Model-Based Verification and Validation of Properties  by Engels, Gregor et al.
p ( )
URL: http://www.elsevier.nl/locate/entcs/volume82.html 18 pages
Model-Based Verication and Validation of
Properties
Gregor Engels
1
Jochen M. Kuster
2
Reiko Heckel
3
Marc Lohmann
4
Faculty of Computer Science, Electrical Engineering and Mathematics
University of Paderborn
Paderborn, Germany
Abstract
One of the key issues in software development, like in all engineering problems, is
to ensure that the product delivered meets its specication. Verication and valida-
tion are well-established techniques for ensuring the quality of a product within the
overall software development lifecycle. With models being expressed in the Unied
Modeling Language, the application of verication and validation is complicated.
Firstly, concerning verication, a UML model is typically not the input language of
a verication tool. Secondly, with regards to validation, a UML model is also not
directly executable.
In this paper, we show how verication and validation can be achieved for UML
models. Within our approach, graph transformation techniques are applied for
automated translation of UML models into a language understood by a verication
tool or directly into an implementation. By the use of such semantic-preserving
transformations, both verication and validation can be lifted up to the model level,
allowing for a seamless integration of verication and validation into a UML-based
development process.
1 Introduction
In all engineering disciplines, the construction and analysis of models is widely
accepted for enhancing the quality of the product engineered. Besides repre-
senting a plan for the actual construction of the product, another key purpose
of models is to allow the reasoning about properties of the product before
1
Email: engels@uni-paderborn.de
2
Email: jkuester@uni-paderborn.de
3
Email: reiko@uni-paderborn.de
4
Email: mlohmann@uni-paderborn.de
c
2003 Published by Elsevier Science B. V.
133
CC BY-NC-ND license.  Open access under 
Engels et al.
actually building it. Examples for such analysis of properties include the stat-
ics of bridge structures within civil engineering or calculating the resistance
within electrical engineering.
In software engineering, we distinguish between constructive and analyti-
cal means of quality assurance. Constructive means to prevent the occurrence
of errors in the process of development, e.g., by the use of less error-prone
programming languages (like Java instead of C++) or through automated
generation of implementations from high-level models. Analytical means are
used to detect errors in models or implementations. In particular, model-based
analysis allows the reasoning about important properties of a software system
early within the process of software construction. Examples for such proper-
ties include deadlock freedom of the application, the conformance to certain
memory or timing constraints, but also the correctness of the implementation
with respect to a given model.
Analysis techniques are generally partitioned into verication and valida-
tion techniques. Verication techniques such as model checking and theorem
proving have a long tradition in formal specication languages like algebraic
specications [7], Z [23], CSP [17], or Petri nets [20]. At the implementation
level, temporal logics [18] and assertions [16] have been proposed to verify
the conformance of a program with its specication. Despite of the relative
maturity of formal verication within software engineering research, practical
applications are limited to safety-critical and embedded systems [6], i.e., sys-
tems with a high penalty of failures. Reasons for this include the complexity
of formal specication techniques and the lack of training of software engi-
neers in applying them. Furthermore, there are also well-known limitations of
formal verication such as the state-explosion problem within model checking.
Common to all verication techniques is that they rely on a formal semantics
of the specication or programming language concerned.
In contrast to formal verication, where a property may be assured with
mathematical rigor, validation techniques may detect errors or improve our
condence in the model or implementation, but they cannot prove any prop-
erty in a denite way. The classic technique for validation of properties in
software engineering is testing. Testing relies on the construction of test strate-
gies for a property including subsequent execution of parts or all of the system
according to these strategies [3]. As testing takes place on a lower level of ab-
straction, the range of properties that can be validated is much greater than
using formal verication.
With the advance of the Unied Modeling Language [19] in recent years,
model-based development is becoming more widely accepted within industry.
However, UML models are nowadays primarily used for communication and
documentation purposes, i.e., tasks which do not require a formal semantics
or sophisticated tool support. On the other hand, as a standard notation the
UML could be the key to overcome one of the problems of formal methods:
the need for specialized experts for every particular language.
134
Engels et al.
In this paper, we sketch an approach how model-based analysis of prop-
erties can be made applicable within a UML-based development process. For
property verication, our approach is to design a partial formalization of UML
models such that existing verication techniques can be reused. This partial
formalization relies on the concept of graph transformation to dene the auto-
matic translation of UML models into a suitable semantic domain [14], i.e., a
formal specication language with appropriate tool support. For each property
to be veried, conditions need to be stated in the formal language specication
used.
For property validation, our approach is to test the implementation of the
system. For that purpose, we have to transform a model into an implementa-
tion, possibly by using existing graph transformation techniques for code gen-
eration. For such a transformation, we assume that it is semantic-preserving.
