A formal verification framework for SysML activity diagrams
Introduction
A major challenge in software and systems development process is to advance error detection at early stages of their life-cycles. It has been shown that the cost of repairing a software flaw during maintenance is approximately 500 times higher than fixing it at early design phases (Baier and Katoen, 2008). Fig. 1 depicts bugs introduction, detection, and repair costs during software life cycle. It shows that only 15% of flaws are detected in the initial design phase, whereas the cost of fixing them at this phase is extremely beneficial as compared to fixing them at the testing phase. Therefore, an ambitious challenge is to accelerate the verification process of a product based on its design artifacts.
In system and software engineering, SysML (Systems Modeling Language) (OMG, 2007a) is a standard modeling language used for system applications. It reuses a subset of UML (Unified Modeling Language) packages (OMG, 2007b) and extends others with specific systems’ engineering features such as probability. Mainly, it covers four perspectives on systems modeling: structure, behavior, requirement, and parametric diagrams (OMG, 2007a.) Particularly, SysML activity diagrams are behavioral diagrams used to model system behaviors at various levels of abstraction (Holt and Perry, 2007.) In addition, they support systems composition by call behavior and send/receive artifacts. To verify these diagrams, the existing approaches (Andrade et al., 2009, Baldan et al., 2005, Banti et al., 2011, Carneiro et al., 2008, Debbabi et al., 2010, Elmansouri et al., 2011, Eshuis, 2006, Jansen et al., 2002, Jansen et al., 2003, Rafe et al., 2009) ignore probabilistic features, systems composition, and, they do not show the preservation of the system requirements while they use model-checking in general. In addition, they do not either formalize or prove the soundness.
Model checking is a formal automatic verification technique for finite state concurrent systems that checks temporal logic specifications on a given model. In addition to qualitative verification, quantitative verification techniques based on probabilistic model checkers (Baier and Katoen, 2008) have recently gained popularity. Probabilistic model checking offers the capability for interpreting probabilistically the satisfiability of a given property on systems that inherently exhibit probabilistic behavior. In our work, we use the PRISM probabilistic symbolic model checker (Kwiatkowska et al., 2011).
PRISM checks probabilistic specifications over probabilistic models. The specifications can be expressed either in the probabilistic computation tree logic (PCTL) (Baier and Katoen, 2008, Forejt et al., 2011) or in a continuous stochastic logic. The models can be described using the PRISM language as discrete-time Markov chains, continuous-time Markov chains, Markov decision processes (MDPs), or probabilistic timed automata. PRISM also supports probabilistic automata (PAs), but for simplicity, it refers to them by MDPs (Forejt et al., 2011). For the verification efficiency, the constructed models can be stored as binary decision diagrams (BDDs) and multi-terminal BDDs (MTBDDs). In addition, PRISM has built-in symmetry reduction and implements iterative numerical computations to overcome the state explosion problem (Baier and Katoen, 2008, Forejt et al., 2011).
Framework. In this paper, we are interested in the formal verification of probabilistic systems modeled as SysML activity diagrams. These diagrams can call and communicate with other diagrams and allow for probabilistic behavior specification. The overview of our proposed framework is depicted in Fig. 2. It takes a composition of SysML activity diagrams and PCTL properties as input.
Our framework is based on representing SysML activity diagrams to an equivalent PRISM model. The PRISM model checker verifies PCTL properties on the resulting model. And, we extract the adequate semantics model related to SysML activity diagrams. Then, we present the underlying semantics related to the produced PRISM model. Furthermore, we show that the relation between both semantics preserves the satisfiability of PCTL properties. In summary, the main contributions of this paper are described as follows.
- 1.
Developing an adequate semantics to capture formally SysML activity diagrams behaviors,
- 2.
Proposing a semantics for the used PRISM model.
- 3.
Proposing a mapping approach that transforms SysML activity diagrams into the PRISM input language.
- 4.
Implementing and applying our approach on real systems.
Motivation Example. An Automated Teller Machine (ATM) is a system that interacts with a potential customer via a specific interface and communicates with the bank over an appropriate communication protocol. This is modeled as SysML activity diagram that is depicted in Fig. 3(a). A user that requests a service from the ATM has to insert an ATM card (the action InsertCard) and enter a personal identification number (the action EnterPIN). Both information need to be sent to the bank for validation. This operation is represented in Fig. 3(b) by another SysML activity diagram that is called from the action CheckCard. If the credentials of the customer are not valid, the card will be ejected out (the action EjectCard). More specifically, the main diagram (Fig. 3) calls three diagrams in three different actions: Check Card, Authorize, and Transaction. The property to check is to measure the probability of authorizing a transaction after inserting a card. After applying our approach, we found that the probability value to satisfy this requirement is 0.84.
