Formally Verifying Behaviour of fUML Models Using CSP. by Abdelhalim, Islam E.
University o f Surrey 
Faculty of Engineering and Physical Sciences 
Departm ent o f Computing
PhD Thesis
Formally Verifying Behaviour of 
fUML Models Using GSR
by
Islam E. A bdelha lim
Supervisor; Prof Steve Schneider 
Co-supervisor: Dr Helen Treharne
Surrey, 2012
ProQuest Number: 27558180
All rights reserved
INFORMATION TO ALL USERS 
The qua lity  of this reproduction  is d e p e n d e n t upon the qua lity  of the copy subm itted.
In the unlikely e ve n t that the au tho r did not send a co m p le te  m anuscrip t 
and there are missing pages, these will be no ted . Also, if m ateria l had to be rem oved,
a no te  will ind ica te  the de le tion .
uest
ProQuest 27558180
Published by ProQuest LLO (2019). C opyrigh t of the Dissertation is held by the Author.
All rights reserved.
This work is protected aga inst unauthorized copying under Title 17, United States C o de
M icroform  Edition © ProQuest LLO.
ProQuest LLO.
789 East Eisenhower Parkway 
P.Q. Box 1346 
Ann Arbor, Ml 4 81 06 - 1346
Contents
Contents i
List of Figures v
List of Tables vii
1 Introduction 9
1.1 Motivation .............................................................................................  9
1.1.1 Problem defin ition ...............................................................   9
1.1.2 O b jec tiv e ..........................   10
1.1.3 General approach.........................................................................  11
1.2 C ontributions.............................................................................................. 12
1.3 Thesis structure....................................................  14
2 Background Concepts 17
2.1 Formal methods ........................................................................................17
2.2 C S P ....................  19
2.2.1 Semantic m o d e ls ............................................................................. 20
2.2.2 Tool support  .......................................................................... 22
2.3 fU M L .......................................................................................................... 22
2.3.1 Differences between fUML and U M L 2 ........................................23
2.3.2 Example of an fUML activity d ia g ra m ........................................24
2.3.3 Genericity of the execution model ................................................26
2.3.4 Inter-objects communication mechanism in fUML...................... 27
2.3.5 Tool s u p p o r t .............................. ........................ ......................... 29
2.4 Model Driven Engineering.................................................... 29
2.5 Case stud ies.............................................................    30
2.5.1 Tokeneer ID Station subsystem ..........................  31
2.5.2 Gas Station S y s te m ....................................................................... 33
2.5.3 Cruise Control S ystem .................................................................... 34
CONTENTS
2.6 S u m m a ry ................................................................................................... 36
M odels Form alization and  O ptim ization:
L ite ra tu re  Review  37
3.1 Form alization.............................................................................................38
3.1.1 Semi-formal language ................................................................... 38
3.1.2 Formal la n g u a g e ............................................................................ 40
3.1.3 Transformation m echan ism ..........................................................41
3.1.4 Transformation objective .............................................................42
3.1.5 Formalization observations ......................................................... 48
3.2 O p tim iza tion .............................................................................................49
3.2.1 LTS optim ization............................................................................ 50
3.2.2 Formal model op tim iza tion ..........................................................52
3.2.3 Optimization observations............................................................. 53
3.3 S u m m a ry ................................................................................................... 54
fXJML M odel Form alization 57
4.1 Approach overview .............................................................................   . 58
4.1.1 Selected languages and tools .......................................................58
4.1.2 The framework of the approach....................................................59
4.1.3 Observed issues addressing ..........................................................60
4.2 The Model Form alizer............................................................................. 61
4.2.1 fUML to CSP mapping r u l e s .......................................................61
4.2.2 Modelling the fUML inter-object communication mecha­
nism in CSP  71
4.2.3 Objects creation and destruc tion .....................' ........................ 78
4.2.4 Putting the Model Forrnalizer’s processes to g e th e r ...................80
4.3 Testing the Model Form alizer.................................................................81
4.4 The formalization of the TIS fUML m odel........................................... 82
4.4.1 TIS fUML a c tiv itie s ...................................................................... 83
4.4.2 TIS CSP formalization................................................................... 84
4.4.3 Deadlock checking results with one u s e r .................................... 86
4.4.4 Deadlock checking results with two users .................................. 88
4.5 S u m m a ry ................................................................................................... 90
B ehavioural C onsistency Checking of U M L /fU M L  M odels 91
5.1 Approach overview ....................................................................................93
5.2 Extending the Model F o rm alize r........................................................... 94
5.3 Formalizing the TIS UML/fUML models...............................................97
5.4 Behavioural consistency checking........................................................... 98
5.5 S u m m a ry ..................................................................................................101
CONTENTS iii
6 Form alization  and  M odel Checking Feedback 103
6.1 Extending the formalization framework for fe e d b a c k ....................... 104
6.2 The Formalizability Checker..................................................................106
6.2.1 The implementation of the Formalizability Checker.......... 108
6.2.2 The Formalization R e p o rt...................  109
6.3 The UML Sequence Diagram G e n e ra to r ........................................... 109
6.3.1 The implementation of the UML Sequence Diagram Gen­
erator ...........................................................................................110
6.4 The Model Debugger............................................................................. 113
6.4.1 Preparing the information for the Model Debugger . . . . .  114
6.4.2 The implementation of the Model Debugger...........................116
6.5 S u m m a ry ................................................................................................ 116
7 Form alized fUM L M odels O p tim ization  117
7.1 Extending the framework for optimization  ..................... 118
7.2 The Optimization A dvisor..................... 120
7.2.1 fUML-Opti-Rule(l): Detecting self-sending s ig n a ls .......... 121
7.2.2 fUML-0pti-Rule(2): Detecting unacknowledged signals . . 123
7.3 The Model Optimizer .................................................  124
7.3.1 CSP-Opti-Rule(l): Removing passive processes......................125
7.3.2 CSP-0pti-Rule(2): Removing abandoned events .................. 126
7.3.3 CSP-0pti-Rule(3): Toggling internal choices .........................133
7.4 Proving the rules independence...........................  135
7.5 S u m m a ry ...................................................................................................139
8 T he In teg ra ted  Fram ew ork and  C om pass 141
8.1 The integrated fram ew ork.................................   142
8.2 The framework implementation: C om pass..................................  144
8.3 Using C om pass..........................................................................................145
8.3.1 Diagrams d ra w in g ......................................  145
8.3.2 Behavioural consistency checking   . . . 145
8.3.3 Deadlock check ing ........................................................................ 148
8.4 Compass accreditation............................................................................. 151
8.5 Summary  ........................................ 152
9 Conclusion and  F u tu re  W ork 153
9.1 Conclusion ................................................................................. 153
9.2 Contributions su m m a ry ...............  156
9.3 L im ita tio n s .............................................................................................   159
9.4 Future w o rk .......................................................................................   160
A T he Case S tudies UM L, fUM L and  C SP M odels 165
CONTENTS
B CSP M eta-m odel 168
C ETL Form alization R ules
C.l Operations ......................................................................................   169
C.2 R ules.................................................................................................................171
D Form alizability  Checker Checks 175
E Test M achine Specification 177
B ibliography 179
List of Figures
1.1 An abstracted framework for the approach..................................................11
2.1 Translation to and from fUML (from [88])..................................................23
2.2 UserActivity - Sample fUML activity d iagram ........................................... 26
2.3 Object activation s t r u c tu re ..........................................  28
2.4 TIS class diagram ...................................................   32
2.5 GSS class d ia g ra m ...........................................................................................34
2.6 CCS class d ia g ra m ...........................................................................................35
3.1 Semi-formal to formal model transformation  .................................. 37
3.2 Strong bisimulation equivalence (from [101])...............................................50
4.1 Approach framework architecture....................................................  59
4.2 The Model Formalizer internal architecture  ............................................67
4.3 Map-Rule(l) for transforming activities to CSP localized processes . . 68
4.4 Map-Rule(2) for SendSignalAction to a CSP subprocess.........................70
4.5 The event pool as a controlled buffer  ...........................  74
4.6 Controlled Buffer’s first and general n o d es .................................................. 74
4.7 Controlled Buffer with three n o d e s ...............................................................75
4.8 The buffer controller process for a three nodes event p o o l ......................76
4.9 Controlled N odes..........................     76
4.10 Application of Chase function........................................................................ 77
4.11 The complete definition of the Controlled Buffer  ............................ 77
4.12 The S Y S T E M ................................................................................................. 81
4.13 Testing an aspect from the inter-object communication.................   82
4.14 Segment of the Door Controller A ctiv ity .................................................. 83
4.15 The corresponding CSP process for the Door Controller activity Segment 85
5.1 Formalization framework a rc h ite c tu re ....................................  93
5.2 Map-Rule(ll) ETL and meta-models  .................  96
vi LIST OF FIGURES
5.3 Door Controller UML state d ia g ra m ..............................   98
5.4 Corresponding CSP process for the Door Controller state diagram . . 99
6.1 Formalization approach architecture with feedback.................................105
6.2 The automatically generated UML sequence diagram from FDR2 counter­
example ............................................................................................................ I l l
6.3 Detecting loops in the counter-example ................................................... 113
6.4 Finding the inconsistency using the Model D ebugger..............................114
7.1 The integration of the optimization components.......................................119
7.2 Part of the Pump object a c t iv ity .................................. ..................... ... . 122
7.3 The Meter object a c tiv ity ............................................................................ 123
7.4 fUML example to check fUML-Opti-Rnle(l)............................................. 136
7.5 fUML example to check fUML-Opti-Rule( 2 ) ............................................. 136
7.6 fllML example to check CSP-Opti-Rule(l)................................................ 137
7.7 fUML example to check CSP-0pti-Rule(2)................................................ 138
7.8 fUML example to check CSP-0pti-Rule(3)................................................ 138
8.1 The integrated fram ework............................................................................ 142
8.2 Compass - Checking UML/fUML consistency.......................................... 146
8.3 Debugging the inconsistency source using Com pass.................................147
8.4 Compass - iUML Model Deadlock Checking............................................. 148
8.5 Compass - Optimization Report and Disabling Options ........................150
B.l CSP Meta-model from [117]......................................................................... 168
List of Tables
4.1 The fUML to CSP Map-Rules ....................................................  64
5.1 The UML state diagram to CSP Map-Rules ............................................ 95
6.1 Some of the Formalizability Checker c h e c k s ............................................. 107
6.2 Sample of the Object-to-Class mapping table for the TIS subsystem . 110
6.3 FDR2 output and the corresponding SDX representation .................... I l l
6.4 Sample CSP-to-UML/fUML Mapping Table.... .......................................... 115
9.1 Epsilon in numbers .................. 156
D.l The rest Formalizability Checker checks  .....................   175
VII
Abstract
Transforming UML models into a formal representation to check certain proper­
ties has been addressed many times in the literature. However, the lack of auto­
matic formalization for executable UML models and provision of model checking 
results as modeller-friendly feedback has inhibited the practical use of such ap­
proaches in real life projects. In this work we address those issues by performing 
the automatic formalization of the fUML (Foundational subset for executable 
UML) models into CSP (Communicating Sequential Processes) without any in­
teraction with the modeller, who should be isolated from the formal methods 
domain. We mainly consider the formalization of systems that depend on asyn­
chronous communication between components in order to allow checking of the 
dynamic concurrent behaviour of systems.
We introduce also a novel approach for optimizing the generated CSP model using 
a group of mathematically proved optimization rules. The approach includes also 
providing the modeller with optimization advice for the fUML model to maximize 
the reduction in the state space.
We design an integrated framework that handles the formalization, feedback and 
optimization tasks. It is implemented as a plugin to MagicDraw (the CASE tool 
we use) that we call Compass which depends on Epsilon as a model transforma­
tion tool that utilizes the MDE (Model Driven Engineering) approach. Compass 
depends on FDR2 to perform the model checking for the CSP models.
In order to validate the approach and its implementation (Compass), we check 
three non-trivial case studies modelled in fUML. The formalization and the op­
timization results show the success for achieving our work objective.
Declaration
This thesis and the work to which it refers are the results of my own efforts. Any 
ideas, data, images or text resulting from the work of others (whether published 
or unpublished) are fully identified as such within the work and attributed to 
their originator in the text, bibliography or in footnotes. This thesis has not 
been submitted in whole or in part for any other academic degree or professional 
qualification.
I agree that the University has the right to submit my work to the plagiarism 
detection service TurnitinUK for originality checks. Whether or not drafts have 
been so-assessed, the University reserves the right to require an electronic version 
of the final document (as submitted) for assessment as above.
Acknowledgments
I have been very fortunate that so many people have supported me in different 
ways during my PhD studies, and I would like to acknowledge all of them.
A, special thanks to my main supervisor. Prof Steve Schneider, for his continu­
ous support and guidance during the three years with his enormous knowledge 
in my PhD field. I also wish to thank my co-supervisor. Dr Helen Treharne, 
for her support from day one and her invaluable help and contribution to our 
publications.
I could not have this quick start without the support from Dr Edward Turner 
who helped me in my research’s early stages to master the tools that I used along 
my research. Also many thanks to Mr James Sharp who helped me a lot to 
implement the fUML inter-object communication mechanism in CSP.
Many thanks to Prof Michael Goldsmith, Prof Bill Roscoe and Mr Philip Arm­
strong for discussion about implementing buffers in CSP. Thanks also to Prof 
Jim Woodcock for his discussion about the Tokeneer project, and Mr Ian Wilkie 
for his helpful information about fUML.
I am very grateful also to the University of Surrey/ Computing Department and 
its head. Prof Steve Schneider then Prof Anthony Ho, for their generosity to 
grant me a full scholarship to pursue my PhD studies. Many thanks also to the 
department’s administrative staff, Mrs Maggie Burton, Mrs Jan O’Connor and 
Mrs Judy Lowe, as well as all my colleagues in the department who participated 
in preparing such a perfect and productive environment for my study.
Finally, I would like to thank my parents who supported me by all means during 
all the stages of my education until the PhD. Also words cannot express how 
I am grateful to my wife who was standing by my side all the time to prepare 
the ideal environment for progression and success. I am very grateful also to 
my parents-in-law who were encouraging and supporting me along my studies. I 
cannot forget also my sons, Abdelrahman and Hamza, who were providing me a 
fruitful reason to complete my study.
Achievements
Most of the work in this thesis has been published as follows:
Journal paper:
□ Islam Abdelhalim, Steve Schneider and Helen Treharne. An Integrated Frame­
work for Checking the Behaviour of f  UML Models Using CSP. International Jour­
nal on Software Tools for Technology Transfer (STTT), Springer Berlin /  Heidel­
berg, Pages 1-22. 10.1007/sl0009-012-0243-0. 2012.
In ternational conferences:
□ Islam Abdelhalim, James Sharp, Steve Schneider and Helen Treharne. For­
mal Verification of Tokeneer Behaviours Modelled in fUML Using CSP. In Pro­
ceedings of the 12th International Conference on Formal Engineering Methods 
(ICFEMTO), Shanghai, China, Volume 6447 of LNCS, Pages 371-387, Springer, 
2010.
□ Islam Abdelhalim, Steve Schneider and Helen Treharne. Towards a Prac­
tical Approach to Check UML/fUML Models Consistency Using CSP. In Pro­
ceedings of the 13th International Conference on Formal Engineering Methods 
(ICFEM’ll ) ,  Durham, UK, Volume 6991 of LNCS, Pages 33-48, Springer, 2011.
□ Islam Abdelhalim, Steve Schneider and Helen Treharne. An Optimization 
Approach for Effective Formalized fUML Model Checking. In Proceedings of 
the 10th International Conference on Software Engineering and Formal Meth­
ods (SEFMT2), Thessaloniki, Greece, Springer, 2012.
Local conferences:
□ Islam Abdelhalim, Steve Schneider, Helen Treharne and James Sharp. Formal 
Verification of System Behaviours Modelled in fUML using CSP || B. Poster in 
the 7th Annual PhD Conference, University of Surrey, Department of Computing, 
2010 (BEST POSTER AWARD).
□ Islam Abdelhalim, Steve Schneider and Helen Treharne. Formal Verification 
of f  UML Models Using CSP. 8th Annual PhD Conference, University of Surrey, 
Department of Computing, 2011 (BEST PAPER PRESENTATION AWARD).
Chapter 1
Introduction
1.1 Motivation
The software development process of the safety-critical systems is massively com­
plex and difficult. Methodologies have been developed over the last 40 years, but 
still difficult to get right first time. The Ariane 5 disaster [5] is one of the most 
infamous examples of such failures in history resulting in a loss of more than $370 
million. Flight 501, which took place on the 4^  ^ of June 1996, was the first, and 
unsuccessful, test flight of the European Ariane 5 launch system. Due to an error 
in the software design the rocket veered off its flight path 37 seconds after launch 
and was destroyed.
Another recent example is the Toyota Prius brake problems in 2010 [20]. Due 
to a software bug, the vehicle’s Anti-lock Brake System (ABS) does not respond 
immediately for the driver input (less than a one-second lag). This means that a 
vehicle going 60 mph will have traveled nearly another 90 feet before the brakes 
begin to take hold. Toyota has recalled thousands of the sold Prius cars worldwide 
to do the software update. The company estimated its loss to be around $2 billion 
due to such recalls.
1.1.1 Problem definition
Having faults within the system model can cause massive loss of time and money 
during the implementation, testing and support phases to rectify these design 
errors. In other cases such design errors can cause a total failure of the project
9
10 CHAPTER 1. INTRODUCTION
as occurred with Ariane 5.
To avoid such problems, formal methods can be used to describe systems using 
mathematical rigour, and thus be able to analyze and verify models before being 
implemented. As an implementation for that concept, many formal languages 
have been developed for use within formal models.
Although those languages are supported with software tools that automate or 
interactively support the formal analyses and verification process, a considerable 
amount of mathematical knowledge and formal language awareness are needed 
to build the formal model and interactively prove theories against it.
Surveys have shown that using formal methods in industrial projects radically 
improves the overall quality, while the negative effect on the cost and time is 
small [126].
On the other hand, semi-formal languages in general and UML (Unified Modelling 
Language) [87] in particular have become very popular and well accepted for 
modelling systems specifications and design. UML provides various diagrams that 
are used to describe the system structure and behaviours from several viewpoints. 
However, UML models are just diagrams and cannot be analyzed or verified 
against certain behaviours to ensure conformance with functional correctness. 
Also there is no mechanism to ensure consistency between the model’s different 
views (diagrams). The UML CASE tools (e.g., MagicDraw [71] or Enterprise 
Architect [113]) main responsibility are to ensure eonformance with the UML 
syntax, leaving the semantics (informally described in the UML standard) to be 
followed by the modeller. In other words, it is the modeller responsibility to 
ensure that the model does not violate the UML standard semantics.
It is obvious that we have one problem (systems modelling) and two different 
approaches (formal and semi-formal modelling); both of them have advantages 
and disadvantages. What we aim to do in this work is to make use of both to 
provide a comprehensive approach which allows modellers to analyze and verify 
their models without the need for specialist mathematical knowledge.
1.1.2 Objective
To address the problem defined in the previous section, we proposed the following 
general objective to this PhD:
“To allow software engineers to formally verify systems modelled in a 
semi-formal language automatically, without the need for specialist mathematical
1.1. MOTIVATION 11
knowledge and in an effective and practical way”
1.1.3 General approach
The general approach of our work is to model the system using a semi-formal 
language and then transform the semi-formal model into a formal representation 
automatically. Consequently, this formal representation can be analyzed and 
verified using another tool that handles the model checking. Finally, for any 
error found, the model checking results (model checker output) are translated 
back to a modeller-friendly format that allows the modeller to identify the error 
cause. The approach isolates the modeller from dealing with the formal domain 
either during building the model or understanding the model checking results.
The formalization process in this work means transforming the semi-formal model 
into a formal one. The formalization is not limited to the semi-formal diagrams 
only, as it includes another aspects that exist in the semi-formal language stan­
dard. For example, representing the logic of the inter-object communication 
mechanism of the semi-formal model using the formal language. In some cases 
the formalizer (formalization tool) needs to take decisions on behalf of the mod­
eller to complete the formalization process. This should be done only if this 
decision is not precisely defined in the semi-formal standard.
In this work we use fUML (Foundational subset for executable UML) [88] as a 
semi-formal modelling language. The OMG (Object Management Group) [3] has 
developed the fUML specification with the purpose of enabling compliant mod­
els to be transformed into various executable forms for verification, integration, 
and deployment. On the formal side, we use the process algebraic specification 
language GSP (Gommunicating Sequential Processes) [106] as a formal language 
and FDR2 (Failures-Divergences Refinement) [41] as a model checker. Figure 1.1 
shows an abstracted framework for the approach.
M
Modeller
Semi-formal
Model ------►
(fUML)
 Model Formalization
Formal
-------► Model
(CSP)
Modeller-Friendly
Report
Modeller-Friendly 
Feedback Generation
Model Checker
Output
/ (counter-example)
Mode
Checker
FDR2)
Figure 1.1: An abstracted framework for the approach
12 CHAPTER 1. INTRODUCTION
Having the fUML model formalized into CSP allows for its checking against 
generic or non-generic properties. In this work, we focus on checking the dead­
lock freedom of an fUML model as a generic system property, and the UML/fUML 
consistency checking as a non-generic property. The proposed formalization ap­
proach is flexible enough to support more properties in the future (i.e., it is not 
built for those two properties only).
One distinguished point in this approach is that we consider asynchronous inter­
object communication. According to [39], asynchronous systems are closer to 
their implementation. They also relatively simpler and cheaper compared to the 
synchronous ones which require rigour synchronization of both communication 
sides. Our formalization includes the formal representation of the fUML asyn­
chronous inter-object communication mechanism. Unlike the UML2 standard 
[87], the fUML standard includes a detailed speciflcation about how objects com­
municate asynchronously with each other via signals.
To meet the effectiveness term in our work’s objective, the model checking time 
should be within appropriate limits. Also the state explosion problem that may 
happen during the model checking should be minimized as much as possible. For 
that reason, our approach considers applying some optimization techniques to re­
duce the model checking time. The semi-automated optimization approach makes 
use of having a constrained CSP model (as it follows certain formalization rules) 
to apply effective optimization rules that reduce the state space substantially.
Finally, to meet the practical term in our work’s objective, we implement this 
approach in the form of a software application called “Compass” that performs 
the formalization and the optimization automatically. Compass is developed to 
run under a modelling environment so the modeller can check the UML/fUML 
models seamlessly.
We investigate our approach using three case studies to verify the formalization 
and the optimization approaches. We have developed the fUML models of those 
case studies based on their existing specifications or another semi-formal models 
(e.g., xUML [73] or SysML [86]). The size of the three case studies is proportional 
to the real-life projects.
1.2 Contributions
Although much research exists on translating UML models to various formal 
representations, we have identified several issues that may inhibit the practical 
use of that research (explained in Chapter 3). Outlined below are the main
1.2. CONTRIBUTIONS 13
contributions of our approach to address those issues and achieve our work’s 
objective:
Using fUML as a semi-formal language
To our knowledge, ours is the first attempt to formalize the fUML standard. 
fUML benefits from a standardized meta-model which we can use in our auto­
matic model transformation. Also the transformation can be done from fUML 
without imposing restrictions on the model (as the restrictions are already in­
cluded in the standard due to its executable nature). If we were using UML2 we 
would have needed to impose a group of restrictions (or use a specific profile) to 
allow the automatic formalization.
Formalizing and evaluating the fUML inter-object com m unication mech­
anism
As outlined in the previous section, our focus is on formalizing the asynchronous 
systems. Formalizing (transformation from semi-formal to formal representation) 
these kinds of systems to analyze their behaviours has been addressed in a lim­
ited way in the reviewed literature due to the lack of a well-defined specification 
of such a communication mechanism in the semi-formal language standard. The 
well-defined specification of the asynchronous communication mechanism in the 
fUML standard helped us to achieve a contribution in this area by formalizing it 
into CSP.
The fUML standard also incorporates a degree of genericity by defining explicit 
semantic variation points. Which means that a particular execution engine can 
realize specific semantics for those points by providing specifications for them. 
Part of the inter-object communication mechanism in fUML has been left to be a 
semantic variation point (namely, the event dispatching schedule). The choice of 
the implementation of such a point may affect the execution model of the system. 
We use formal model checking to evaluate an implementation of the inter-object 
communication mechanism and its compatibility with an fUML model.
Im plem entation decision errors detection
Analysing the formalized fUML models allowed for detecting errors that could 
appear due to implementation decisions. That is mainly because fUML is a low 
level (executable) modelling language, and thus all the implementation decisions 
should appear in the fUML model. Most of the reviewed work focuses on the 
specification and design errors, except those who depended on xUML (Executable 
UML) [73] as a semi-formal language.
A bstract/E xecutable models consistency checking
Our approach includes the formalization of the UML state diagrams (beside the 
fUML model formalization) which can be used to describe the abstract behaviour
14 CHAPTER T INTRODUCTION
of the object. One of our contributions is that we check the behavioural consis­
tency between such abstract model and its corresponding executable one repre­
sented as an fUML activity diagram.
O b jec ts’ buffers op tim ization
Our work provides a novel technique to represent the objects’ buffers for the inter­
object communication mechanism in CSP. The new technique is more efficient 
than our initial attempts which inhibited us from compiling and analysing the 
large CSP models using FDR2. We are grateful to Michael Goldsmith for helping 
us achieve this contribution [44].
O ptim ization  for th e  form alization
The novel optimization approach that we introduce in this work is not generic. It 
is a specialized approach that is designed for generated formal models (i.e., auto­
matically generated from a semi-formal model based on a group of formalization 
rules). This specialization allowed for substantial reduction in the state space. 
Most of the reviewed literature in the formalization field does not consider the 
optimization issue.
M odel checking feedback
Providing a modeller-friendly feedback to the modeller to isolate him from the 
formal domain has been addressed to a limited extent in the literature. We 
address this issue in our work in a practical way that helps the modeller to 
understand the source of the problem (if found) within his UML/fUML model. 
One of the novel techniques that we use to address this issue is that we change 
the provided feedback based on the checked property.
1.3 Thesis structure
This thesis consists of nine chapters and four appendices. Chapter 2 gives a 
background about the formal language that will be used in this work (CSP [106]). 
The chapter focuses on the aspects and notations that will be used within the 
other chapters. It also introduces the fUML modelling language with some details 
about the fUML inter-object communication mechanism. The three case studies 
that we will consider are introduced at the end of this chapter.
Chapter 3 is a comprehensive literature review about the work that relates semi- 
formal languages to formal methods. The chapter categorizes the reviewed work 
based on different aspects; the semi-formal language, the formal language, the 
transformation technique and the formalization objective. The literature review 
includes also the work related to formal methods optimization. Finally, we con-
1.3. THESIS STRUCTURE 15
elude our observations by listing the points that have been covered in a limited 
way in the literature.
Chapter 4 explains our formalization approach to achieve our work’s objective. 
It starts with an overview about the approach and its framework. Most of the 
chapter focuses on one component in the framework which is the Model Formal­
izer. This includes the fUML-to-CSP mapping rules and how we modelled the 
fUML inter-object communication mechanism into CSP. At the end of the chap­
ter we discuss the model checking results of applying the approach on the first 
case study TIS (Tokeneer ID Station subsystem).
Chapter 5 shows how we extend our formalization approach to include the be­
havioural consistency checking between the UML/fUML models. The extension 
is mainly in the Model Formalizer component to be able to formalize the UML 
state diagrams as well. This includes the description of the additional fUML-to- 
CSP mapping rules. We use the same TIS case study to validate this extension.
Chapter 6 describes the various types of feedback that can be provided to the 
modeller during the formalization and after the model checking. The generation 
of such feedbacks requires adding three more components to the framework. The 
chapter describes those components in full detail and their relationship with the 
checked property. The chapter also introduces a new component, the Formal­
izability Checker, which makes sure that the input UML/fUML model can be 
formalized before being processed by the Model Formalizer.
Chapter 7 explains our optimization approach and how it fits within the formal­
ization framework. This includes the description of the optimization components 
which apply the optimization rules. We also include the mathematical proofs of 
those rules to validate their correctness with respect to the checked property. The 
chapter describes also the modifications that we made in the Model Formalizer 
component to handle the optimization approach. We use a second case study 
Cas Station system (CSS) for the validation of the new components.
Chapter 8 describes the integrated framework that includes all the previous com­
ponents. The chapter describes also how we implemented this framework as a 
software tool (Compass) that allows the modeller to model check his UML/fUML 
models without changing the modelling environment. The chapter includes screen 
shots from Compass while using it to model check our third case study, a Cruise 
Control System (CCS), for further validation.
Chapter 9 concludes all the achievements and the contributions included in this 
work. Finally, the chapter gives a brief description about our future work in this 
field.
16 CHAPTER 1. INTRODUCTION
Appendix A includes the UML, fUML and CSP models for the three case studies. 
Appendix B includes the CSP meta-model. Appendix C includes the used scripts 
to represent the formalization rules. Appendix D includes the Formalizability 
Checker checks. Finally, Appendix E includes the technical specification of the 
machine (computer) that we use to conduct the model checking in this research.
Chapter 2
Background Concepts
This chapter introduces briefly some basic concepts and techniques that we use 
in this work. The chapter also introduces the case studies that we use to verify 
and realize our approaches.
Section 2.1, introduces the concept of the formal methods describing how it can 
be useful along the software life cycle different phases, and the tool support 
for using them. Section 2.2, describes the CSP formal language which will be 
used extensively in this work. The section also illustrates the different semantic 
models for CSP and its tools support. Section 2.3, introduces the fUML semi- 
formal language with much detail. Section 2.4, gives a brief overview about the 
Model Driven Engineering approach and one tool that implements it. Finally, 
Section 2.5 introduces the three case studies that we will use in this work.
2.1 Formal methods
Formal methods are mathematical techniques, often supported by tools, for devel­
oping software and hardware systems [126]. Research in formal methods began in 
the 1960s [40, 52] and is still continuing with work which focuses on establishing 
mathematical rigour for analysing and verifying models during the requirements, 
design, implementation, and testing phases.
In the requirements phase, formal methods are used to represent the informal 
requirements (natural language) into a precise format. This in turn allows check­
ing, for example, completeness and consistency automatically using proof tools.
17
18 CHAPTER 2. BACHGROHND CONCEPTS
In the design phase, formal methods can be used in different ways for analysing 
the formal design and checking certain properties. Also it can be used to check 
refinement between the abstract formal requirements and the design model which 
contains more details. In the implementation phase, formal methods can be used 
for code generation. For example, Méry et al. [74] developed a tool that automati­
cally translates from Event-B [11] specification to a target programming language 
(C, C-7-f, Java and C#). Finally, formal methods can play an important role 
during the testing phase. For example, Ho are in [53] described the use of formal 
assertions for testing in contrast to program proving.