In addition, a test case must be generated from the model that provides input
to the implementation. How such a test case is generated is determined by
a so-called test strategy. Applying a test case to an implementation of the
model then allows validating a property for the implemenation and also for
the model, due to the semantic-preserving transformation between them.
Our approach needs to be supported by an integrated tool suite that pro-
vides means for both property verication and validation. For property veri-
cation, the tool suite oers partial formalizations for UML models in order to
overcome the diÆcult task of designing such a formalization from scratch. For
property validation, the tool suite oers test strategies to create tests applied
to the system under test.
The remainder of the paper is structured as follows. First, we will elaborate
on model-based development with UML, introducing our view of a UML-
based development process. Then, our approach to verication and validation
of properties is explained. Both verication of properties and validation of
properties is then illustrated with an example and requirements for a tool
suite are stated.
2 Model-based development with UML
Within a software development process, software engineers typically make use
of a system model that abstracts on the one hand from the real world and on
the other hand from the implementation. Such a system model often consists
of dierent submodels at dierent abstraction levels. By model-based develop-
ment, we understand a software development process where a system model is
gradually rened from a high abstraction level to a lower abstraction level. A
low-level system model can then be automatically transformed into a running
prototype by applying code generation techniques for a given platform.
The Unied Modeling Language supports the construction of a system
model by oering dierent sublanguages, each focusing on specic aspects of
the system. For example, class diagrams focus on the overall structure of
135
Engels et al.
the system whereas sequence diagrams are often used for describing typical
interactions of system objects. A statechart can be used for describing the
reactive behavior of a class of system objects and is well-suited as a constituent
of a low-level system model.
Our approach to model-based development with UML requires that we de-
scribe in detail our system model. For simplicity, we will distinguish between
two abstraction levels, a high- and a low-level abstraction level. On the high
level, our system model is composed of use case diagrams and sequence dia-
grams describing the interaction of the system with users of the system. On
the low level, it is composed of class diagrams, statecharts and activity dia-
grams. The statechart diagrams provide the reactive behavior view of system
objects. Activity diagrams are used for describing operations modeled within
classes in detail and may also include source code fragments (or other UML
diagrams which may be transformed to code).
Given such a low-level system model, code for a running implementation
can be generated by applying code generation techniques to class diagrams,
statecharts and activity diagrams (cf. [11]).
3 Verication and Validation of Properties
One central goal of model-based development is to enable analysis of the sys-
tem, thus ensuring the quality of the system already on the model level. That
is, we want to reason about certain properties of the system prior to the con-
struction of the implementation. Examples for such properties are deadlock
freedom, timing consistency and limited memory resources. When developing
a concurrent object-oriented application, deadlock freedom of the interaction
is often a major requirement. Timing consistency is of importance for real-time
systems. There, it must be assured that certain computations are performed
within a given pre-dened time span. Limited memory resources are often a
characteristic feature of embedded applications.
In general, four dierent strategies can be distinguished when analysing a
model or a system for the fulllment of properties: Either a property can be
veried or it can be validated, leading to the well-known distinction of veri-
cation and validation. In addition, this can either be done on the model level
or on the implementation level. In this paper, we will concentrate on model-
based verication and model-based validation which is a natural consequence
of the goal of model-based development.
Both property verication and validation are not directly performed on
model level. Concerning property verication, the model is translated into a
suitable semantic domain. Here we assume that the translation is semantic-
preserving. As a consequence, if the property is not fullled, we can conclude
that both the translation within the semantic domain and the model itself do
not fulll the property. Model-based validation is performed on the implemen-
tation level assuming again that the implementation of the system has been
136
Engels et al.
derived from the system model by a semantic-preserving transformation. If
under this assumption a tested property is not fullled by the implementation
then it must be due to faults in the model. As a consequence, we have lifted up
both verication and validation from the implementation layer to the model
layer.
For verication of properties, rst a suitable formal verication tool (e.g.
a model checker) has to be chosen capable of verifying the aspects associ-
ated to the property. For example, for the property of deadlock freedom, the
model checker has to support the aspects of concurrency, communication and
interaction of processes. After identication of such a verication tool, condi-
tions need to be established for the property. These conditions are specied
within the specication language understood by the verication tool. Note
that, dierent from a property, a condition is bound to a concrete specica-
tion language and it can well be the case that the same property is expressed
dierently in dierent specication languages.
As model checkers typically operate on formal specication languages and
we focus on a UML-based development process, for verication of conditions,
a UML model must rst be translated into such a specication language.
Rather then designing a complete translation of the UML model it is advisable
to restrict the translation to those aspects that contribute to the conditions.