Paper organization. The remainder of this paper is organized as follows. Section 2 surveys the existing related work. The preliminaries needed for our work are presented in the next section. Section 4 describes and formalizes SysML activity diagrams. The semantics of PRISM models is presented in Section 5. The transformation algorithm is detailed in Section 6 and its soundness is proved in Section 7. Section 8 describes the experimental results. Finally, Section 9 concludes this paper and provides hints on the possible future works.
Section snippets
Related work
In this section, we cite the state-of-the-art related to the formalization and the verification of UML sequence, state machine, activity diagrams, and SysML diagrams. Then, we compare our framework to the existing ones.
Preliminaries
In this section, we describe SysML activity diagrams as presented in the OMG standard (OMG, 2007a). In addition, we present the probabilistic automata as a probabilistic modeling formalism and PCTL as a probabilistic temporal logic. These can further help understanding the functionality of SysML activity diagrams and formalizing them later on.
SysML activity diagram formalization
In this section, we formalize SysML activity diagrams by providing an adequate calculus that helps to formalize and prove the soundness of our approach.
PRISM formalization
In this section, we formalize PRISM by presenting its syntax and semantics. In our formalization, we focus more on the probabilistic automata model in PRISM.
Generally, a probabilistic system “S” that is described as a PRISM program “P” that comprises a set of n modules (), the state of each one is defined by the evaluation of a countable set of finite-ranging local variables. The global state of the system is the evaluation of the local variables () and the global ones () denoted by
The verification approach
This section describes the transformation of SysML activity diagrams into a PA written in PRISM input language. Algorithm 1 illustrates the transformation algorithm T that takes as input and returns its PRISM code image denoted by . The diagram is visited using a depth-first search procedure and the algorithm’s output produces PRISM synchronized modules. The algorithm is described as follows. First, the initial node is pushed into the stack of nodes denoted by nodes (line 5).
The transformation soundness
Our aim is to prove the soundness of the transformation algorithm T by showing that the proposed algorithm preserves the satisfiability of PCTL properties. Let be a NuAC term and is its corresponding PA constructed by the NuAC operational semantics denoted by such that . The function is defined previously to implement the transformation rules in order to produce a PRISM program such that . For the program , let be its corresponding PA constructed by the PRISM
Implementation and experimental results
In this section, we apply our verification framework on the online shopping system (Gomaa, 2011) and the Real Time Streaming Protocol (RTSP) 1 hypothetical application. The related SysML activity diagrams are modeled on Topcased2 then mapped into Prism code via our Java implementation. In the purpose of providing experimental results demonstrating the efficiency and
Conclusion
In this paper, we presented a formal verification framework to improve the model checking of SysML activity diagrams. To verify these diagrams, we have devised an approach that maps a set of SysML activity diagrams composed by call behavior and communication artifacts into the input language of the probabilistic model checker PRISM. We proposed a calculus dedicated to these diagrams that captures precisely their underlying semantics. In addition, we formalized PRISM language by showing its
References (39)
- et al.
An accessible verification environment for uml models of services
Journal of Symbolic Computation
(2011) - et al.
Formal verification and validation of UML 2.0 sequence diagrams using source and destination of messages
Electronic Notes in Theoretical Computer Science
(2009) - et al.
UML automatic verification tool with formal methods
Electronic Notes in Theoretical Computer Science
(2005) - et al.
Principles of model checking
(2008) - OMG. 2007. OMG Systems Modeling Language (OMG SysML) Specification. Object Management Group. OMG Available...
- OMG. 2007 OMG Unified Modeling Language: Superstructure 2.1.2. Object Management...
- et al.
SysML for systems engineering
(2007) - Andrade, E., Maciel, P., Callou, G., & Nogueira, B. (2009). A methodology for mapping SysML activity diagram to time...
- et al.
Specifying and verifying UML activity diagrams via graph transformation
- Carneiro, E., Maciel, P., Callou, G., Tavares, E., & Nogueira, B. (2008). Mapping SysML state machine diagram to time...