Formal methods have been used in different types of industrial projects across 
various sectors. These types include: real-time applications, distributed systems, 
transaction processing and high data volume. According to the survey [126] by 
Woodcock et a l, the usage of formal methods in the industrial projects massively 
increases the project quality (92%), while the negative effect on the project overall 
time and cost was very limited (12% and 7% respectively).
One or two dozen of formal languages have been created to support the theoretical 
concepts of formal methods. Most of those languages are supported by software 
tools to automate model checking and proving. In this work we use the process 
algebra Communicating Sequential Processes (CSP) [106] which is introduced in 
the following section. Many other formal languages used in our research area are 
introduced in Chapter 3.
Tools that automate the formal model analysis and verifying can be categorized 
in the following main categories:
M odel checkers: which build a state space based on the input mathe­
matical model, and then exhaustively explore all the states and transitions 
to check if the model satisfies generic (e.g., deadlock or livelock) or given 
properties.
Although model checkers are used mainly with finite models, they may face 
the state explosion problem if the model to be checked is too large. For 
that reason smart symmetric reduction techniques can be used to reduce 
the state space and decrease the computation time. For example, there are 
several symmetric reduction techniques that are implemented in the ProB 
model checker [67] such as: permutation flooding [68], nauty [118], and hash 
value [69].
P ro o f checkers: uses theorem provers to check certain properties (pred­
icates) against the formal model. The theorem prover is a computer pro­
gram that can prove mathematical theorems. Proving theorems is not a
2.2. CSP 19
fully automated process; it needs mathematical experience to interactively 
complete the proving through the proof checker.
Our work focuses more on using model checkers, as our work’s objective is to 
develop an approach that requires no mathematical knowledge to deal with it 
(see Section 1.1.2).
On the other hand, semi-formal languages have a precise syntax and non-rigorous 
semantics (i.e., the semantics is described in text only). As a result of this, semi- 
formal languages do not support automatic proving or checking against proper­
ties, as their main purpose is to visualize the system’s model.
2.2 CSP
Communication Sequential Processes (CSP) [106] is a modelling language that 
allows the description of systems of interacting processes using few language 
primitives. It has proved to be suitable at the level of: requirement specification, 
design specification, and also for the formal analysis of systems. CSP provides 
a well-established, theoretically thoroughly studied, and in industry applied for­
malism for the modelling and verification of concurrent systems [100].
In CSP, processes execute and interact by means of performing events drawn from 
a universal set S. Some events are of the form c.v, where c represents a channel 
and V represents a value being passed along that channel. Our work considers 
the following subset of the CSP syntax;
P ::= a —)• P  I c?x —> P{x)  | d\v —> P  
c\v7x : E  -)• P{x)  I Pi □ P2 
P i n  P2 I P i II P2 I P i  II P2 I P  \  A
A B A
let Ni = Pi , . . .  , Nn = Pn within P
if b then Pi else P 2  | RX • F{x)
STOP
The CSP process a P  initially allows event a to occur and then behave subse­
quently as P . The input process c?x —>■ P{x) will accept a value x along channel 
c (corresponding to performance of the event c.x) and then behave subsequently 
as P{x).  The output process civ P will output v along channel c (correspond­
ing to performance of the event c.v) and then behave as P . Processes interact by
20 CHAPTER 2. HACHGROHND CONCEPTS
synchronising on the events c.v. Channels can have any number of message fields, 
as a combination of input and output values, for example: c\v7x : E  —^ P[x).  
Also x can be constrained to be a value from the set E.
The choice Pi □ P 2 offers an external choice between processes Pi and P2 whereby 
the choice is made by the environment. Conversely, Pi □ P2 makes an internal 
choice between the two processes.
The parallel combination Pi || P 2 executes P\ and P2 in parallel. Pi can
perform only events in the set A, P2 can perform only events in the set B,  and they
must simultaneously engage in (i.e., synchronise on) events in the intersection of
A and B.  The interface parallel P% || P 2 requires synchronization only on those
a
events in the common set (interface) A. P% j| P2  is equivalent to Pi || P2 ,
a{Pi)  a{P2)
where Pi and P 2 synchronize on the intersection between their alphabets’ sets.
The process P \  A behaves like P except that the events from A have been 
internalized. In other words, all these events are removed from the interface of 
the process and no other process will be able to engage with them.
The l e t . . .  within statement defines P with local definitions Ni = P i. The condi­
tional choice if  b then Pi else P2 behaves as P% or P2 depending on the evaluation 
of the condition b. The process • F[x)  expresses the recursive call, where x 
is a process variable. Finally, STO P  is the simplest process which never does 
anything and never communicates.
2.2.1 Sem antic models
The CSP semantic models are the different ways that allow us to describe how 
processes behave with the environment. In this work we use two semantic models 
which have been described in [106]:
• Traces model
• Stable failures model
Traces m odel
Processes in CSP interact with their environment (another process, user, or com­
bination of both) through events in their interface. From one point of view of the 
process execution, two processes are considered to be equal if they behave with 
their environment in the same way. In other words, if the two processes produce 
exactly the same sequences of external events. In CSP those sequences are called
2.2. CSP 21
set of traces. For example, the process a b c STOP  has (a, 6, c) as a 
possible trace, but not (a, c, h) (i.e., it cannot perform c before b by any means).
Based on that concept, process P  is refined by process Q if the set of all possible 
traces that can be generated from process Q are a subset (or equal) to the traces 
that can be generated from process P. This definition can be expressed with the 
following notation;
P Ç t  Q
Stable failures model
In some cases the traces model are not sufficient to distinguish between CSP 
processes. For example, the processes P  and Q produces the same set of traces 
{(),(a),(6)}, yet process P  uses external choice and process Q uses internal 
choice.
P = a ^  STOP  □ & -> STOP  
Q = a ^  STOP  n 6 -> STOP
According to [106], the traces model is not appropriate when checking liveness 
properties, which are concerned with the behaviour a process is guaranteed to 
produce. The stable failures model is another semantic model that identifies the 
CSP process with set of pairs (traces and stable failures) associated with this 
process. A stable failure is a trace together with a set that might all be refused 
after that trace. Based on this approach P produces the following stable failures:
{((>.{}). ((«). {}). ({«). {“}). ({«>. {*’}). ((“>. {“. 6}), 
(W. {}). (W, {«}). (W ,  W ) ,  (W, {a, 6})}
While process Q produces the following:
{(0^ {a}), (0, {&}), ((a), {a, 6}), ((&), {a, &})}
It is obvious to notice that the stable failure model shows the discrimination 
between the processes because of the extra information associated with each 
process (e.g., Q can refuse {a} after () whereas P  cannot). This in turns allows 
additional specifications to be analyzed.
22 CBAPTER 2. BACKGROUND CONCEPTS
2.2.2 Tool support
CSP is supported by group of model and proof checkers tools. The best known 
model checker is FDR2 [41] (Failure Divergence Refinement) which has been 
available as a commercial product for more than 20 years. Also, ProB [67] is 
another example of a model checker that supports: CSP [106], B [10], Event- 
B [11] and CSP||B [107].
On the other hand, interactive theorem proving tools have also been developed, 
which complement the model checking techniques. In 1990 Camilleri [27] started 
this approach. In 1997 Tej et al. [115] published a corrected Failure-Divergence 
model for CSP implemented in the theorem prover Isabelle/HOL. Isobe et al. [58] 
presented in 2005 the CSP-Prover proof checker.
Our work is based mainly on FDR2 for verifying the system’s model behaviour. 
For example, FDR2 allows deadlock checking by performing tests to determine 
whether the process can reach a state in which no further action is possible. 
If a deadlock can occur, a trace (counter-example) leading to that deadlock is 
generated for debugging. FDR2 also allows processes to be compared with an 
abstract specification in order to check if the refinement properties are satisfied, 
and a counter-example is generated in case of failure.
2.3 fUML
As defined by OMG, fUML (Foundational Subset for Executable UML) acts as an 
intermediary between “surface subsets” of UML models and platform executable 
languages (e.g., Java) [88]. fUML models are executable models, which means 
they can be used by code-generators to generate full executable code directly 
from the models, or model-interpreters that rely on a virtual machine to directly 
read and run the models (e.g., fUML Reference Implementation [76]). Figure 2.1 
illustrates the concept of translating from the UML to fUML (rnodel-to-model 
transformation), and from fUML to the target platform language (model-to-text 
transformation).
2.3. FUML 23
fUML 
^  Subset
Surface 
(UML Subsets)
^  Platform 
Language
Figure 2.1: Translation to and from fUML (from [88])
fUML can be used to define a systems’ structural and behavioural semantics. 
Class diagrams and activity diagrams are used to represent the structural and 
the behavioural semantics respectively.
2.3.1 Differences between fUML and UML2
The standard defines the fUML by specifying the modifications to the original 
abstract syntax (of UML2) of the class and activity diagrams, which allows fUML 
models to be transformed to various executable forms. These modifications are 
specified in clause 7 of the standard by merging and excluding some packages 
in UML2 superstructure specifications [87]. For example, the following pack­
ages have been excluded from the UML2 abstract syntax: AssociationClasses, 
Dependencies, Interfaces, and PowerTypes.
Also additional constraints have been defined in the fUML standard, which will 
be combined with constraints already specified in UML2. For example, this is an 
additional constraint to any class:
“Only active classes may have classifier behaviours”
Listed below are some differences that have an impact on to the fUML mod­
els used within this work. All of the differences below are related to activity 
diagrams:
• Central buffer nodes are excluded from fUML because they were judged to 
be unnecessary for the computational completeness of fUML.
• Variables are excluded because the passing of data between actions can be 
achieved using object flows.
24 CHAPTER 2. BACKGROUND CONCEPTS
• Exception handlers are not included because exceptions are not included in 
njML.
• An expansion region may not have output pins (as an additional constraint 
to the ExpansionRegion).
• Opaque actions are excluded since, being opaque, they cannot be executed.
• Value pins are excluded because they are redundant with using value spec­
ifications to specify values.
The operational semantics of fUML is an executable model with methods written 
in Java, with a mapping to activity diagrams. The declarative semantics of fUML 
is specified in first order logic and based on PSL (Process Specification Language).
fUML is nearer to code (implementation) than abstract design models, to allow 
automatic generation of executable code. This means that the implementation 
details (decisions) appear in the fUML. In contrast, the UML design models in 
most of the cases are more abstract leaving the implementation details to the 
coder.
As our focus in this work is to analyze the system behaviours (not only the be­
haviour of each object separately), we have chosen to use the fUML standard in 
this research, compared to UML, because it has a clear specification about how 
objects are communicating with each other (the inter-object object communica­
tion mechanism). The UML standard does not include this kind of specification 
because it is not an executable modelling language.
Compared to the Executable UML (xUML) [73], fUML has simpler inter-object 
communication mechanism specification, which means that its formalization will 
lead to a relatively uncomplicated formal model. Also, having a formal declara­
tive and behavioural semantics of the fUML standard makes it more strict mod­
elling language compared to xUML. This in turns reduces the gap between the 
semi-formal and the formal models, and thus more direct formalization process. 
Finally, the unavailability of the xUML meta-model drives us to choose the fUML 
standard which has a published meta-model that can be used within the Model 
Driven Engineering (MDE) frameworks.
2.3.2 Example of an fUML activity diagram
fUML is a relatively a new standard (version 1.0 released in February 2011), and 
the unavailability of clear examples and case studies made it very hard to picture
2.3. FUML 25
how fUML models should look. For that reason we are dedicating this subsection 
to illustrate fUML models’ look and feel by the following part of a small example.
The considered fUML model describes a security system that controls the access 
to a secured enclave. To access this enclave, users should request an access using 
an electronic panel (UserPanel). The UserPanel communicates with the other 
system’s components and gets back to the user with the accessibility decision 
(allowed or denied).
The fUML model of the described system consists of two kinds of diagrams: 
First, a class diagram that shows the static structure of the system and how the 
components are related to each other (association, generalization, etc.). Second, 
the model will contain several activity diagrams, each describing the behaviour 
of the system objects (those objects are instantiated from the classes included 
in the class diagram). In this research we are going to use the following fUML 
elements:
• Activity: specifies the coordination of executions of subordinate behaviours, 
using a control and data flow model. It uses parameters to receive and pro­
vide data to the invoker.
• Initial node: the first node to be executed inside the activity.
• Final node: represents the end of the activity’s behaviour.
• ValueSpecification Action: injects constants and other value specifica­
tions into behaviour.
• AddStructuralFeatureValue Action: inserts or assigns a value to the 
structural feature of an object (e.g., class attribute).
• SendSignal Action: creates signals instances and transmits them to the 
target object.
• A cceptEvent Action: forces the object execution to wait for the occur­
rence of a specific signal event.
• D ecision Node: routes the flow to one of the outgoing edges (tokens are 
not duplicated).
• Expansion Region: groups actions and executes them n times iteratively; 
where n is the length of the input expansion node (array of objects).
• Create Object: creates an object of a specific classifier.
• D estroy Object: destroys a specific object.
26 CRAPTER 2. BACKGROUND CONCEPTS
UserActivity ( selfObj : U ser, upObj : U se rP an e l )J
L .
« V a lu e S p e c if ic a t io n »  
Values(FALSE) J
I
selfObj : User I-
upObj : UserPanel
« a d d S t ru c tu ra lF e a tu r e V a lu e »  
IsQulescent := TRUE
 '
Send(AccessReq \  
>C| uest) /
Accept(
AccessAllowed,
AccessDenied)
A ccessA llow ed A ccessD en ied
I To th e  res t of the  
id iag ram  ...
Figure 2.2: UserActivity - Sample FUML activity diagram
Grouping some of those elements in the depicted control/object flow (in Fig­
ure 2.2) describes a simple situation where the user is requesting to access the 
enclave, and then waiting until the system allows or denies his request. Initially 
the user’s status (represented by the variable isQuiecsent) is set to TRUE us­
ing the action addStructuralFeatureValue. As value pins are not handled in the 
fUML standard, we use the valueSpeciflcation action to inject the boolean value 
(TRUE). The user then sends the signal AccessRequest to the UserPanel object 
(up). After that, the user waits to receive one of the two signals: AccessAllowed 
or AccessDenied.
Notice that the diagram is very similar to UML2 activity diagrams, and this is 
because fUML is a subset of UML2 with some addition constraints.
2.3.3 Genericity of the execution model
The fUML standard does not restrict certain execution paradigms, as the stan­
dard takes into account the amount of research and commercial effort done to 
deffne the execution model of the executable UML. The standard approaches 
this kind of genericity by: leaving some key semantic elements unconstrained.
2.3. FUML 27
and defining explicit semantic variation points.
It is the responsibility of the fUML execution tool to define a rigorous specification 
for each of the following semantic elements:
The semantics of time (discrete time, continuous, etc.).
The semantics , of concurrency (concurrent threads will run: sequentially 
ordered, or partial or totally parallel).
The semantics of inter-object communications mechanisms.
On the other hand, the fUML standard defines default specifications for the 
following semantic variation points:
• Event dispatch scheduling.
• Polymorphic operation dispatching.
However, certain fUML execution tools may define alternative semantics (over­
ride) for those two points by overriding their default implementation.
In this research we are concerned with the inter-object communication mecha­
nism. The next section describes its semantics and the event dispatching schedul­
ing in more detail.
2.3 .4  Inter-objects communication mechanism in fUML
This section gives an overview about the semantics of the inter-objects com­
munication in fUML. The semantics are based on the available information in 
the fUML standard [88] clause 8. In fUML inter-object communication is con­
ducted between active objects only. Active objects in fUML communicate asyn- 
chronously via signals (kind of classifier).
After an active object is instantiated, a start object behaviour action is used to 
start one or more of its classifier behaviours. When the active behaviour of an 
active object is started, an object activation is created for that object. This object 
activation handles the dispatching of asynchronous communications received by 
its active object. Figure 2.3 shows the structure related to object activation.
28 CHAPTER 2. BACKGROUND CONCEPTS
Active Object
_____________________ Waiting Event
Event Pool j Accepters
Object Activation
Figure 2.3: Object activation structure
The object activation maintains two main lists. The first list (event pool), holds 
the incoming signal instances to this object and waiting to be processed. The 
second list (waiting event accepters), holds the event accepters that have been 
registered by the executing classifier behaviour. The event accepters for an active 
object are points within the executing classifier behaviour of the object that are 
waiting for certain (signal reception) events. Currently in fUML, event accepters 
are defined only for accept event actions.
To clarify how active objects communicate asynchronously in fUML, we are listing 
below the execution steps when object A sends a signal {sigl) to object B:
1. Object B reaches an accept event action for signal sigl.
2. Object B executing classifier behaviour registers an event accepter for sigl 
and adds it to the list waiting event accepters for object B.
3. Object A sends the signal sigl to object B using the send signal action.
4. This action passes the signal sigl to the object activation of object B.
5. The object activation places sigl in the event pool of object B waiting to 
be dispatched. At this point the sending operation has been completed, 
and object A may continue execution.
6. The classifier behaviour for object activation is a simple dispatch loop. So, 
when sigl arrives to the object activation of object B, the object activation 
sends ArrivalSignal to itself after sigl is placed in the event pool.
7. The dispatch loop waits for ArrivalSignal and, when this happens, it calls 
the dispatchNextEvent operation. This operation dispatches a single signal 
instance [sigl ) from the event pool. Once this is completed, the dispatch 
loop returns to wait for another signal to arrive.
8. Once sigl is selected for dispatch, it is matched against the list of waiting 
event accepters for object B.
9. The match is found, so the signal instance is passed to the event accepter.
2.4. MODEL DRIVEN ENGINEERING . 29
The dispatchN extEvent operation defines how signals will be dispatched from the 
event pool. However, according to the fUML standard, the exact behaviour to be 
specified for this operation is a semantic variation point. The default dispatching 
behaviour is given by the concrete FIFOGetNextEventStrategy, which dispatches 
events on a first-in first-out (FIFO queue) basis. Any variant behaviour must 
be fully specified by overriding the behavioural specification of the dispatchNex­
tEvent operation.
2.3.5 Tool support
As the fUML standard has been published recently, there are very few tools 
available to support it. The first fUML model-interpreter is the fUML Reference 
Implementation [76] that accepts an XMI file compatible with the fUML standard 
as an input and provides an execution trace of the selected activity model(s) as 
its output. Thanks to the tool authors who included a number of examples which 
guided our understanding of how fUML models should look.
The second tool is the CAMEO Simulation Toolkit [1] which provides a model 
execution framework based on the fUML and the W3C SCXML standards. It 
extends the CASE tool (MagicDraw) to validate system behaviour by executing 
and animating the models in the context of realistic mock-ups of the intended 
user interface.
For authoring the fUML diagrams in this work, we use MagicDraw [2] as a CASE 
Tool. MagicDraw is an (award-winning) architecture, software and system mod­
eling CASE tool. One of the most distinguishing features in MagicDraw, is that 
third-parties can extend its functionality using additional plugins. MagicDraw 
provides a group of Application Programming Interfaces (APIs) to allow the plu­
gins to have an internal access for the CASE tool. For example, developers can 
use such APIs to redraw some elements of the activity diagrams with special 
effects.
2.4 Model Driven Engineering
Model Driven Engineering [42] (MDE) is a software development approach in 
which abstract (source) models are transformed into concrete (target) implemen­
tations based on a group of transformation rules. The transformation rules define 
how each source element will be represented in the target model based on the 
source/target meta-models. The Meta-model (model of the model) is a model 
that defines the elements of the instance model (e.g., UML class diagram) and the
30 CHAPTER 2. BACKCROUNE CONCEPTS
relation between its elements. The automatic code generation from the system 
software model is one implementation of the MDE approach.
Currently, there are lots of supporting tools for MDE, among which the Epsilon 
[64] model management framework is a leading example. Epsilon is a family of 
consistent and interoperable task-specific programming languages which can be 
used to interact with models to perform common MDE tasks such as code gen­
eration, rnodel-to-model transformation, model validation, comparison, merging 
and refactoring. Each task-specific language provides constructs and syntax that 
are tailored to the specific task. We use the following languages in this work 
(detailed in [64]):
Epsilon Transformation Language (ETL): A rule-based model-to-model trans­
formation language that supports transforming the source model to the tar­
get one based on transformation rules, as well as the ability to query and 
modify both source and target models.
Epsilon Generation Language (EGL):A template-based model-to-text lan­
guage for generating any textual artifacts from models. EGL supports 
mixing generated with hand-written text and template coordination.
Epsilon Validation Language (EVL): A model validation language that sup­
ports model consistency checking and constraint dependency management.
2.5 Case studies
To achieve the objective of our research stated in Section 1.E2, we must use 
realistic software models to realize and verify our approach. Depending on toy 
examples for this task is not enough. For that reason, we use three different 
UML/fUML models for non-trivial case studies in this work. As our focus in this 
research on the behavioural analysis of the systems, we do not use case studies 
with complicated structure (modelled in the class diagram). For example, the 
generalization (inheritance) relationship does no exist in the case studies’ class 
diagrams as it will not affect the overall behaviour of the system.
The case studies vary from each other according to their complexity (i.e., the 
needed number of states to be explored to model check their CSP formal repre­
sentation). This complexity is proportional with the number of communicating 
active objects in the system, as well as the behavioural complexity (e.g., large 
number of possible branches) of each active object.
2.5. CASE STUDIES 31
The following sections introduce those case studies and the following chapters 
will discuss the results of applying our formalization approach on them.
2.5.1 Tokeneer ID Station subsystem
The Tokeneer project [18] is one of the most interesting pilot projects forming 
part of the Verified Software Initiative [55], and has been cited by the US Na­
tional Academies as exemplifying best practice in software engineering [61]. The 
project was certified to Common Criteria Level 5 and in the areas of specification, 
design and implementation achieving Levels 6 and 7. The Tokeneer project re­
developed one component (Tokeneer ID Station (TIS)) of a Tokeneer system that 
was developed by the NSA (National Security Agency) to provide protection to 
secure information held on a network of workstations situated in a physically se­
cure enclave. A survey of other projects using formal methods has been discussed 
in [126].
The entire project archive has been released [12] for experimentation by re­
searchers. This includes the project specifications written in Z [19] and an open 
source implementation. Woodcock and Aydal [124] have conducted several ex­
periments using model-based testing techniques to discover twelve anomalous 
scenarios which challenged the dependability claims for Tokeneer as a security- 
critical system. Several of the scenarios highlight the importance of the behaviour 
of the user because one of the security objectives for Tokeneer is to prevent acci­
dental, unauthorised access to the enclave by a user. The user was not formally 
modelled in the Z specification [12]. We also note the important of the user in 
our analysis.
Our motivation for using the Tokeneer project as a case study is not to re-validate 
the project but rather to investigate the concurrent behaviour of the various 
components of the TIS subsystem in the context of asynchronous communication. 
The correspondence between the TIS formal specifications [12] and our TIS fUML 
model is not a one-one relationship.
Our TIS fUML model contains more implementation details that are abstracted 
in the TIS Z specifications. Therefore, our formal analysis benefits from being 
able to examine the low level details of asynchronous communication. Such an 
analysis allows us to investigate potential deadlocks which might occur if the 
formal specifications were implemented using such communication mechanisms.
The components of interest in the TIS subsystem are represented in the class 
diagram in Figure 2.4. As the system behavioural analysis is our objective in 
this research, we do not formalize the class diagram, and its inclusion is just to
32 CHAPTER 2. BACKGROUND CONCEPTS
illustrate the relationship between the system’s components.
receives input from
provides input to
accesses paneiused by
Alarm can activate
isAlarming : boolean
accesses controlleractivated byuses
Door Controller
controls controlled by
User PanelUser
Door
isOpen : boolean 
isLocked : boolean
Figure 2.4: TIS class diagram
Door: This is the physical enclave’s door that the user opens to access the 
secure enclave. It has no intelligent behaviour as it is entirely controlled by 
the door controller component. The two main attributes of this component are: 
isOpen attribute which indicates the status of the door (opened or closed), and 
the isLocked attribute which indicates the status of the door’s latch (locked or 
unlocked).
D oor C ontro ller: This component controls the door’s latch status {isLocked) 
by setting its value based on the incoming signals from the User Panel. It also 
manages two timers: the first timer watches if the door is kept closed and un­
locked, and the second timer watches if the door is kept opened and locked.
User: This component models the user behaviour within the system. He is 
responsible for requesting enclave entry, and opening the door in case it was suc­
cessfully unlocked by the User Panel. He is also responsible for closing the door 
after accessing the enclave. The system may serve more than one user at the 
same time.
U ser P anel: This component models the behaviour of the panel used by the 
user to gain access to the enclave. It is responsible for deciding whether the user 
is allowed to access the enclave or not.
2.5. CASE STUDIES 33
A larm : This component holds the status of the alarm (alarming or silent), based 
on the setting/resetting by the Door Controller component to the isAlarming 
attribute.
In the TIS fUML model, all objects (of the above classes) which have interesting 
behaviour have associated activity diagrams. The Alarm object is a simple data 
holder and thus no activity diagram is associated with it. The activity diagrams 
of the TIS subsystem are given in Appendix A.
The distinguished point in the TIS case study (compared to the incoming two), 
is that it shows how the formalization can help in the analysis of having several 
instances of the same class in the system (two concurrent users) and the effect 
on the overall behaviour. Additionally, the representation of the TIS objects’ 
behaviours in the form of an abstracted UML state diagrams and concrete fUML 
activity diagrams, allowed for checking their behavioural consistency as will be 
shown in Chapter 5.
2.5.2 Gas Station System
The TIS case study is very useful to validate the formalization in general and 
analyzing the system concurrency; however, its model checking (using FDR2) is 
very fast which makes it not suitable for validating our optimization approach 
(as the optimization effect will not be noticed). For that reason, there was a need 
to include another more complicated case study to our research.
Raistrick et al. used part of the Gas Station System (GSS) executable UML 
model as an example in their book [97] and they included the whole model on 
the accompanied CD. Based on that model, we have developed the GSS fUML 
model using MagicDraw to be our second case study. The GSS model is more 
complicated than the TIS one as it consists of nine active objects communicating 
with each others, besides the complicated behaviour of some objects. The model 
also contains dynamic object creation/ destruction (i.e., some objects are created 
during the runtime and then destructed afterwards) which was not considered 
in the TIS fUML model. Figure 2.5 depicts the nine active classes and the 
relationships between them.
34 CHAPTER 2. BACKGROUND CONCEPTS
Pump
+pumpNumber : Integer 
+tankNumber : Integer
«te rm ina l> :
Meter
« te rm in a l»
TankOperator
Transaction
« te rm in a l»
Attendant
« te rm in a l»
Gun
« te rm in a l»
Motor
+tankNumber : Integer 
+gradeName : String 
+tankEmptyFlag : Boolean 
+tankLevel : float 
+tankCapacity : float 
+emptyIfireshold : float
Tank
+transactionNumber : Integer 
+pumpNumber : Integer 
+transactionType : Integer 
+cost : float
+transactlonProcessTime : String 
+deliveryStartTime : String
+time : String 
+pumpNumber : Integer 
+volumeDellvered : float 
+cost : float
Delivery
Figure 2.5: GSS class diagram
The GSS models the software that controls the fuel delivery through the pumps 
in the gas station. Each pump in the system has a Gun that the customer uses to 
trigger the fuel pumping, a Motor that performs the fuel suction, and a Meter that 
sends the pumped fuel amount during the delivery. The fuel is provided to the 
pump from a Tank which has the ability to check the fuel level inside it. The Tank 
Operator is responsible for filling the Tank in the case where the fuel becomes 
lower than a certain threshold. The Attendant initiates the delivery process 
when it is requested from the customer. The Delivery component manages the 
delivery process and the calculations of the pumped fuel and its cost, and when 
the delivery is finished it creates the Transaction which stores all the information 
about this delivery. The reader can refer to Appendix A for the activity diagrams 
that represents the behaviours of the GSS fUML model classes.
The complexity of this case study makes it interesting to validate our optimization 
approach and challenge checking its corresponding CSP model using FDR2.
2.5.3 Cruise Control System
Having one case study to validate our optimization approach is not enough. To 
increase our confidence with the formalization and optimization approaches and 
at the same time examine Compass user experience, we add a third case study 
to our work.
2.5. CASE STUDIES 35
The Cruise Control System (CCS) model is a large example included in the 
CAMEO Simulation Toolkit [1]. The original model is represented using the 
SysML modelling language. We redesigned part of the CCS in fUML using Mag­
icDraw to be our third case study. The CCS fUML model includes eight active 
objects communicating with each others asynchronously. The class diagram in 
Figure 2.6 shows the CCS model components and their relationships.
« t e r m in a l»
Driver
Vehicle
-mass : float ; 
-isForward ; Boolean
1 1
pre_error ; float 
actSpeed : float 
-refSpeed : float 
-Integral :.float 
IGaln ; float 
IsEngaged : Boolean 1
CrulseControlier
............. : r..
Display ThrottieActuator
-throttlePos : float
PedalSensor
MotlonSensor
BrakeActuator
hbrakePos ; float
Figure 2.6: CCS class diagram
The CCS case study models the system that the driver can use to sustain the 
vehicle on a certain speed. This is initiated by pressing a button that engages 
the CCS which captures the current speed and starts controlling the speed. The 
CCS depends mainly on a feedback loop that estimates the current vehicle speed 
using the Motion Sensor readings and then controls the throttle and the brake 
actuators to maintain the initial (captures) speed. Once the driver presses the 
disengage button or presses any pedal, the CCS disengaged automatically leaving 
the full control to the driver.
Although the CCS fUML model does not introduce new elements or mechanisms, 
validating it is important for further realization for our formalization approach 
on a safety-critical system that requires this kind of the formal verification. The 
model is a bit more complicated than the CSS one (as it contains more active 
objects), so we can further investigate the effect of our optimization approach. 
Finally, Chapter 8 illustrates how we use the CCS case study to demonstrate
36 CHAPTER 2. BACKGROUND CONCEPTS
Compass usage models.
2.6 Summary
We introduce in this chapter the basic concepts that we will use throughout the 
thesis. Introducing the formal methods in general and the CSP formal language 
in particular provides all the needed information to understand the CSP processes 
that will appear in the next chapters. Also introducing the fUML standard and 
its inter-object communication mechanism is very important to understand the 
following chapters.
Finally, we introduce the three case studies that we use in this research. For each 
of the case studies, we describe the rationale behind adding it and the challenges 
it addresses. The next chapters will show how those case studies enrich our 
research and give more confidence of its applicability.