This is due to the well-known limitations of model-checking and because of
the diÆculty of dening a complete formal semantics of the UML model in
terms of the formal language understood by the model checker. For example,
when verifying a property that has to do with communication and interaction
of components such as deadlock freedom, submodels of the UML model that
have to do with the structure aspect such as class diagrams need not be
formalized. For designing such a partial translation, we have shown that a
graph transformation approach is well-suited [14].
UML System
ModelProperties
Formal
Specification
Formal
Conditions
graph
t
r
a
n
sformation
Verificati
result
Formal verification
Result Mod
v
is
ua
li
za
ti
on
manualencoding
Fig. 1. Steps within model-based verication of properties
In Figure 1, the dierent steps within model-based verication are illus-
trated. Given a UML system model, this is transformed into a formal spec-
ication applying pre-dened graph transformation rules. Additionally, the
properties are manually encoded into formal conditions. Then both the formal
conditions and the formal specication are analyzed with a formal verication
137
Engels et al.
tool to prove the formal conditions. The results are visualized within a result
model, typically using the same visual modeling language as in the system
model. This result model can be used by the developer to improve the system
model according to the verication results.
For validation of properties, tests check conformance of the system under
test to a specication by simulating the model or testing an implementation
derived from the model. Tests must be designed as a suÆcient representative
of the checked property of the system under test. As a consequence, software
testing relies on the execution of code using dierent test inputs for one prop-
erty. For testing such a specic property, a test case species the pre-test state
of the implementation under test, the test inputs and the expected results. A
test suite is a collection of test cases, typically related by a common goal [4].
Following our discussion, one needs to answer the following questions con-
cerning model-based validation:

How to derive a test case or a test suite from UML models for the validation
of a specic property?

How to execute a test case or a test suite to validate a specic property?
For deriving a test case from a UML model, an algorithm or heuristic
is needed which we refer to as test strategy. The system model describes
the implementation under test. A test model is a part of the system model,
annotated with the properties to be tested. For example, for testing timing
constraints, time expressions are attached on message or stimuli names of a
sequence diagram of the system model. Such a sequence diagram is then used
as a test model.
Depending on the test strategy, test cases are derived from test models
complemented by system models. We assume that test strategies dene how
test cases are derived from UML models such as sequence diagrams or class
diagrams; this means a test strategy describes how to derive precise specica-
tions of possible test cases from UML diagrams.
For the execution of a test case, code of the system model is generated
using graph transformation rules and the test cases are applied to the code
under test. For example, for ensuring timing constraints of a system, a test
strategy can dene how test models derived from system models consisting
of a set of sequence diagrams together with timing constraints attached to
each sequence diagram are used to create a test case. After applying code
generation techniques to the system model, a test case or a test suite is used
to validate the resource constraints.
In Figure 2, the dierent steps within model-based validation are illus-
trated. Given a UML system model, this is transformed into a part of the
implementation in a programming language applying pre-dened graph trans-
formation rules. Additionally, the test model or the UML system model is
transformed into a test case or a test suite.
Then the implementation of the system is executed with the test case as
138
Engels et al.
UML System 
ModelTest Model
ImplementationTest Suite Test resulTestexecution
Result Mod
v
is
ua
li
za
ti
on
generation according
to test strategy
graph
t
r
a
n
sformation
Fig. 2. Steps within model-based validation of properties
input. The test results are visualized with a result model using the same visual
modeling language as in the system model. This result model can be used by
the developer to improve the system model according to the test results.
By applying these techniques of model-based verication and model-based
validation of properties, important properties can be either veried or vali-
dated within model-based development. For model-based verication of prop-
erties, a partial translation of the UML model into the formal language of a
model checker must be pre-dened. For model-based validation of properties,
a suitable test strategy must be pre-dened, which denes how to derive test
cases from system models and how to apply them. In the remainder of the pa-
per, we will now illustrate both model-based verication and validation with
an example.
4 Verication of Deadlock Freedom
In this section, we will concentrate on the verication of a specic property,
deadlock freedom. In general, deadlock freedom is the property that a collec-
tion of components working together cannot reach a deadlock state. Such a
deadlock state can be characterized by the situation that no component can
make any progress.
Within our system model, we will be interested in deadlock freedom of
a collection of objects working together. We will assume a low-level system
model consisting of a class diagram and additionally collaboration diagrams.
In order to support the modeling of concurrent systems, we will assume that
this low-level system model is expressed in UML-RT [22], a prole of UML
for modeling real-time systems and incorporating the concept of components
called capsules. In the following, we shortly describe concepts of UML-RT.
Then we will concentrate on the verication of deadlock freedom within such
a low-level system model.
