Formal Analysis of Sequence Diagram with Time Constraints by

Transcription

Int J Software Informatics, Volume 6, Issue 2 (2012), pp. 327–357
International Journal of Software and Informatics, ISSN 1673-7288
c
2012
by ISCAS. All rights reserved.
E-mail: [email protected]
http://www.ijsi.org
Tel: +86-10-62661040
Formal Analysis of Sequence Diagram with Time
Constraints by Model Transformation
Meixia Zhu1,2 , Hanpin Wang1,2 , Xikui Liu3 , and Xiaoqiong Han1,2
1
(School of Electronics Engineering and Computer Science, Institute of Software,
Peking University, Beijing 100871, China)
2
(Key Laboratory of High Confidence Software Technologies of Ministry of Education,
Peking University, Beijing 100871, China)
3
(College of Information Engineering, Shandong University of Science and Technology,
Qingdao 266590, China)
Abstract The Profile for the Modeling and Analysis of Real-Time Embedded Systems
(MARTE) provides an extended sequence diagram with time properties (SDT). This kind
of diagram is frequently used in the preliminary developing phase of the embedded real
time systems (ERTS), however, it is not easy to verify the system it has described because
few tools can check it directly. This is mainly due to its semi-formal style and its abstract
mode in describing the behaviors of the corresponding system. The formal definition of
the SDT is firstly introduced, and an extended model named timed transition system for
SDT (TTS4SDT) is advanced for describing its formal semantics. By model transformation
techniques, the SDT is transformed to the intermediate model—TTS4SDT, and the transforming methods are divided into two categories: when the SDT doesn’t equip with nesting
structures and when it does. Two examples (one is without nesting structure and another is
with) are offered to demonstrate the transforming process. Then based on the TTS4SDT,
the sequence diagram is analyzed in a rigid way to eliminate the mistakes arising from the
designing stage.
Key words: real-time systems; timed transition system; formal semantics; MARTE; model
transformation
Zhu MX, Wang HP, Liu XK, Han XQ. Formal analysis of sequence diagram with time
constraints by model transformation. Int J Software Informatics, Vol.6, No.2 (2012): 327–
357. http://www.ijsi.org/1673-7288/6/i123.htm
1
Introduction
Among a series of real-time system designing specifications, MARTE[1] (the profile for the modeling and analysis of real-time and embedded systems) is a kind of domain specific modeling language (DSML). It has brought the real-time system (RTS)
designers lots of convenience by presenting the system in a higher level of abstracting
This work is sponsored by the National Natural Science Foundation of China under Grant Nos.
60873061 and 61170299, the National Basic Research Program of China (973 Program) under Grant
Nos. 2009CB320701 and 2010CB328103.
Corresponding author: Meixia Zhu, Email: [email protected], [email protected]
Received 2010-12-30; Revised 2011-06-03; Accepted 2011-10-12; Published online 2012-03-19.
328
International Journal of Software and Informatics, Volume 6, Issue 2 (2012)
mode and providing a series of modeling diagrams such as use-case diagram, activity
diagram, sequence diagram and so on to describe the system’s behavior respectively
from static and dynamic aspects, thus, it can be seen that MARTE is a versatile tool
for the designers. But, as far as the analyzers are concerned, they require that the
detailed behavior must be expressed in a clear and unambiguous style, so those diagrams which are showed in an abstract mode can not be directly used for analyzing
purposing.
Here, we pay attention to one of the most important dynamic diagram: sequence
diagram (SD). The SD which was firstly proposed in the Unified Modeling Language
(UML)[2] profile has been extended in the MARTE. It is an effective time modeling
tool since it has kept the main idea of the RTS modeling process: sequentialization[3],
i.e., an action must occur before another in some temporal ordering of events. But
its semi-formal style and the abstracting mode make it hard to bear some crucial
analysis work such as verifying whether the system satisfies the time constraints that
the designers have specified. Here, the semi-formal style means that its syntax is
described by class diagrams, while its semantics are described by natural languages.
1.1
Related work
How to give the SD formal semantics is still an open issue since it was firstly
proposed in the UML. In Ref. [4], the authors propose a thread-tag based sequence
diagram, then they further define a formal semantics based on partially ordered multiset for the thread-tag based sequence diagram. The authors of Ref. [5] use Petri net [6]
as an intermediate model and they intend to offer SD an operational semantics to
solve the semantic ambiguity problem. Reference [7] transforms SD to activity diagram which focuses on the execution sequence of the actions on the same objects.