Chapter 3
Models Formalization and 
Optimization: 
Literature Review
The formalization of semi-formal models is the process of transforming semi- 
formal models into formal models for formal verification and analysis using model/proof 
checkers. Figure 3.1 shows a schematic diagram for the formalization process 
showing the three components involved in this process:
• Source: Semi-formal language;
• Transformation mechanism;
• Target: Formal language.
However, the key component that controls the usage of these components is the 
formalization objective, i.e., why is the formalization of the semi-formal model 
necessary?
TransformationSemi-formalModel
Formal
Model
Figure 3.1: Semi-formal to formal model transformation
37
CHAPTER 3. MODELS FORMALIZATION AND OPTIMIZATION:
38 MTERATHRE
The following sections will show that there are much research work that has been 
done on formalizing semi-formal models using different formal languages. Also 
various transformation mechanisms are used to handle the transformation serving 
different objectives. In the view of the formalization process components, we will 
discuss the previous work done in this area.
Further, we will also discuss the previous work done to optimize the resulting 
formal model after the formalization to avoid the state explosion problem during 
the model checking.
At the end of the formalization and the optimization main sections, we will outline 
our observations resulting from the analysis of all the reviewed literature, such 
observations were the main influences on our work’s contributions.
Section 3.1 includes all the reviewed work related to formalizing semi-formal 
models into formal ones. We will focus on the recent distinguished work in that 
field. Section 3.1.1 categorizes the previous work based on the used semi-formal 
language. Section 3.1.2 categorizes them based on the used formal language. Sec­
tion 3.1.3 describes the different transformation mechanisms used. Section 3.1.4 
describes the different transformation objectives. In Section 3.1.5 we report our 
observations about all the reviewed literature in this field. Section 3.2 includes 
all the reviewed work related to the formal models optimization. Section 3.2.1 
describes the different optimization techniques which are applied on the LTS 
(Label Transition System) level, while Section 3.2.2 describes the techniques that 
are applied of the formal model level. Section 3.2.3 reports our observations on 
the formal models optimization techniques in general and their relation to the 
semi-formal models formalization.
3.1 Formalization
3.1.1 Semi-formal language
Our definition for the semi-formal languages, are those that only precisely define 
syntax, but their semantics is ambiguous. Also they are not supported by model 
checkers or proof checkers tools. Semi-formal notations have been widely used 
in different kinds of industrial projects. For example, UML [87] (as the most 
known semi-formal language) is popular among software practitioners because it 
is simple, intuitive, and a widely accepted graphical notation.
Most of the reviewed literature depended on standard UML as a semi-formal 
language, and most of them focused on the class, state, and/or sequence diagrams
3.1. FORMALIZATION 39
formalization [75, 62, 81, 17, 133, 66, 14, 110, 91, 78, 21, 63, 65]. Formalizing the 
system’s class diagrams allows for verifying some static properties of the system 
architecture or checking the consistency between them and other UML diagrams 
types (e.g., checking the consistency between a class diagram and a sequence 
diagram that represents a scenario of one of its objects). The formalization of the 
system’s state diagrams can be useful to verify/analyze the objects’ behaviour, 
however; the low level implementation decisions do not appear in them, and thus 
will not appear in the formal representation.
The authors in [116, 39, 128] considered the standard UML activity diagram for 
formalization, but without considering the inter-object communication as their 
focus was analyzing the behaviour of each object separately.
All the previously mentioned work used the standard UML diagrams as a semi- 
formal representation without imposing any restrictions on them. We would 
argue that this approach is not practical because of the big gap between the 
flexible UML standard and the formal domain, as well as its missing for some 
important specifications such as the inter-object communication mechanism.
The authors in [13, 24, 28, 26, 25, 15, 95] suggested augmenting the UML dia­
grams with OCL (Object Constraint Language) to impose more constraints on 
the input UML model. Others suggested using more constrained UML standard 
profiles such as [98, 111] who used UML-RT profile, [77] who used MARTE profile 
(a standard UML profile for real-time and embedded systems development), and 
[132] who used SysML profile.
Stephen Mellor and Marc Balcer [73] provided an xUML (Executable UML) pro­
file which supports the execution (enaction) of UML models by the aid of simu­
lation tools. Some works such as [119, 48, 45, 127] considered xUML as a good 
candidate to be used as a semi-formal modelling language as it gave them suitable 
constraints that make the formalization process more direct.
Using an executable model for the semi-formal language reduces the gap between 
it and the formal domain; however, the unavailability of the xUML meta-model 
obstructs its formalization, especially when considering an MDE tool to handle 
the transformation.
The literature also includes a body of work that considered semi-formal notations 
other than UML. For example, the authors in [70] studied formalizing the Ada 
Rendezvous Flow Structure notation [114], and the authors in [103] used the 
Statemate Statecharts [32] as a semi-formal notation.
CHAPTER 3. MODELS FORMALIZATION AND OPTIMIZATION:
40 LITERATURE REVIEW
3.1.2 Formal language
The formal languages listed below are used as a target for the source semi-formal 
languages. Each author chooses the formal language that is more convenient 
to his work objective and the used checking approach (model checking or proof 
checking). The availability of tools for a particular formal language also plays 
an important role in that decision. For example, [48] justified their use for the 
mCRL2 [46] is strongly motivated by the availability of powerful verification tools.
The following list includes a subset of the formal methods that have been used 
for the semi-formal model formalization:
AGP (Algebra of Communicating Processes) [16] used in [70];
Alloy [59] used in [15];
B [10] used in [14];
CSP [106] used in [81, 65, 128, 89];
CSP (Constraint Satisfaction Problem) [72] used in [24, 26, 25];
LOTOS [4] used in [78, 132]; 
mCRL2 [46] used in [48];
Z [23] used in [13, 94];
Object-Z [35] used in [75, 62];
Petri Nets [80] used in [116, 30];
Promela [56] used in [133];
Circus [105] used in [98];
CSP |] B  [107] used in [119];
Booster [33] used in [28].
As can be noticed, no one formal method has been extensively used than the 
others (i.e., almost equally weighted). We could not find a particular pattern 
maps between the used formal method and the transformation objective. How­
ever, most of the work that studies the system behaviours analysis depends on 
a process algebra formal method which can describe the system’s components 
interaction and has a tool support. For example, [81, 65, 128, 89] used the CSP, 
[70] used ACP, and [48] used mCRL2.
3.1. FORMALIZATION 41
3.1.3 Transformation mechanism
With regards to how the transformation is done from a semi-formal language into 
a formal one, the research can be classified under the following three categories:
• Manual transformation;
• Automatic transformation;
• Automatic transformation using MDE techniques.
Here we introduce these mechanisms and in Chapter 4 we discuss the justification 
of using an MDE technique to perform the transformation from fUML to CSP.
Manual transformation
In this category the transformation is done manually based on certain mapping 
rules. The rules maps between the elements of the semi-formal model and their 
corresponding formal representation. A cohesive formal representation of the 
semi-formal model should be the result of applying those mapping rules. The 
authors in [98, 70, 13, 14, 78, 45] followed this approach.
It is obvious that the manual transformation approach is not scalable for the 
large semi-formal models. Also, the amount of time, effort and the possibility of 
human errors make this approach not practical for the usage in real-life projects.
Automatic transformation
This category also depends on mapping rules; however the work in this category 
considers using a software tool that apply the rules automatically. For example, 
Miao et al. [75] developed a tool called OZRose to transform from UML to 
Object-Z. Cabot et al. [25] developed a tool called UMLtoCSP to transform 
from UML to CSP (Constraint Satisfaction Problem). Jesus et al. [60] developed 
a tool that transforms Simulink models to CSP called Sim2Csp based on mapping 
rules. The same for the authors in [15] who developed UML2Alloy. Many other 
authors follow this approach such as [81, 17, 133, 28, 89, 63].
The implementation of the transformation technique can vary from one tool to 
another; however, neglecting the source/target languages meta-models and de­
pending directly on the models to do the model-to-text transformation, reduces
CHAPTER 3. MODELS FORMALIZATION AND OPTIMIZATION:
42 LITERATURE REVIEW
the scalability and the modularity of the technique (e.g., supporting another 
source language will require radical changes in the tool).
A utom atic  transformation using MDE techniques
Recently, MDE (Model Driven Engineering) is gaining attention due to its promise 
to increase productivity in developing, documenting, and maintaining software 
systems. MDE techniques incorporate the source and the target languages meta­
models to do the model-to-model and the model-to-text transformation. Unlike 
the previous technique (Automatic transformation), this one increases the scala­
bility and the modularity of the transformation. Instead of reinventing the wheel, 
some authors made use of this technology to transform from the semi-formal to 
a formal language.
For example, the authors in [117] used the Epsilon [64] model management frame­
work to transform from UML to CSP || B. The authors in [121] summarised a 
comparison between 11 different MDE tools used to transform from UML activ­
ity diagram into CSP (UML-to-CSP case study [22]), as part of the AGTIVE’07 
tool contest. The participated tools were: Tiger EMF Transformer, TOG (Triple 
Graph Grammars), PROGRES, GrGen.NET, GReAT, VMTS, USE, MoTMoT, 
GrTP, M0MENT2-GT, and XL [121].
3.1 .4  Transformation objective
In this section we categorize the work done in this field (semi-formal models 
formalization) based on the rationale behind doing this formalization. Based on 
our literature review, we can categorize them as follows, taking into account that 
some of the reviewed work address more than one category:
• Intra-model consistency checking;
• Generic system behaviour analysis;
• Refinement checking;
• Properties checking;
• Visualizing the formal language.
The following subsections describe each of those categories, list the work done in 
each category and provide a summary of that work.
3.1. FORMALIZATION 43
Intra-model consistency checking
All of the work done in this category depended on UML as a semi-formal lan­
guage. Systems in UML can be described using multiple views, and ensuring 
consistency between those views is the focus of intra-model consistency [37]. In 
other words, using different diagrams to model different aspects of a system brings 
the risk of inconsistency among diagrams. Consistency here means that the re­
quirements /design expressed in different diagrams of the model do not contradict 
each other.
For example, the behaviour of an object can be represented as a state diagram. 
A sequence diagram can also be used to represent a possible scenario for the same 
object based on its state diagram. If the represented scenario is not compatible 
with the state diagram (i.e., cannot be reproduced from the state machine), this 
can be considered an intra-model inconsistency between that state and sequence 
diagrams.
By transforming the UML model into a formal language, proof and model check­
ing can be applied to check the intra-model consistency on the formalized model 
using proof and model checker tools.
Many papers have addressed this issue (intra-model inconsistency checking) by 
depending on proof checking. For example, [13] illustrated the transformation 
from UML to Z and focused on checking the consistency of class models against 
the object diagrams. They depended on Z/Eves as a proof checker. The drawback 
of this approach is that the discharging of some of the proofs in Z/Eves requires 
expertise in using the prover. Also [110] depended on proof checking by using 
first order logic formulas and SPASS as a theorem prover.
On the other hand, the following body of work uses model checking to address 
the same problem [133, 39, 99, 36]. The authors in [133] focused on checking the 
consistency between the UML state and sequence diagrams. They automatically 
transform the diagrams into a formal representation called Split Automata (a 
variant of automata to facilitate formalizing the hierarchical states), and from 
Split Automata to Promela, so that model checking can be conducted using 
SPIN. The split automata can make the specifications in Promela much clearer 
than those written with flattened automata. However, it does not solve the 
problem of state explosion because the model checker (SPIN) itself generates 
exponential increasing states when it does verification.
Authors in [39] focused on checking the consistency between UML 1.5 activity 
diagrams and the invariants defined in the class diagram for the same model. 
The work examines two different approaches to represent the activity diagrams
44
CHAPTER 3. MODELS EORMAMZATfON AND OPTIMIZATION;
LITERATURE REVIEW
into the input language of NuSMV (a symbolic model verifier ). The first ap­
proach represents the activity diagram into Statemate Statechart, which assumes 
synchronous communication. In the second approach the activity diagram is rep­
resented as a UML state diagram, which assumes asynchronous communication. 
The second approach is more realistic as it more close to the implementation. 
However, the first approach is more efficient as it reveals smaller state space.
Authors in [36, 99] proposed using CSP to address the same problem with FDR 
as a model checker. However, [99] proposed using Object-Z to represent the class 
diagram, as both CSP and Object-Z share a common failures-divergences model.
Generic system  behaviour analysis
This category includes the literature that studies unwanted behaviours of the 
system to make sure they will not happen. We focus on the model-independent 
behaviours that can be checked as part of the toolset (do not require user input). 
The following healthiness properties are examples of such behaviour:
• Deadlock: a blocked situation that a group of processes mutually wait on 
each other and no further action is possible. Most of the model checkers 
(e.g., FDR) are able to generate a trace leading to the deadlock.
• Livelock: orthogonally, livelock is infinite internal behaviour.
Automatically checking these behaviours depending only on the semi-formal model 
is not possible. However, by transforming the model into a formal one, model 
checkers can be used to handle this checking. [116, 28, 81, 119] followed this 
approach.
Thierry-Mieg et al. [116] propose translating the UML activity diagrams into 
IPN (Instantiable Petri nets). IPN supports hierarchical descriptions native, and 
use the notion of transition synchronization for composition of behaviours. The 
formalized model is checked using the structural bounds computation tool which 
allows checking: unbounded behaviour, deadlock, and unreachable final state. 
The main originality of this work is in the composition mechanisms used and the 
natively support for hierarchy instead of requiring a flattening of the representa­
tion, which leads to scalability issues. The weakness of this translation is in the 
non-determinism of decision nodes, and the absence of any data manipulation.
Yong Ng et al. [81] formalize the behaviour of the UML state diagram into CSP. 
They first define a structural model for a UML state machine, and then proceed 
by using this structural model to describe the behaviour of the UML structures
3.1. FORMALIZATION 45
in terms of CSP processes. The paper mentions the possible behavioural analysis 
that can be done on the generated CSP such as: refinement checking between two 
state diagrams, deadlock checking and divergence checking. However, no model 
checking results have been reported for a case study.
Turner et al. [119] automatically translated from xUML to CSP j| B (an inte­
grated formal language that combines CSP and B). The main objective of the 
transformation was to check the formalized model against deadlock. The trans­
formation tool is based on a model-text transformation strategy that uses the 
xUML meta-model to map to CSP and B constructs. Unlike the previous ap­
proaches, this one considers the asynchronous communication between objects by 
modelling the objects’ queues and signals sending/receiving mechanism in CSP. 
However, the authors do not demonstrate how the approach can be scaled for 
industrial size projects.
The main objective of [70] is to detect the deadlocks in Ada Rendezvous Flow 
Structure by mapping to ACP (Algebra of Communication Process). ACP can 
clearly describe finite states communication automata, simplify process composi­
tion, and conveniently hide internal details. To avoid the state explosion problem, 
this work checks the deadlock statically (i.e., without exploring all the possible 
states of the system such as FDR).
Refinement checking
The term refinement has been addressed in literature by different meanings. 
In this category we mean checking the consistency between the abstract and 
the concrete semi-formal models based on certain rules. For example, if the 
modeller abstractly designs a class diagram (GDI) that includes a generalization 
relationship between class A and B, then he refines this class diagram to produce 
a concrete (refined) one (CD2). In such refinement process, it is not common 
to refine the generalization relationship in GDI to an association relationship in 
GD2. However, rules can be applied to ensure the compatibility between GDI 
and GD2.
The concept of refinement is a key feature in formal methods, such as Event-B 
[11] where the properties of the abstract model are verified by the refined model. 
Many works aiming to check refinement between semi-formal models, depend on 
transforming the semi-formal diagrams into formal representation and then check 
refinement between the formalized models using proof or model checkers.
The authors in [98] propose formalizing UML-RT (class, structure, and state di­
agrams) into Gircus [125] (a specification language that combines GSP, Z and
CHAPTER 3. MODELS EORMALIZATION AND OPTIMIZATION:
46 LITERATURE REVIEW
specification statements). The main objective of their work is to prove that the 
model transformation (from an abstract to concrete UML-RT model) preserves 
the original model semantics. One concern in this work is that the Post & Pre 
conditions are described directly in Circus, which means that the modeller has 
to have some knowledge with CSP and Z formal languages to define those con­
straints.
The authors in [14] use the same concept (but the formalization done to B) to 
check several kinds of refinements between different UML diagrams augmented 
with OCT. The Signature Refinement is one of those kinds which checks consis­
tency between the abstract and the refined operation signature (operations name, 
number of parameters and their types). An access control case study was used 
to illustrate the four kinds of refinements.
The authors in [45] propose checking refinement between abstract and more de­
tailed UML state and sequence diagrams. Using a similar approach they trans­
form the UML diagrams into cTLA (compositional Temporal Logic of Actions) 
and then used TLC (Temporal Logic Checker) as a model checker. Unlike the 
two previous papers, this one considérés the inter-object communication, whereas 
each cTLA process representing an active object contains a queue to handle con­
current calls.
Property checking
The following collection of papers share the same objective which is checking user 
defined properties to make sure they are satisfied by a system model. Mostly one 
wants to check safety or liveness properties, which hold for the whole lifetime of 
the system. Having the semi-formal model in formal representation allows model 
checkers to check such properties.
The main objective of paper [48] is to check safety specifications in the railway in­
terlocking systems modelled in xUML (following the UML 2.2 standard wherever 
possible), besides checking other behaviours like deadlock. The work considered 
formalizing the xUML model into the process algebra mCRL2 to do the model 
checking. The inter-object communication addressed in this paper pointed out 
two important issues in the UML 2.2 standard:
• UML 2 neither limits the size of event pools nor limits the number of events 
the instance may accept from the environment at any point in time.
• Class instances may starve (i.e., a class instance may have events in its 
event pool waiting to be dispatched), but the instance may never get its
3.1. FORMALIZATION 47
turn; this comes about as UML 2.2 does not impose any fairness restrictions 
concerning event dispatching.
To resolve those issues, they propose some constraints on the mCRL2 model so 
the models can be checked. Unlike most of the other work, this one reports the 
model checking results in terms of time and number of states, as well as the 
configurations of the used machines.
Following the same approach, [127] focused on transforming xUML to S/R  (the 
input language of COSPAN [49]). However, the authors here suggested simulat­
ing the asynchronous message passing between class instances by synchronous 
communication between processes modelling class instances and their message 
queues.
Roscoe et al. [103] formalize Statemate Statecharts into CSP. They develop 
a compiler to handle the transformation written in CSPM making heavy use of 
functional programming. The formalized model included information represented 
within the source Statemate Statecharts such as: timing, priorities, hierarchical 
structuring and variables/ timers. The main purpose of that transformation is to 
check the following:
• General errors in the system: in the generated CSP script, finitely de­
tectable run-time errors are all flagged by an error event.
. • Reachability of states: to test whether a certain state in any chart can be 
reached at some point.
• Consistency with application-specific requirements (safety properties).
The approach was clearly illustrated by a Burglar Alarm System case study. 
The authors also mentioned that they have discovered many errors in practical 
industrial systems by this approach.
Knapp et al. [63] developed a tool that transforms from UML 2.0 diagrams 
into Automata. The main objective of that formalization was to check if the 
formalized interaction (modelled as a UML sequence diagram) can be satisfied 
by the formalized UML state machines. The checking is done using SPIN model 
checker.
Instead of depending on model checkers. Planas et al. [92] choose a lightweight 
approach that depends on the static analysis to verify strong executability cor­
rectness in UML/OCL model. They defined the specification of the operations’ 
behaviours in Alf (Action Language for fUML) [85]. Although their approach is
CHAPTER 3. MODELS EORMALIZATION AND OPTIMIZATION:
48 LITERATURE REVIEW
suitable for checking models at design-time, it is limited to the capability of the 
static analysis. For example, checking the deadlock that could happen due to the 
interaction between the system’s objects cannot be done using this approach.
Visualizing the formal language
UML is a graphical language that has an extensively structured set of constructs 
but lacks a comprehensive static or behavioural semantics. On the other hand for­
mal methods, such as CSP, have a well defined behavioural semantics supported 
by model checkers, such as FDR. To combine the different potential offered by 
the two in a design process, some works such as [82] proposed an approach to 
translating UML diagrams to CSP. The automated translation provided a graph­
ical interface to work with CSP, and this could be useful for CSP novices. The 
authors depend on the state diagram to visualize the CSP dynamic behaviour, 
such as event occurrence and state transitions. And the class diagram to show 
the static relationships between different CSP processes.
Similarly [47] used the same concept to visualize B formal language by represent­
ing the B machines as UML state diagrams. Also Butler proposed visualization 
for Event-B by representing the model in UML-B (a graphical front end for 
Event-B) [112].
3.1.5 Formalization observations
After analyzing all the reviewed literature in this field, we find that some points 
have been addressed only in a limited way, yet they are very important for the 
practical use of semi-formal models formalization approach. The following sum­
marize those points:
C onsideration  of asynchronous in ter-ob jec t com m unication
According to [39] the asynchronous inter-object communication is closer to a 
system’s implementation. However, this has been addressed very limitedly in 
[119, 45, 48, 83]. The main reason behind this avoidance is the state space 
explosion problem that the model checkers face when modelling this way of com­
munication.
C onsideration  of m odeller friendly feedback
The main reason of doing the semi-formal language formalization is to make 
use of the formal language power (model or proof checking), but at the same 
time isolating the formal methods complexity from the modeller. To complete
3.2. OPTIMIZATION 49
the round trip engineering process, the generated feedback (output) from the 
model/proof checker should be transformed to a modeller friendly representation.
Providing modeller friendly feedback has been addressed only a few times in the 
literature. Maybe the reason of this limitation is due to its difficulty, as the gener­
ation of such feedback requires additional traceability information to be generated 
during the formalization process. Without this information, generating modeller 
friendly feedback is not possible. The authors in [26, 109] proposed presenting 
the model checking results (e.g., counter-example) as an object diagram that 
represents a snapshot of the system during the error. Alternatively, Mrugalla et 
al. in [79] presents the counter-example as a sequence and a timing diagram. In 
another approach, the authors in [116, 91] proposed compiler style-errors with 
valuable feedback.
Consideration of industrial size projects
In order to be able to use any of the mentioned approaches in real life projects, the 
approach should be able to handle industrial size projects. We have noticed that 
optimizing the resulted formal model after the formalization has been addressed 
in the literature only in a limited way. Section 3.2 is dedicated to discuss this 
issue.
Finally, we have found that the majority of the reviewed work is focusing on 
finding errors in the specifications and design models, and few focused on how to 
use formal methods to detect errors that can arise from implementation decisions. 
Generally, the xUML formalization attempts [119, 48, 45] addressed this issue.
3.2 Optimization
The automatic formalization of semi-formal models may lead to very convoluted 
formal models especially if the implementation details are considered (such as 
when formalizing xUML or fUML models). Checking such models is subject to 
the state space explosion problem, wherethe number of states becomes too large 
to be checked by the model checker, given the limitation of the machine that runs 
the model checking.
There is a significant body of work researched in avoiding the state explosion 
problem. Some authors such as Planas et al. [91] avoided the problem com­
pletely by depending on the model static analysis to check certain properties. 
Another authors also avoided the problem by depending on proof checkers (in­
stead of model checkers) such as Younes et al. [130] who translates from UML 
activity diagrams to Event-B and then depends on AtelierB [6]to perform the
50
CHAPTER 3. MODELS FORMALIZATION AND OPTIMIZATION:
LITERATURE REVIEW
proof checking for specific properties.
Those who found model checking more relevant to analyze their models were 
forced to face the state explosion problem. The work that has been done to avoid 
this problem can be categorized in two main categories which are outlined in the 
following subsections.
3.2.1 LTS optimization
This category includes the work that focuses on optimizing the corresponding 
LTS (Label Transition System) of the formal model. Deep understanding of 
the generated LTS and internal access to the model checker tool are required to 
develop an optimization technique within this category. The LTS optimization 
targets removing nodes and transitions without affecting the semantics of the 
LTS.
As described in [102], FDR2 calculates the LTS semantics of the CSP processes 
and then performs model checking. FDR2 has the option to apply some opti­
mization techniques such as:
Strong bisimulation
Strong bisimulation identifies the nodes in the model’s LTS if their patterns of 
actions are equivalent in a strong way. FDR2 automatically applies this to all the 
low level component processes it compiles to reduce the state space by grouping 
the bisimilar nodes [101].
Figure 3.2: Strong bisimulation equivalence (from [101])
Figure 3.2 shows an example of a small LTS on the left hand side, where for
3.2. OPTIMIZATION 51
simplicity assume that all the actions have the same label (a, say). It is obvious 
that nodes E, F and G are bisimilar because all of them cannot do any actions, 
which means they can be represented as one node (Z). Nodes B, C and D are also 
bisimilar because all of them can do a to move to another node within the group, 
or to move to group Z, thus they can be represented as one node (Y). Node A 
cannot be strongly bisimilar to any of B, C or D as all of these can become one of 
E, F, G after a and A cannot. Applying the bisimulation results in the optimized 
LTS on the right hand side.
Normalization
FDR2 has the capability to perform refinement checking between specification 
and implementation processes based on the chosen semantic model. For exam­
ple, in the traces model, FDR2 checks whether the visible events that can be 
performed by the state of the implementation are a subset of those that can 
happen in the specification. This exploration strategy works fine as long as the 
specification process is deterministic (e.g., contains no r ’s). However, when this 
is not the case, a Gartesian product of the two state spaces needs to be explored 
to check the refinement, which is not efficient at all.
To avoid this problem, FDR2 normalizes the specification process before the 
refinement checking. Ryan et al. [104] described the steps that FDR2 performs 
to eliminate all the internal transitions and transforms the specification LTS to 
a structure (Generalized LTS) in which there is at most one transition from 
any state by any given event, and at the same time keep the nondeterminism 
information. In the worst case, the Generalized LTS is exponentially larger than 
the original LTS, but in most real examples normalization in fact reduces the 
state space, often dramatically [41].
Compression functions
FDR2 also supplies a group of compression functions that can be called within the 
CSP script to apply certain optimization technique on a specific process. Roscoe 
in [102] showed how to use those functions and their effect on the state space. 
Below are two examples of FDR2 compression functions:
• explicate: renames the states from the representation of their natural struc­
ture to a small integer value (tabulating). Although this does not reduce 
the number of states in the LTS, it makes the subsequent manipulations 
substantially faster.
CHAPTER 3. MODELS FORMALIZATION AND OPTIMIZATION:
52 LITERATURE REVIEW
• tav^loop-factor: searches the LTS for the r-loop’s (ring of nodes connected 
with internal events ( r ’s)) and replaces them with single nodes. This in 
turns will reduce the number of states without affecting the traces model 
semantics, as proved by Roscoe [102].
Many other LTS optimization techniques have been implemented in other model 
checkers. For example, ProB [67] uses techniques such as permutation flooding 
[68] and hash value [69] symmetric reduction.
3.2.2 Formal model optimization
This category includes those who concentrate on optimizing the formal model 
before translating it to the LTS representation. The authors in this category 
work on modifying the formal model such that fewer states are required to be 
explored, without the need to an internal access to the model checker. The two 
main strategies to apply this technique are:
By decom position
This technique relies on decomposing the formal model into constituent parts to 
have an effective model checking. In this subcategory, Wang et al. [122] pro­
posed an optimization algorithm that slices the Extended Hierarchical Automata 
(EHA) formal model based on a slicing criterion extracted from the property to 
be checked. For example, one slice can ignore the hierarchical states if they are 
irrelevant to the property.
Schneider et al. [108] proposed decomposing the CSPjjB model into finer grained 
components called chunks to allow checking divergence freedom in large systems 
using FDR2. The technique is applicable also on the CSP models. The authors 
formally verified their technique using mathematical proofs, however they did not 
address the implementation of the technique so it can be applied automatically.
Winter et al. [123] used ASM (Abstract State Machines) to formally model large 
railways interlockings. They have used a manual decomposition approach that 
depends on dividing the model into smaller segments based on the understanding 
of the system. Then, if the safety requirements are satisfied by each segment, 
this means they are satisfied for the whole track-layout. Although this decom­
position approach maybe effective, being a manual approach that depends on a 
certain system makes it very limited and impractical approach that cannot be 
generalized.
3.2. OPTIMIZATION 53
Desovski et al. [34] represented the system specification into SCR (Software 
Cost Reduction) [50], and to avoid the state explosion problem, they proposed 
a decomposition approach (based on the min-cut algorithm [29]) which divides 
the system automatically into smaller components such that they have minimal 
coupling with the rest of the system.
By abstraction
The term “abstraction” in formal methods has been used in different ways in the 
literature to address different optimization techniques. Abstracting data types 
is one usage of this term. Model checkers cannot deal with the unbounded data 
types (such as: Integers, Floats, etc.) as they will definitely lead to state explo­
sion. Replacing the variables of these types with an abstract variables that ranges 
between bounded values is a possible solution for this problem. For example, let 
X be an integer variable that is used in the condition: if{x < 10), in that case x 
can be replaced with another abstract variable that has the following values: 10, 
vi and vi, where v\ > 10 and % < 10.
Heitmeyer et al. [51] used such abstraction by replacing detailed variables in the 
SCR formal model with more abstract ones, and in some cases they remove the 
detailed variables completely from the model. Also, Jesus et al. [60] abstract any 
infinite domain in the system to allow checking their CSP models using FDR2.
The abstraction can be applied on a behaviour as well (Model abstraction). Hsieh 
[57] et al. described a model abstraction technique that replaces the low-level 
detailed behaviour description in system’s model with a high-level description 
that encapsulates the behavior of the model using non-deterministic automaton.
3.2.3 Optimization observations
After discussing the work that has been done for optimizing the formal models, 
we can summarize our observations in the following points. Our observations 
relate the semi-formal model formalization (discussed in Section 3.1) with its 
corresponding formal model optimization.
Consideration of the optim ization in the formalization
When conducting automatic formalization from semi-formal model to a formal 
one, the resulting formal model may contain irrelevant information with respect 
to the checked property. It is very important to consider optimizing the result­
ing formal model before checking it, otherwise we will face the state explosion 
problem. Also, when the semi-formal model is an executable one (e.g., xUML or
CHAPTER 3. MODELS FORMALIZATION AND OPTIMIZATION:
54 LITERATURE REVIEW
fXJML), the data and model abstractions becomes crucial. The majority of the 
reviewed formalization work did not address the issue of optimization.
C onsideration  of th e  sem i-form al m odels op tim ization
Another aspect that can lead to more optimized formal models is to start the 
optimization from the semi-formal model. This can be done by applying some 
modifications on the semi-formal model before the formalization process. We 
have not found any proposal in the reviewed literature to automatically scan 
the semi-formal models searching for specific undesired patterns (patterns that 
complicate the resulted formal model), and advise the modeller to avoid them.
