a) = true & isLeaf(b) = true) op isRoot: Student -> Boolean axiom fa(a: Student) isRoot(a) = true theorem Student-isRoot is fa(a: Student, b: Student) (isRoot(a) = true & isRoot(b) = true) op isAbstract: Student -> Boolean axiom fa(a: Student) isAbstract(a) = false theorem Student-isAbstract is fa(a: Student, b: Student) (isAbstract(a) = false & isAbstract(b) = false) end-spec spec PRES_ID-ATTRIBUTE is sort pres_ID-attribute op name: pres_ID-attribute -> String axiom fa(a: pres_ID-attribute) name(a) = "pres_ID" theorem pres_ID-name is fa(a: pres_ID-attribute, b: pres_ID-attribute) (name(a) = "pres_ID" & name(b) = "pres_ID") op pres_ID: pres_ID-attribute -> String axiom fa(a: pres_ID-attribute) pres_ID(a) = "" theorem pres_ID-initialValue is fa(a: pres_ID-attribute, b: pres_ID-attribute) (pres_ID(a) = "" & pres_ID(b) = "") end-spec diagram PRES_ID-ATTRIBUTE is nodes T1: TRIV, T2: TRIV, PAIR, PRESENTATION, PRES_ID-ATTRIBUTE arcs T1 -> PRESENTATION: {e -> Presentation}, T1 -> PAIR: {e -> Left}, T1 -> PAIR: {e -> Right}, T1 -> PRES_ID-ATTRIBUTE: {e -> pres_ID-attribute} end-diagram spec ID-ATTRIBUTE is sort ID-attribute op name: ID-attribute -> String axiom fa(a: ID-attribute) name(a) = "ID" theorem ID-name is fa(a: ID-attribute, b: ID-attribute) (name(a) = "ID" & name(b) = "ID") op ID: ID-attribute -> Integer axiom fa(a: ID-attribute) ID(a) = "" theorem ID-initialValue is fa(a: ID-attribute, b: ID-attribute) (pres_ID(a) = "" & pres_ID(b) = "") end-spec diagram ID-ATTRIBUTE is nodes T1: TRIV, T2: TRIV, PAIR, STUDENT, ID-ATTRIBUTE arcs T1 -> STUDENT: {e -> Student}, T1 -> PAIR: {e -> Left}, T1 -> PAIR: {e -> Right}, T1 -> ID-ATTRIBUTE: {e -> ID-attribute} end-diagram spec LECTURE-AE-STUDENT is sort Lecture-AE-Student op name: Lecture-AE-Student -> String axiom fa(a: Lecture-AE-Student) name(a) = "student_collection" theorem Lecture-AE-Student-name is fa(a: Lecture-AE-Student, b: Lecture-AE-Student) (name(a) = "student_collection" & name(b) = "student_collection") op multiplicity: Lecture-AE-Student -> Nat, Nat axiom fa(a: Lecture-AE-Student) multiplicity(a) = (1,1) theorem Lecture-AE-Student-multiplicity is fa(a: Lecture-AE-Student, b: Lecture-AE-Student) (multiplicity(a) = (1,1) & multiplicity(b) = (1,1)) op isNavigable: Lecture-AE-Student -> Boolean axiom fa(a: Lecture-AE-Student) isNavigable(a) = true theorem Lecture-AE-Student-isNavigable is fa(a: Lecture-AE-Student, b: Lecture-AE-Student) (isNavigable(a) = true & isNavigable(b) = true) op aggregate: Lecture-AE-Student -> String axiom fa(a: Lecture-AE-Student) aggregate(a) = "aggregate" theorem Lecture-AE-Student-aggregate is fa(a: Lecture-AE-Student, b: Lecture-AE-Student) (aggregate(a) = "aggregate" & aggregate(b) = "aggregate") op changeable: Lecture-AE-Student -> String axiom fa(a: Lecture-AE-Student) changeable(a) = "none" theorem Lecture-AE-Student-changeable is fa(a: Lecture-AE-Student, b: Lecture-AE-Student) (changeable(a) = "none" & changeable(b) = "none") op isOrdered: Lecture-AE-Student -> Boolean axiom fa(a: Lecture-AE-Student) isOrdered(a) = false theorem Lecture-AE-Student-isOrdered is fa(a: Lecture-AE-Student, b: Lecture-AE-Student) (isOrdered(a) = false & isOrdered(b) = false) end-spec spec STUDENT-AE-LECTURE is sort Student-AE-Lecture op name: Student-AE-Lecture -> String axiom fa(a: Student-AE-Lecture) name(a) = "student" theorem Student-AE-Lecture-name is fa(a: Student-AE-Lecture, b: Student-AE-Lecture) (name(a) = "student" & name(b) = "student") op multiplicity: Student-AE-Lecture -> Nat, Nat axiom fa(a: Student-AE-Lecture) multiplicity(a) = (0,*) theorem Student-AE-Lecture-multiplicity is fa(a: Student-AE-Lecture, b: Student-AE-Lecture) (multiplicity(a) = (0,*) & multiplicity(b) = (0,*)) op isNavigable: Student-AE-Lecture -> Boolean axiom fa(a: Student-AE-Lecture) isNavigable(a) = true theorem Student-AE-Lecture-isNavigable is fa(a: Student-AE-Lecture, b: Student-AE-Lecture) (isNavigable(a) = true & isNavigable(b) = true) op aggregate: Student-AE-Lecture -> String axiom fa(a: Student-AE-Lecture) aggregate(a) = "none" theorem Student-AE-Lecture-aggregate is fa(a: Student-AE-Lecture, b: Student-AE-Lecture) (aggregate(a) = "none" & aggregate(b) = "none") op changeable: Student-AE-Lecture -> String axiom fa(a: Student-AE-Lecture) changeable(a) = "none" theorem Student-AE-Lecture-changeable is fa(a: Student-AE-Lecture, b: Student-AE-Lecture) (changeable(a) = "none" & changeable(b) = "none") op isOrdered: Student-AE-Lecture -> Boolean axiom fa(a: Student-AE-Lecture) isOrdered(a) = true theorem Student-AE-Lecture-isOrdered is fa(a: Student-AE-Lecture, b: Student-AE-Lecture) (isOrdered(a) = true & isOrdered(b) = true) end-spec spec LECTURE-AE-COURSE is sort Lecture-AE-Course op name: Lecture-AE-Course -> String axiom fa(a: Lecture-AE-Course) name(a) = "level" theorem Lecture-AE-Course-name is fa(a: Lecture-AE-Course, b: Lecture-AE-Course) (name(a) = "level" & name(b) = "level") op multiplicity: Lecture-AE-Course -> Nat, Nat axiom fa(a: Lecture-AE-Course) multiplicity(a) = (1,1) theorem Lecture-AE-Course-multiplicity is fa(a: Lecture-AE-Course, b: Lecture-AE-Course) (multiplicity(a) = (1,1) & multiplicity(b) = (1,1)) op isNavigable: Lecture-AE-Course -> Boolean axiom fa(a: Lecture-AE-Course) isNavigable(a) = true theorem Lecture-AE-Course-isNavigable is fa(a: Lecture-AE-Course, b: Lecture-AE-Course) (isNavigable(a) = true & isNavigable(b) = true) op aggregate: Lecture-AE-Course -> String axiom fa(a: Lecture-AE-Course) aggregate(a) = "none" theorem Lecture-AE-Course-aggregate is fa(a: Lecture-AE-Course, b: Lecture-AE-Course) (aggregate(a) = "none" & aggregate(b) = "none") op changeable: Lecture-AE-Course -> String axiom fa(a: Lecture-AE-Course) changeable(a) = "none" theorem Lecture-AE-Course-changeable is fa(a: Lecture-AE-Course, b: Lecture-AE-Course) (changeable(a) = "none" & changeable(b) = "none") op isOrdered: Lecture-AE-Course -> Boolean axiom fa(a: Lecture-AE-Course) isOrdered(a) = false theorem Lecture-AE-Course-isOrdered is fa(a: Lecture-AE-Course, b: Lecture-AE-Course) (isOrdered(a) = false & isOrdered(b) = false) end-spec spec COURSE-AE-LECTURE is sort Course-AE-Lecture op name: Course-AE-Lecture -> String axiom fa(a: Course-AE-Lecture) name(a) = "" theorem Course-AE-Lecture-name is fa(a: Course-AE-Lecture, b: Course-AE-Lecture) (name(a) = "" & name(b) = "") op multiplicity: Course-AE-Lecture -> Nat, Nat axiom fa(a: Course-AE-Lecture) multiplicity(a) = (1,1) theorem Course-AE-Lecture-multiplicity is fa(a: Course-AE-Lecture, b: Course-AE-Lecture) (multiplicity(a) = (1,1) & multiplicity(b) = (1,1)) op isNavigable: Course-AE-Lecture -> Boolean axiom fa(a: Course-AE-Lecture) isNavigable(a) = true theorem Course-AE-Lecture-isNavigable is fa(a: Course-AE-Lecture, b: Course-AE-Lecture) (isNavigable(a) = true & isNavigable(b) = true) op aggregate: Course-AE-Lecture -> String axiom fa(a: Course-AE-Lecture) aggregate(a) = "none" theorem Course-AE-Lecture-aggregate is fa(a: Course-AE-Lecture, b: Course-AE-Lecture) (aggregate(a) = "none" & aggregate(b) = "none") op changeable: Course-AE-Lecture -> String axiom fa(a: Course-AE-Lecture)changeable(a) = "frozen" theorem Course-AE-Lecture-changeable is fa(a: Course-AE-Lecture, b: Course-AE-Lecture) (changeable(a) = "frozen" & changeable(b) = "frozen") op isOrdered: Course-AE-Lecture -> Boolean axiom fa(a: Course-AE-Lecture) isOrdered(a) = false theorem Course-AE-Lecture-isOrdered is fa(a: Course-AE-Lecture, b: Course-AE-Lecture) (isOrdered(a) = false & isOrdered(b) = false) end-spec spec LECTURE-STUDENT-AGGREGATION is sort Lecture-Student-Aggregation, Lecture, Student op name: Lecture-Student-Aggregation -> String axiom fa(a: Lecture-Student-Aggregation) name(a) = "Lecture-Student-Aggregation" theorem Lecture-Student-Aggregation-name is fa(a: Lecture-Student-Aggregation, b: Lecture-Student-Aggregation) (name(a) = "Lecture-Student-Aggregation" & name(b) = "Lecture-Student-Aggregation") op isLeaf: Lecture-Student-Aggregation -> Boolean axiom fa(a: Lecture-Student-Aggregation) isLeaf(a) = true theorem Lecture-Student-Aggregation-isLeaf is fa(a: Lecture-Student-Aggregation, b: Lecture-Student-Aggregation) (isLeaf(a) = true & isLeaf(b) = true) op isRoot: Lecture-Student-Aggregation -> Boolean axiom fa(a: Lecture-Student-Aggregation) isRoot(a) = true theorem Lecture-Student-Aggregation-isRoot is fa(a: Lecture-Student-Aggregation, b: Lecture-Student-Aggregation) (isRoot(a) = true & isRoot(b) = true) op isAbstract: Lecture-Student-Aggregation -> Boolean axiom fa(a: Lecture-Student-Aggregation) isAbstract(a) = true theorem Lecture-Student-Aggregation-isAbstract is fa(a: Lecture-Student-Aggregation, b: Lecture-Student-Aggregation) (isAbstract(a) = true & isAbstract(b) = true) op make-association: Lecture, Student -> Lecture-Student-Aggregation op first: Lecture-Student-Aggregation -> Lecture op second: Lecture-Student-Aggregation -> Student axiom first(make-association(d, e)) = d axiom second(make-association(d, e)) = e constructors {make-association} construct Lecture-Student-Aggregation theorem p = make-association(first(p), second(p)) end-spec diagram LECTURE-STUDENT-ASSOC-SOURCE is nodes T1: TRIV, T2: TRIV, PAIR, LECTURE-STUDENT-AGGREGATION, LECTURE-AE-STUDENT arcs T1 -> LECTURE-STUDENT-AGGREGATION: {e -> Lecture-Student-Aggregation}, T1 -> P1: {e -> Right}, T2 -> P1: {e -> Left}, T2 -> LECTURE-AE-STUDENT: {e -> Lecture-AE-Student} end-diagram diagram LECTURE-STUDENT-ASSOC-TARGET is nodes T1: TRIV, T2: TRIV, PAIR, LECTURE-STUDENT-AGGREGATION, STUDENT-AE-LECTURE arcs T1 -> LECTURE-STUDENT-AGGREGATION: {e -> Lecture-Student-Aggregation}, T1 -> P1: {e -> Right}, T2 -> P1: {e -> Left}, T2 -> STUDENT-AE-LECTURE: {e -> Student-AE-Lecture} end-diagram spec LECTURE-STUDENT-AGGREGATION-COLIMIT is import colimit of diagram nodes T1: TRIV, T2: TRIV, T3: TRIV, T4: TRIV, T5: TRIV, T6: TRIV, T7: TRIV, T8: TRIV, P1: PAIR, P2: PAIR, P3: PAIR, P4: PAIR, LECTURE, STUDENT, LECTURE-AE-STUDENT, STUDENT-AE-LECTURE, LECTURE-STUDENT-AGGREGATION arcs T1 -> P1: {e -> Right}, T2 -> P1: {e -> Left}, T1 -> LECTURE: {e -> Lecture}, T2 -> LECTURE-AE-STUDENT: {e -> Lecture-AE-Student}, T3 -> P2: {e -> Right}, T4 -> P2: {e -> Left}, T3 -> LECTURE-AE-STUDENT: {e -> Lecture-AE-Student}, T4 -> LECTURE-STUDENT-AGGREGATION: {e -> Lecture-Student-Aggregation}, T5 -> P3: {e -> Right}, T6 -> P3: {e -> Left}, T5 -> LECTURE-STUDENT-AGGREGATION: {e -> Lecture-Student-Aggregation}, T6 -> STUDENT-AE-LECTURE: {e -> Student-AE-Lecture}, T7 -> P4: {e -> Right}, T8 -> P4: {e -> Left}, T7 -> STUDENT-AE-LECTURE: {e -> Student-AE-Lecture}, T8 -> STUDENT: {e -> Student} end-diagram axiom OCL1 is fa(a: Lecture-AE-Student, b:Student-AE-Lecture) name(a) = name(b) => a = b axiom OCL2 is fa(a: Lecture-AE-Student, b:Student-AE-Lecture) ((aggregate(a) = "aggregate") or (aggregate(a) = "composite") => (aggregate(b) = "none") or ((aggregate(b) = "aggregate") or (aggregate(b) = "composite") => (aggregate(a) = "none")) axiom OCL3 is fa(a: Lecture-Student-Aggregation) Lecture = first(a) & Student = second(a) axiom OCL4 is fa(a: Lecture, b:Student) name(a) = name(b) => a = b end-spec spec LECTURE-COURSE-ASSOCIATION is sort Lecture-Course-Association, Lecture, Course op name: Lecture-Course-Association -> String axiom fa(a: Lecture-Course-Association) name(a) = "Lecture-Course-Association" theorem Lecture-Course-Association-name is fa(a: Lecture-Course-Association, b: Lecture-Course-Association) (name(a) = "Lecture-Course-Association" & name(b) = "Lecture-Course-Association") op isLeaf: Lecture-Course-Association -> Boolean axiom fa(a: Lecture-Course-Association) isLeaf(a) = true theorem Lecture-Course-Association-isLeaf is fa(a: Lecture-Course-Association, b: Lecture-Course-Association) (isLeaf(a) = true & isLeaf(b) = true) op isRoot: Lecture-Course-Association -> Boolean axiom fa(a: Lecture-Course-Association) isRoot(a) = true theorem Lecture-Course-Association-isRoot is fa(a: Lecture-Course-Association, b: Lecture-Course-Association) (isRoot(a) = true & isRoot(b) = true) op isAbstract: Lecture-Course-Association -> Boolean axiom fa(a: Lecture-Course-Association) isAbstract(a) = true theorem Lecture-Course-Association-isAbstract is fa(a: Lecture-Course-Association, b: Lecture-Course-Association) (isAbstract(a) = true & isAbstract(b) = true) op make-association: Lecture, Course -> Lecture-Course-Association op first: Lecture-Course-Association -> Lecture op second: Lecture-Course-Association -> Course axiom first(make-association(d, e)) = d axiom second(make-association(d, e)) = e constructors {make-association} construct Lecture-Course-Association theorem p = make-association(first(p), second(p)) end-spec diagram LECTURE-COURSE-ASSOC-SOURCE is nodes T1: TRIV, T2: TRIV, PAIR, LECTURE-COURSE-ASSOCIATION, LECTURE-AE-COURSE arcs T1 -> LECTURE-COURSE-ASSOCIATION: {e -> Lecture-Course-Association}, T1 -> P1: {e -> Right}, T2 -> P1: {e -> Left}, T2 -> LECTURE-AE-COURSE: {e -> Lecture-AE-Course} end-diagram diagram LECTURE-COURSE-ASSOC-TARGET is nodes T1: TRIV, T2: TRIV, PAIR, LECTURE-COURSE-ASSOCIATION, COURSE-AE-LECTURE arcs T1 -> LECTURE-COURSE-ASSOCIATION: {e -> Lecture-Course-Association}, T1 -> P1: {e -> Right}, T2 -> P1: {e -> Left}, T2 -> COURSE-AE-LECTURE: {e -> Course-AE-Lecture} end-diagram spec LECTURE-COURSE-ASSOCIATION-COLIMIT is import colimit of diagram nodes T1: TRIV, T2: TRIV, T3: TRIV, T4: TRIV, T5: TRIV, T6: TRIV, T7: TRIV, T8: TRIV, P1: PAIR, P2: PAIR, P3: PAIR, P4: PAIR, LECTURE, COURSE, LECTURE-AE-COURSE, COURSE-AE-LECTURE, LECTURE-COURSE-ASSOCIATION arcs T1 -> P1: {e -> Right}, T2 -> P1: {e -> Left}, T1 -> LECTURE: {e -> Lecture}, T2 -> LECTURE-AE-COURSE: {e -> Lecture-AE-Course}, T3 -> P2: {e -> Right}, T4 -> P2: {e -> Left}, T3 -> LECTURE-AE-COURSE: {e -> Lecture-AE-Course}, T4 -> LECTURE-COURSE-ASSOCIATION: {e -> Lecture-Course-Association}, T5 -> P3: {e -> Right}, T6 -> P3: {e -> Left}, T5 -> LECTURE-COURSE-ASSOCIATION: {e -> Lecture-Course-Association}, T6 -> COURSE-AE-LECTURE: {e -> Course-AE-Lecture}, T7 -> P4: {e -> Right}, T8 -> P4: {e -> Left}, T7 -> COURSE-AE-LECTURE: {e -> Course-AE-Lecture}, T8 -> COURSE: {e -> Course} end-diagram axiom OCL1 is fa(a: Lecture-AE-Course, b:Course-AE-Lecture) name(a) = name(b) => a = b axiom OCL2 is fa(a: Lecture-AE-Course, b:Course-AE-Lecture) ((aggregate(a) = "aggregate") or (aggregate(a) = "composite") => (aggregate(b) = "none") or ((aggregate(b) = "aggregate") or (aggregate(b) = "composite") => (aggregate(a) = "none")) axiom OCL3 is fa(a: Lecture-Course-Association) Lecture = first(a) & Course = second(a) axiom OCL4 is fa(a: Lecture, b:Course) name(a) = name(b) => a = b end-spec spec PRESENTATION-LECTURE-GENERALIZATION is sorts Presentation-Lecture-Generalization, Lecture op name: Presentation-Lecture-Generalization -> String axiom fa(a: Presentation-Lecture-Generalization) name(a) = "Presentation-Lecture-Generalization" theorem Presentation-Lecture-Generalization-name is fa(a: Presentation-Lecture-Generalization, b: Presentation-Lecture-Generalization) (name(a) = "Presentation-Lecture-Generalization" & name(b) = "Presentation-Lecture-Generalization") op discriminator: Presentation-Lecture-Generalization -> String axiom fa(a: Presentation-Lecture-Generalization) discriminator(a) = "") theorem Presentation-Lecture-Generalization-discriminator is fa(a: Presentation-Lecture-Generalization, b: Presentation-Lecture-Generalization) (discriminator(a) = "" & discriminator(b) = "") op isa: Lecture -> Presentation-Lecture-Generalization axiom fa(a: Lecture) isa(a) = Presentation-Lecture-Generalization) theorem Presentation-Lecture-Generalization-isa is fa(a: Lecture, b: Lecture) (isa(a) = Presentation-Lecture-Generalization & isa(b) = Presentation-Lecture-Generalization) op no-isa: Presentation-Lecture-Generalization -> String axiom fa(a: Presentation-Lecture-Generalization) no-isa(a) = "Presentation" theorem Presentation-Lecture-Generalization-no-isa is fa(a: Presentation-Lecture-Generalization, b: Presentation-Lecture-Generalization) (no-isa(a) = "Presentation" & no-isa(b) = "Presentation") end-spec spec PRESENTATION-LECTURE-GENERALIZATION-COLIMIT is import colimit of diagram nodes T1: TRIV, T2: TRIV, T3: TRIV, T4: TRIV, P1: PAIR, P2: PAIR, PRESENTATION, LECTURE, PRESENTATION-LECTURE-GENERALIZATION arcs T1 -> P1: {e -> Left}, T1 -> LECTURE: {e -> Lecture}, T2 -> P1: {e -> Right}, T2 -> PRESENTATION-LECTURE-GENERALIZATION: {e -> Lecture}, T3 -> P2: {e -> Left}, T3 -> PRESENTATION-LECTURE-GENERALIZATION: {e -> Presentation-Lecture-Generalization}, T4 -> P2: {e -> Right}, T4 -> PRESENTATION: {e -> Presentation} end-diagram axiom OCL5 is fa(a: Presentation, b:Presentation-Lecture-Generalization) isRoot(a) = no-isa(b) => "" axiom OCL6 is fa(a: Presentation) isLeaf(a) = false axiom OCL7 is fa(a: Presentation, b:Presentation-Lecture-Generalization) name(a) = no-isa(b) end-spec % Part 1 specs - each of the meta-classes in the Core Metamodel ---- spec PAIR is sorts Pair, Left, Right op make-pair: Left, Right -> Pair op left: Pair -> Left op right: Pair -> Right axiom (equal (left (make-pair d e)) d) axiom (equal (right(make-pair d e)) e) constructors {make-pair} construct Pair theorem (equal p (make-pair (left p) (right p))) axiom unique is (and (and (fa (a: Left) (ex (b: Right p: Pair) (and (equal (Left p) a) (equal (Right p) b)))) (implies (fa (a: Left b1: Right b2: Right p1: Pair p2: Pair) (and (and (and (equal (Left p1) a) (equal (Left p2) a)) (equal (Right p1) b1)) (equal (Right p2) b2))) (and (equal p1 p2) (equal b1 b2)))) (and (fa (a: Right) (ex (a: Left p: Pair) (and (equal (Left p) a) (equal (Right p) b)))) (implies (fa (a1: Left a2: Left p1: Pair p2: Pair b: Right) (and (and (and (equal (Left p1) a1) (equal (Left p2) a2)) (equal (Right p1) b1)) (equal (Right p2) b2))) (and (equal p1 p2) (equal a1 a2))))) end-spec spec MODELELEMENT is sort ModelElement op name : ModelElement -> String axiom name is (fa (a: ModelElement b: ModelElement) (equal (name a) (name b))) end-spec spec ATTRIBUTE is sorts Attribute, Expr op name : Attribute -> String axiom name is (fa (a: Attribute b: Attribute) (equal (name a) (name b))) op initialValue : Attribute -> Expr axiom initialValue is (fa (a: Attribute b: Attribute) (equal (initialValue a) (initialValue b))) end-spec spec INSTANCE is sort Instance op name : Instance -> String axiom name is (fa (a: Instance b: Instance) (equal (name a) (name b))) end-spec spec OBJECT is sort Object op name : Object -> String axiom name is (fa (a: Object b: Object) (equal (name a) (name b))) end-spec spec GENERALIZATION is sorts Generalization, Specialization op name : Generalization -> String axiom name is (fa (a: Generalization b: Generalization) (equal (name a) (name b))) op discriminator : Generalization -> String axiom discriminator is (fa (a: Generalization b: Generalization) (equal (discriminator a) (discriminator b))) op isa : Specialization -> Generalization axiom isa is (fa (a: Specialization b: Specialization) (equal (isa a) (isa b))) op no-isa : Generalization -> String axiom no-isa is (fa (a: Generalization b: Generalization) (equal (no-isa a) (no-isa b))) end-spec spec NAMESPACE is sort Namespace op name : Namespace -> String axiom name is (fa (a: Namespace b: Namespace) (equal (name a) (name b))) end-spec spec GENERALIZABLEELEMENT is sort GeneralizableElement op name : GeneralizableElement -> String axiom name is (fa (a: GeneralizableElement b: GeneralizableElement) (equal (name a) (name b))) op isRoot : GeneralizableElement -> Boolean axiom isRoot is (fa (a: GeneralizableElement b: GeneralizableElement) (equal (isRoot a) (isRoot b))) op isLeaf : GeneralizableElement -> Boolean axiom isLeaf is (fa (a: GeneralizableElement b: GeneralizableElement) (equal (isLeaf a) (isLeaf b))) op isAbstract : GeneralizableElement -> Boolean axiom isAbstract is (fa (a: GeneralizableElement b: GeneralizableElement) (equal (isAbstract a) (isAbstract b))) end-spec spec CLASSIFIER is sort Classifier op name : Classifier -> String axiom name is (fa (a: Classifier b: Classifier) (equal (name a) (name b))) op isRoot : Classifier -> Boolean axiom isRoot is (fa (a: Classifier b: Classifier) (equal (isRoot a) (isRoot b))) op isLeaf : Classifier -> Boolean axiom isLeaf is (fa (a: Classifier b: Classifier) (equal (isLeaf a) (isLeaf b))) op isAbstract : Classifier -> Boolean axiom isAbstract is (fa (a: Classifier b: Classifier) (equal (isAbstract a) (isAbstract b))) end-spec spec CLASS is sort Class op name : Class -> String axiom name is (fa (a: Class b: Class) (equal (name a) (name b))) op isRoot : Class -> Boolean axiom isRoot is (fa (a: Class b: Class) (equal (isRoot a) (isRoot b))) op isLeaf : Class -> Boolean axiom isLeaf is (fa (a: Class b: Class) (equal (isLeaf a) (isLeaf b))) op isAbstract : Class -> Boolean axiom isAbstract is (fa (a: Class b: Class) (equal (isAbstract a) (isAbstract b))) end-spec spec ASSOCIATION is sort Association, Source, Target op name : Association -> String axiom name is (fa (a: Association b: Association) (equal (name a) (name b))) op isRoot : Association -> Boolean axiom isRoot is (fa (a: Association b: Association) (equal (isRoot a) (isRoot b))) op isLeaf : Association -> Boolean axiom isLeaf is (fa (a: Association b: Association) (equal (isLeaf a) (isLeaf b))) op isAbstract : Association -> Boolean axiom isAbstract is (fa (a: Association b: Association) (equal (isAbstract a) (isAbstract b))) op make-association: Source, Target -> Association op first: Association -> Source op second: Association -> Target axiom (equal (first (make-association d e)) d) axiom (equal (second(make-association d e)) e) constructors {make-association} construct Association theorem (equal p (make-association (first p) (second p))) end-spec spec ASSOCIATIONEND is sorts AssociationEnd op isNavigable: AssociationEnd -> Boolean axiom isNavigable is (fa (a: AssociationEnd b: AssociationEnd) (equal (isNavigable a) (isNavigable b))) op isOrdered: AssociationEnd -> Boolean axiom isOrdered is (fa (a: AssociationEnd b: AssociationEnd) (equal (isOrdered a) (isOrdered b))) op name: AssociationEnd -> String axiom name is (fa (a: AssociationEnd b: AssociationEnd) (equal (name a) (name b))) op aggregate: AssociationEnd -> String axiom aggregate is (fa (a: AssociationEnd b: AssociationEnd) (equal (aggregate a) (aggregate b))) op multiplicity: AssociationEnd -> Nat, Nat axiom multiplicity is (fa (a: AssociationEnd b: AssociationEnd) (equal (multiplicity a) (multiplicity b))) op changeable: AssociationEnd -> String axiom changeable is (fa (a: AssociationEnd b: AssociationEnd) (equal (changeable a) (changeable b))) end-spec % Part 2 diagrams - diagrams that implement each link between pairs of meta-classes - diagram ASSOCIATION-END-TYPE is nodes T1:TRIV, T2:TRIV, PAIR, ASSOCIATIONEND, CLASSIFIER arcs T1 -> ASSOCIATIONEND: {e -> AssociationEnd}, T1 -> PAIR: {e -> Left}, T2 -> PAIR: {e -> Right}, T2 -> CLASSIFIER {e -> Classifier} end-diagram diagram SPEC-PARTICIPANT is nodes T1:TRIV, T2:TRIV, PAIR, ASSOCIATIONEND, CLASSIFIER arcs T1 -> ASSOCIATIONEND: {e -> AssociationEnd}, T1 -> PAIR: {e -> Left}, T2 -> PAIR: {e -> Right}, T2 -> CLASSIFIER: {e -> Classifier} end-diagram diagram GEN-SUBTYPE is nodes T1:TRIV, T2:TRIV, PAIR, GENERALIZABLEELEMENT, GENERALIZATION arcs T1 -> GENERALIZABLEELEMENT: {e -> GeneralizableElement}, T1 -> PAIR: {e -> Left}, T2 -> PAIR: {e -> Right}, T2 -> GENERALIZATION: {e -> Specialization} end-diagram diagram GEN-SUPERTYPE is nodes T1:TRIV, T2:TRIV, PAIR, GENERALIZABLEELEMENT, GENERALIZATION arcs T1 -> GENERALIZABLEELEMENT: {e -> GeneralizableElement}, T1 -> PAIR: {e -> Left}, T2 -> PAIR: {e -> Right}, T2 -> GENERALIZATION: {e -> Generalization} end-diagram diagram OWNED-EL-NAMESPACE is nodes T1:TRIV, T2:TRIV, PAIR, MODELELEMENT, NAMESPACE arcs T1 -> MODELELEMENT: {e -> ModelElement}, T1 -> PAIR: {e -> Left}, T2 -> PAIR: {e -> Right}, T2 -> NAMESPACE: {e -> Namespace} end-diagram diagram ASSOC-SOURCE is nodes T1:TRIV, T2:TRIV, PAIR, ASSOCIATION, ASSOCIATIONEND arcs T1 -> ASSOCIATION: {e -> Source}, T1 -> PAIR: {e -> Left}, T2 -> PAIR: {e -> Right}, T2 -> ASSOCIATIONEND: {e -> AssociationEnd} end-diagram diagram ASSOC-TARGET is nodes T1:TRIV, T2:TRIV, PAIR, ASSOCIATION, ASSOCIATIONEND arcs T1 -> ASSOCIATION: {e -> Target}, T1 -> PAIR: {e -> Left}, T2 -> PAIR: {e -> Right}, T2 -> ASSOCIATIONEND: {e -> AssociationEnd} end-diagram diagram INSTANCE-CLASSIFIER is nodes T1:TRIV, T2:TRIV, PAIR, INSTANCE, CLASSIFIER arcs T1 -> INSTANCE: {e -> Instance}, T1 -> PAIR: {e -> Left}, T2 -> PAIR: {e -> Right}, T2 -> CLASSIFIER: {e -> Classifier} end-diagram diagram ATTRIBUTE-TYPE is nodes T1:TRIV, T2:TRIV, PAIR, CLASS, ATTRIBUTE arcs T1 -> CLASS: {e -> Class}, T1 -> PAIR: {e -> Left}, T2 -> PAIR: {e -> Right}, T2 -> ATTRIBUTE: {e -> Attribute} end-diagram % Part 3 constraints - colimit specs necessary to describe the OCL constraints - spec ASSOCIATION-CLASSIFIER-COLIMIT is import colimit of diagram nodes T1: TRIV, T2: TRIV, T3: TRIV, T4: TRIV, T5: TRIV, T6: TRIV, T7: TRIV, T8: TRIV, P1: PAIR, P2: PAIR, P3: PAIR, P4: PAIR, C1: CLASSIFIER, C2: CLASSIFIER, AE1: ASSOCIATIONEND, AE2: ASSOCIATIONEND, ASSOCIATION arcs T1 -> P1: {e -> Right}, T2 -> P1: {e -> Left}, T1 -> C1: {e -> Classifier}, T2 -> AE1: {e -> AssociationEnd}, T3 -> P2: {e -> Right}, T4 -> P2: {e -> Left}, T3 -> AE1: {e -> AssociationEnd}, T4 -> ASSOCIATION: {e -> Association}, T5 -> P3: {e -> Right}, T6 -> P3: {e -> Left}, T5 -> ASSOCIATION: {e -> Association}, T6 -> AE2: {e -> AssociationEnd}, T7 -> P4: {e -> Right}, T8 -> P4: {e -> Left}, T7 -> AE2: {e -> AssociationEnd}, T8 -> C2: {e -> Classifier} end-diagram % The AssociationEnds must have a unique name within the association axiom OCL1 is (fa(a: AE1.AssociationEnd b: AE2.AssociationEnd) (implies (equal (AE1.name a) (AE2.name b)) (equal AE1.a AE2.b))) % At most one AssociationEnd may be an aggregate or a composite axiom OCL2 is (fa(a: AE1.AssociationEnd b: AE2.AssociationEnd) (or (implies (or (equal (AE1.aggregate AE1.a) "aggregate") (equal (AE1.aggregate AE1.a) "composite")) (equal (AE2.aggregate AE2.b) "none")) (implies (or (equal (AE2.aggregate AE2.b) "aggregate") (equal (AE2.aggregate AE2.b) "composite")) (equal (AE1.aggregate AE1.a) "none")))) % The connected Classifiers of the AssociationEnds should be included % in the Namespace of the association axiom OCL3 is (fa(a: Association) (and (equal C1.Classifier (first a)) (equal C2.Classifier (second a)))) % No opposite AssociationEnds may have the same name within the Classifier axiom OCL4 is (fa(a: C1.Classifier b: C2.Classifier) (implies (equal (C1.name a) (C2.name b)) (equal C1.a C2.b))) end-spec spec GENERALIZABLEELEMENT-GENERALIZATION-COLIMIT is import colimit of diagram nodes T1: TRIV, T2: TRIV, T3: TRIV, T4: TRIV, P1: PAIR, P2: PAIR, GESUB:GENERALIZABLEELEMENT, GESUPER:GENERALIZABLEELEMENT, GENERALIZATION arcs T1 -> P1: {e -> Right}, T1 -> GESUB: {e -> GeneralizableElement}, T2 -> P1: {e -> Left}, T2 -> GENERALIZATION: {e -> Specialization}, T3 -> P2: {e -> Right}, T3 -> GENERALIZATION: {e -> Generalization}, T4 -> P2: {e -> Left}, T4 -> GESUPER: {e -> GeneralizableElement} end-diagram % A root cannot have any Generalizations axiom OCL5 is (fa(a: GESUPER.GeneralizableElement b: Generalization) (implies (GESUPER.isRoot a) (equal (no-isa b.Generalization) ""))) % No GeneralizableElement can have a supertype Generalization to an % element which is a leaf axiom OCL6 is (fa(a: GeneralizableElement) (equal (GESUPER.isLeaf GESUPER.a) false)) % The supertype must be included in the Namespace of the Generalization axiom OCL7 is (fa(a: GESUPER.GeneralizableElement b: Generalization) (equal (GESUPER.name GESUPER.a) b.Generalization)) end-spec
Example of Browsing Rose/UML Objects Portion of Specware’s Parse and Type/Theorem Checking Sample Debug Screen of Lecture UML Diagram Transformation Software GUI
Formal Verification of UML Diagrams Future Work Jeffrey Smith: Sanders and Northeastern University Mieczyslaw Kokar: Northeastern University, College of Engineering Ken Baclawski: Northeastern University, College of Computer Science Specware Graphical View of the Object-Instance-Generalization Specification • Expand on the set of meta-tools - future expansions include: • Translation of OCL constraints into a form consistent with math foundation • A metamodel analyzer that identifies metamodel elements, meta-attributes, meta-generalizations and meta-associations and helps with the identification of morphisms between these meta-elements and specific UML Formal Domain output • More of UML than existing core metamodel • Translation from a wider set of CASE tools • Extension of the UML Formal Domain to the level of Specware programming language primitives, supporting the potential of direct UML translation to any source code provided by Specware • Use of a wider set of theorem provers than currently built into Specware • Expansion of a CASE tool’s forward and reverse engineering functionality by including the UML Formal Domain as an intermediate representation to support richer and more complete code generation • Include reflective OCL constraints by either basing formalization on naïve set theory or building reflectivity into Specware • Contribute to future revisions of UML by streamlining redundant functionality and helping to improve the form and content of new revisions • Creation of semantics for commonly used rule based systems and translation of the UML form of these rules (and associated actions) to verifiably compose large business and military AI Systems • Develop the relationship between other theory based models, e.g. the one developed by Hartrum and Deloach,and the UML Formal Semantics constructed in this research Summary Formal Methods Systems CASE Tools Formalize UML - UML contributions Viable UML to Formal Methods translation Automation of human intensive processes UML Sample Execution