4.1 UML-RT
Concerning the modeling language, we will use UML-RT [22], a prole of UML
for modeling real-time systems and incorporating the concept of components
139
Engels et al.
called capsules. In the following, we shortly describe concepts of UML-RT and
then we relate submodels used within UML-RT to the previously identied
aspects.
CapsuleA: CapsuleB:
P1:Protocol::RoleA P2:Protocol::RoleB
SA SB
SProtocol
Protocol
RoleA RoleB
<<connector>>
Fig. 3. Submodels and their usage in UML-RT
UML-RT is an extension of the UML by introducing the notions of capsules,
ports, connectors, protocols and protocol roles. Originally targeted at enabling
modeling of complex real-time systems, UML-RT has also been seen as a
candidate for modeling software architectures [21] and for modeling concurrent
systems in general. In the following, concepts of UML-RT are explained in
detail.
A capsule is a stereotyped active class and is used for modeling a self
contained component of a system. Other than ordinary classes, capsule oper-
ations can only be called from within the capsule. For communication with
other capsules a capsule may have one or more ports through which it is in-
terconnected to other capsules via connectors. A connector is an association
between capsules. It represents a hardware connection via which capsules
communicate by sending and receiving signals. These signals enter or leave a
capsule at a port. A port realizes a protocol role which species the signals
sent and received via the port. One or more protocol roles form a protocol.
From the point of view of behavioral modeling, a statechart may be as-
sociated to a capsule. A capsule statechart describes how the capsule reacts
to signals received via its ports and when signals are sent via its ports. State
transitions of capsule statecharts may also include calls of capsule operations.
For protocols, there exist also the possibility of modeling all valid sequences
of message exchanges in a protocol statechart. The protocol statechart there-
fore expresses requirements rather than specifying the implementation of a
protocol.
In Figure 3, concepts of UML-RT are illustrated using a very simple ex-
ample consisting of two capsule instances CapsuleA and CapsuleB connected
by a connector via the two ports P1 and P2. The ports are bound to the
protocol roles RoleA and RoleB, respectively. Each capsule is associated to a
capsule statechart, S
A
and S
B
respectively, describing the dynamic behavior
140
Engels et al.
of the capsule. The protocol statechart S
Protocol
is associated to the connector
between the two capsules.
After introducing UML-RT as the language for specifying the system model
and xing the property deadlock freedom to be veried, in accordance with
Figure 1 we have to

choose a suitable formal language and a model checker

dene a partial mapping of a UML-RT model into the language of the model
checker

dene conditions for deadlock freedom in the language of the model checker
4.2 The formal language CSP and the model checker FDR
We choose as a formal language CSP [17] which provides a mathematical model
for concurrency based on a simple programming notation and supported by
tools [12]. Next, we briey review the syntax and semantics of the CSP
processes we are using.
Given a set A of actions and a set of process names N , the syntax of CSP
is given by
P ::= STOP j SKIP j a! P j P [AjB]P j P u P j P 2P j P n a j pn
where a 2 A, A;B  A, and pn 2 N .
Process names are used for dening recursive processes using equations
pn = P . The interpretation of the operations is as follows. The processes
STOP and SKIP represent, respectively, deadlock and successful termination.
The prex process a ! P performs action a and continues like P . The
parallel composition P [AjB]Q results in an interleaving of P and Q except
for the actions in A \ B, which have to be performed synchronously. The
processes P uQ and P 2 Q represent internal and external choice between P
and Q, respectively. That means, while P uQ performs an internal ( -)action
when evolving into P or into Q, for P 2 Q this requires an observable action
of either P or Q. For example, (a ! P ) u (b ! Q) performs  in order to
become either a ! P or b ! Q. Instead, (a ! P ) 2 (b ! Q) must perform
a or b and evolves into P or Q, respectively. This distinction shall be relevant
for the translation of statechart diagrams below. Finally, the process P n a
behaves like P except that all occurrences of action a are hidden.
The semantics of CSP is usually dened in terms of traces, failures, and
divergences [17]. A trace is just a nite sequence s 2 A

of actions which
may be observed when a process is executing. A failure (s; A) provides, in
addition, the set A of actions that will be refused by the process after executing
s. Divergences are traces that are followed by innite internal computations
(without any communication). We denote by T (P ) the set of all traces of P.
Together with these semantic models come several notions of process re-
nement. We write P v
T
Q if T (Q)  T (P ), i.e., every trace of Q is also
a trace of P . Analogously, P v
F
Q if the failures of Q are included in the
141
Engels et al.
failures of P , etc. In general, the idea is that Q is a renement of P if Q
is more deterministic (more completely specied) than P . These renement
relations shall be used to express consistency constraints.
4.3 A partial mapping of UML-RT to CSP
For the property of deadlock freedom, we can restrict our mapping of a UML-
RT model to statecharts associated to capsules.