C onsideration  of using M D E in th e  optim ization
MDE frameworks can be used to perform rnodel-to-model transformation, and 
thus can be used to transform a formal model to an optimized one based on certain 
transformation/ optimization rules. Apart from the models refactoring work, in 
the reviewed literature we did not find any usage of the MDE to automate the 
optimization process.
C onsideration  of th e  op tim ization  verification
Optimizing formal models is very perilous because the optimization may elim­
inate (suppress) important information in the original formal model. Eor that 
reason, mathematical (formal) proofs are required to make sure that the required 
information for the checked property will not be eliminated from the model. Most 
of the reviewed works considered this point when they perform the optimization 
automatically.
3.3 Summary
The previous sections outlined our literature review by grouping the papers that 
address the semi-formal models formalization based on different perspectives. 
Firstly, we grouped them by the used semi-formal language. Secondly, we grouped 
them based on a formal language. Thirdly, we grouped them based on the trans­
formation mechanism. Finally, we grouped them based on the transformation 
objective, and we gave a brief description for each paper in this section to elab­
orate the differences between those papers clearly. We focused our description 
on the parts related to our work and we also highlighted any observed technical 
issues in the used approach.
We also grouped the work that address the optimization of the formal models 
into in order to discuss them clearly. The first group include those who focused 
on optimizing the LTS of the formal model, and the second group contains those
3.3. SUMMARY 55
who focused on formalizing the original formal model.
Our observations shed light on some points that have been addressed in the 
literature in a limited way. We would argue that this avoidance is the main 
cause of not having semi-formal models formalization as part of today’s off-the- 
shelf CASE tools. Trying to cover most of those points using a comprehensive 
approach is the main motivator to our work.
We have aimed to include in this literature review the most distinguished recent 
work in the field that relates'semi-formal and formal models. However, we have 
not considered the integration of the formal and semi-formal notations to produce 
a new modelling notation, since this is not the scope of the PhD. Work follow­
ing this approach proposes new notation that combines semi-formal and formal 
notations in order to take the advantages of both. For example, Frappier et al. 
[43] proposed extending statecharts with process algebra operators (like those 
found in CSP and EB3) to form a new notation called algebraic state transition 
diagrams (ASTDs). Also Plata et al. [93] proposed using UML and Object-Z 
together to check refinement between different versions of class diagrams based 
on refinement rules. Our concern regarding this approach is that the modeller 
should be familiar with the used formal language to create the input model.
Chapter 4
fUML Model Formalization
In the previous chapter (our observations in Section 3.2.3 and Section 3.1.5) we 
have identified specific points that have been addressed in the literature in a 
limited way, yet they are very important for the practical use of the semi-formal 
models formalization in industry. In particular, we describe in this chapter our 
formalization approach that addresses the asynchronous communication and the 
implementation decision errors issues. The other points are covered in the next 
chapters.
Our approach depends mainly on translating (formalizing) the fUML model into 
CSP, and then using FDR2 as a model checker to analyze the model behaviour. 
The fUML formal model formalization includes: the activity diagrams formaliza­
tion (which represents the objects behaviour), the objects management formal­
ization and the inter-object asynchronous communication formalization.
To validate our approach we used it to automatically formalize the Tokeneer 
ID Station subsystem (introduced in Chapter 2) fUML model into CSP. Conse­
quently, we used FDR2 to perform the model checking with one and two users in 
the system. The checking results are reported and discussed in the chapter.
Section 4.1 gives an overview about the approach used for transforming semi- 
formal models into formal ones. The section describes the ingredients and how 
we combine them to build a system that performs the formalization. It also de­
scribes how this approach addresses the observed issues in the previous chapter. 
Section 4.2 describes the main component of our approach (The Model Formal- 
izer) and how it performs the formalization in full detail. This includes the 
description of the fUML-to-CSP mapping rules and the fUML inter-object com­
57
58 CHAPTER 4. FUML MODEL FORMALIZATION
munication mechanism formalization. Section 4.3 describes the Model Forrnalizer 
testing strategy to make sure that it is doing the formalization as required. Fi­
nally, in Section 4.4 we discuss the results when we use the Tokeneer ID Station 
as a case study to verify the Model Forrnalizer functionality.
4.1 Approach overview
Generally, the proposed approach aims to transform the semi-formal model into 
a formal representation with the purpose of analyzing and verifying the input 
model against certain properties. We will call this kind of transformation “for­
malization” for short. The framework of the approach outlined below consists 
of the core components, as we will build upon them in the incoming chapters to 
extend the approach’s functionality.
4.1.1 Selected languages and tools
We have selected several languages and tools to help us achieve our target and 
implement the approach. All of those ingredients have been introduced in full 
details in Chapter 2. In the following we list them and briefly mention the 
rationale behind choosing each one:
fUML as a sem i-form al language
To our knowledge, fUML [88] is the only OMG standard that contains a detailed 
specification of how the inter-object communication mechanism should be imple­
mented in the fUML execution engine. Moreover, fUML is nearer to the code 
(implementation) rather than the abstract design models, thus errors that may 
appear due to some implementation decisions can be detected by analysing the 
fUML model. Also the availability of the fUML meta-model (part of the stan­
dard) gives it an advantage over xUML [73], which encouraged us to use it in 
such research work.
C SP as a form al language
The main reason for using GSP [106] as a formal language, is its capability of 
modelling concurrent systems supported by model checkers. As our aim is to ana­
lyze and verify system behaviours in the view of the asynchronous communication 
between their components, GSP is appropriate for modelling such systems. The 
other reason for using CSP is that our team experience in it exceeds any other 
formal language (even though they handle concurrency).
FD R 2 as a m odel checker
4.1. APPROACH OVERVIEW 59
As our aim is to fully automate the formal verification process, we choose a model 
checker instead of a proof checker because in many cases in proof checking human 
interaction is required to complete the proof. For checking CSP models, FDR2 
[41] has showed continuous success either on the academic or the industrial side 
for more than 24 years, and is considered to be the state of the art model checker 
for CSP [100].
M DE as a m odel transformation technique
MDE tools provide a modular and flexible way for doing the model transforma­
tion. Moreover, the availability of several frameworks that handle the model- 
to-model and model-to-text transformation based on the source/target language 
meta-model, encouraged us to use this technique. Using one of the MDE tools 
to do the formalization will save a lot of programming effort, compared with 
developing the transformation engine from scratch. We have chosen the Ep­
silon [64] (introduced in Section 2.4) model management framework to perform 
all the MDE tasks. Epsilon is an active open source project [38] that is capable 
of performing all the tasks that we require to do the formalization.
We have previous experience (not in the PhD and not published) of performing 
formalization from UML to Z automatically, but without an MDE framework. 
Instead of just focusing on the logic of the transformation (transformation rules), 
a lot of work was consumed by other programming issues. For example, in MDE 
frameworks, the developer is not concerned with the models’ files reading and 
parsing.
4.1 .2  The framework of the approach
Figure 4.1 depicts how we utilized the above languages and tools, and combine 
them with other components to build our approach that is capable of taking 
the advantage of the semi-formal languages simplicity and the formal languages 
rigour to analyze the input model behaviour.
Modeller
Formal
Model
(CSP)
fUML
Meta-model
CSP
Meta-model
Semi-formal
Model
(fUML)
Model
Checker
(FDR2)
Model Formalizer
Figure 4.1: Approach framework architecture
60 CHAPTER 4. FUML MODEL FORMALIZATION
As a starting point, the modeller uses a CASE tool to model a system in fUML. 
The model should contain the fUML class diagram(s) and activity diagram(s) 
to represent the system structural and behavioural semantics respectively. The 
Model Formalizer is then used to read the fUML model (represented in XMI for­
mat) and performs the formalization to CSP. As we propose using one of the MDE 
frameworks to do the transformation, the model formalizer should be supplied 
by the fUML and CSP meta-models. The final output from the Model Formal­
izer is a CSP script that represents the input fUML model semantics, as well as 
a formal representation for the fUML asynchronous inter-object communication 
mechanism as described in the standard.
The CSP script is ready now to be compiled and analyzed using FDR2 model 
checker. FDR2 can be used to check generic properties (e.g., deadlock, livelock, 
and determinism), or non-generic properties (e.g., safety or liveness properties). 
In the case of finding an error, FDR2 generates the traces that led to this error 
(counter-example) but in a technical format as “traces” (i.e., will be very hard 
to be understood by the modeller who entered the model as an fUML diagrams).
4.1.3 Observed issues addressing
Recalling the observed formalization issues (described in Section 3.1.5 of Chap­
ter 3) and projecting them on the described approach, we can claim that the 
proposed approach is addressing two of those issues in an applicable way as fol­
lows:
C onsideration  of th e  asynchronous in ter-ob jec t com m unication
We addressed this issue by depending on the fUML standard (as a semi-formal 
model) that already includes specifications for the asynchronous inter-object com­
munication mechanism, as well as our work on formalizing the semantics of this 
mechanism into CSP to be part of the whole formal model.
C onsideration  of th e  erro rs  arising from  th e  im plem entation  decisions
The fUML standard has been developed mainly to allow the automatic gen­
eration of an executable code from the fUMIL models. This means that any 
implementation details should be defined either in the fUML model (class and 
activity diagrams) or in the execution engine. Again, depending on fUML as 
a semi-formal language and specifying/formalizing the semantic variation points 
allowed for addressing this issue.
The other issues will be addressed in the following chapters. The rest of this 
chapter will provide an detail on the Model Formalizer and how it performs the 
formalization.
4.2. THE MODEL FORMALIZER 61
4.2 The Model Formalizer
Our work target is to check systems’ behavioural properties in general and dead­
lock freedom in particular at this stage. This target has been reflected in our 
formalization approach. In other words, the formalization of an fUML model 
into CSP will focus on the information (in the fUML model) that is required for 
checking deadlock freedom in first place. Nevertheless, other information will be 
included for proving the expandability of the approach.
The main functionality of the Model Formalizer component is to translate the 
input fUML model into CSP. To capture the dynamic behaviour of the model, 
the component achieves this translation in four stages:
1. Translating the fUML activity diagrams into CSP processes.
2. Generating CSP processes that represents the inter-object communication 
mechanism.
3. Generating GSP processes that manages object creation and destruction.
4. Combining all the previous CSP processes into one single process that rep­
resents the whole system (SYSTEM).
The following sections describe each of those stages and how the Model Formalizer 
automates the formalization process.
4.2.1 fUML to CSP mapping rules
We perform the transformation from fUML activity diagrams to CSP based on a 
collection of mapping rules (we will call them: Map-Rules). Table 4.1 shows the 
fUML activity diagram’s elements and the corresponding GSP representation that 
reflects the semantic behaviour for each element. The selected fUML elements 
and their properties in these Map-Rules are those which were included in the 
used case studies throughout the work.
62 CHAPTER 4. FUML MODEL EORMALIZATION
fUML Element CSP Representation
M ap-R ule (1): A c tiv ity
 ^Activityl ( p a ra m i, param 2 )J ~
parami
param2
Activity l_Proc[param l,pam m 2)  =  | 
let
Process Body 
within A C l
M ap-R ule(2): Send  Signal A ction
A C l  =  send\aIH \bIH\sigl  - t
M ap-R ule(3): Accept E ven t A ction
Accept(sigl)
A C l  = registerSignalslblHlrpl -4  
acceptlblHlsigl -4 ...
Map-Rule(4): Accept Event Action (*)
Accept(sig1, sig2, sig3)
sig3sig1
s g 2
A C l  — registerSignals\bIH\rp2 —> ( 
acceptlblHlsigl —>■... 
□
acceptlbIHlsig2 —)• ...
□
acceptlblHlsigl -4 ...)
4.2. THE MODEL FORMALIZER 63
M ap-Rule(5): Add Structural Feature 
Value Action
«valüeSpecification» 
iValue(FALSE)
aiH, f  «addStructuralFeatureValue» I 
isOpen := FALSE
A C l =
valueSpeclalHlval : {FALSE} 
addStFeature Value ! alH ! is Open ! val 
—y . . .
It can also be TRUE based on the 
fUML element.
M ap-Rule(6): D ecision/M erge Nodes
decis ion i decision2
Action^^Actioni
D Sl = decisioni —> A C l 
n
decision2 AC2 
A C l = ... —4 M Rl 
AC2 =  ... —> M Rl 
M Rl =  ...
M ap-Rule(7): Expansion Region
|7<ite7ati7a»“
I Actioni
A C l = ERMT1{<  el, e2, eS >) 
ERMT1[<>) = AC2 
ERMTl[seq) =
Actionl\head{seq) —>
ER-ITl{tail{seq))
AC2 = ...
64 CHAPTER 4. FUML MODEL FORMALIZATION
M ap-R ule(8): Objects Creation
« c re a te O b je c t»  \  
Objectlype 1
bIH
A C l  =
createObject\aIH\bIH -4- AC 2
M a p -R u le (9 ): Objects D estruction
A C l  =
f ^ d e s t r o y O b je c t» l | destroyObjectlalHlblH AC2
M ap-R ule(lO ): D ata Store
1— 1 ^ r « d a ta s to re > > l 
1 var : Type |
A C l{va r )  =  ... —> AC2{var)  
AC2{var)  =  ... -4- AC2»{var)
Table 4.1: The fUML to CSP Map-Rules
In the Map-Rules, alH  and bIH represent instance handlers of the active objects. 
The values rpl  and rp2 in Map-Rules (3) and (4) represent the registration points 
where the object {bIH) is waiting to accept the signal instances sigl and sigl^ 
sig2, or sigS respectively. Each AcceptEventAction  in an fUML activity diagram 
has its unique registration point.
Mapping from UML activity diagrams to CSP has been addressed several times 
in the literature [129, 128]. The novel points of our mapping are as follows:
Map-Rule(l) maps the fUML activity as a localized CSP process with several pa­
rameters {parami, param2, ..). Within this process we define sub-processes, each 
represents a different fUML element within this activity. The within statement 
defines the action (sub-process) connected to the initial node {A C l) .  Using the
4.2. THE MODEL FORMALIZER 65
le t. . .  within local definition allows for grouping the sub-processes that belongs 
to the same activity.
Map-Rule(2) and (3) map the SendSignalAction and AcceptEventAction to the 
CSP parameterized events send and accept respectively. The registerSignals event 
is used to let the object activation fill the waiting event accepters list with the 
allowed signals to be accepted at this point (registration point). The value rpl 
is explicitly included in the event so that each AcceptEventAction is uniquely 
identified. Section 4.2.2 describes how those events synchronize with the active 
object’s buffer process to allow the asynchronous communication between pro­
cesses (active objects).
The fUML standard supports the option that the AcceptEventAction handles 
more than one signal at a time. When the control flow of the activity reaches 
this action, the object waits for any of the defined signals {sigl, sig2, or sigS) 
to be received. If any of those signals arrive, the object execution proceeds and 
the incoming signal instance is passed to the AcceptEventAction output pin. For 
that reason, in Map-Rule(4), we connect the decision node to the action’s output 
pin to branch the flow based on the incoming signal. We use the same concept of 
Map-Rule(3) followed by an external choice to represent the branching semantics. 
Map-Rules like (2),(3), and (4) are not presented in [129, 128] because the focus 
there is not on the interaction between activity diagrams.
Map-Rule(5) maps the combination of the actions: valueSpecificationAction and 
addStructuralFeatureValue Action to two events to allow (for example) the alH  
instance handler’s attribute isOpen to be set to FALSE. Because we are focusing 
on the properties that we need in our case studies only, the formalization of the 
valueSpecificationAction considers the boolean types only.
We represent the decision node as an internal choice (as in Map-Rule(6)) when 
the incoming edge to the decision node is a control flow. The internal choice 
will make the model checker (FDR2) to explore all choices without the need for 
synchronizing with other events. But we represent it as an external choice (as in 
Map-Rule(4)) when the incoming edge is an object flow, because the branching 
will depend on the incoming signal. Map-Rule(6) also take into consideration 
when the decision node is used as a merge node.
The iterative Expansion Region in fUML acts as a loop that repeats all the 
actions inside it (e.g., Actioni)) with the number of entities supplies in the input 
the array. According to the other Map-Rules, each action inside the region will be 
mapped to a CSP event. Map-Rule(7) maps the Expansion Region as a recursive 
process which repeats the events inside it with the number of elements inside the 
sequence seq which represents the input array.
66 CHAPTER 4. FUML MODEL FORMALIZATION
Map-Rule (8) and (9) map the objects creation and destruction respectively. 
The CSP events createObject and destroy Object synchronize with the objects 
manager process that keeps track with the created and the destroyed objects and 
control the impact on the other events (the objects manager process described 
in Section 4.2.3). In the two events, alH  represents the object that conducted 
the creation or the destruction, while bIH represents the created or the destroyed 
object.
DataStores in fUML are used to store a value and retrieve it any time during the 
activity execution. In the CSP formalization, the DataStore is represented as a 
parameter to the sub-processes inside the main localized process. Having this pa­
rameter in all the sub-processes allows any event to read the value of this param­
eter. Assigning the value of this parameter depends on the data (value) source. 
Map-Rule(lO) handles the insertion of this parameter in the sub-processes.
The M ap-R ules scope
It is obvious that the Map-Rules do not support all the fUML standard elements, 
and for the chosen elements not all the properties are considered in the formal­
ization. This part discusses the rationale behind the inclusion and the exclusion 
for some elements.
The Map-Rules include all the fUML elements that have been used in our research 
case studies and the chosen properties for each element are sufficient to check the 
properties that we focus on them in our work (mainly deadlock freedom and the 
behavioural consistency). Also, formalizing unnecessary properties will lead to a 
complicated CSP model that FDR2 will possibly fail to check. For example, the 
formalization of the addStructuralFeatureValue Action  considers the assignment 
of unordered boolean structural features only.
Some of the excluded fUML elements such as Fork and Join nodes are appropriate 
to use when modelling the concurrent behaviour within the active object. We will 
show in Section 4.2.2 that modelling the concurrent behaviours is considered in 
our formalization but only between the active objects which are communicating 
with each other asynchronously.
As we are constrained with CSP as a formal representation, some aspects in the 
fUML standard cannot be formalized directly using CSP, such as the Join nodes 
which are used to combine multiple/parallel flows in the activity diagram into 
one flow. That is mainly because parallel processes in CSP can just synchronize 
on some events, but their behaviours cannot be combined to act as one process.
The fUML standard includes many intermediate actions such as; Read Structural 
Feature, Write Structural Feature and Test Identity actions. Our framework is
4.2. THE MODEL FORMALIZER 67
flexible enough to support adding more Map-Rules for such actions.
We will see the incoming sections how those rules can be applied on the activity 
diagram in Figure 4.14 to generate the corresponding CSP process in Figure 4.15.
Applying th e  M ap-R ules autom atically
In the previous section, we informally described the Map-Rules to provide a high 
level understanding of the mapping and how the formalized fUML model will look 
like in its CSP representation. The Model Formalizer automates the formalization 
process based on those Map-Rules, however deflned in a precise way. Figure 4.2 
shows the internal architecture of the Model Formalizer component.
fUML
meta-model
CSP'
Model,
CSP
Script
fUML
Model
CSP
meta-model
Model-to-Model
(ETL)
Model-to-Text
(EGL)
Figure 4.2; The Model Formalizer internal architecture
We use Epsilon (introduced in Chapter 2) as an MDE framework to perform the 
transformation from the source model (fUML) to a CSP script. The transforma­
tion is done in two stages; firstly, model-to-model transformation from the fUML 
model to a CSP model using ETL (Epsilon Transformation Language), and sec­
ondly, model-to-text transformation from the CSP model to a CSP script using 
EGL (Epsilon Generation Language) [64].
1. Model-to-Model transformation
The model-to-model transformation is based on all the Map-Rules shown in Ta­
ble 4.1, and each Map-Rule is written in ETL. In ETL there are two styles that 
can be used to represent the transformation rules (Map-Rules). The declarative 
style which is used when the source and target meta-models are similar to each 
other in terms of structure and thus, the transformation is a matter of a simple 
mapping (not our case). In this work we use the imperative style where the ETL 
rule defines the mapping scenario at a low level of abstraction (i.e., how each
CHAPTER 4. FUML MODEL FORMALIZATION
element in the source model will be mapped in the target model?). The reason of 
using this style is the big difference between our source (fUML) and target (CSP) 
models which requires some transformation logic to be handled by the rules.
Epsilon should be provided by the source/target meta-models to perform the 
transformation. The unavailability of the fUML meta-model in a format that 
can be read by Epsilon (ecore format) forced us to use the UML2 meta-model 
[120] as the source one. This workaround is technically valid because fUML is a 
subset of UML2 in general. An alternative for this workaround is to depend on 
the Epsilon XMI driver to read/parse the fUML meta-model which is available 
in an XMI format. For the CSP meta-model, we use the available one in our 
previous work [117]. The full CSP meta-model is depicted in Appendix B.
Map-Rule(1) in ETL Meta-models
Segm en t o f the fUML Meta-mode! (simplified)
rule  Activity_To_LocalizedProcess 
tran sform  activity: ADIActivity 
to  pa : C S P IP rocessA ssignm ent, 
pid: C S P lP rocessID , 
ppl: C S P iP rocessP aram eterL ist, 
locProc: C S P IL ocalisedProcess
node
for ( node in activity.node )
if ( node.isKindOf ( ADIActivityParam eterNode ) )
var param ltem : new C S P IP rocessP aram eterL istltem ;
param ltem .nam e := node.nam e; Segm en t o f  the C S P  M eta-model
ppl.item .add(param ltem ); 
ppl.size := ppl.size + 1; param List
p rocessE xpression processIDpid.nam e = activity.name + '_Proc'; 
p id.param eterL ist := ppl; item
0 . .*pa.processID  := pid;
pa.p rocessE xpression  := locProc;
p rocess
Activity
nam e; String
ProcessID
ActivityNode
P rocessE xpression
L ocalizedProcess
P rocessA ssignm ent
P rocessParam eterL ist
size: Integer
Acti vi ty P ara m eterN od e
nam e: String
ProcessParam eterL istltem
nam e: String
Figure 4.3: Map-Rule(l) for transforming activities to CSP localized processes
Figure 4.3 illustrates a sample ETL rule (Map-Rule(l)) and segments of 
the involved met a-mo dels in this rule. The execution of this ETL rule 
(Activity_To_LocalizedProcess) applies the mapping shown in Map-Rule(l) in 
Table 4.1, as it transforms any activity in the fUML source model {activity) to a 
CSP localized process {locProc) and all its related elements {ProcessAssignment, 
ProcessID and ProcessParameterList). The fUML and CSP models’ elements can
4.2. THE MODEL FORMALIZER 69
be accessed using the variables AD  and CSP respectively using the M’ operator.
The for loop and the nested if condition in the rule’s body are concerned with the 
activity parameters nodes {ActivityParameterNode) that should be represented 
as ProcessParameterListltem^s in the CSP model. Inside the loop, the rule sets 
the items’ names, adds them to the ProcessParameterList (ppl) and adjusts the 
ppl size. After the loop, the rule sets the CSP ProcessID {pid) name with the 
activity name augmented with ‘_Proc’ and then associates the CSP elements with 
each other.
Figure 4.4 shows another example of the ETL representation of Map-Rule(2) 
and the corresponding segments of the fUML and CSP meta-models. The rule 
transforms any SendSignalAcion in the activity diagram {AD) to a CSP sub­
process that performs the send event and then behaves like the next subprocess 
(as shown in Map-Rule(2) in Table 4.1). The getCSP-Process function takes the 
fUML element’s reference as an input (e.g., action) and returns the corresponding 
CSP ProcessID for that element. The variable targetObj holds the target object 
that accepts the sent signal (e.g., userOhj). The variable signalName holds the 
name of the signal that will be sent (e.g., unLockLatchSignal). The SendSignalA- 
cion action is transformed (in the CSP meta-model) to a Prefix that has two 
attributes; the event and the nextProcess. The event is set using the function 
createsendEvent which creates a CSP Event entity {send) for the action and re­
turns it. It also creates the corresponding CSP EventParameter’s and associates 
them with the Event entity. The ProcessExpression relates the ProcessID with 
the Prefix (kind of ProcessExpression). Finally, the function addToLocalized­
Process adds the created subprocess {ProcessAssignment) to the corresponding 
localized process.
70 CHAPTER 4. FUML MODEL EORMALIZATION
Map-Rule(2) in ETL
rule  SendSignalA ction_To_SubProcess 
transform  action: ADlSendSignalAction 
to  pa: C S PIP rocessA ssignm ent, 
prefix: CSPIPrefix
{
pa.processID  := getC S P _P rocess(  action );
var targetObj : String :=
action.target, incom ing,source, name;
var signalNam e: String := action.signal.nam e;
prefix.event := createSendEvent[ action );
prefix.nextProcess := getC SP _P rocess( getTargetNode 
(action.outgoing ) );
pa .processE xpression  := prefix; 
addToLocalizedProcess (action, pa);
Meta-models
Segm ent of the fUML M eta-model (simplified)
Prefix --------------- o
nextP rocess
ProcessExpression ProcessID
< h - nam e: String
EventParam eter
even tParam s
0 ..*
Event
processE xpression  jprocessID
ProcessA ssignm ent
Segm ent of the CSP M eta-model (simplified) 
incoming
ActivityEdge
ActivityNode ObjectNode
o —
'Outgoing
Signal SendSignalAction InputPin
nam e: String 0..1 0..1
Figure 4.4: Map-Rule (2) for SendSignal Action to a CSP subprocess
Implementing the Map-Rules into ETL required grouping/ splitting of some rules 
for code optimization (i.e., Map-Rules are not mapped one-to-one to their ETL 
representation). For example, Map-Rule(3) and part of Map-Rule(4) are grouped 
into one ETL rule. We detail in Appendix C the corresponding ETL represen­
tation of most of the Map-Rules depicted in Table 4.1, as well as a brief about 
each ETL operation that we use in the transformation.
2. Model-to-Text transformation
As shown in Figure 4.2, the output of the model-to-model transformation is a 
CSP model (i.e., not a script that can be understood by FDR2). For that reason 
we follow this step with a model-to-text transformation process that reads the 
generated CSP model and translates it to a CSP script that can be read by FDR2. 
Epsilon has a template based language (EGL) that can perform this task based on 
the same CSP meta-model that we used in the model-to-model transformation.
We use an EGL script that manages the transformation. Apart from the CSP 
processes, the generated CSP script by Epsilon includes also:
Data types definitions (e.g., SIGNAL, INSTANCE and R,EG_POINT).
4.2. THE MODEL FORMALIZER 71
• Sets definitions (e.g., the alphabets of each process).
• Functions definition (e.g, getRegisteredSignals(rpl)).
• Channels definitions (e.g., channel accept : INSTANCE.SIGNAL).
The EGL script that we use in this work was originally written by Edward Turner 
for his work published in [117]. We modified this script to handle our formal­
ization approach. For example, the generation of the CSP processes that handle 
the asynchronous inter-object communication was not considered in the original 
script.
Section 4.4 shows the generated CSP script when applying the formalization on 
an fUML activity diagram.
4.2 .2  Modelling the fUML inter-object communication mechanism in 
CSP
Formalizing the activity diagrams only (as described in the previous section) 
would allow for analyzing the behaviour of each active object independently of 
the other objects. This means that any error that could arise from the interaction 
between objects will not be detected (e.g., deadlock). For that reason we formalize 
the inter-object communication mechanism as a CSP process which acts as a 
linker between the active objects to allow for their asynchronous communication. 
In Section 2.3 we describe how the fUML standard defined this mechanism, so in 
this section we describe its formalization by implementing its semantics in CSP.
The representation of this mechanism (as will be described below) is considered 
to be one of the main contributions in our work.
Initial a ttem p ts
We made several attempts to formalize such communication mechanism before 
reaching the current implementation. Although all of the attempts are compatible 
with the fUML standard, each of them implements the semantic variation point 
(strategy for dispatching signals from the event pool) in a different way. We 
outline below a brief description of each of the initial attempts, as well as a more' 
detailed description of the current implementation in the last subsection:
□ First attem pt; representing the event pool as a bag
In this attempt we represented the event pool of each active object as a bag.
72 CHAPTER 4. FUML MODEL EORMALIZATION
which means any signal can be dispatched from the event pool arbitrarily. As the 
CSP does not have a direct representation for the bags (only sets and sequences), 
we represented the bag as a set of tuples. Each tuple holds the signal instance 
identiher (e.g., sigl, sig2, . . .  ) and the number of occurrence of this signal. The 
main problem in this representation is that it does not preserve the order of the 
incoming signals. Also when the bag becomes full, any incoming signal will be 
dismissed, which will lead to a quick deadlock afterwards. Decreasing the effect 
of the former problem can be done by increasing the bag’s size. However, with 
this representation, FDR2 failed to compile the CSP script when the bag’s size 
is larger than 4 slots (for the Tokeneer case study), which in practice is too small 
to keep the system alive.
□ Second a tte m p t: rep resen ting  th e  event pool as a queue
In this attempt we represented the event pool as a queue, which preserves the 
FIFO (First In First Out) order of the incoming signals. As mentioned in Sec­
tion 2.3 of Chapter 2, this is the default fUML strategy for dispatching events 
from the event pool. Using the queue solved the problem of the nondeterministic 
dispatching of signals from the event pool, preserving the incoming signals order. 
However, a new problem was introduced when an object receives an unexpected 
signal (i.e., not matched to one of the waiting event aceepters). In this situation, 
the object dismisses the incoming signal directly because it has been already re­
moved from the event pool for matching and the fUML standard does not allow 
for returning signals back to the event pool. In many cases the object may need 
to accept this dismissed signal after few further actions, which generally leads to 
an invalid deadlock to the system.
□ T h ird  a tte m p t: rep resen ting  th e  event pool as an o rdered  bag
Recalling the fUML semantic variation points described in Section 2.3, it is al­
lowed to override the default signals dispatching strategy (FIFO). We made use 
of this genericity and modified the previous attempt in which the object does not 
remove any signal from the event pool unless it is registered in its waiting event 
accepter list. At the same time, signals are dispatched in chronological order (i.e., 
remove the oldest signal (spent the longest time) from the event pool first).
From the logical point of view and the conformance to the fUML standard, this 
attempt was successful. However, by applying this approach on our case study, 
FDR2 failed to compile the CSP script when the bag’s size was larger than 
3 slots (very small and causing a fast deadlock like the first attempt). This is 
mainly because this implementation is based on functional programming (Haskell 
functions), which is not handled efficiently, as FDR2 builds a huge state space 
during the CSP script compilation because the synchronization is not considered 
at this stage. This means that this attempt is theoretically successful (i.e., gives
4.2. THE MODEL FORMALIZER 73
the appropriate behaviour), but it is not working on the practical side.