The authors intend to define the SD in a formal style in Ref. [8] by defining a new
model—the composition of UML sequence diagrams (CUD)—to substitute the fragments. The reference book[9] summaries the research achievements in this field and
also introuduces some analysis methods. We find out that most of the works draw
support from graph transformation, but they don’t consider the appropriateness of
the formal model, and most of the intermediate models only can capture part of the
information that the corresponding SD has offered.
There are also many works relating to the UML models with time extensions.
In Ref. [10], the authors propose an approach to translate the real-time extension
of SD to UPPAAL timed automata[11] and shows how various behaviors of SD can
be verified. The authors of Ref. [12] give the solution for timing analysis of simple
UML sequence diagrams, and develop an algorithm for checking the compositions of
UML sequence diagrams. Here, the simple UML sequence diagrams describe exactly
one scenario without any alternatives and loops, and the compositions of the UML
sequence diagram can describe multiple scenarios. Reference [13] presents an alternative approach to the semantics of message sequence charts (MSCs) which are similar
to SD, and furthermore, it shows how some generalizations of ordered events can lead
to a language better suited to model real-world requirements. The authors design
a tool called TASS (Timing Analyzer of Scenario-Based Specifications) to check the
scenario-based specifications in Ref. [14]. It accepts UML2.0 interaction models with
general and expressive timing constraints and can be used for three kinds of timing
Meixia Zhu, et al.: Formal analysis of sequence diagram with time constraints ...
329
analysis problems: the reachability analysis, the constraint conformance analysis, and
the bounded delay analysis. The underlying technique of TASS is to reduce the timing
analysis problems into linear programming problems.
1.2
Motivation
Before the publication of MARTE, those works which try to extend SD to depict
time properties for RTS are flexible, i.e. an agreed way was not offered for academic
and industrial communities. MARTE is published for offering a common standard
for the designers when they use UML as the modeling tool to model the real-time
systems. The MARTE specification (Edition 2) published by the Object Management
Group in Nov. 2009 extends the traditional SD mainly in two ways:
• To place time intervals on events,
• and to specify some constraints on events by Clock Value Specification Language
(CVSL)[1] .
We called this kind of extended SD as sequence diagram with time (SDT). In such
circumstances, one problem have to be considered:
• How to check whether the constraints be satisfied or not?
As a modeling tool, SDT can not answer this question. Moreover, The semantic ambiguity problem becomes more serious, because there is not a definite time zero-setting
strategy which is critical for RTS to deal with the time elements in the implementation
of the SD.
The researchers have come to realize the urgency of offering checking methods
for SDT. MARTE has proposed to solve this problem with the help of model transformation techniques in the property analysis modeling (PAM) stage. It proposes to
transform model (denoted as A) which is designed according to the MARTE specification to another formal model (denoted as B), where B is always provided with
complete checking tools. Just as we have pointed out before, the problem that how
to guarantee B can simulate the behaviors of A is must to be considered, because if B
can not simulate A, then the checking result getting from B can not be applied to A.
We intend to deal with the checking challenge of SDT also by model transformation
techniques[15] .
2
To Find An Appropriate Intermediate Model
The first step of model transformation is to find an appropriate intermediate
model. Hitherto, Timed Automata (TA) [16] and Networks of Timed Automata
(NTA)[17] are still recognized as two classical formalisms for modeling real-time systems with dense time. Rich theoretical foundations and a number of developed verification tools like UPPAAL[11] , KRONOS[18] , IF[19] and CMC[20] have been offered.
However, the SDs and automata respectively focus on different aspects of the ERTS.
• SD is a kind of interaction diagram that focuses on the message transmitting
among a number of objects. While, automaton is a convenient form to define
the lifecycle of just one object, or an order of the invocations of its operation.
330
Intuitively, the former is in connection with a set of objects, but the latter is
only interested in one particular object.
• Each event respectively has a clock to control its earliest and latest executing
time in SD, but in TA and NTA, the occurrence times of all actions are controlled
by one global clock. Some constraints such as (t5 − t1 ) <= 13; and (y ==
f f )?3 6 t8 − t7 6 5 : 5 6 t8 − t5 6 10 defined in Fig. 1 cannot be conveniently
expressed in TA and NTA because two and more clocks are considered in the
above constraints.
Figure 1.
The sequence diagram getting from Section 3
For RTS, some extensions of Petri net on time have also been proposed to allow
the combination of an unbounded discrete structure with dense-time variables, such
as the Time-Arc Petri Net (TAPN)[21] and Time-Arc Petri Net with read arcs [22] .
But in SD, the time properties are placed on each sending event or receiving event
but not on object, and, as far as TAPN is concerned, time properties are placed on
the tokens of every place. If we transform SD into TAPN, then we have to place each
time constraint on one appropriate token. It is quite clear that this transforming
method violates the real intention of SDT.