Our concept of mapping of statecharts to CSP processes relies on graph
transformation rules and is inspired by Hiemer [15]. For a precise description
of our mapping, the reader is referred to [10] and [8], detailing the use of
graph transformation techniques. In the following, we briey summarize our
results:
For each capsule statechart S, a CSP process is constructed (denoted by
CSP (S)) parameterized over the states of the statechart. Similarly, we also
translate the protocol statechart into a CSP process. Additionally, we de-
ne for each CSP process CSP (S) a view process that restricts the process
to the messages exchanged via a specic port p and denote this process by
V
p
(CSP (S)). Informally, this view process mirrors our decision to concentrate
on messages sent over a specic port.
According to the UML specication, each statechart is associated to an
event queue where incoming messages are stored. However, the behavior of
such an event queue is not dened. In order to be both precise and exible
about the size of buers and their behavior, we assume that the storage and
scheduling of events is the task of the connectors. Currently, connector behav-
ior is not supported by UML-RT. For this reason, we propose to use connector
stereotypes for selecting specic, pre-dened connector behavior. We associate
every connector stereotype to a CSP process CON describing its behavior.
Given two capsules connected by two ports p
1
and p
2
via a connector
associated to a connector process CON and capsule statecharts associated to
the capsules named S
A
and S
B
, we dene the semantics of this construct by
V
p1
(CSP (S
A
)) k [p1
in
; p1
out
]CON k [p2
in
; p2
out
]V
p2
(CSP (S
B
))
We denote this process with CSP
p
1
;p
2
(S
A
; CON; S
B
).
4.4 Conditions for Deadlock Freedom and Verication
Having described the partial mapping of UML-RT models into CSP, we are
now able to specify conditions for models translated to CSP:
Condition 1 (Deadlock freeness) Two capsule statecharts S
A
and S
B
of two capsules connected by a connector with behavior CON via the
ports p
1
and p
2
are deadlock free, if the induced system of CSP processes
CSP
p
1
;p
2
(S
A
; CON; S
B
) is deadlock free.
142
Engels et al.
Given a concrete UML-RT model, this can be translated into CSP using
the partial translation described above. Then, the model checker FDR is used
for evaluating the condition of deadlock freeness. The output of the model
checker will then be either that the model is deadlock free or it will output a
counterexample (see Figure 4).
Fig. 4. The FDR tool and a trace to a deadlock
5 Validation of Properties
In this section, we will illustrate the validation of a specic property, timing
constraints. In general, for the conformance to timing constraints it must be
assured at runtime that the system performs certain computations within a
pre-dened time span.
A general problem regarding model-based validation is that the usage of
UML models varies from one development method to another. If there are no
specic assumptions about the usage of UML models (like in [2]), it is diÆcult
to automate the testing approach. To allow the automatic derivation of test
cases from UML system models, we assume the model-based development
presented in section 2.
In the following, we shortly describe how to derive a test model from a
system model. Then we will concentrate on a specic test strategy for deriving
test cases from a UML model for the validation of timing constraints.
143
Engels et al.
 : TransactionControl
b : Bill
accA : Account accB : Account
getAmount()
amount
debit(amount)
proveBalance()
debitSuccess
[debitSuccess=true] payIn(amount)
a:payBill(b)
{a.executionTime
<=20ms}
[debitSuccess=false] closeAccount()
Fig. 5. Test model - sequence diagram of system model with additional time prop-
erty
5.1 Creating a Test Model
Concerning our test models, we will use UML sequence diagrams which are
annotated by a developer with a specic property to test. In the following, we
shortly describe a UML sequence diagram annotated with timing constraints.
Sequence diagrams show the interactions of objects as a set of messages. A
sequence diagram has two dimensions: the vertical dimension represents time
and the horizontal dimension represents dierent instances [19]. Sequence
diagrams are often used to model sequences of method calls belonging to al-
ternative execution sequences of public operations. Each alternative sequence
captures a dierent scenario. Timing constraints are expressed using timing
expression on message or stimuli names.
Figure 5 shows a sequence diagram with a timing constraint which rep-
resents a test model. It models the control of a credit transfer to pay a bill.
The expression executionTime describes the time span for the method-call
payBill(b) until its processing must be nished. This test model is de-
rived from the system model by adding the timing constraint to be validated.
Within the system model used in our simplied development approach, the
sequence diagram is used to detail a use case.
5.2 Deriving test cases for timing constraints from sequence diagrams
In the following, we describe a test strategy to derive dierent test cases from
a test model to validate timing constraints by an implementation generated
from the system model. As an example test model, we use a sequence diagram
annotated with timing constraints. Each test case derived from the test model
describes dierent combinations of pre-test states, test inputs and expected
results to ensure that each test case executes a dierent sequence of method
calls described in the sequence diagrams. This collection of test cases is a test
suite, related by the testing goal for the validation of timing constraints.