Current CSP implementation: Controlled Buffer
This implementation applies the same logic described in the third attempt, but 
it avoids the shortcomings that appeared in the previous ones. In particular it 
avoids depending on the sequence data structure or Haskell functions as they 
lead to a significant decay in FDR2 performance during the compilation pro­
cess. Instead, it depends on the CSP primitives only (e.g., parallel composition, 
prefix, etc.). Also this implementation considers delayed events, so there is no 
quick incorrect dropping of signalsdeading to an invalid deadlock. This has been 
achieved by following the third attempt approach (not to remove any signal from 
the event pool unless it is registered in its waiting event accepters list). Moreover, 
the model preserves the incoming signals sending order by checking the signals in 
the event pool in a chronological order. Thanks to Michael Goldsmith [44] who 
helped us reaching this ingenious implementation.
□ The event pool list as a Controlled Buffer
As shown in Figure 4.5 , the idea is built on representing the event pool as a 
Controlled Buffer with N consecutive nodes. When an object sends a signal to 
another object (performs the send event), the signal is placed in the receiver 
object’s buffer {event pool) by placing it in the first node (BO), then the signal 
will move down automatically until reaching the rightmost node in the buffer. 
The same will be repeated for any other incoming signal filling the Controlled 
Buffer from right to left. When the Controlled Buffer becomes full, the oldest 
signal in the buffer (placed in the rightmost node) will be dropped out {drop 
event) and all the signals will be shifted right by one node. Signals are moved 
down as a parameter to the cl, c2, . . . ,  cN events.
Although this implementation will drop the old signals as well which might lead 
(eventually) to a deadlock or livelock, it allows for having much bigger buffers 
compared to our third attempt. For example, in the CCS case study, we set the 
event pool buffer size of an object to 25 slots without affecting the compilation 
time. Such big buffers minimize the probability of the signals dropping as the 
active object will have longer opportunity to consume the signals in the event 
pool. One of the limitations of our work is that we could not find a way to 
compute the appropriate buffer size before the model checking.
74 CHAPTER 4. FUML MODEL FORMALIZATION
BO dropcN
send
B2 B2
testB testetestA
acceptXaccepts accepteaccept A
rejectXrejectereJectA rejects
Figure 4.5: The event pool as a controlled buffer
As will be outlined below, the receiver object uses the te s tY  event (where Y  
represents the cnrrent node: A, B, . . . )  to check if the contained signal is member 
a of the object’s waiting event accepters list. If so, the signal is removed from 
the event pool via the acceptY  event, otherwise the rejectY  event is enabled 
to allow checking the next node. We represent each of those nodes as a CSP 
mutnally recursive process with a simple logic illustrated in Figure 4.6 for the 
first node {BO) and the general node {B). Notice the example possible values for 
the processes parameters between brackets in the figure.
e h
[acceptA) [rejectA]
testB
ireiecl
e
[accepts]
BO(c, d, e ,/ ,  g, /i) =  c?æ Bl(æ, c, d, e ,/ ,  A)
d\x -4- BO{c, d, e ,/ ,  g, h) 
n  g\x -D- {e\x BO(c, d, e ,/ , g, h)
□  h ^  Bl{x ,  c, d, e ,/, g, h)) 
n  c7y -4 f l z  —^ d\x —> Bl{y,  c, d, e , f , g,h)
B{c,  d, e, g, h) — c?æ -4^  B2{x,  c, d, e, g, h)
B2{x,  c, d, e, g, h) =  d\x ->  B (c ,  d, e, g, h)
□  g\x -> {elx B{c,  d, e, g, h)
□  h —)• B2{x,  c, d, e, g,h))
Figure 4.6: Controlled Buffer’s first and general nodes
The processes BO and B  represent the node when it is empty, while B1 and B2  
represent them when the node is holding a signal. In BO and B  the only allowed 
event is c to fill the node with the passed signal in its parameter {x). In B1
4.2. THE MODEL FORMALIZER 75
and 5^  the hold signal (æ) can either be passed to the next node (d) or tested 
{g) by the buffer controller for acceptation (e) or rejection (h). If in B1 the c 
event happened, the oldest signal will be dropped (/) and then the d event will 
be allowed to shift the signals to the right.
As the Controlled Buffer consists of sequence of nodes, we combine the previous 
processes {BO and B ’s) in parallel to form a new process {CB-NODES) that 
represents the Controlled Buffer {event pool) but without being controlled yet. 
Figure 4.7 shows the CSP representation of a three node buffer which can hold 
three signal instances at a time. The process CB^NODES is defined using one 
BO process and two B  processes whose parameters are instantiated appropriately.
CB^NODES =
{{BD{send, cl, acceptA," drop, testA, rejectA)
II B {cl, c2, acceptB, testB, rejectB))
II B{c2, drop, accepte, testC, rejectC)
{ \c 2 ,d r o p \}
) \  (I cl, c2, drop 1}
Figure 4.7: Controlled Buffer with three nodes
□ Controlling the buffer
To maintain dispatching signals in the same order they were sent, we developed 
a controller process {CB-CTRL) that checks nodes one by one from the oldest 
(rightmost) to the newest (leftmost) before removing the signal from the event 
pool, and if the signal exists in the waiting event accepters list, the process allows 
for its acceptance {accept event) otherwise the signal is rejected {reject event) 
and the next node is checked. Figure 4.8 shows our representation of the buffer 
controller process {CB-CTRL) for a three nodes event pool.
76 CHAPTER 4. FUML MODEL FORMALIZATION
C B ^C TR L {{})  = registerSignalslalHlrp
CB_CTRL{getRegisteredSignals{rp))
C B _C TR L{E A )  =  t e s tC lx  i f  {member {x, EA)) then
else rejectC —>■ 
t e s tB lx  -4- i f  (member (x, EA)) then
else rejectB —> 
te s tA lx  - 4  i f  {member {x, EA)) then
{acceptAlx - 4  C B_C TRL{{}))
else rejectA - 4  send?anySig  - 4  C B -C T R L {E A )
Figure 4.8: The buffer controller process for a three nodes event pool
The getRegisteredSignals is a mapping function that returns the allowed signal(s) 
at a certain registration point {rp). For example, in the Door Controller activ­
ity, getRegisteredSignals(rp2) returns lockLatchSignal and doorlsOpenSignal. The 
registerSignals event synchronizes with the corresponding event in the transla­
tion of the activity diagram (Map-Rule(3) and (4)) to initiate the signals checking 
process. The controller process {C B -C TR L )  checks {testY)  the nodes starting 
from the rightmost node {C) to the leftmost node (A). If the signal is a member 
of the waiting event accepters list {EA), the controller allows for its acceptance 
{acceptY) and flushes all the other signals in EA, otherwise it is rejected {rejectY) 
and the next node is checked.
To allow the C B ^C T R L  process to control the buffer CB^N O D ES  we combine 
them parallely in the new process CB_NODES_CTRL as illustrated in Figure 4.9. 
The set aSynchEvents  contains the synchronization events: test, reject, and accept 
for all nodes.
|| CR_CTRT({})
aSynchEvents
Figure 4.9: Controlled Nodes
□ M oving signals along th e  C ontrolled  Buffer
The parallel combination in the process C B-.NO D ES-C TR L  does not provide
4.2. THE MODEL FORMALIZER 77
a mechanism to force FDR2 to move the signals along the nodes from left to 
right. For that reason we depend on the chase function of FDR2 to complete the 
definition.
Chase gives priority to internal {tau) transitions over external ones, and chooses 
one internal transition arbitrarily when there is a choice of several. This reduces 
the state space of the labeled transition system in FDR2 by removing external 
transitions competing with internal ones, and selecting one internal transition 
where there is a choice of them. This results in a refinement of the original process, 
which can only perform external events once all internal progress have completed. 
Thus chase is not semantics-preserving in general (and in this case), but it is 
exactly what is required here so that shuffling the signals along always occurs 
after an output event, before further visible events are possible. For more details 
about how chase works the reader can refer to [131]. For example, using the chase 
function for analyzing the left hand side tree (a tree with some hidden events) in 
Figure 4.10 will produce only two possible traces {tau, tau, g) or (tau, tau, h).
tau.
chase ^
tau/ f tau,
Figure 4.10: Application of Chase function
Figure 4.11 illustrates the application of chase to the process CB^NODES-CTRL 
after hiding the buffer internal events {test, reject, c, and drop) for all nodes 
(grouped in aHiddenEvents). Chase is applied also on the process CB^NODES 
depicted in Figure 4.7. Having those events hidden (taus), FDR2 will follow 
them causing signals to be propagated along the nodes whenever a send event 
happens. The process CB is the complete definition of the Controlled Buffer for 
one instance in the system.
CB = chase{CB-NODES-CTRL \  aHiddenEvents)
Figure 4.11: The complete definition of the Controlled Buffer
It is important to note that we are not using the chase function in the conventional 
way. Chase here prevents further external events from occurring following output 
from the buffer until the signals are propagated internally along the buffer. This
78 CHAPTER 4. FUML MODEL FORMALIZATION
is precisely the behaviour required: that the effect of an output is instantaneous. 
Representing the the buffer as a parallel combination of small processes (BO || 
B II B II • • • ) rather than a sequence of signals (CB((sigl, sig2, - ■ ■ , sigN))) shows 
a substantial performance improvement during the model checking compared 
to the later representation. The non-deterrninistic design of the CB process 
allowed chase to move the signals, because chase has no effect on the deterministic 
processes (chase(P) — P, when P is deterministic).
4.2.3 Objects creation and destruction
Within the formalized fUML model domain (CSP domain), objects are not cre­
ated dynamically because applying this concept in the formal domain will com­
plicate the formal model, and thus makes the model checking more; difficult. 
However, we have to handle the object creation/ destruction fUML actions (be­
cause they exist in our case studies) with a hybrid approach that reflects their 
impact on the model behaviour with minimal overhead.
The approach requires the modeller to define the maximum number of objects 
that will be created for each class and which should be created at the system 
startup. This should be done before the Model Formalizer performs the formal­
ization.
Consequently, the Model Formalizer uses the modeller input to generate instance 
handler entities (e.g., uIHO and uIHl for the User class) and adds them to the 
INSTANCE data type and the set alllnstances which acts as a pool for all the 
instance handlers that going to be created during the system runtime (model 
checking). The Model Formalizer also generates two CSP processes that manage 
object creation/destruction:
The first process M AIN  creates all the instance handlers that the modeller defined 
to be created at the startup by enabling the event createObject. For example, the 
following process creates one instant handler for the Door Controller (dcIHO), 
Door (dlHO)and User Panel (upIHO)and two for the User (uIHO, uIHl)c\ass.
MAIN = createObjectlmainlHldcIHO -4- 
createObject\mainIH\dIHO - 4  
createObject\mainIH\upIHO - 4  
createObjectlmainlHluIHO - 4  
createObjectlmainlHluIHl - 4  PROC-CB
The mainlH  represents a virtual main object that the Model Formalizer defines
4.2. THE MODEL FORMALIZER 79
as a starting point. The process PROC-CB  is a parallel combination between 
the activities processes and their Control Buffers (depicted in Figure 4.12).
The second process {OBJ-M AN) manages the objects creation/destruction dur­
ing the runtime by maintaining a set that holds the created objects. It then uses 
this set to prevent uncreated objects from sending or accepting signals as shown 
in the process below:
OBJ-MAN(created-objs) = createObject ! mainlH  ? obj : created-ohjs —>
O B J-M A N (dijj(created-objs, obj))
OBJ-M ANQ = OBJ-MAN-C{create-first)
OBJ-MAN-C{created-objs) =
send? s : created-ohjs ? t : created-ohjs ? sig —> OBJ-MAN-C(created-ohjs)
□
accept? obj : created-ohjs ? sig -4- OBJ-MAN-C(created-objs)
□
registerSignals ? obj : created-ohjs ? rp OBJ-MAN-C{created-ohjs)
□
createObject ? obj : created-ohjs ? newObj : diff {alllnstances, created-objs) -4
O B J-M A N -C  {union[newObj, created-objs))
□
destroyObject ? obj : created-objs ? do : dyn-objs -4
OBJ-MAN-C{diff(created-objs, dd))
The process object manager process {OBJ-M AN) synchronizes with any other 
process in the system on the events: createObject, destroyObject, send, accept 
and registerSignals. Initially, the instance handlers of the objects that should be 
created at the system startup will be passed to the process as a set (the parameter 
created-objs holds any created object instance handler). The object manager will 
allow those objects only to be created using the createObject event. When all 
those objects are created the process O B J-M A N -C  is enabled to:
• Allow sending to/from the created objects only.
• Allow the created objects only to register and accept signals.
• Allow the created objects only to create new objects and add them to the 
set: created-objs.
CHAPTER 4. FUML MODEL FORMALIZATION
Allow the created objects only to destroy one of the dynamically cre­
ated objects (stored in the set created-objs) and remove it from the set: 
created-objs.
The Model Formalizer generates the above processes (MAIN  and OBJ-M AN) 
based on the modeller input and add them to the CSP script directly.
Although our object management approach simulates the main aspects of the 
dynamic behaviour of the objects creation/destruction, it suffers from two main 
limitations. First, it depends on the modeller to define the maximum number 
of objects per class before the runtime (model checking), which contradicts with 
the objects dynamic allocation concept. Second, it is the modeller responsibility 
to carefully use the CreateObject and DestroyObject actions in a way that the 
number of the currently active objects (created and not destroyed yet) of a certain 
class should be less than or equal to the maximum number that he defined.
4.2 .4  Putting the Model Formalizer’s processes together
This is the final stage of formalizing the fUML model where the Model Formal­
izer generates the whole system big process (SYSTEM). This process is a parallel 
combination between all the processes that synchronize on the send, accept, reg­
isterSignals, createObject and destroyObject events as depicted in Figure 4.12. 
This in turn, for example, will allow object A to send signals to object B by 
inserting the signals in its (object B) event pool (Controlled Buffer). Also this 
will allow the object manager process (OBJ-M AN) to keep track of the objects 
creation and destruction in any process in the system and control the interaction 
with them.
4.3. TESTING THE MODEL FORMALIZER 81
synchronize on the: 
send, accept, registerSignals, createObject, destroyObject 
events
PROC CB
OBJ MAN
Initial Objects 
Creation
SYSTEMObject N 
Controlled Buffer incsp 
(CB nlHO)
Object B 
Controlled Buffer incsp 
(CB blHO)
Object A 
Controlled Buffer incsp 
(CB alHO)
Object N Behaviour incsp
(formalization of its activity diagram)
Object A Behaviour in csp
(formalization of its activity diagram)
Object B Behaviour in c s p
(formalization of its activity diagram)
MAIN
Figure 4.12: The SYSTEM
The SYSTEM  process can then be used by FDR2 to check the whole system 
against a specific behaviour such as: deadlock, livelock or determinism.
To complete the formalization process we have taken some decisions on behalf of 
the modeller (e.g., the representation of the Event Pool as a Controlled Buffer). 
The formal model also has some limitations as we have seen in the object dy­
namic creation/destruction formalization. The formalization tool (e.g., Compass 
in Chapter 8) should inform the modeller with these decisions and limitations so 
he can check if they are compatible with the fUML execution engine or not.
4.3 Testing the Model Formalizer
Testing the Model Formalizer in a formal way is not possible because we cannot 
compare semi-formal (fUML) model against a formal (CSP) one as each one has 
its own domain and attributes. In order to test the Model Formalizer functionality 
and validate its formalization, we followed a two stage informal testing strategy.
In the first stage, we construct tiny fUML models that target few (one or two) 
formalization aspects. We then test the model formalization two times; one with 
positive expected checking results, and one with negative results. For example, 
we have constructed the fUML tiny model depicted in Figure 4.13 to test Map- 
Rule(2) and (3) and an aspect from the inter-object communication formalization.
82 CHAPTER 4. FUML MODEL FORMALIZATION
Activity_A ( objB  ) J
objB
* 2
Send(sigl) " >
^  Accept(sig2)^
A ctivity_B  ( objA  ) J
Accept(sigl) |
 \|^ ___
Send(sig2) ObjA
Figure 4.13: Testing an aspect from the inter-object communication
In this example, the first object (Activity_A) sends sigl to the second object 
(Activity_B) which replies with sig2 to the first object. This is a deadlock free 
fUML model and FDR2 should acknowledge this fact when checking its corre­
sponding CSP representation, otherwise there should be a problem in the for­
malization process. If FDR2 produces the expected output, we then perform 
a change in the fUML model that leads to a deadlock (i.e., corrupt the fUML 
by intention) and re-check the formalized CSP model using FDR2 which should 
report a deadlock scenario in this case.
By this approach, we can test the Model Formalizer on a small scale to focus on 
certain aspects. Nevertheless, in real life, models are much more complicated such 
that many formalization aspects going to be applied on the fUML model (e.g., 
ten Map-Rules, objects creation/ destruction and inter-object communication).
To address this situation (complicated models), in the second stage we test the 
formalization of large case studies. Based on the model checking results using 
FDR2, we manually check the fUML model to make sure it is valid. For example, 
if FDR2 produces a deadlock scenario, we trace this scenario over the fUML model 
to make sure it is valid for the fUML model. On the other hand, if the fUML 
model was deadlock free, we also use the same strategy of modifying the model 
to impose a deadlock by intention and making sure that FDR2 will detect it.
The next section will show how we used this testing strategy to test the Model 
Formalizer using the Tokeneer ID Station case study.
4.4 The formalization of the TIS fUML model
We have introduced the Tokeneer ID Station (TIS) subsystem case study in 
Chapter 2 and our motivation for using it as a case study. As a second stage
4.4. THE FORMALIZATION OF THF TIS FUML MODEL 83
for realizing and validating the Model Formalizer functionality, we have used it 
to formalize the TIS fUML model in CSP and then check the formalized model 
against deadlock freedom. The Model Formalizer also gave us the advantage 
to examine the behaviour of the model when having two concurrent users in the 
system. The following sections will illustrate part of the TIS fUML model and the 
corresponding CSP representation, they will also discuss the deadlock checking 
results for one and two users in the system.
4.4.1 TIS fUML activities
In the TIS fUML model all the objects which have interesting behaviour have 
associated activity diagrams. For illustration, we are focusing here on a segment 
of the Door Controller activity (depicted in Figure 4.14). Although, the segment 
does not include all the fUML elements described in Section 4.2.1, the next chap­
ters will show their usage and formalization in the CSS case study. The complete 
fUML model of the TIS is included in Appendix A but without description.
 ^DoorControllerActivity( alarm O bj : Alarm. doorO bj : Door, selfObj : D oorControllef. upO bj : U serP anel, userO bj : U ser ) J
I « v a lu e S p e c ilic a tio n »  
Value(FALSE)Accept (unlockLatchSignal)
a d d S lru c iu ra lF e a tu re V a lu e » ^  f l î ï â m i O b ^ ^
isAlarming T "  ----------- ------« v a lu e S p e c if ic a tio n »  
! Value(FALSE)doorObj :
<vatueSpeciftcation»
Valure(FALSE)
« ad d S tru c tu ra lF ea tu reV a lu e»  
IsLockedupObI : UserPanel
f« a d d S tru c tu ra lF e a tu re V a lu e »  I '  IsLocked
doorObj :
q  Send
(unlocklngDoorCompleteSignal)
lockT imeoutExceeded
(enbyAuthorizedSignal)
Send 
(lockLatchSignal) lock! imeoutNotExceeded
I userObj : User!
Accept 
(unlockl.atchSlgnaI 
/ ,  doorlsClosedSignal,Accept I 
(doorlsOpenSignal, 
lockLatchSignal) I
lockLatchSignal)
unlockLatchSignal
d o o rlsO p e n S ig n a l
doorlsClosedSignal
selfObJ : DoorControlier
lockLatchSignal lockLatchSignal
To the rest of 
the diagram
Figure 4.14: Segment of the Door Controller Activity
84 CHAPTER 4. FUML MODEL FORMALIZATION
Initially, the Door Controller waits for the unlockLatchSignal to be sent by the 
User Panel when the User requests an entry to the enclave and he is authorized 
to do so. When receiving this signal, the Door Controller changes the status 
of the Door’s lock to be Unlocked by setting the attribute isLocked to FALSE. 
Consequently, the Door Controller sends an unlockingDoorCompleteSignal to the 
User Panel to indicate the completion of the Door unlocking. At this point, the 
Door Controller starts a timer to watch if the User did not open the Door after 
getting the permission for entry. The two possible scenarios for the timer expiry 
{lockTimeoutExceeded or lockTimeoutNotExceeded) are represented as an internal 
decision. The lockTimeoutNotExceeded choice corresponds to the door opening 
within the allowed time. If the timer time out the Door Controller sends the 
lockLatchSignal to itself to change the Door’s lock status to Locked. Otherwise, 
the Door Controller will accept the doorlsOpenSignal from the Door’s object 
to continue its normal behaviour until sending the entryAuthorizedSignal to the 
User’s object.
As we outlined in Section 2.3.3, the fUML standard is agnostic about the seman­
tics of time to allow for a wide variety of time models to be supported. It is 
the tool (execution engine) implementor responsibility to choose a suitable time 
semantic (continues, discrete, sources of time information, etc.). As our focus 
is on the formalization in this stage, we modelled the timer expiry in the Door 
Controller activity as a decision node (lock timeout) which will be translated (by 
the Model Formalizer) to a non-deterministic choice in the CSP domain to ensure 
the checking of the two possibilities (exceeded or not exceeded).
4.4.2 TIS CSP formalization
This section shows a segment of the Model Formalizer’s output when using the 
TIS fUML as an input model. Figure 4.15 shows the Door Controller CSP process 
{DoorControllerActivity-.Proc) that represents the behavioural semantics of the 
Door Controller Activity depicted in Figure 4.14.
4.4. THE FORMALIZATION OF THE TIS FUML MODEL 85
DoorControllerActivity-Proc
{alarmOhj, doorObj, selfObj, upObj, userObj) =
let
A C l = registerSignals] self Objlrpl
accept\selfObj\unlockLatchSignal —>• AC2
AC2 = valueSpec\selfObj?val : FALSE -4
addStFeatureValueldoorObjlisLockedlval —> AC4
AC4 = sendlselfObjlupObjlunLockingDoorCompleteSignal D Sl
D Sl = {lockTimeoutNotExceeded]selfObj —> M Rl
n
lockTimeoutExceeded]selfObj —> ACS)
ACb = send]selfObj]selfObjUockLatchSignal —> M Rl 
M Rl = ACQ
AC6 = registerSignals] self Obj]rp2 AC 7
AC7 = [accept] self ObjUockLatchSignal —^ ...
□
accepP.selfObj]doorlsOpenSignal ACS)
ACS = valueSpec]selfObj7val : FALSE —>
addStFeatureValue]alarmObj]isAlarming]val —> ACID
ACIO = valueSpec]selfObj7val : FALSE —>
addStFeatureValue]doorObj]isLocked]val —> AC12
AC12 = send]selfObj]userOhj]entryAuthorizedSignal —> AC13
ACIS = registerSignals]selfObj]rpS —> AC14
AC14 = [accept]selfObj]unlockLatchSignal —> AC13 
□
accept] self ObjUockLatchSignal —> ...
□
accept]selfObj]doorIsClosedSignal -4 ...) 
within A C l
Figure 4.15: The corresponding CSP process for the Door Controller activity 
Segment
86 CHAPTER 4. FUML MODEL FORMALIZATION
As a direct application of Map-Rule(l), the Door Controller Activity is translated 
to the DoorControllerActivity^Proc CSP localized process with the corresponding 
parameters. AC2, ACS and ACIO are generated by Map-Rule(5). Applying 
Map-Rule(6) on the timer expiry decision node resulted in the internal decision 
in DSl.
When the process registers (using registerSignals event) and accepts (using ac- 
cpet event) the unlockLatchSignal in ACl, this means that the process is ready 
to accept this signal when it is placed in its object’s [selfObj) event pool (con­
trolled buffer). On the other hand, when the send event in AC j happens, the 
unLockingDoorCompleteSignal will be placed in the User Panel object’s [upObj] 
event pool. The inter-object communication is handled by including this process 
in the parallel combination described in Section 4.2.4.
Representing the fUML activity as a localized process with a sub-process for 
each action makes the CSP process more readable and the transformation task 
easier. This style also allows for recalling the same action several times without 
repetition.
4.4.3 Deadlock checking results w ith  one user
The TIS CSP model 6” US’TEM process includes four interacting processes (Door, 
Door Controller, User, and User Panel). Each process has its own event pool 
with 10 slots. When checking SYSTEM  using EDR2, it managed to compile the 
CSP script (about 600 lines) and reported a deadlock scenario (counter-example) 
after exploring 2.5K states in five seconds. The following trace shows part of the 
counter-example generated by EDR2:
4.4. THE FORMALIZATION OF THE TIS FUML MODEL 87
< . . .
send.uIHO.upIHO.readUserTokenSignal,
accep t.upIHO.readUserTokenSignal,
send.upIHO. dcIHO. unlockLatchSignal,
accep t. dcIHO.unlockLatchSignal,
send.dcIHO.upIHO.unLockingDoorCompleteSignal,
lockTimeoutExceeded.dcIHO,
accep t.upIHO.unLockingDoorCompleteSignal,
send.dcIHO. dcIHO. lockLatchSignal,
r e g is te r S ig n a ls .dcIHO.rp9,
accep t.dcIHO.lockLatchSignal,
valueSpec.dcIHO.FALSE,
send.upIHO.uIHO.doorUnlockedSignal,
addStPeatureValue.dcIHO. isAlarming.FALSE,
r e g is te r S ig n a ls .dlHO.rp20,
r e g is te r S ig n a ls .uIHO.rp3,
accep t.uIHO.doorUnlockedSignal,
send.uIHO.dlHO. openDoorSignal,
accep t.dlHO. openDoorSignal,
send.upIHO.upIHO.resetSignal,
valueSpec.dlHO.TRUE,
registerSignals.uIH 0.rp4, <— The User instance is waiting now.
addStFeatureValue.dlHO. isOpen.TRUE,
r e g is te r S ig n a ls .upIHO.r p l5 ,
value Spec.dcIHO.TRUE,
accep t.upIHO.re se tS ig n a l,
registerSignals.upIH O .rplO , <— The User Panel instance is waiting now.
addStFeatureValue. dcIHO. isLocked.TRUE, 
send.dlHO.dcIHO.doorlsOpenSignal,
registerSignals.dcIH 0.rp6, <— The Door Controller instance is waiting now.
registerS ignals.d IH 0.rp l9  <— The Door instance is waiting now.
The trace shows the sequence of events generated from the checking of TIS 
SYSTEM  process. The registerSignals event causes the object to wait until one 
of the registered signals arrives. As highlighted in the trace, eventually all the sys­
tem’s objects are waiting for each other, causing deadlock. The Door Controller 
(dcIHO) will never send the entryAuthorized signal to the User (uIHO) because it 
does not make sense for a User to enter when the door is locked. Consequently, 
the User cannot evolve its behaviour. Also the unlockLatchSignal will never be 
sent from the User Panel (upIHO) to the Door Controller and so the Door Con­
troller cannot evolve its behaviour. This scenario might happen in real life if the 
user takes a long time (more than the timer period (lockTimeoutExceeded)) to 
open the door after getting permission to enter from the User Panel.
We cannot claim that this deadlock is a breach of the TIS requirements [31] for 
two reasons: firstly, the entry expiration timer that caused this deadlock was not 
specified explicitly in the requirements document. However, we added this timer
CHAPTER 4. FUML MODEL FORMALIZATION
as part of the system implementation to prevent the Door Controller from waiting 
forever for a User to enter the enclave. Secondly, the requirements do not specify 
a certain communication mechanism between the system components (objects), 
leaving that as an implementation issue. We would argue that this deadlock 
was identified because we modelled concurrent behaviour of all the components 
within the TIS subsystem.
When we disabled the entry expiration timer (i.e., the door can be kept closed 
and unlocked forever), the system did not deadlock and FDR2 succeeded in do­
ing a full model check in eight seconds after exploring 9.2K states on the same 
hardware. The controlled buffer with the pre-described implementation in Sec­
tion 4.2.2 allowed for this fast compilation and model checking compared to the 
initial attempts’ implementation of the inter-object communication mechanism.
We also tried to reproduce this deadlock scenario on the Tokeneer simulator [12]; 
however, this scenario did not happen due to the different implementation using 
SPARK.
4.4.4 Deadlock checking results with two users
Another advantage that the fUML model formalization grants, is to check the 
model while having several instances of certain class (es) in the system and in­
vestigate its concurrent behaviour. As an example of this kind of investigation, 
we used our framework to model check Tokeneer while having two users in the 
system (two objects of the User class).
The model checking using FDR2 reveals another deadlock scenario that guided 
us to another problem in our Tokeneer fUML model. The problem is that there 
is no mechanism in our Tokeneer fUML model that allows the Door Controller 
and User Panel to distinguish between each user in the system. For example, 
when the Door Controller sends the doorUnlockedSignal, it will be broadcasted 
to all the users in the system while there is only one user is expecting it.
Below is a simplified version of a segment of the revealed deadlock scenario which 
shows how the receiving of unexpected signals could create inconsistency between 
the objects’ states, and thus deadlock.
4.4. THE FORMALIZATION OF THE TIS FUML MODEL 89
<send.uIHO.uIHO.requestEntrySignal, 
accept.uIHO.requestEntrySignal, 
send.uIHO.upIHO.readUserTokenSignal, 
accep t.upIHO.readUserTokenSignal, 
send.upIHO. dcIHO.unlockLatchSignal, 
accep t. dcIHO.unlockLatchSignal, 
send.dcIHO.upIHO.unLockingDoorCompleteSignal, 
accep t.upIHO.unLo ckingDoorCompleteSignal, 
send.upIHO.uIHO.doorUnlockedSignal, 
send.upIH O .uIH l.doorU nlockedSignal, 
accep t.uIHO. doorUnlockedSignal, 
send.uIHO.dlHO. openDoorSignal, 
accep t.dlHO. openDoorSignal, 
send.dcIHO.uIHO. entryAuthorizedSignal, 
send .dcIH O .uIH l.entryA uthorizedSignal 
. . . >
As highlighted in the trace, two signals have been sent from the User Panel 
(upIHO) to the second user uIHl [doorUnlockedSignal and entryAuthorizedSig­
nal) before uIHl even requests entry using requestEntrySignal. That is because 
upIHO just broadcasts the signals to the exsisting users in the system. Those sig­
nals will not be accepted by uIHl, however they will be queued in its buffer until 
it sends requestEntrySignal to itself. This will make uIHl continue its execution 
without waiting to any response from the User Panel and the Door Controller, 
and thus establishing an inconsistency between the system’s objects states. For 
example, uIHl will be able to open the door (sends openDoorSignal) before the 
Door Controller unlocks it (sends doorUnlockedSignal). Such inconsistency will 
lead to a deadlock as soon as the objects cannot cope with this disorder that has 
not been considered in the model design.
Being able to use the framework to model check the system with two concurrent 
users allowed us to find such a major problem in the TIS fUML model. How­
ever, we could not have reached this deadlock scenario without applying some 
optimization techniques on the generated CSP script, so that FDR2 can check 
it. The check explored 90M states in 20 hours. The optimization techniques are 
described in Chapter 7.
90 CHAPTER 4. FUML MODEL FORMALIZATION
4.5 Summary
We described in this chapter our approach for addressing two of the issues that 
have been covered only to a limited extent in the literature and we argue that the 
lack of treatment has a strong impact for not using formalization of semi-formal 
models in practice. The two issues are:
• Consideration of asynchronous inter-object communication.
• Consideration of the errors arising from the implementation decisions.
We have discussed that using fUML as a semi-formal language contributed in 
addressing those issues because the standard defines the inter-object communica­
tion mechanism. Also fUML is an executable modelling language, which means 
that all the implementation decisions should appear in the fUML model.
The chapter described the framework for implementing the approach which for­
malizes the fUML models into CSP based on a group of mapping rules (Map- 
Rules). Using CSP as a formal language facilitates checking the concurrent be­
haviour of the fUML model in general and deadlock freedom in particular. We 
could not do this checking without the formalization of the inter-object asyn­
chronous communication mechanism in an effective representation that guaran­
tees the compilation and checking of industrial size models using FDR2. Having 
the model formalized allowed also for evaluating different interpretations for the 
signals dispatching strategy (one of the fUML semantic variation points). We 
have implemented the formalization framework using Epsilon tliat performs the 
MDE tasks based on the fUML and CSP meta-models.
Finally, we validated the functionality of the framework (mainly the Model For­
malizer) using the TIS case study. The Model Formalizer managed to formalize 
the TIS fUML into CSP, then we used FDR2 to check the model against dead­
locks having one and two users in the system. The model checking using FDR2 
succeeded in detecting several problems in the TIS fUML model. The detected 
problems can only appear when considering the asynchronous inter-object com­
munication and some implementation decisions, because the problems do not 
have a corresponding representation in the high level specification of the TIS.
Chapter 5
Behavioural Consistency 
Checking of UML/fUML Models
One of the challenges that modellers may face when modelling the system’s re­
quirements in an fUML model is losing the consistency between the requirements 
and the model due to the amount of the implementation detail that exists in the 
fUML model (as it is an executable model). This challenge has inspired us to ex­
tend our formalization approach to handle this issue effectively by introducing a 
new artifact in the modelling process (UML state diagrams) that stands between 
the very abstract specification and the very detailed fUML models.
The UML state diagrams can be used to model the behaviour of the active objects 
in the system without addressing the implementation decisions. Following that, 
the modeller can refine these state diagrams by adding all the required details to 
have an executable model in the form of fUML activity diagrams for the same 
objects.
Checking the consistency between each UML state diagram and its corresponding 
fUML activity diagram is very important to ensure the compatibility between the 
specifications and the implementation. However, the available CASE tools can 
only be used to draw the diagrams and perform the syntactical checking (i.e., 
checks if the UML/fUML diagrams meets the UML/fUML standard specifica­
tion).
On the other hand, in the formal methods domain it is a common task to check 
consistency between abstract and concrete models using model checkers or theo­
91
CHAPTER 5. BEHAVIOURAL CONSISTENCY CHECKING OF UML/FUML
92 MODELS
rem provers. To import refinement into the UML/fUML domain, we are propos­
ing a framework that allows checking UML/fUML models consistency by formal­
izing the UML/fUML models into CSP, then performing the formal consistency 
checking using FDR2.
In this chapter we will show how we extended our formalization framework, 
namely the Model Formalizer to automatically check the behavioural consistency 
between the UML state diagrams and their corresponding fUML activity dia­
grams.
As described in Section 3.1.4 of Chapter 2, we differentiate between two types 
of model inconsistency. First, intra-model inconsistency, which occurs if two (or 
more) diagrams with different types are not consistent (e.g., a state diagram 
and a related sequence diagram in the same UML model). In this type the two 
diagrams are on the same level of detail (no one refines the other) as they arc just 
two views of one behaviour. Second, inter-model inconsistency, which occurs if 
two (or more) diagrams with the same type are not consistent (e.g., a version of a 
state diagram and a refined version represented as a state diagram as well). Our 
work is a combination of these two kinds because we check consistency between 
two different kinds of diagrams (state and activity diagrams) and at the same 
time the second (activity diagram) is a refinement for the first (state diagram). 
Hence, we will refer to this as behavioural consistency.
Although checking consistency between semi-formal models (e.g., UML) has been 
addressed many times in the literature [98, 45] using formal methods, to our 
knowledge, our approach is the first attempt to check consistency between non­
executable and executable semi-formal models. Also, the way we formulate the 
consistency checking assertion in CSP to include the two models actions, is one 
of our work contributions.
The rest of the chapter is organized as follow. Section 5.1 gives an overview about 
the approach we designed to check this kind of consistency in the UML/fUML 
models. Section 5.2 describes how we extended the Model Formalizer to handle 
the behavioural consistency checking and the new Map-Rules. Section 5.3 shows 
the output when formalizing the TIS UML/fUML models. Section 5.4 describes 
our contribution for allowing FDR2 to perform the consistency checking and 
provide a valuable feedback.
5.1. APPROACH OVERVIEW 93
5.1 Approach overview
In Section 4.1 of Chapter 3 we described our formalization approach and the 
framework that supports it. In this section we describe the extension of this 
approach to handle consistency checking between UML state diagrams and their 
corresponding fUML activity diagrams. Figure 5.1 shows the architecture of the 
formalization framework after extending it to support consistency checking.
UML
Meta-model
8^
II
UML 
State Diagram
fUML CSP
Meta-model Meta-model
''1— T —i
Modeller
fUML 
Activity Diagram
Model
Formalizer CSPScript
OK! FDR2
V  J
Counter
Example
Figure 5.1: Formalization framework architecture
Initially the modeller uses a CASE tool (e.g., MagicDraw) to draw the UML 
state diagrams and the corresponding fUML activity diagram for each active 
class in the system. To check consistency between the UML/fUML diagrams, the 
modeller should initiate the checking process. As a first step the diagrams will 
be converted to the XMl (XML Metadata Interchange) [84] format, thus it can 
be read by most of the MDE framework.
The Model Formalizer then processes the input diagrams (state and activity dia­
grams) and transforms them to a CSP script based on a group of Map-Rules and 
the input UML2 [120], fUML [88] and CSP [117] meta-models. The generated 
CSP script is subsequently used as an input to FDR2 that performs the consis­
tency automatic checking. If there is a consistency problem FDR2 generates a 
counter-example which includes the traces (sequence of events) that led to the
CHAPTER 5. BEHAVIOURAL CONSISTENCY CHECKING OF UML/FUML
94 MODELS
problem.
Having consistent UML/fUML diagrams will make the code generation (or model 
interpretation) a safer and direct process, because the modeller will be confident 
that the generated code from the fUML model is compatible with the system 
UML model.
Generally, there could be other ways to check the consistency between a state 
diagram and its corresponding activity diagram without formalizing them. For 
example, there could be a tool that automatically generates the activity diagram 
from the state diagram, and then this tool keeps track for any changes to be done 
in the generated activity diagram and makes sure it is consistent with the state 
diagram.
Another way to check the consistency between the state diagram and its corre­
sponding activity diagram is to use the Epsilon Validation Language (EVL) to 
check certain constraints between the two diagrams. However, this can be useful 
for checking static properties rather than checking the behavioural consistency 
between them (our work’s focus).
5.2 Extending the Model Formalizer
Recalling the Model Formalizer functionality from Section 4.2 of Figure 4, it 
transforms a source fUML model into a formal representation (CSP script) based 
on Epsilon as an MDE framework in two stages (model-to-model then model-to- 
text transformation).
We have extended the Model Formalizer formalization scope to include UML 
state diagrams based on the UML2 meta-model [120]. To support this extension, 
we added three additional Map-Rules which are depicted in Table 5.1. We assume 
that all the transitions represent signals acceptance. The Map-Rules include the 
elements that we use in our work case studies, so elements such as composite or 
orthogonal states are not considered in the formalization. Also the formalization 
of the UML state diagrams has been addressed many times in the literature (as 
we showed in Section 3.1.1) and our focus in this research is mainly on the fUML 
activity diagrams.
UML Element CSP Representation
5.2. EXTENDING THE MODEL FORMALIZER 95
M a p -R u le (ll):  S tate M achine
StateMachine1( selfObj ) J
StateMachine 1-Proc ( selfO bj ) 
let
Process Body 
within STATE-1
M ap-R ule(12): S tate
Statel STATE-1 = inStatelSTl -4- ...
M ap-Rule (13): Transition
sig1
Statel
3 .....
—> accept\aIHt)\sigl —>• STATE-2
State2
Sr.
M ap-R ule(14): M ulti-Transitions
sig1
Statel I
State2
... {accept\aIH{)\sigl STATEJ1
□
accept\aIH0\sig2 -4- S T A T E S )
^  states
Table 5.1: The UML state diagram to CSP Map-Rules
Map-Rule(ll) translates the UML state machine (which includes all the states
CHAPTER 5. BEHAVIOURAL CONSISTENCY CHECKING OF UML/FUML
96 MODELS
and the transitions) into a localized process. The within statement points to the 
state connected to the initial state. Each sub-process inside this localized process 
represents different state as shown in Map-Rule(12). Although, the inState event 
does not affect the behaviour of the object, it will be required for traceability 
reasons as will be shown later. The event holds the current active state ID (e.g., 
^T7).
Map-Rule(13) translates a transition into the accept event which holds the in­
stance handler of the active object (e.g., alHO) and the signal that triggers this 
transition (e.g., sigl) . We use the same alphabets of the fUML activity diagram 
formalization to be able to check the refinement between them. Map-Rule(14) 
addresses the case when there is more than one transition coming out from a 
state.
Each of those Map-Rules has a precise definition in the ETL script that performs 
the Model-to-Model transformation. Figure 5.2 shows the ETL representation 
(simplified version) of Map-Rule(ll) (as an example) and parts of the UML and 
CSP meta-models involved in this rule.
Map-
Rule(1l)
UML
CSP
ETL
Rule
StateMachine To Localized Process
^DoorControi!er_SD(selfObj)^ ^
Corresponding Meta-model
StateMachine
D oorC on tro ller_S D _P roc(se lfO b j)  =  
let
w ith in  S T A T E  1
rule StateMachine_To_MainProcess 
transform sm : SDlStateMachine 
to pid : CSPlProcessID,
pa ; CSPIProcessAssignment
{
pa.processID := pid; 
pa.processExpression := localProc;
pid.name = sm.name + '_Proc';
}
ProcessExpression
7\
Process ID
name: String
processExpression jprocessID
ProcessAssignment
process
LocalizedProcess
Figure 5.2: Map-Rule(ll) ETL and meta-models
The model elements can be accessed using the variables SD and CSP with 
the M’ operator for the UML state diagram and the CSP model respectively. 
The localProc variable represents the main LocalizedProcess that all other sub-
5.3. FORMALIZING THE TIS UML/FUML MODELS 97
processes belongs to it. By executing this rule two CSP elements will be cre­
ated (instances from: ProcessID and ProcessAssignment) and added to the CSP 
model. The reader can refer to [64] for more detail about the Epsilon languages.
The Model Formalizer extension did not include any changes in the EGL script 
which performs the Model-to-Text transformation. That is because we did not 
introduce new constructs to the CSP meta-model for formalizing the UML state 
diagram.
The final output of the Model Formalizer at this stage is a CSP script that 
contains N pairs of CSP processes, where N is the number of active objects in 
the UML/fUML models. The first process in each pair represents the UML state 
diagram behaviour as described above, while the second process represents the 
fUML activity diagram behaviour as described in Chapter 4.
5.3 Formalizing the TIS UML/fUML models
We used the TIS UML/fUML models to test the Model Formalizer’s new func­
tionality. The model contains four active objects, each one is modelled abstractly 
as a UML state diagram and concretely as an fUML state diagram. Figure 5.3 
shows the Door Controller state diagram which is obviously simpler than its 
corresponding activity diagram depicted in Figure 4.14 (the full version in Ap­
pendix A) due to its missing the implementation details. It is obvious also that 
state diagrams can be linked easily to the original specification to ensure their 
compatibility.
The Model Formalizer succeeded on generating a comprehensive CSP script that 
contains all the active objects’ CSP processes (two processes for each object) 
after applying the ETL Map-Rules followed by the EGL script. Figure 5.4 shows 
the output for the DoorController_SD state diagram formalization.
According to Map-Rule(ll), the state machine has been translated into a localized 
CSP process (DoorControllerSD-Proc). Each state is translated to a CSP sub­
process based on Map-Rule(12) (e.g., S5_Open_Locked state was translated to the 
process STATE^5). The inState event is used to identify the current active state 
{ST l, ST2, etc.). Applying Map-Rule(lS) and (14) translated all the transitions 
into the accept events which represent signals reception (e.g., lockLatchSignal, 
unlockLatchSignal, etc.) by the object to change its state.
CHAPTER 5. BEHAVIOURAL CONSISTENCY CHECKING OF UML/FUML
MODELS
DoorController_SD[ selfObj ) J~
unlockLatchSignal unlockLatchSignal
S 3_0p en  Unlocked I lockLatchSlgnal
unlockLatchSignal
doorlsOpenî lignai
doorlsClosedSignal
S4 Open Locked I
tImeoutSignal
-V_
clearAlarmSignal I S5_Open_Locked
doorlsClosedSignal
i S2_C losed_Unlocked lookLatchSlgnal j S1_C losed Locked  ^
unlockLatchSignal i
doorlsClosedSignal
Figure 5.3: Door Controller UML state diagram
5.4 Behavioural consistency checking
Having the two kinds of diagrams (UML state diagram and fUML activity di­
agram) formalized into CSP makes the behavioural consistency checking using 
FDR2 a direct process. We use FDR2 to handle the model checking based on the 
traces refinement semantic model [106]. From one point of view of the process 
execution, one process is consistent with another if its behaviour are allowed by 
the other. Compared to other semantic models (e.g., stable failures), this one is 
sufficient to check if the two UML/fUML diagrams are behaviour ally consistent.
As a first attempt, we modified the Model Formalizer to augment the CSP script 
with the following assertion to let FDR2 check the refinement between each pair 
of CSP processes, where the set hiddenEvents includes all the events except the 
accept event.
D oorC ontro llerSD -P roc {dcIHO) U t
Door Controller Activity-Proc {alHO, dlHO, dcIHO, upIHO, uIHQ) \  hiddenEvents
One problem of using this assertion is that, in the case of an inconsistency, the 
generated counter-example (a trace leading to this inconsistency) by FDR2 will 
include the sequence of events from the DoorControllerActivity^Proc process
5.4. BEHAVIOURAL CONSISTENCY CHECKING 99
DoorController...SD^Proc = let
STATE-1 = inStatelSTl acceptlselfObjlunlockLatchSignal —>■ STATEJ1
STATE-2 = inState\ST2 —> {acceptlselfObjUockLatchSignal —)■ STATE-1
□
acceptlselfObjldoorlsOpenSignal S T A T E S )
S T A T E S  = inStatelSTS —> {acceptlselfObjUockLatchSignal —> STATE-4
□
acceptlselfObjI doorlsClosedSignal -> STATE-2  
□
acceptlselfObjlunlockLatchSignal -4- S T A T E S )
STATE-4 = inState\ST4 - 4  {acceptlselfObjlunlockLatchSignal - 4  S T A T E S
□
acceptlselfObjltimeOutSignal - 4  STATE-5  
□
acceptlselfObjldoorlsClosedSignal - 4  STATE-1)
S T A T E S  = inState\ST5 - 4  {acceptlselfObjlunlockLatchSignal —> S T A T E S
□
acceptlselfObj I clear AlarmSignal -4 STATE-4  
□
acceptl self Objl doorlsClosedSignal -4
within ST A T E -l
Figure 5.4: Corresponding CSP process for the Door Controller state diagram
only (i.e., the counter-example will not include the executed events from the 
DoorControllerSD-Proc process). As we will see in the next chapter, we need 
the executed events from the two processes in order to reflect this counter-example 
on the activity and the state diagrams to identify the inconsistency source.
To overcome this issue, we introduce an additional process DoorControllerSD-TR. 
This process is a copy of the DoorControllerSD-Proc except that it stops when 
any accept event other than those allowed by the DoorControllerSD-Proc pro­
cess happens. For example, the sub-process S T A T E S  in DoorControllerSD-TR  
is generated as follow:
CHAPTER 5. BEHAWOERAL CONSfSTENCY CBECERVG OE EML/EEML
100 MODELS
S T A T E S  = inS ta te \ST2  - 4  (acceptlselfObjUockLatchSignal - 4  S T A T E S
□
acceptl self Ob j  I doorlsOpenSignal - 4  S T A T E S  
□
acceptl self Obj?x - 4  ST O P )
The refinement check (assertion) we now perform is: 
DoorControllcrSD _Proc (dcIHO) Ç t
(DoorControllcrActivity-Proc (a/HO, dlHO, dcIHO, upIHO, ulHO) 
II D o o rC o n tro llc rS D -T R  (dcIHO)) \  hiddenEvents
{ \ acc ep t \ }
The parallel combination above represents a process that follows the states in the 
D oorC ontro llcrSD -P roc  process, but without affecting the refinement checking. 
This representation of the refinement assertion has solved the pre-described trac­
ing issue, as now the generated counter-example by FDR2 includes the events of 
the two main processes (D oorC ontro llcrSD -Proc  and Door Controller Activity-Proc)  
which are needed to construct the appropriate feedback to the modeller. To show 
the effect of this technique, in the Door Controller fUML activity diagram in Fig­
ure 4.14, assume that the modeller (by mistake) connected the initial node to 
the ValucSpccification action (located on the top right corner) instead of the 
Accept (unlockLatchSignal) action. After the formalization and performing the 
refinement checking using FDR2, the generated counter-example will be as fol­
lows:
<
valueSpec.dcIHO.FALSE,
addStPeatureValue.dcIHO.isAlarming.FALSE, 
valueSpec.dcIHO.FALSE,
addStFeatureValue.dcIHO.isLocked.FALSE, 
send.dcIHO.uIHO.entryAuthorizedSignal, 
registerSignals.dcIHO.rp3, 
instate.STl,
accept.dcIHO.lockLatchSignal
We could not have seen the event in S ta tc .S T l  in this trace without the parallel
5.5. SUMMARY 101
combination with the D oorControllerSD-TR  process. Having this event in the 
counter-example clarifies to the modeller that the first state (Sl-Closed-Locked) 
cannot accept the lockLatchSignal while the activity diagram at this point can 
accept it. The idea of having this parallel combination in the assertion to track 
the states is one of our research’s contributions.
The model checking performance using FDR2 was appropriate, only two seconds 
were required to finish the refinement checking for each class (i.e., checking the 
behavioural consistency between the UML state diagram and the corresponding 
fUML activity diagram of the same class), and thus, for the used case studies, 
there is no need for optimizing the CSP model.
5.5 Summary
We introduced in this chapter an extension for our formalization approach to 
allow for checking the behavioural consistency between an abstract UML state 
diagram and a corresponding fUML activity diagram that models the same be­
haviour (of an active object) but with more implementation details. This exten­
sion required modifying the Model Formalizer to handle the UML state diagrams 
formalization via additional Map-Rules. It also required the generation for an 
assertion in the CSP script to allow the refinement (consistency) checking using 
FDR2 in a novel way that guarantees the appearing of all the needed information 
(events) in the counter-example (in case of inconsistency).
In order to validate this extension, we used the TIS case study to automatically 
check the consistency between the classes UML state diagrams and fUML activity 
diagrams. The framework helped us to identify some inconsistencies between the 
UML/fUML diagram especially in the setting of the initial nodes. The model 
checking time was satisfactory, and thus no need for further optimization to the 
CSP model.
Chapter 6
Formalization and Model 
Checking Feedback
One of the limitations of the Model Formalizer is that it cannot formalize all 
UML/fUML models. In other words, the input UML/fUML model should meet 
certain constraints and structure to be complied with our Map-Rules. We have 
discussed the rationale behind this limitation in Chapter 4 and showed that it 
is vital for having a checkable model. Nevertheless, there must be a component 
that acts like a guard (not a filter) to make sure that the input UML/fUML 
model complies with the Map-Rules. In this chapter, we introduce an additional 
component to our formalization framework called the Formalizability Checker. 
The new component provides compiler-error style feedback to the modeller when 
there are problems in the UML/fUML model that inhibit the Model Formalizer 
to perform the formalization to CSP.
Another limitation in our formalization framework is that the modeller is iso­
lated from the formal method domain to a limited extent, namely, until the 
model checking phase using FDR2. We cannot claim that the displayed counter­
example by FDR2 after the model checking, in case of deadlock or inconsistency, 
can be understood effortlessly by the modeller who developed the model using 
UML/fUML. Moving towards a complete isolation for the modeller from the 
formal domain, there must be a translator that converts FDR2 output (counter­
example) to modeller-friendly feedback.
In this chapter, we will introduce two additional components to the formaliza­
tion framework that address this issue. The first component, UML Sequence
103
104 CHAPTER 6. FORMALIZATION AND MODEL CHECKING FEEDBACK
Diagram Generator, converts FDR2 counter-examples in case of deadlock to a 
UML sequence diagram that shows the interactions between the system objects 
until reaching the deadlock states. The second component. Model Debugger, al­
lows the modeller to interactively debug the counter-example on the UML/fUML 
diagrams to identify the cause of the inconsistency between them. As will be 
outlined in the chapter’s sections, the feedback provided differs depending on the 
checked property (deadlock or inconsistency) to maximize the understandability 
of the feedback and make it really valuable to identify the problem in the model.
In order to generate this kind of feedback out of the counter-examples, we added 
more functionality to the Model Formalizer to generate traceability information, 
namely, mapping tables. The feedback components depend on this information 
to link between the CSP and the UML/fUML domains.
Providing this variety of formalization and model checking feedbacks adds to the 
practicality and the originality of our work, as this consideration was out of the 
scope of the reviewed literature in this field.
The rest of this chapter is organized as follows. Section 6.1 gives the overview 
about the new feedback components and how they fit in our formalization frame­
work. Section 6.2, Section 6.3 and Section 6.4 describe the functionality and the 
implementation of the Formalizability Checker, UML Sequence Diagram Gener­
ator and Model Debugger components respectively.
6.1 Extending the formalization framework for feedback
Building on the basic formalization framework introduced in Chapter 4 and ex­
tended in Chapter 5, we introduce here three new components which are re­
sponsible for providing the modeller with various forms of feedback related to the 
formalization and the model checking results. Figure 6.1 shows those components 
and how they fit in the formalization framework.
6.1. EXTENDING THE FORMALIZATION FRAMEWORK FOR FEEDBACK 105
Modeller
UML
Meta-model
FDR2
fUML
Meta-model
CSP
Meta-model
UML 
State Diagram
Formalization
Report
CSP
ScriptfUML 
Activity Diagram
Object-to-Class 
Mapping Table
UML
Sequence Diagram
CSP-to-UML/fUML 
Mapping Table
RP-to-Signals 
Mapping Table
UML Sequence 
Diagram Generator
Model Debugger
Counter
Example
Formalizability
Checker
Model
Formalizer
Figure 6.1: Formalization approach architecture with feedback
The first component is the Formalizability Checker which checks the input models 
(UML state diagrams or fUML activity diagrams) to make sure that they meet all 
the requirements to be formalized into CSP. In case there is a problem that will 
prevent this model from being formalized correctly, the Formalizability Checker 
produces a Formalization Report that informs the modeller of the source of this 
problem(s).
The extension of the framework also includes two other components that translate 
FDR2 formal output from just trace of events (counter-example) to a modeller 
friendly format. In the case of checking deadlock freedom between several com­
municating active objects in the fUML model, the UML Sequence Diagram Gen­
erator component reads the counter-example produced by FDR2 (if a deadlock 
state is found) and translates it to a UML sequence diagram that shows the in­
teractions that lead to this deadlock. In the case of checking consistency between 
UML/fUML models, the Model Debugger component reads the counter-example 
(if inconsistent states are found) and reflects it to the UML/fUML diagrams by 
highlighting the elements one by one until reaching the inconsistent states.
Two mapping tables are required for the UML Sequence Diagram Generator 
and the Model Debugger components to perform their tasks. The first one is the 
Object-to-Class Mapping Table which stores each class and the corresponding ob-
106 CHAPTER 6. FORMALIZATION AND MODEL CHECKING FEEDBACK
ject(s) for each one. This table is generated automatically based on the modeller 
input (number of objects per class) before the formalization process. The second 
table is the RP-to-Signals Mapping Table which stores the expected signals for 
each registration point (RP) in the fUML activity diagram (where Map-Rule(4) 
is applied).
The third mapping table in the framework is the CSP-to-UML/fUML which 
stores the corresponding UML/fUML element for each CSP event. This table is 
generated by the Model Formalizer to allow the Model Debugger to reflect the 
CSP events in the counter-example to the UML/fUML diagrams.
The following sections describe each of the feedback components in more detail 
and provide examples of their modeller friendly outputs.
6.2 The Formalizability Checker
The Map-Rules described in Chapter 4 and Chapter 5 include only a subset of 
the UML/fUML elements, this means that not every UML/fUML diagram can be 
formalized using the Model Formalizer. Also the Map-Rules require some restric­
tions on the UML/fUML elements that the CASE tools do not check (e.g., setting 
the signal property in the SendSignalAction is not imposed by the CASE tools).
For that reason, the UML/fUML diagrams have to fulfill minimum requirements 
(certain conditions) in order to be formalized correctly. These requirements in­
clude: the existence of certain elements, the assignment of certain properties and 
certain organization of the elements.
The Formalizability Checker component is responsible for checking that the UML/fUML 
diagrams meets such requirements by performing pre-dehned checks. If one (or 
more) check was not met, the Formalizability Checker generates a Formaliza­
tion Report that includes the missing element (s) that can eventually corrupt the 
formalization process.
As there are many checks that should be conducted, we include in Table 6.1 only 
some examples of those checks and the related UML/fUML for each check. The 
rest of the developed checks are included in Appendix D.
6.2. THE FORMALIZABILITY CHECKER 107
Check# UML/fUML
Element The Check
Chk(l) Any Node
Any node in the UML/fUML diagram should 
have an incoming and outgoing edges, except:
• The initial node has an outgoing edge 
only.
• The final node has an incoming edge only.
• The SendSignal Action inside the Expan- 
sionRegion has not any incoming or out­
going edges.
Chk(2) InitialNode
Any UML state diagram or fUML activity di­
agram should include only one connected Ini­
tialNode.
Chk(3)
ValueSpecification
Action
The body property of any ValueSpecification Ac­
tion should be set to TRUE or FALSE (as we 
support the boolean values only). The action 
should also have an output pin.
Chk(4) SendSignal Action
The signal property of any SendSignal Action 
should be set to a signal classifier in the model. 
The action should also have an input pin (tar­
get) connected to one of the ActivityParame- 
terNodes to define the target object that should 
accept this signal.
Chk(5) ActivityEdge
The name property of the edges connected to a 
decision node from the source side and this de­
cision node is connected to the output pin of an 
AcceptEventAction from the other edge source 
side (related to Map-Rule(4)), should be set to 
the name of a signal classifier in the model.
Table 6.1: Some of the Formalizability Checker checks
108 CHAPTER 6. FORMALIZATION AND MODEL CHECKING FEEDBACK
There are bad consequences in each case if a check is not met as the Model 
Formalizer will report errors while applying the ETL Map-Rules (very restrictive 
checks). For example, in Chk(2), the Model Formalizer will not be able to set 
the initial CSP sub-process in the within clause of the localized process. Another 
example, in Chk(5), the Model Formalizer will fail to set the expected signal 
in the getRegisteredSignals function (the function that returns all the expected 
signals for a certain registration point) or in the accept CSP event.
Most of the reviewed literature focuses on the formalization without making sure 
that the input semi-formal model is amenable for formalization. For that reason 
we consider the Formalizability Checker as one of our research’s contributions.
6 .2 .1  T h e  im p le m e n t a t io n  o f  t h e  Form alizability  C h eck er
We have implemented the Formalizability Checker using EVE (Epsilon Validation 
Language) together with the UML/fUML meta-models to perform the checking 
task. The EVL script consists of a group of constraints (checks), each examines 
the existence of a certain pattern within a specific context. If the constraint is not 
met (false is returned), a customized message will be provided to the modeller. 
Below is the EVL representation of Chk(5);
context AD!ActivityEdge { 
constraint Chk_5 { 
check {
vcir result : Boolean := false;
if(self.source.isTypeOf(AD IDecisionNode)) and
self.source.incoming.source.owner.isTypeOf(AD !AcceptEventAction))){
for(signal in AD ! Signal.alllnstances()){ 
if(self.name = signal.name){ 
result = true;
}
}
>
return result ;
}
message : "The edge name does not match a signal name for the edge :"
+ self.name
»
The context field determines the focus of the check, which is the ActivityEdges 
in Chk(5) (i.e., this check will be applied on all the edges in the fUML activity
6.3. THE UML SEQUENCE DIAGRAM GENERATOR 109
diagrams). The AD  variable is used to access the activity diagram meta-model, 
while the self parameter is used to access the ActivityEdge attributes. The first 
if condition performs the main check of Chk(5). The for loop and its nested if 
condition scan all the signals instances in the model {AD ! Signal, alllnstances ())to 
force the check to return true if the signal name on the edge {self.name) exists 
at least once. The message field determines what the modeller will see in the 
Formalization Report.
As an alternative implementation for the Formalizability Checker, some CASE 
tools (e.g., MagicDraw) support checking validation rules (represented in OCL) 
to make sure that the model follows certain constraints. However, we choose 
to perform the check outside the CASE tool to decrease the dépendance of our 
approach.