As known from existing white box testing techniques there has to be a
144
Engels et al.
measure of how complete we want testing to be. A common criterion is that
a particular type of coverage is to be achieved. Examples of coverage are the
statement coverage criterion whereby every statement in a program is to be
executed or the path coverage criterion whereby every possible path leading
from the start to the end of the code to test is traversed [3,13].
In the case of using sequence diagrams to generate tests, one can trans-
fer this approach from white box testing. We use in our approach the path
coverage criterion, which means that every path within a sequence diagram
must be tested according to its execution time to validate timing constraints.
If the time span for the execution of one path is greater than the annotated
execution time in the UML model, then the system does not comply with the
property and a re-engineering is necessary to get a faster system.
For achieving path coverage, a technique for computing all dierent pos-
sible paths within a sequence diagram automatically is presented by Briand
and Labiche [5]: A sequence diagram is modeled with a regular expression,
where the alphabet elements are the public operations of the objects involved
in a sequence diagram. In this way, they only compute all possible paths of
a sequence diagram, but they disregard low-level design information to de-
rive a test case or a test suite from UML models. In the context of UML
collaboration diagrams Abdurazik and Out [1] presented a similar approach.
They form message sequence paths by using the messages and their sequence
numbers of a sequence diagram. They also cannot create a complete test case
or test suite because they disregard low-level design information.
As an example of our test strategy, we again refer to the sequence diagram
of Figure 5, which models the control of a credit transfer to pay a bill. We
will show how to derive dierent test cases to test the execution time of the
method payBill(b). Note that the sequence diagram contains two possible
sequences of public methods calls. These two possible sequences are (object
names are omitted):
Path 1: getAmount().debit(amount).payIn(amount)
Path 2: getAmount().debit(amount).closeAccount()
+getAmount() : decimal
-amount : decimal
Bill
+debit(in amount : decimal) : bool
+payIn(in amount : decimal)
+closeAccount()
-balance : decimal
Account
+payBill(in b : Bill)
TransactionControl
Prove balance
return true return false
[this.balance >= amount]
[this.balance<amount]
Classes from sequence diagram Activity diagram detailing method   debit(amount)
Fig. 6. Class and Activity diagram of the system model
145
Engels et al.
To create a test suite with dierent test cases to achieve path coverage, we
have to identify the path realization conditions of the sequence diagram. The
path realization of the sequence diagram in Figure 5 depends on the return
value of the method debit(amount). To create test cases we must make use of
low-level design information, for example, data ows within operations. The
usage of the low-level design information allows calculating the return value
of a method to determine the path realization conditions. As an example, the
behavior of the method debit(amount) is detailed on the right in Figure 6. As
described in the activity diagram, the selected path depends on the comparison
between the local variable balance of the class Account and the input amount
of the method debit. This means that the realized path in the sequence
diagram depends on the initial test condition, especially on the initialization
of the classes Account and Bill (see Figure 6). To achieve path coverage we
need two test cases with dierent instances of the classes Account and Bill
to ensure that the execution of the method debit(amount) returns true in
one test case and false in the other.
As a result of the test strategy, we get one test suite with two dierent
test cases to test the timing constraint annotated in the sequence diagram.
The two test cases are almost identical. Their only dierence is the pre-test
state the implementation is initialized with before executing a test case. One
pre-test state initializes the object Bill and the Account in a manner that
path 1 and the other in a manner that path 2 of the sequence diagram is
executed.
To summarize, given a concrete UML system model, this can be translated
into an implementation language using graph transformation rules [11,9]. Fur-
ther, the UML test model is used to create a test suite grouping dierent test
cases with the common goal to validate the conformance to timing constraints
of a specic method. Then, the implementation of the test model is executed
with the test cases as input. The results of the execution will then be that
the implementation fullls the timing constraints or not.
6 Towards an Integrated Tool Suite
In this section, we describe how the analysis of properties can be supported
by an integrated tool suite, the model-analysis workbench. The goal of the
model-analysis workbench is to provide an integrated framework for the soft-
ware engineer to enable both model-based property verication and validation.
From the discussion of both verication and validation of properties we can
conclude: In principle, model-based analysis is possible also for UML models.
However, in order to enable model-based analysis, rather complicated tasks
such as partial formalization of UML models or generation of test cases are
required. As a consequence, the provision of adequate tool support is one
important factor for making widely-accepted model-based analysis of UML
models possible.
146
Engels et al.
Model-Analysis Workbench
ValidationVerification
System Model Management
Interpreter
Property
GTR
Property
Editor
GTR
Editor
CSP
Model
FDR
Verification
Result
Viewer
Interpreter
Test
Model
Test Model
Editor
GTR
GTR
Editor
Runtime
Environment
Source
Code
Validation
Result
Viewer
User Interface
Manual
Encoding Condition
Test
Strategy
Test
Case
Fig. 7. Overview of the model-analysis workbench
In Figure 7, an overview of components of the tool suite is given. We
can distinguish between four main components, one component for system
model management, one for property verication, one for property validation
and a user interface. The user interface serves as an integrative component
of the overall model-analysis workbench and allows the software engineer to
access the three other components. Note that the verication and validation
component consist of sub-components assembled to a workow in a similar
way, thereby mirroring our approach to verication and validation described
in Figure 1 and Figure 2.
The system model management component is responsible for managing
the system model. It includes functionalities for dening and storing a sys-
tem model. This system model management component should be seen as
an interface to existing CASE tools for constructing UML models. It is not
the goal of the tool suite to enable full CASE tool functionality but rather to
enable the denition of dierent types of system models for dierent applica-
tion domains. The support to the actual creation of system model instances
is transfered to CASE tools. The system model instances created by CASE
tools should be then checked in into the model-analysis workbench.
The verication component oers all support needed to perform model-
based verication. For that purpose, an interpreter oers support for par-
tially formalizing UML models by the means of applying graph transforma-
tion rules [8](called GTR in Figure 7). Here, the purpose is to oer support
for dening such translations (GTR editor) and possibly providing a set of
pre-dened translations. Within a property editor, the software engineer can
dene properties which can then manually be transformed into formal condi-
tions. These formal conditions and the CSP model obtained from translating
the system model are then used by the FDR tool to create the verication
results. These results can be visualized by a corresponding viewer.
147
Engels et al.
The validation component supports model-based validation. An inter-
preter allows the generation of source code by applying graph transformation
rules on the UML models [11,9]. Here, the purpose is to support the denition
of translations into a programming language with a GTR editor to adjust the
graph transformation rules according to the process used to create a detailed
system model. Further, the software engineer can edit the test model with a
test model editor which can be a normal CASE tool that allows annotating a
UML system model. The test model is encoded in a test case by a specic test
strategy. The runtime environment executes the compiled source code with
the test cases as input and the results can be visualized by a corresponding
viewer.
7 Conclusion
In this paper, we have presented an approach for model-based analysis of UML
models. Formal verication of UML models is complicated by the absence of
a formal semantics. In order to enable formal verication, our approach relies
on a partial formalization of UML models using graph transformation. Then,
existing model checkers can be reused. Concerning validation, our approach is
to complement the UML model by an additional test model and test strategies.
During testing, code is generated automatically from the UML model and the
test model, taking into account the particular test strategy.
We have demonstrated our approach both for verication and validation.
For verication of properties, we have chosen the property of deadlock freedom
and a UML system model represented in UML-RT, an extension of UML
for modeling concurrent systems. Such a system model has been partially
translated into CSP and a condition for deadlock freedom has been stated.
The verication of this property can be shown by applying the model checker
FDR.
For validation of properties, we have described the components of a test
framework for UML models, consisting of a UML system model and a UML
test model. In the framework, it is shown how testing can then be lifted on the
model level by providing techniques of deriving an implementation from both
the UML system model and the test model, given a particular test strategy.
We have demonstrated our approach to validation using a simple example of
a timing constraint within a sequence diagram.
Finally, we have developed the idea of oering support for the software
engineer by the means of an integrated tool suite. The goal of this tool suite is
to enable property verication and validation by providing pre-dened partial
translations for verication and test strategies for validation.
There are several directions for future work: In general, one goal could
be seen in creating a list of properties with guidelines how to verify or val-
idate it. Such a decision table would help the ordinary software engineer
within the overall process of model-based analysis. Concerning verication,
148
Engels et al.
our approach must be extended to support further properties, possibly by
creating further partial formalizations and using other model checkers. With
regards to validation, a list of pre-dened test strategies should be developed.
Finally, with regards to tool support, the model-analysis workbench should
be constructed supporting the software engineer with a framework for easily
performing model-based analysis.
References
[1] Aynur Abdurazik and Je Outt. Using UML collaboration diagrams for static
checking and test generation. In Andy Evans, Stuart Kent, and Bran Selic,
editors, UML 2000 - The Unied Modeling Language. Advancing the Standard.
Third International Conference, York, UK, October 2000, Proceedings, volume
1939 of LNCS, pages 383{395. Springer, 2000.
[2] F. Basanieri and A. Bertolino. A practical approach to UML-based derivation
of integration tests. In Proc. of Software Quality Week Europe QWE2000,
number 4, pages 20{24, November 2000.