6.2.2 The Formalization Report
When at least one of the checks returns false, the Formalizability Checker gener­
ates the Formalization Report which includes the issue(s) in the model element (s) 
as compiler-style errors. Below are some examples of those possible errors and 
the related check for each one:
<S> The “ValueSpecification(TRUE)” action needs to have an outgoing edge 
connected to another node (related to Chk(l)).
0  The activity “DoorController” does not include an initial node (related to
0  The signal property of the “send(doorUnlockedSignal)” action needs to be 
set to one of the model signals classifiers (related to Chk(4))-
6.3 The UML Sequence Diagram Generator
We have seen in Section 4.4.3 and Section 4.4.4 of Chapter 4 the format of the 
counter-examples generated by FDR2 in case of deadlock. It is obvious that 
the modeller who developed the model as UML/fUML diagrams will find it very 
hard to understand those counter-examples and project them on the fUML model. 
For that reason, we developed the UML Sequence Diagram Generator component 
which acts as a translator for the counter-example from just sequences of CSP
110 CHAPTER 6. FORMALIZATION AND MODEL CHECKING FEEDBACK
events, to a UML sequence diagram that shows the executed interactions (signals 
passings) between the model’s objects until reaching the deadlock state.
All the required information to generate such a sequence diagram exists in the 
counter-example except identifying the corresponding object(s) (instance handler 
in the CSP domain) for each class in the model. To overcome this issue, the 
framework generates the Object-to-Class mapping table based on the modeller 
input which stores this information as shown in Table 6.2
Table 6.2: Sample of the Object-to-Class mapping table for the TIS subsystem
O bject (Instance H andler) Class
upIHO User Panel
dcIHO Door Controller
uIHO User
uIH  1 User
The classes that have multiple instances will have multiple rows in that mapping 
table (e.g, the User class in the TIS model). Figure 6.2 shows the automatically 
generated sequence diagram which corresponds to the trace in Section 4.4.3. It 
is obvious that this format is more easily understood by the modeller and nearer 
to the fUML domain.
6.3.1 The implementation of the UML Sequence Diagram Generator
The UML Sequence Diagram Generator depends on an open-source tool called 
Q uick  S eq u e n c e  D iagram  E d ito r  (QSDE) [96]. The tool takes an input 
script (*.sdx file) that specifies the system objects and how they interact with 
each others. Based on that script, the tool generates a vector image for the 
sequence diagram (as shown in Figure 6.2). A sub-component of the UML Se­
quence Diagram Generator translates FDR2 output to an sdx script based on a 
group of simple mapping rules (written in Java). Table 6.3 shows two samples 
of FDR2 output and the corresponding sdx representation. The SDX command 
in the first row draws a self-sending arrow for the LockLatchSignal on the Door 
Gontroller object’s lifeline, while the command in the second row generates a 
comment associated to the Door object’s lifeline that includes the following text: 
“Expecting: closeDoorSignal” .
6.3. THE UML SEQUENCE DIAGRAM GENERATOR 111
:User rUserPanel
readUserTokenSignal
unlockLatchSignal
unLockingDoorCompleteSlgnal
^  «lockTim eoutExceeded»  
^  lockLatchSignal
doorUnlockedSignal
^  {isAlarming = FALSE}
openDoorSignal
resetSignallZ^
Expecting:
-resetSignal
^  {isLocked = TRUE} Expecting:
-readUserTokenSignal
doorlsOpenSignal
:DoorControiler :Door
Expecting:
-openDoorSignal
Expecting:
-CloseDoorSignal
Expecting:
-unlockLatchSignal
Expecting:
-entryAuthorizedSignal
Expecting:
-lockLatchSignal
-doorlsOpenSignal
Expecting:
-doorUnlockedSignal
-entryDeniedSignal
Figure 6.2: The automatically generated UML sequence diagram from FDR2 
counter-example
Table 6.3: FDR2 output and the corresponding SDX representation
E vents in  FD R 2 O u tp u t SDX R ep resen ta tio n
send.dcO.dcO.lockLatchSignal dc0:dc0.1ockLatchSignal
registers ignals. dO. rp 19
*1 uO 
Expecting: 
-closeDoorSignal 
*1
112 CHAPTER 6. FORMALIZATION AND MODEL CHECKING FEEDBACK
In order to make the sequence diagram more readable, we substitute each reg­
istration point mentioned in the registerSignals event (e.g., rpl9) with a list of 
the corresponding possible signals to be accepted at this point. We use the infor­
mation stored in the RP-to-Signals mapping table which had been generated by 
the Model Formalizer during the formalization process. This table maps between 
each rp and the possible accepted signal(s) at this point.
Multiple counter-exam ples
FDR2 has the option to generate more than one counter-example in case of 
deadlock. Instead of aborting the model checking once detecting a sequence of 
events that lead to a deadlock, FDR2 continues the model checking until reaching 
another sequence. Our framework utilizes this option in FDR2 by allowing the 
modeller to identify the maximum number of counter-examples to be generated 
in case of deadlock before the model checking process. This is made possible by 
FDR2 batch mode that gave us this level of control through the command line 
parameters.
The UML Sequence Diagram Generator has the ability to detect if more than 
one counter-example has been generated by FDR2, and thus generates a corre­
sponding sequence diagram for each counter-example.
Loops detection
Sometimes the generated counter-example includes a repetition of certain pat- 
tern(s) (sub-sequence of events) many times, which decreases the readability of 
the corresponding sequence diagram as it becomes too long to track. To avoid 
this issue, the UML Sequence Diagram Generator has the ability to detect this 
repetition automatically using an advanced search algorithm (that we have de­
veloped specially for this purpose) and replace it with one pattern surrounded by 
a “loop” box.
Figure 6.3 shows part of a generated sequence diagram. As shown inside the 
“loop” box, the repetition of sending the requestEntry and readUserToken signals 
three times, has been detected by the UML Sequence Diagram Generator. Such 
a scenario can happen due to a bug in the User activity diagram.
6.4. THE MODEL DEBUGGER 113
^ Z 1  requestEntrySignal 
accept: requestEntrySignal
readUserTokenSignal_________
a cc ep t readUserTokenSignal ^
« b io C h e c k e d N o tR e q u ire d »
bioCheckNotRequiredSignal
accept: bioCheckNotRequiredSignal
:DoorController:User :UserPanel
P )[X 3]
 ^ I requestEntrySignal 
accept: requestEntrySignal
readUserTokenSignal_________
Figure 6.3: Detecting loops in the counter-example
6.4 The Model Debugger
Our approach for checking the UML/fUML models consistency using FDR2 has 
been discussed in Chapter 5. We have seen that in case of inconsistency FDR2 
displays a counter-example that shows the executed CSP events until reaching the 
inconsistent states. The same feedback issue arises here as well, as the counter­
example (with its formal form) does not provide understandable and efficient 
feedback to the modeller to find the inconsistency source.
Unlike the deadlock counter-example generated by FDR2, this one is different as 
it does not show interactions between the system’s objects. Instead, it shows a 
certain scenario (counter-example) that is allowed by the fUML activity diagram 
but not allowed by the UML state diagram (behavioural inconsistency). For that 
reason, another kind of feedback should be provided to the modeller to reflect this 
counter-example on the UML/fUML diagrams so he can step through the model 
until finding the inconsistency-source. To implement this kind of feedback, we 
added the Model Debugger component to the framework which reads the counter­
example and then highlights the executed events on the UML/fUML diagrams 
based on the modeller interactive inputs. Figure 6.4 illustrates how the Model 
Debugger works for the counter-example depicted in Section 5.4 which shows the 
sequence of events that led to the inconsistency state between the Door Controller 
state and activity diagrams.
114 CHAPTER 6. FORMALIZATION AND MODEL CHECKING FEEDBACK
P a rt o f  th e  D o o r  C on tro ller UML S ta te  D iagram P a r  t  o f  th e  D o o r  C on tro ller fUML A c tiv ity  D iagram
D e b u g g e r  C o n tro lle r
M o d elle r T ra c e  fo rw ard
T ra c e  b a c k w a rd
R e s ta r t  tra c in g
Figure 6.4: Finding the inconsistency using the Model Debugger
Using the Debugger Controller the modeller can step forward and backward in 
the counter-example. Each time he presses the trace forward/backward the corre­
sponding UML/fUML state/action for the CSP event in the counter-example will 
be highlighted on the UML/fUML diagrams. For example, the state Sl-ClosecLLocked 
and the ValueSpecification Action (Value (FALSE)) will be highlighted at the be­
ginning of debugging. When the modeller presses the trace forward button, the 
AddStructuralFeatureValueAction (isAlarming) will be highlighted. By continu­
ally pressing the trace forward button, the actions will be highlighted one after 
one in the activity diagram until reaching the AcceptEventAction. At this point, 
the modeller will be informed by a popup message that the Door Controller 
has accepted the lockLatchSignal, while Sl-ClosedLLocked can accept the unlock­
LatchSignal only.
6.4.1 Preparing the information for the Model Debugger
It is obvious that the CSP events in the counter-example cannot be fully linked 
to the elements of the UML/fUML diagrams. That is because there is no enough 
information in the CSP events (of the counter-example) that allows the Model 
Debugger to relate them with the corresponding UML/fUML elements. For ex­
ample, how can the Model Debugger highlight the corresponding node (on the
6.4. THE MODEL DEBUGGER 115
fUML activity diagram) of the “valueSpec.dcIHO.FALSE” event without map­
ping information? Depending on the events/elements name as an identifier is not 
a solution because more than one UML/fUML action can have the same name 
(See the ValueSpecification Action^ s name (Values (FALSE)) repeated two times 
in Figure 6.4).
To maintain this kind of mapping between the CSP events and the UML/fUML 
elements, we modified the Model Formalizer to do two additional tasks. In the 
first task, it generates a unique node ID (NID) for each event in the CSP model 
and augments the event with this ID as an additional value. For the UML states, 
the instate event already holds an ID for each state (iS'Tl, ST2, •••). Listed 
below the counter-example of Section 5.4 after augmenting the CSP events with 
the NIDs.
<
valueSpec.dcIHO.FALSE.NIDI, 
addStFeatureValue. dcIHO. isAleirming. FALSE. NID2, 
valueSpec.dcIHO.FALSE.NID3, 
addStFeatureValue. dcIHO. isLocked.FALSE.NID4, 
send.dcIHO.uIHO. entryAuthorizedSignal.NID5, 
r e g is te r S ig n a ls .dcIHO.rp3.NID6, 
in sta te .S T l,
accept.dcIHO.lockLat chSignal 
>
In the second task, the Model Formalizer generates the CSP-to-UML/fUML map­
ping table which holds the CSP events IDs and their corresponding UML/fUML 
element IDs (long alphanumeric references generated by MagicDraw and stored 
in the XMI model file). The Model Formalizer generates this mapping table dur­
ing the formalization process and stores it in a text format. Table 6.4 shows a 
sample of this table which helps the Model Debugger to know which UML/fUML 
elements to highlight given the CSP event ID included in the counter-example.
Table 6.4: Sample CSP-to-UML/fUML Mapping Table
CSP Event ID UML/fUML Element ID
ST2 _16_4_8a01c6_129197859_209692_741
NID3 _16_4_80a01c6_128715854_342172_469
116 CHAPTER 6. FORMALIZATION AND MODEL CHECKING FEEDBACK
6.4.2 The implementation of the Model Debugger
The CSP-to-UML/fUML mapping table made the implementation of the Model 
Debugger possible. The Model Debugger waits for FDR2 to finish the model 
checking (in the batch mode) and then reads the output file. If the Model De­
bugger found a counter-example (in case of inconsistency), it starts migrating 
the counter-example into the UML/fUML domain using the CSP-to-UML/fUML 
mapping table.
Unlike the other components in our formalization framework, the Model Debugger 
depends on the used CASE tool (e.g., MagicDraw) to be able to highlight the 
UML/fUML elements. The used CASE tool should support APIs that provide 
an internal access to the diagrams elements using their IDs.
We consider providing this kind of interactive model checking feedback through 
the Model Debugger to find the inconsistency source is one of our research’s 
contribution.
6.5 Summary
We elaborate in this chapter that not all UML/fUML diagrams can be formalized 
as they have to meet minimum constraints. Our proposal to handle this issue 
was to add a new component to the formalization framework (Formalizability 
Checker) that checks the input UML/fUML diagram against those constraints, 
and in case of any issue, provide the modeller with a compiler-error style that 
spots this issue.
We introduce also another kind of feedback to complete the separation of the 
modeller from the formal domain by converting FDR2 formal output (counter­
example) to modeller-friendly feedback. This has required extending the formal­
ization framework to handle the feedback task by adding additional components 
(UML Sequence Diagram Generator and Model Debugger) as well as modifying 
the Model Formalizer to generate traceability information. We have shown that 
the kind of the feedback should vary based on the checked property to increase the 
significance of the feedback. For that reason, we convert FDR2 counter-example 
to a UML sequence diagram in case of checking deadlock to show the inter­
actions that led to the deadlock state, while when checking consistency between 
UML/fUML diagram we allow the modeller to visually trace the counter-example 
on the diagrams to find the inconsistency source using the Model Debugger.
Chapter 7
Formalized fUML Models 
Optimization
Automatically formalizing fUML models into CSP is a challenging task. However, 
checking the generated CSP model using FDR2 is far more challenging. That is 
because the generated CSP model holds many implementation details inherited 
from the fUML model, as well as the formalization of the asynchronous fUML 
inter-object communication mechanism. Using the state space compression tech­
niques available in FDR2 (such as supercompilation and compression functions) 
is not enough to provide an effective model checking. When considering indus­
trial size models, in our experience the checking takes too much time and in many 
cases we a face state explosion problem.
We propose in this chapter an optimization approach that works on two levels in 
order to minimize the possibility of that problem. Firstly, on the fUML model 
level, where fUML optimization rules ( “fUML-Opti-Rules” ) are applied to pro­
vide the modeller with advice to optimize his fUML model. Secondly, on the 
CSP model level, optimization rules ( “CSP-Opti-Rules” ) are applied to generate 
another more optimized CSP model. In this chapter we propose a framework 
that integrates optimization with the formalization of fUML to CSP. The fUML- 
Opti-Rules are applied automatically by an Optimization Advisor component 
which generates some directions (advice) to the modeller that guides him to do 
the optimization manually, while a Model Optimizer component applies the CSP- 
Opti-Rules to generate an optimized CSP model. The chapter does not introduce 
a new optimization algorithm that can be applied on the state space level because 
we do not have internal access to FDR2.
117
118 CHAPTER 7. FORMALIZED FUML MODELS OPTIMIZATION
Our optimization is not applied on arbitrary CSP models (not generic optimiza­
tion rules), rather it is applied on a generated CSP model that follows certain 
formalization rules (defined in Chapter 4) and built of a subset of the CSP lan­
guage. The main contribution of this work is that we seize the opportunity of 
having such a constrained CSP model to develop optimization rules that lead 
to a very reduced state space. We will see in this chapter that having a spe­
cialized optimization rules that are valid for certain property (deadlock freedom) 
can boost the optimization to new areas that are hard to reach with the generic 
optimization techniques.
Another contribution is that we extend our previously established formalization 
framework to apply the optimization approach by adding three additional com­
ponents: Optimization Advisor, Model Optimizer and Optimization Interface. 
The new components are based on Epsilon as well to do the MDE tasks, such as 
the model validation and the model-to-model transformation, supported by the 
fUML and CSP met a-mo dels.
In order to realize and validate our approach, we modelled the CSS (Gas Station 
System) case study (introduced in Chapter 2) in fUML, and then we used the 
framework to formalize, optimize and then check the model using FDR2. The 
results of applying the optimization rules on the CSS model are outlined across 
this chapter which show the substantial reduction of the state space after.
The rest of this chapter is organized as follows. In Section 7.1, we give an overview 
about the framework that applies our optimization approach and the changes that 
we made in the previous components. In Section 7.2, we describe the Optimiza­
tion Advisor component. Finally, we describe the Model Optimizer functionalities 
and three optimization rules.
7.1 Extending the framework for optimization
Our optimization approach has been integrated with the formalization framework 
introduced in Chapter 4 by adding two extra components (the Optimization 
Advisor and the Model Optimizer), and separating the model-to-text task from 
the Model Optimizer to another component (CSP Script Generator). Figure 7.1 
shows the framework that performs the optimization and the formalization tasks. 
Checking the UML/fUML models consistency and providing modeller friendly 
feedback are out of this chapter scope, and thus their components are not included 
in the figure (the integration is shown in the next chapter).
Initially, the modeller uses a CASE tool (e.g., MagicDraw) to develop the fUML
7.1. EXTENDING THE FRAMEWORK FOR OPTIMIZATION 119
fUML 
Meta-model
CSP 
Meta-modelOptimizationReport
Optimization
Advisor
Model
Formalizer
(M2M)
Model
Optimizer
(M2M)
fUML
Model
CSP
Model
Optimization
Interface
Modeller
— ►
Optimized
CSP
Model
’
CSP
FDR2 M— Script
CSP Script 
Generator 
(M2T)
Figure 7.1: The integration of the optimization components
model of the system and then chooses the property that he wants to check 
(e.g., deadlock freedom). The Optimization Advisor reads the fUML model and 
searches for specific patterns that are inefficient in terms of the resultant state 
space of the CSP model. The advice is reported to the modeller through an 
Optimization Report, so he can modify the fUML model and start the model 
formalization.
We use the same Model Formalizer of the previous chapters for applying the Map- 
Rules (model-to-model transformation); however, in order to apply an automatic 
optimization on the CSP model (not the script), we took out the model-to-text 
functionality to another component called “CSP Script Generator” .
Based on the chosen property, the Model Optimizer starts its function by reading 
the CSP model (generated by the Model Formalizer) and applying a group of 
optimization rules. Those rules transform the initial CSP model to an optimized 
one that still contains the required information to check the chosen property.
Some optimization rules require an input from the modeller (e.g., CSP-Opti- 
Rule(3)). The Optimization Interface component reads this input from the mod­
eller and pass it to the Model Optimizer in an appropriate format. The modeller 
uses this component also to define the property to be checked.
All the optimization rules included in this chapter are independent (i.e., no rule 
depends on another one). The mathematical proof of each rule assumes certain 
constraints on the CSP model, not from them that another optimization rule was 
applied on the CSP model (that will be optimized).
120 CHAPTER 7. FORMALIZED FUML MODELS OPTIMIZATION
The general approach that we followed to originate all the optimization rules 
included in this chapter was a trial-and-error approach. Initially, we manually 
inspect the fUML model or the CSP script searching for the patterns that may 
cause an increase in the state space. We then examine the consequences of 
removing this pattern from the model. If it is safe to remove it without affecting 
the property that we check, we remove it manually and see if the removal will 
really cause reduction in the state space or not. To be very confident with the 
optimization rule safety (i.e., that it will not eliminate important information 
from the model), we formulate it in a mathematical form and prove this property. 
Finally, we implement the rule in EVL (for the fUML-Opti-Rules) or ETL (for 
the CSP-Opti-Rules) so it can be applied automatically.
The CSP Script Generator component performs the model-to-text task (described 
in Section 4.2.1) that generates a CSP script from the input optimized CSP model 
based on the same CSP meta-model. At this point FDR2 can be launched to do 
the model checking and if the checked property (e.g., deadlock) is not met, FDR2 
displays a counter-example.
The following sections describe the Optimization Advisor and the Model Formal­
izer in full detail.
7.2 The Optimization Advisor
The fUML model may contain some patterns that are correct from the modeller’s 
point of view and the system specification. However, when model checking the 
CSP representation of this fUML model, a state space explosion problem may 
happen due to the existence of those patterns. The focus here is on the patterns 
that cannot be removed automatically because certain decisions are required from 
the modeller to avoid them.
The Optimization Advisor component scans the fUML model with regards to 
those patterns, and if found, it reports advice to the modeller to avoid them. As 
has been introduced, each pattern is detected by a rule called “fUML-Opti-Rule” . 
We use EVL (Epsilon Validation Language) [64] together with the fUML meta­
model to implement those rules. We have used the EVL for the implementation 
of the Formalizability Checker in Section 6.2.1.
Originating fUML-Opti-Rules needs a deep understanding of the corresponding 
CSP model of the fUML one and how FDR2 checks it. By experience, we were 
able to identify some patterns that substantially enlarge the state space in the 
presence of the inter-object asynchronous communication. Once the pattern is
7.2. THE OPTIMIZATION ADVISOR 121
defined, it becomes a direct task to develop an fUML-Opti-Rule in EVL that 
detects this pattern. Using EVL for the optimization purpose is not its typical 
usage [64]; however, using it to implement the fUML-Opti-Rules was a practical 
solution that utilizes Epsilon to cover all the functionalities of our formalization 
and optimization framework.
The following sub-sections describe two fUML-Opti-Rules and their effect on the 
state space.
7.2.1 fUM L-Opti-Rule(l): D etecting self-sending signals
When an object sends a signal to itself, we call this “self-sending”, Although this 
sounds benign, we found by experiment that self-sending signals cause an extra 
overhead on the object’s event pool buffer. Generally, a self-sending signal can 
be replaced by a direct control flow edge that joins the points of sending and 
accepting this signal. This replacement is safe provided that there is no actions 
between the two points as they will be bypassed.
Another unsafe case is when the AcceptEventAction accepts the self-sending signal 
beside another signal, such as the one highlighted in Figure 7.2 for the Pump ob­
ject activity, because a direct control flow between the FuelLevelLow signal send­
ing and acceptance (shown as a dashed line) does not preserve the behavioural 
semantics of the original activity unless the self-sending signal has the higher 
priority in the event pool (i.e., the first one to be dispatched from the object’s 
event pool). For that reason, we do not apply this fUML-Opti-Rule automati­
cally. The Optimization Advisor just highlights the self-sending signals through 
the Optimization Report, leaving the choice to the modeller to do the removal 
based on his understanding of the fUML model. The risk of implementing the 
rule is also reported to the modeller in the Optimization Report.
122 CHAPTER 7. FORMALIZED FUML MODELS OPTIMIZATION
P um p _ A C ( se lfO b j : T a n k , a tte n O b j,  m o to rO b j, g u n O b j jj
P a r t  o f th e
d ia g ra m
"K
rattenOb]
AcceptfTankEmpty, [ 
TankNotEmpty) {
T a n k N o tE m p iy  T a n k E m p ty
(RequestPumpEnable)
 1...
(FuelLevelLow)
\  Accept(FuelLevelLow, 
y X  PumpEnabled)
I  motorObj P u m p E n a b le d
...
seHObj I
 £ .
r 1  Send
■ (StartMotor) #
P a r t  o f th e  d ia g ra m  ||
Send 
(CustomerFlnlstied)
\  Accept
X  (CustomerFlnlshed)
F u e lL e v e lL o w
« V a l u e S p e c i f i c a t i o n »  |  
Value(FALSE) j
I
1 It o  th e  r e s e t  of th e  d ia g ra m !
selfOb]
Figure 7.2: Part of the Pump object activity
On the other hand, it is obvious that removing the CustomerFinished signal send­
ing/acceptance and replacing them with a direct control flow (shown as a dashed 
line at bottom left area of the diagram) will not affect the overall behaviour of 
the object.
We have developed an EVL constraint to check this pattern and report the advice 
to the modeller. The following EVL constraint applies fUML-Opti-Rule(l) on any 
SendSignal Action (defined in the context). The if  condition checks if the target 
object of this send action is the sending object. The message field defines what 
the modeller will see in the Optimization Report in case that this constraint was 
not met.
context ActivityDiagram!SendSignalAction { 
constraint fUML-Opti-Rule-lf 
check {
if(self.target.incoming.source.type.name = self.owner.name){ 
return false;
}
elset
return true ;
7.2. THE OPTIMIZATION ADVISOR 123
}}
message : "The signal action + self.name + sends the signal to its 
object which cein be replaced by a direct control flow." }}
The Optimization Advisor managed to detect four self-sending signals in the 
GSS fUML model, and by safely replacing them with direct control flows the 
state space was reduced from 10.2M states to 4.7M states when checking the 
CSP formal representation of that fUML model.
7.2.2 fUM L-0pti-Rule(2): D etecting unacknowledged signals
An “unacknowledged” signal, is one that has been sent from an object to another 
object, and then it (source object) continues sending further signals without 
waiting for an acknowledgment signal. The problem arises when this pattern is 
repeated several times, because the system will be flooded with the unacknowl­
edged signals and thus the objects’ event pool buffers will overflow.
As a simple example for this problem. Figure 7.3 shows the Meter object activity 
diagram. Without adding the accept event action for the FuelUnitDeliveredACK 
signal, this object will carry on sending the FuelUnitDelivered signal to the De­
livery object (delvObj) causing its event pool to overflow very fast. By acknowl­
edging the signal (as shown in the figure), the Meter object will be forced to wait 
until the Delivery object sends the signal FuelUnitDeliveredACK.
Meler_AD( delvObj : Delivery, selfObj : M eter ) J
delvObj : Delivery (FuelUnitDelivered)
Accept 
(FuelUnitDeliveredACK)
Figure 7.3: The Meter object activity
To find this pattern, fUML-0pti-Rule(2) searches for any SendSignalAetion and 
then follows its outgoing edge recursively. If the target of this edge is AcceptEven- 
t Action or Destroy Object Action nodes, the rule returns true (i.e., no detection 
for this pattern for this SendSignalAetion)., If the target of this edge is SendSig- 
nalAction node, the rule returns false because this means two consecutive send 
actions, and thus no acknowledgment for the first one. The following EVL script 
shows the implementation of fUML-0pti-Rule(2), where the recursive function 
findAcceptAction implements the searching logic.
124 CHAPTER 7. FORMALIZED FUML MODELS OPTIMIZATION
context AD !SendSignalAetion { 
constraint fUML-Opti-Rule-2 { 
check {
return findAcceptAction(self.outgoing.target);
}
message : "The send signal action '" + self.name + 
"' needs to be acknowledged." }}
It is the modeller’s responsibility to acknowledge the signals in his fUML model, 
because this task requires amending the fUML model by adding two actions (the 
sending and the acceptance of the acknowledgment signal).
Applying fUML-0pti-Rule(2) on the GSS fUML model for three unacknowledged 
signals, reduced the state space from 4.7M to 3.0M states when checking its CSP 
formal representation.
7.3 The Model Optimizer
After the Model Formalizer finishes its job, the Model Optimizer starts the auto­
matic optimization of the generated CSP model. The Model Optimizer performs 
a further transformation to that CSP model so that the model checker (FDR2) 
requires less states and time to check it. This transformation is done by applying 
group of optimization transformation rules (CSP-Opti-Rules). The CSP-Opti- 
Rules are defined in ETL also to perform such model-to-model transformation 
task based on the same CSP meta-model. Because the CSP-Opti-Rules are ap­
plied automatically, we support each one with a mathematical proof (theorem) to 
prove it is sound that it does not eliminate important information that is required 
for checking a specific property (e.g., deadlock).
As mentioned in the introduction, our CSP-Opti-Rules are not generic (i.e., they 
cannot be applied on all CSP models). We make use of the opportunity of having 
a constrained CSP model that has been generated from specific rules that consider 
only a subset of the CSP language. Also, our CSP-Opti-Rules are constrained 
with the checked property. For example, CSP-0pti-Rule(2) can be applied if and 
only if the modeller wants to check for deadlock freedom. Having specialized 
optimization rules that are valid for a certain property (deadlock freedom) can 
boost the optimization to new areas that are hard to reach with the generic ones.
The following sub-sections show our three CSP-Opti-Rules and their effect on the 
state space.
7.3. THE MODEL OPTIMIZER 125
7.3.1 C SP-O pti-R ule(l): Removing passive processes
We differentiate between two types of objects. First, core objects, which include 
the main behaviour of the system and interact with other objects in both direc­
tion (sending and accepting signals). Second, terminal objects, which represents 
external entities; however they interact with the system. For example, the GSS 
includes an object for the Attendant just to simulate his interaction with the 
Pump; however, it is a terminal object because it will not be part of the sys­
tem implementation. To check the model against deadlock freedom, the modeller 
should include all kinds of objects (core and terminal) in the fUML model to be 
able to explore all the system behaviours.
Passive objects are special kinds of the terminal objects as they interact in one 
direction (accepting signals only). The Motor object is one of the obvious example 
of the passive objects in the GSS as it does nothing but accept signals {StartMotor 
and StopMotor signals) from the Pump.
In the CSP domain, a passive process is defined as the process that represents the 
passive object behaviour, which is always willing to interact (never refuses any 
interaction). On the implementation level, CSP-Opti-Rule(l) is represented as an 
ETL rule that scans the CSP model for any passive process, and if found, removes 
it from the CSP model. In other words, it removes the passive process from the 
parallel combination between the system’s process which forms the SYSTEM big 
process. CSP-Opti-Rule(l) rules out a process to be passive if it contains the send 
event, which moves out the process from the passive condition (accepts signals 
only).
To formally verify that the removal of passive processes will not affect the dead­
lock checking of the system, we prove the following theorem for the passive process
P2-
T h e o re m (l) . I f  P2 is non-divergent and (s,A p 2 ) E ^"(^2 ) => Xp2 =  {} 
(passive process), then for any process P\: P\ is deadlock free Pi || P2 is 
deadlock free.
P roof
P2 = F D  RU N  From process RU N  definition in [101]
Pi II P2 = F D  Pi II RU N
— F D  Pi From LawZB in Section2.2.1 of [54]
Pi is deadlock free <=> Pi || Pg is deadlock free {as required)
126 CHAPTER 7. FORMALIZED FUML MODELS OPTIMIZATION
□
In the GSS fUML model, there is one passive object (the Motor object) and thus 
one passive process. When checking deadlock freedom, without applying CSP- 
Opti-Rule(l) (or any other optimization rule) on the corresponding CSP model, 
FDR2 was unable to complete the check without crashing. After applying CSP- 
Opti-Rule(l), the Model Optimizer removed the Motor process the CSP model 
and FDR2 succeeded to report the deadlock freedom after exploring 12.3M states 
(the whole model). The reason of this reduction is the removal of the Motor 
object’s buffer which was synchronizing with the send events in the Pump object 
and hence the send event is considered as an external communication (i.e., turning 
a closed system into an open one).
7.3.2 C SP-0pti-R ule(2): Removing abandoned events
The global target of this rule is to search the CSP model for any event that can be 
removed from the model without affecting the deadlock checking results with the 
purpose of reducing the state space. We identify one kind of event that meets this 
criteria which we call “abandoned events”. Abandoned events are those which 
do not synchronize with any other events in other processes in the system (i.e., 
an event that is not in the alphabet of any other process). The removal is done 
by skipping to the next event/process as shown in the example below:
r P = b - , c - ^ p  ^ p ' = b - ^ p '
Q = b -^ Q N
SYSTEM = P \\Q y SYSTEM' = P ' \ \ Q
Theorem(2) is the formal representation of CSP-0pti-Rule(2), nevertheless the 
following definitions and lemmas are required to support this theorem.