[3] Alfs T. Berztiss. Verication and validation. Handbook of Software Engineering
& Knowledge Engineering, Vol. 2 Emerging Technologies, pages 367{388,
September 2002.
[4] Robert V. Binder. Testing Object-Oriented Systems: Models, Patterns, and
Tools. Object Technology Series. Addison Wesley, 1999.
[5] L. Briand and Y. Labiche. A UML-based Approach to System Testing.
In M. Gogolla and C. Kobryn, editors, UML 2001 - The Unied Modeling
Language. Modeling Languages, Concepts, and Tools., 4th International
Conference, Toronto, Canada, October 1-5, 2001, Proceedings, LNCS, pages
194{208. Springer-Verlag, 2001.
[6] E. M. Clarke and J. M. Wing. Formal Methods: State of the Art and Future
Directions. In ACM Computing Surveys, volume 28, pages 626{643. ACM,
1996.
[7] H. Ehrig and B. Mahr. Fundamentals of algebraic specications 1: Equations
and initial semantics, volume 6 of EACTS Monographs on Theoretical Computer
Science. Springer, Berlin, 1985.
[8] G. Engels, R. Heckel, and J. M. Kuster. Rule-based specication of behavioral
consistency based on the UML meta-model. In M. Gogolla and C. Kobryn,
editors, UML 2001 - The Unied Modeling Language. Modeling Languages,
Concepts, and Tools., 4th International Conference, Toronto, Canada, October
1-5, 2001, Proceedings, volume 2185 of LNCS, pages 272{287. Springer, 2001.
[9] G. Engels, R. Hucking, St. Sauer, and A. Wagner. UML collaboration diagrams
and their transformation to Java. In R. France and B. Rumpe, editors,
Proc. UML'99, Fort Collins, CO, USA, volume 1723 of LNCS, pages 473{488.
Springer-Verlag, October 1999.
149
Engels et al.
[10] G. Engels, J. M. Kuster, L. Groenewegen, and R. Heckel. A methodology for
specifying and analyzing consistency of object-oriented behavioral models. In
Volker Gruhn, editor, Proceedings of the 8th European Software Engineering
Conference (ESEC), pages 186{195. ACM Press, 2001.
[11] T. Fischer, J. Niere, L. Torunski, and A. Zundorf. Story diagrams: A new graph
transformation language based on UML and Java. In H. Ehrig, G. Engels, H.-J.
Kreowski, and G. Rozenberg, editors, Proc. 6th Int. Workshop on Theory and
Application of Graph Transformation (TAGT'98), Paderborn, November 1998,
volume 1764 of LNCS, pages 112{121. Springer-Verlag, 2000.
[12] Formal Systems Europe (Ltd). Failures-Divergence-Renement: FDR2 User
Manual, 1997.
[13] C. Ghezzi, M. Jazayeri, and D. Mandrioli. Fundamentals of Software
Engineering. Prentice-Hall, 1991.
[14] R. Heckel, J. M. Kuster, and G. Taentzer. Towards Automatic Translation
of UML Models into Semantic Domains. In Proceedings of the Appligraph
Workshop on Applied Graph Transformation, 2002.
[15] J.-J. Hiemer. Statecharts in CSP: Ein Prozessmodell in CSP zur Analyse von
STATEMATE-Statecharts. DrKovac Verlag, 1999.
[16] C. Hoare. An axiomatic basis for computer programming. Communications of
the ACM, 12(10):576{580, 1986.
[17] C. A. R. Hoare. Communicating Sequential Processes. Prentice Hall, 1985.
[18] Zohar Manna and Amir Pnueli. The Temporal Logic of Reactive and Concurrent
Systems, Specication. Springer-Verlag, 1992.
[19] Object Management Group. Unied Modeling Language Specication, version
1.4, September 2001.
[20] W. Reisig. Petri Nets, volume 4 of EATCS Monographs on Theoretical
Computer Science. Springer-Verlag, 1985.
[21] Bernhard Rumpe, Maurice Schoenmakers, Ansgar Radermacher, and Andy
Schrr. UML + ROOM as a Standard ADL. In Proc. ICECCS'99 5th Int. IEEE
Conf. on Engineering Complex Computer Systems, pages 43{53, Los Alamitos,
1999. IEEE Computer Society Press.
[22] B. Selic. Using UML for modeling complex real-time systems. In F. Mueller and
A. Bestavros, editors, Languages, Compilers, and Tools for Embedded Systems,
volume 1474 of Lecture Notes in Computer Science, pages 250{262. Springer
Verlag, 1998.
[23] J. M. Spivey. Introducing Z: a Specication Language and its Formal Semantics.
Cambridge University Press, 1988.
150