D eflnition(2). The operator REMO VE a{P )  is defined as follow:
REMOVEa{STOP) = STOP 
R E M O V E a { a  ^  P) = REMOVEa{P)
f  (æ)) =n (i))
REMOVEa{h P) =  b ^  REMOVEa{P) {where  6 /  a)
7.3. THE MODEL OPTIMIZER 127
REMOVEa{hlx \y^  P{x))  =  blx\y  -4- REMOVEa{P{x))
REMOVEa{P n Q) =  REMOVEa{P) fl REMOVEa{Q) Prom Section 1.2 of [101]
REMOVEaiP n Q )  =  REMOVEa(P) □ REMOVEa(Q)
, i f  a ^ initials(P) A o ^ initials(Q), undefined otherwise
L em m a(2.1). If a ^ initials{P) A a ^  initials(Q), then:
F \ { a }  □ Q \ { a }  =  (P □ Q) \  {a}
LHS RHS
P roof
To proof the equality in this lemma, we should prove that the LHS is subset from 
the RHS, and vice versa. Thus, this proof is done on two stages (1 and 2). The 
proof below depends on the failures definition of the external choice and hiding 
in Section 8.2 of [106] illustrated below:
o Q) = { «),%) I ((>,%) e E (f) nT(Q) }
u
{  ( g , %)  I g #  0  A ( a , X )  6  E ( f )  U E ( Q )  }
P( P  \  {« }) =  { ( y  {« } , X) \ { s , XU  {o }) €  E (P ) }
Therefore the failures definition of the LHS:
. F ( p \ M  o  Q \ W )  =  { « > , ; ^ ) l ( ( ) , ; : ) e E ( P \ W ) n E ( Q \ W ) }
u
{ ( 6 , X ) | a 9 6 <) A ( g , % ) € E ( P \ { o } )  U \ F ( Q \ W ) }
And the failures definition of the RHS:
F {{P  n Q )  \ { a } )  =  { { s \ { a } , X ) \ s  =  {) A ((), X  U {a}) G E(P)  n T( Q)
V
s A O  A ( s , x u { a } ) e  E(P)  U p-(Q )}
S tage(l) proof (LHS Ç RHS)
Consider : (s, X) 6 E {P  \ { o }  □ Q \  {o})
We aim to prove : (g, X) E X ((P  □ Q) \  {a})
128 CHAPTER 7. FORMALIZED FUML MODELS OPTIMIZATION
C a s e ( l . l )  : s  =  0
( 0 , X ) e E ( P \ { a }  o  Q \ { o } )
((), X ) E E ( P \ { a } )  n  X (Q  \  {a})  From  the L H S  fa i lures  def in it ion  
3 s p  ■ { s p , X  U {a})  E P { P )  A 5p \  {a}  =  () From  the h iding fa i lures  def in it ion  
3 s q  ■ { s q , X  U {a})  E F { P )  A sq  \  {«} =  () F rom  the h id ing  fa i lures  d e f im tio n  
C a se ( l. la )  : sp ^  {)
(g p ,X U {a})  E X(P) U X(Q)
{ s p  \  ( a } ,X )  E F { { P  O Q) \  {a}) F r o m  th e  R .H S  f a i l u r e s  d e f in i t i o n  
(0,x) e F { { P ü Q ) \ { a } )  B e c a u s e ,  s p  \  { a }  =  {)  
a s  req u ire d  
C a s e ( l . l b )  : sq ^  { )
S i m i l a r  a s  C ase(1.1 a), b u t  w i t h  sq 
C a s e ( l . l c )  : Sp =  { )  A sq =  { )
((), X U {a}) E F { P )  n  F { Q )  F r o m  s p  a n d  sq h y p o t h e s e s
(s \  {a}, X ) E F { { P  O Q) \  {a}) F r o m  th e  R H S  f a i l u r e s  d e f in i t i o n
( 0 ,X )  E X ((P  O Q) \  {a}) a s  r eq u ire d  
C a se (1 .2 )  : s  A  { )
( s , X ) E X ( f \ { a }  O Q \ { o } )
( s ,X )  E T { P  \  { a } )  U X ( Q \ { a } )  F r o m  th e  fa i l u r e s  d e f in i t i o n  
C a se (1 .2 a )  : ( s ,X )  E F { P  \  {a})
3 sp  • (s p ,X  U { a } )  E P { P )  A Sp \  {a} =  s F r o m  th e  h id i n g  f a i l u r e s  d e f in i t i o n  
( sp ,X U {a } )  E X(P) U X(Q)
(sp \  ( a } ,X )  E X ((P  O Q) \  {a}) F r o m  th e  R H S  f a i l u r e s  d e f in i t i o n  
(s ,X )  E X ((P  O Q) \  {a}) a s  r eq u ire d  
Case(1.2b) : (s ,X ) E X(Q \  {a})
7.3. THE MODEL OPTIMIZER 129
Similar as Case{1.2a), but withsg.
Stage(2) proof (RHS  Ç LHS)
Consider : { { s , X)  E F ((P  O Q) \  { o } ) )  A
(a ^ initials(P) V a ^ initials(Q))
We aim to prove : { s , X)  E F{ P  \ { a }  □ Q \  {a})
Case(2.1) : s =  ()
Let, { { ) , X)  E E ((P  □ Q) \  {o}) 3 s' • s' \  {a} =  0  A (s', X  U {a}) G F {P  □ Q)
From the hiding failures definition
Case(2.1a) : s' =  ()
((), X U {o}) E E(P)  n F{ Q)  From the RHS failures definition 
((), X) E F {P  \  {a}) n  JF{Q \  {o}) From the hiding definition 
((), X) E X (P  \  {a} □ <5 \  {a}) From the LHS failures definition 
as required 
Case(2.1b) : s' A {)
{ s ' , X U{ a} )  E\F{P) U X(Q) FYom the RHS failures definition
( s ' , X U { a } ) E E ( P )  V ( s ' , X U { a } ) E X ( g )
But, s' \  {a} =  0  A s' A {) 
s' =  (a) " s"
= ^ ((« > " s" ,X U {a } )E X (P )  V ( (a )" s " ,X U { o } )E X (Q )
=4» a E initials(P) V o E initials(Q) =4> Contradiction 
Which means that Case2.1b can never happens under the initial conditions 
Case(2.2) : s A {)
( s , X ) E E ( ( P O Q ) \ { o } )
Let, (s, X) E E ((P  □ Q) \  {a}) 3 s' • s' \  {a} =  s A (s', X  U {a}) E F {P  □ Q)
From the hiding failures definition
Then, (s', X U {o}) E X(P) U jT{Q) From the RHS failures definition &: s' \  {a} =  s
130 CHAPTER 7. FORMALIZED FUML MODELS OPTIMIZATION
(s ' \  {a},  X )  e  T { P  \  a )  U P { Q  \  {«}) F r o m  th e  h id i n g  f a i l u r e s  d e f i n i t i o n  
(s, X )  e  F { P  \  {a})  U J ’(Q \  {a}) B e c a u s e ,  s ' \  {a} =  s 
(s ,X ) € F { P  \  {a} □ Q \  {a}) F r o m  th e  L H S  f a i l u r e s  d e f in i t i o n  
a s  r eq u ire d
□
Lem m a(2.2). If P  \  {a} is non-divergent, RE MO VE a{P)  is defined, and 
P w— a ^  P  I c l x \ y  —> P{x)  | P 73 Q | P U Q | ST O P ,  then;
\ { a}
P ro o f  (by structural)
C a s e ( l )  \ a  P
R E M O V E a { a  ^  P )  =
R E M O V E a { P )  =  From, D e f i n i t i o n { 2 )
p \ { 4
C a se (2 )  : a ? x l y  —> P { x )
PEMOyE.(o?T!T/ P(æ)) =
n  R E M O V E a [ P { x ) )  =  F r o m  D e f i n i t i o n { 2 )
n  P { x )  \  {a} =
{ a l x \ y  - 4  P { x ) )  \  { a }
C a se (3 )  : 6 —> P , w h e r e  b A  o,
R E M O V E a i b  -> P ) =
b -4 R E M O V E a { P )  =  F r o m  D e f m i t i o n { 2 )
6 —> P \ { a }
C a se (4 )  : b l x l y  - 4  P { x ) ,  w h e r e  b A  o,
PPM0yP.(6?æ!!/ P(z)) =
b l x l y  - 4  R E M O V E a { P { x ) )  =  F r o m  D e f i n i t i o n { 2 )
7.3. THE MODEL OPTIMIZER 131
b?x\y - 4  (P(x) \  { a } )
{ b ? x \ y P ( x ) ) \ { a }
Case(5) : P  F\ Q
REMOVEaiP  n Q) =
REMOVEa{P) n REMOVEaiQ) =  From Definition{2)
P \ { a }  n Q \  { a }  =
(P  n Q) \  {«} From Lemma{8.3.3) of [101]
C ase(6) : P □ Q, where a ^ initials{P) A a ^ initials{Q)
REMOVEaiP  □ Q) =
REMOVEaiP) □ REMOVEaiQ)  =  From Definitioni2)
P \ { a }  □ Q \  {a} =
i P D Q ) \  {o} FYom Lemma(2.1)
□
Theorem (2). I f  a G ociPi), a ^ a{P2), Pi \ {a} is non-divergent, REMOVEa{Pi) 
is defined and P\ is defined as P in Lemma(2.2) then: REMOVEa{Pi) || P2 is 
deadlock free Pi || P2 is deadlock free.
P roof
REMOVEaiPi)  II Pg
=  Pi \  {a} II Pg FYom Lemma(2.2)
=  (Pi II Pg) \  {a} FYom Law 6 in Section 3.5.1 of [54]
REMOVEaiPi)  II Pg is deadlock free 44- Pi || Pg is deadlock free From Sectionl3.1.1 of [101]
(as required)
□
Theorem(2) shows the constraints that make a an abandoned event, which is not 
to be member in any other process alphabets (i.e. no process will synchronize
132 CHAPTER 7. FORMALIZED FUML MODELS OPTIMIZATION
on a). It also shows that the removing of a from Pi [REMOVEa[Pi)) will not 
affect the deadlock checking result. Additionally , in the case of P  □ Q, the 
condition a ^ initials{P) A a ^  initials(Q) should be met, which is guaranteed 
because we do not use external choices except in Map-Rule(4) in Section 4.2.1. 
The accept event after the external choice in this rule can never be considered as 
an abandoned event because it synchronizes with the process Controlled Buffer.
It is safe to apply CSP-0pti-Rule(2) on any generated CSP model from the Model 
Formalizer and by the correct selection of the abandoned event, provided that 
the deadlock freedom is the checked property.
We have implemented CSP-0pti-Rule(2) in ETL and applied it on the valueSpec 
and addStPeature Value events, because they are not synchronizing with any other 
events and they never happen after an external choice. Below is a simplified 
version of the ETL representation of CSP-0pti-Rule(2).
rule CSP-0pti-Rule_2
transform prefix: CSP!Prefix!
guard: prefix.event.eventChannel.name = "valueSpec" or
prefix.event.eventChannel.name = "addStFeatureValue"
var pa := CSPIProcessAssignment.alllnstances().select(pa I pa.processExpression = prefix)
pa.processExpression := prefix.nextProcess;
The initial guard condition imposes the application of this rule on the valueSpec 
and addStFeatureValue events only. The first select statement returns the Pro­
cessAssignment handler [pa) of the sub-process that includes the prefix of either 
of those events. Finally, we modify the processExpression of pa to be the next 
process of this prefix instead of the prefix itself. For example, applying this ETL 
rule on the sub-process ACb  =  valueSpeclselfObjlvar : {FALSE} —> AC6 will 
result A(75 =  AC6
The elimination of the abandoned events reduces the state space size, and thus 
allows faster FDR2 checks. When CSP-0pti-Rule(2) was applied on the GSS 
corresponding CSP model, 8 abandoned events were removed to reduce the state 
space from 12.3M to 10.2M states. Using the standard CSP hiding operator in­
stead of REMOVEa{P) did not provide such reduction in the state space because 
the hiding does not remove the event, it just renames it to r.
7.3. THE MODEL OPTIMIZER 133
7.3 .3  C SP-0pti-R ule(3): Toggling internal choices
Unlike the first two CSP-Opti-Rules, this one needs human interaction to be 
performed. It also does not lead to an optimized version of the original model. 
Rather, it splits the original model into sub-models that are easier to be checked 
separately using FDR2. This kind of CSP-Opti-Rules is very useful when analyz­
ing big models, as it will allow the modeller to focus on certain parts of the model 
at a time. This is a bounded approach to find and solve the model’s problems. 
Another benefit is that when the model is too big to be analyzed by FDR2, the 
CSP-Opti-Rule can be used to analyze the system in different stages, each stage 
is an analysis of one of the sub-models.
CSP-0pti-Rule(3) can be summarized as follows: when checking deadlock, if all 
the sub-models are deadlock free, then the original model is deadlock free as 
well. The splitting up of the original model is done based, generally, on reducing 
the behavioural paths in the model’s processes. In particular, CSP-0pti-Rule(3) 
replaces an internal choice with one direct connection to one of its choices. And 
in the case of more than two choices, it disables one of them. The selection of 
the enabled choice(s) comes from the modeller input through the Optimization 
Interface component.
To apply this rule, the Optimization Advisor scans the fUML model for the 
decision nodes that will be translated to internal choices in the CSP model and 
builds a table with those nodes/choices. After building the table, the modeller 
can use the Optimization Interface to toggle the choice branches and start the 
model checking. The selected choices will be passed to the Model Optimizer 
to apply CSP-0pti-Rule(3) based on the modeller selection. After the model 
checking, the modeller can repeat the process with different choice.
Theorem(3) below proves that this accumulative deadlock checking (on several 
stages) is equivalent to the original model deadlock checking (as a whole). For 
example, if the model checking of sub-model-A (which has decision-1 ON and 
decision-2 OFF) is deadlock free, and sub-model-B (which has decision-1 OFF 
and decision-2 ON) is deadlock free, then the whole model is deadlock free.
T heorem (3). I f  SYS  =  Pi D P2 , SYS ' = Pi (after splitting SYS and choosing 
the first branch), and SYS" — P2 (after splitting SYS and choosing the second 
branch), then:
SYS Deadlock Free 44 SYS' Deadlock Free A SYS" Deadlock Free 
P roof
Let SYS  be an LTS (Label Transition System) that consists of:
134 CHAPTER 7. FORMALIZED FUML MODELS OPTIMIZATION
- Set of nodes {Pq, P i , • • • , P-n}, each represents the current status of the system.
- Binary transitions relations between those nodes {  ^ > j x G A+}, where 
A is the set of all possible external events in the system and A"*" — A U {r}.
Let Pq is one of S Y S  nodes (states) that holds a non-deterrninistic (internal) choice (□), 
so that:
Pq —^ ^  Pi ......... first choice, and
P q —-—> P 2 ......... second choice.
Let SYS '  represents SYS,  but with removing the non-deterministic choice and continuing 
with the first choice, so that:
EyE' =  s y E \{ P o  ^ - 4 . Pi}
Let SYS"  represents SYS,  but with removing the non-deterministic choice and continuing 
with the second choice, so that:
E W ^ E Y E X l P o  — ^  P 2 }
Let S Y S  contains a deadlock state such that:
p  p '____> p "  y . . .  > . . .  pn
Where, P'^ (i.e., there are no transitions after P"')
If P q is one of the in between (between P and P^) states and P q appears at most once, then 
the deadlock P  P"  exists in SYS '  or SYS"
Which can be formed as follow:
S Y S  Deadlock Free 44 SYS ' Deadlock Free A SYS" Deadlock Free
as required.
□
As a sample usage of this rule in the GSS case study, assume that the modeller is 
doing some modifications in the fUML model and he wants to repeat the model 
checking several times to ensure that the modifications do not affect the deadlock 
freedom of the system. Using CSP-0pti-Rule(3) to disable the tank emptiness 
choice (i.e., the tank can never be empty), FDR2 managed to check the model 
for deadlock in 11 minutes after exploring 1.8M states instead of 18.4 minutes 
and 3.0M states when the two choices are available (i.e., the tank can be empty 
or not). Finally, the modeller should enable the other branch of the same choice
7.4. PROVING THE RULES INDEPENDENCE 135
(i.e., the tank is always empty) to ensure the system deadlock freedom (done in 
15 minutes and 2.6M states).
The following table summarizes the results of applying our approach on the GSS 
case study using Compass. The “States” field shows the explored number of states 
by FDR2 until reporting the deadlock freedom of the model. The order of the 
applied rules is just according to our test scheme. It is obvious that applying the 
CSP-Opti-Rules and the advice from the fUML-Opti-Rules led to a substantial 
reduction in the state space and the model checking time.
fUML-Opti-
Rule(1)
fUML-Opti-
Rule(2)
CSP-Opti-
Rule(1)
CSP-Opti-
Rule(2)
CSP-Opti-
Rule(3)
GSS
States Time
/ 12.3 M 1.38 H
y y 10.2 M 1.15 H
/ y y 4.7 M 29.7 Min
/ V y y 3.0 M 18.4 Min
/ y y y 1.8 M 2.6 M 11.0 15 Min Min
7.4 Proving the rules independence
As mentioned in Section 7.1, all the optimization rules included in this chapter 
are independent (i.e., the effect of a rule cannot be achieved be applying any of 
the other rules). We prove in this section that the optimization effect of each rule 
is a result of this rule only.
We prove this by identifying examples which are each affected by only one rule. 
We can consider a rule to be independent of the others if it changes the state 
space of the corresponding example and none of the others do. This demonstrates 
that the rule cannot be defined in terms of the others.
136 CHAPTER 7. FORMALIZED FUML MODELS OPTIMIZATION
fU M L -O pti-R ule(l)  independence
O bjA_AD
objB
sig1
___
sig3
O bjB_AD
sig1
èeïfO bjl
sig2
- r sig3
Figure 7.4: fUML example to check fUML-Opti-Rule(l)
The example in Figure 7.4 shows the fUML example (two activity diagrams) of 
two objects communicating with each other. The second object (ObjB) activ­
ity diagram includes a self-sending for sig2 signal. After applying fUML-Opti- 
Rule(l) on this example, the state space has been reduced from 39 to 27 states. 
Applying the remaining four rules has absolutely no effect on the state space 
because the rule is independent and the example does not contain any pattern 
that the other rules are searching for.
fU M L -0pti-R ule(2 )  independence
ObjA_AD
if ObjB
#
si{j1
r >
,/O b jB _A D
ob jC
ObjC_AD
  £
>  sig2
I S{J 8'04
T :
Figure 7.5: fUML example to check fUML-0pti-Rule(2)
7.4. PROVING THE RULES INDEPENDENCE 137
Figure 7.5 shows another example where three objects are communicating. ObJA’s 
activity diagram includes two unacknowledged signals {sigl and sigS). After ac­
knowledging them (i.e., applying fUML-0pti-Rule(2)) the state space has been 
reduced from 538 to 87 states. The other rules have also no effect on the state 
space to proof the independence of fUML-0pti-Rule(2).
CSP-Opti-RuIe(l) independence
/  O b jA_AD O bjB_AD /  O bjC_AD
I ObjB I sifl1 [ÔEjÂl—Kd'woiAcic T
Figure 7.6: fUML example to check CSP-Opti-Rule(l)
It is obvious in the example of Figure 7.6 that ObjC will be translated to a passive 
CSP process which does nothing but accepting sig2. Applying CSP-Opti-Rule(l) 
on this example removes ObjC and reduces the state space from 156 to 20 states. 
None of the other rules were applicable on this example, and thus CSP-Opti- 
Rule(l) is independent. Having the “ACK” suffix in the sending of sigS prevents 
the application of fUML-0pti-Rule(2), as it will be considered as an acknowledge 
signal only.
CSP-0pti-Rule(2) independence
The valueSpecification and addStructuralFeatureValue actions in ObjB in Fig­
ure 7.7 will be translated to two abandoned events. By applying CSP-Opti- 
Rule (2) the two events are removed and the state space has been reduced from 
67 to 15 states, while the other rules have no effect (because they are not appli­
cable).
138 CHA PTER 7. FORMALIZED FUML MODELS OPTIMIZATION
O b j A _ A D
»ig1
sig3
O b j B _ A D
seirobj
f  c
*> sigi
 HJ S'S3 >
<s<isi«iSf(6Ciffcatlon» s 
FALSE I
I
./««w ltlS truduralFealu reV afue» 
i: : isAny
Figure 7.7: fUML example to check CSP-0pti-Rule(2)
C S P -0 p ti-R u le (3 )  independence
ObjA_AD
sig1
\  sig3, sig3
s ig 3  ,
ObjB_AD
sig1
objA
toSig3 ^ X ,  toSig2
s ig 3 s ig 2
Figure 7.8: fUML example to check CSP-0pti-Rule(3)
Applying CSP-0pti-Rule(3) on the example depicted in Figure 7.8 by enabling 
one of the choices (toSigS) and disabling the other one {toSig2) leads to a re­
duction in the state space from 26 to 14 states. Similarly, the application of the 
other four rules has no effect on the state space as none of their patterns exist in 
this example showing the independence of CSP-0pti-Rule(3).
7.5. SUMMARY 139
7.5 Summary
We have described in this chapter a framework for optimizing the formal repre­
sentation (CSP) of the fUML models. The framework does the formalization and 
the optimization tasks using different components. We described two of those 
components that applies the optimization rules. The first one is the Optimiza­
tion Advisor which uses EVL to provide the modeller with some advice to avoid 
some undesirable patterns in his fUML model. The second component is the 
Model Optimizer which uses ETL to generate an optimized CSP model.
The results of applying the specialized optimization rules showed a substantial 
reduction in the state space, and thus in the model checking time. We would 
argue that the general idea of our optimization approach is applicable for the 
other work which considers the UML formalization.
Chapter 8
The Integrated Framework and 
Compass
Many components have been introduced in the previous chapters to perform the 
formalization, feedback and optimization tasks. To understand the big picture 
and relate the components with each others, we describe in this chapter the in­
tegrated framework that includes all the components to provide a comprehensive 
UML/fUML behavioural model checking.
We also introduce in this chapter the implementation of this framework as a 
plugin to the MagicDraw CASE tool. This implementation adds to our work 
practicality and makes the UML/fUML models formal verification available to the 
modellers via a few clicks. Throughout the chapter we will use the CCS (Cruise 
Control System) as a third case study for further realization and verification to 
the framework implementation.
We consider this chapter to be important in order to view the implementation of 
our formalization approach from the user (modeller) point of view. The chapter 
considers some specific scenarios to emphasis some usage models supported with 
screen shots that the modeller uses to interact with the integrated framework.
The rest of the chapter is organized as follows. In Section 8.1, we describe the 
integrated framework and the relation between its components. In Section 8.2, 
we introduce the Compass plugin that implements the framework. In Section 8.3, 
we describe the usage of Compass for the formal verification of the models.
141
142 CHAPTER 8. THE INTEGRATED ERAMEWORK AND COMPASS
8.1 The integrated framework
The previous chapters have shown different frameworks to handle the UML/fUML 
models: formalization, consistency checking, modeller-friendly feedback genera­
tion and optimization. Several components have been used to handle those tasks 
as well as the UML, fUML and CSP meta-models. The need for having a tool 
that allows the modeller to execute those tasks seamlessly motivated ns to de­
velop an integrated framework that includes all those components to handle the 
model management tasks as depicted in Figure 8.1. The arrows in the diagram 
represents the input/output for each component. All the components in the figure 
have been described before, so the following part will focus on their integration.
UML
fU M L ~ ^ Meta-model
Meta-model
''A
CSP
Meta-modelFormalization 
Report
UML 
State Diagram Model
Formalizer
(M2M)
Formalizability 
Checker
fUML 
Activity DiagramModeller 
Â  À
CSP
Model
Optimization 
Report
Model
Optimizer
(M2M)
Optimization
Advisor Optimized 
CSP 
Model
CSP Script 
Generator 
(M2T)Optimization
Interface
RP-to-Signals 
Mapping Table
Object-to-Class 
Mapping Table
CSP-to-UML/fUML 
Mapping Table FDR2
L J
1^  y
[ UML 1
Model Sequence Counter
Debugger Diagram Example
Generator
UML
Sequence Diagram
Figure 8.1: The integrated framework
8.1. THE INTEGRATED FRAMEWORK 143
The modeller is the initiator for all the tasks and he only deals with the UML/fUML 
diagrams. The modeller is completely isolated from the CSP domain, even if 
FDR2 displayed a counter-example the UML Sequence Diagram Generator or the 
Model Debugger will convert it to a modeller-friendly format. When the modeller 
initiates a model checking task, the related components are activated sequen­
tially. The Framework Controller component (does not appear in the diagram) 
manages the components activation based on the modeller inputs. The controller 
has been developed using the Java programming language, and it deals with Ep­
silon components (e.g.. Model Formalizer, Model Optimizer, ..etc.) through a 
specific interface. For example, assuming that the modeller wants to check his 
fUML model against deadlock freedom while enabling the optimization option, 
the following components will be activated with the same sequence:
1. Formalizability Checker: to make sure that the fUML model is amenable 
for formalization.
a) If formalizable: move to step (2).
b) If not formalizable: generates the Formalization Report to the mod­
eller and stop.
2. Optimization Advisor: applies the fUML-Opti-Rules to find any undesirable 
patterns.
a) If not found: move to step(3).
b) If found: generates the Optimization Report and ask the modeller if 
we wants to continue the model checking or not.
3. Model Formalizer: performs the formalization and generates the CSP model.
4. Model Optimizer: applies the CSP-Opti-Rules that are compatible with the 
deadlock checking only and generates the Optimized CSP model.
5. CSP Script Generator: reads the Optimized CSP Model and generates a 
corresponding GSP script.
6. FDR2: process the GSP script and performs the model checking.
a) If the model is deadlock free: a message saying that the fUML model 
is deadlock free will appear to the modeller.
b) If the model is not deadlock free: generates a counter-example and 
move to step (7).
7. UML Sequence Diagram Generator: reads FDR2 counter-example and trans­
late it to a UML sequence diagram based on the pre-generated mapping 
tables.
144 CHAPTER 8. THE INTEGRATED ERAMEWORK AND COMPASS
8.2 The framework implementation: Compass
We implemented the integrated framework as a plugin to the MagicDraw CASE 
tool (introduced in Chapter 2) called Compass * (Checking Original Models 
means Perfectly Analyzed ^stem s). Implementing the framework as a plugin 
to a CASE tool allows the modeller to seamlessly check the UML/fUML models 
without the need to change the modelling environment. It is also better than im­
plementing it as a standalone application to avoid any compatibility or usability 
issues, because the modeller will need to export the UML/fUML models into an 
interchangeable file format (e.g., XMI) and the file in the application.
Compass depends on Epsilon to perform the model management tasks. We al­
ready described in the previous chapters how we depended on the Epsilon trans­
formation / validation languages to implement the framework’s components. Com­
pass also leverages MagicDraw APIs to interact with the modelling environment. 
For example. Compass uses those APIs to highlight the UML/fUML diagrams’ 
elements during the model debugging.
Enabling Compass within MagicDraw allows the modeller to perform the follow­
ing main functions:
Check deadlock freedom for an fUML model;
#
Browse the UML sequence diagram that represents the deadlock scenario 
(if any);
Check the consistency between the UML state diagrams and their corre­
sponding fUML activity diagram;
Debug the UML/fUML model to find the source of the inconsistency (if
anxX
Enable/disable the model checking optimization.
* There is another project called COMPASS (Comprehensive Modelling for Advanced Sys­
tem s of Systems) funded by Seventh Framework Program m e (FP7) th a t researches in the in­
tegration  of well-founded engineering notations, m ethods and tools to  support developers in 
building and analysing system s’ models. However, we could not change the  name of our plugin, 
to  avoid th is confusion, as we published a paper th a t contains th is nam e before the COMPASS 
project launching.
8.3. USING COMPASS 145
8.3 Using Compass
This section describes the experience of using Compass within MagicDraw from 
the modeller point of view. It will not focus of the technical details, but rather 
the user experience of the tool. The description is supported by some screen­
shots of Compass while checking the CCS case study. The section assumes a 
certain process for developing the UML/fUML model that will be elaborated in 
the following sub-sections.
8.3.1 Diagrams drawing
Initially the modeller develops the model by drawing the class diagram of the sys­
tem using MagicDraw. The class diagram should include also all the signals that 
will be passed between the objects. For the active objects, the modeller should 
define their high level behaviours using the standard UML state diagrams. The 
behaviour should be compatible with the original system specifications. Conse­
quently, the modeller can refine the state diagrams by adding more implemen­
tation details in the form of fUML activity diagrams. The activity diagrams 
should include all the needed information to be an executable model (concrete 
behavioural model for the abstract one).
8.3.2 Behavioural consistency checking
After the class, state and activity diagrams are ready the modeller can check 
the consistency between any UML state diagram and its corresponding fUML 
activity diagram using Compass. The modeller can initiate this process from 
MagicDraw tool sub-menu (in main menu) and selecting “Checking UML/fUML 
consistency”. By this selection, the dialog box in Figure 8.2 will appear.
146 CHAPTER 8. THE INTEGRATED ERAMEWORK AND COMPASS
Compass - Consistency Checking
Select th e  S ta te  Diagram and  Its corresponding  Activity Diagram 
to  check  th eir consistency
S ta te  Diagram Activity Diagram
1 CruiseControl_SD | v | D riverA D  i v  j
1 S ta rt  j 1 Can
Driver_AD
Vehicle_AD
CruiseControl_AD
BrakeActuator_AD
ThrottleA ctuator_A D
MotionSensor_AD
Pedal5ensor_A D
Display AD
Figure 8.2: Compass - Checking UML/fUML consistency
The modeller can use this dialog to choose the diagrams that will be checked for 
consistency and them launch the checking by pressing the “Start” button. Com­
pass will start the formalizability checking and if the model meets the formaliza­
tion constraints Compass will start the formalization to CSP immediately. After 
generating the CSP script, Compass will launch FDR2 to perform the model 
checking. In the case of inconsistency, FDR2 will generate a counter-example 
that includes the sequence of the executed events until reaching the inconsis­
tency state. This counter-example will be completely hidden from the modeller 
and as an alternative a Debugger Controller toolbar will appear to him as shown 
in Figure 8.3.
Reproduced with permission of copyright owner. Further reproduction prohibited without permission.