To place the time properties on the transitions of the corresponding timed petri
net (TPN)[23] seems more suitable. However, we find out that TPN is only a modeling
tool where its formal semantics is described by dint of another formal model—timed
transition system (TTS)[24] . Take the tool Romeo[25] which is designed for checking
the properties such as reachability and liveness of the TPN models as example, it use
state-class graph[26] which is a special kind of TTS to describe its semantics. Thus,
in order to give the SDT formal semantics, we directly take TTS as the intermediate
331
model, and we extend TTS to TTS4SD to capture the detailed information of the
corresponding SDT.
Just as we have pointed out, if the target model B cannot simulate the behavior
of the source model A (Here, it is SDT), then the checking result getting from B
(Here, it is TTS4SDT) can not be applied to A. In order to tackle this problem, the
formal semantics of the SDT is described by TTS4SDT. The formal semantics also
provide the transforming process from SDT to TTS4SDT. Although MARTE offers
the formal syntax in the form of class diagrams, it isn’t suitable for the transforming
purpose, so we first offer the formal definition to describe the complete and detailed
information of SDT based on set theory. Then, we describe the formal semantics of
SDT by means of TTS4SDT. Then based on TTS4SDT, we carry out the further
checking works. In next section, based on the set theory, we will introduce the formal
definition of the SDT.
3
The Definition of SD
At first, we define a series of symbols for the description of SDT and TTS4SDT.
Let Σ ⊆ C ∪ N be an infinite character set where C is an infinite alphabet set and
N is an infinite set of natural numbers. Σ∗ is the set of infinite words over Σ. We
use R+ to represent the set of non-negative real numbers. Given a set col, |col|,
col/x and col.i where 1 6 i 6 |col| and P (col) separately represent its length, the set
eliminating x where x ∈ col, its ith element and its power set. At last, we use tt and
f f to separately denote the logical true and f alse.
In the definition of SD, the fragments, objects, message, events, boolean expressions and time properties are defined as a series of sets. The detailed information of
the sequence diagram such as the allocation and the order of events is depicted by a
series of functions.
Definition 1. A sequence diagram defined in MARTE specification is a tuple
D = (C, O, M , E, G, P ro, F un, Cseq , Eseq ) where
• C ⊆ Σ∗ is a finite set of combined fragments;
• O ⊆ Σ∗ is a finite set of objects;
• M ⊆ Σ∗ is a finite set of messages;
• E ⊆ Σ∗ is a finite set of events. For any message m ∈ M , let !m and ?m
represent the sending and receiving event of m respectively. (!m, ?m) is used to
denote that !m must occur before ?m. Please note that, C, O, M and E are
mutually disjoint.
• G is a set of boolean expressions[27];
• P ro is a set of expressions described by CVSL on events, which represent the
timing constraints enforced on D.
• F un is a tuple composed by a set of functions to depict the detailed information
of D, and it defined as follows: F un= (φ, ϕ, ω, α, β, γ, ψ) where
332
– φ: C → K is a function to denote the kind of the corresponding combined
fragment, where K = {seq, alt, opt, par, break, loop, neg, assert};
– ϕ: C → G is a function to assign a guard to a fragment. ∀c ∈ C,
φ(c) ∈ {par, neg, assert, seq} ⇒ ϕ(c) = tt, where ⇒ denotes the logical
implication;
– ω: C → P (C) is a function to point out the nesting relation. ω(c) = ∅
means that no fragments is nested by c, then we call c is plain. If c0 ∈ ω(c),
then c nests c0 ;
– α: E → O is a function to map each event to an object; Given a fragment
c, if ω(c) = ∅, then c is called elementary, and if c is not included in any
ω(c0 ) where c0 ∈ C ∧ c0 6= c, then, we call c is plain.
– β: E → R+ × R+ associates each transition with a time interval in the
form of [ef t(e), lf t(e)], where ef t(e) and lf t(e) are respectively the static
earliest and latest firing time of e ∈ E that satisfying ef t(e) 6 lf t(e), and
0 0
[ and 0 ]0 can be respectively replaced by 0 (0 and 0 )0 ;
– γ: E → C is a function to assign each event to the fragment it is in;
– ψ: E → Σ∗ is a function to give the occurring time of every event a name;
• Cseq is a finite array whose elements are of the form (c, c0 ) where c, c0 ∈ C∧c 6= c0 ,
which represents c should be considered before c0 ;
• Eseq is a finite array whose elements are of the form (e, e0 ) where e, e0 ∈ E∧e 6= e0
which represents that e should be occurred before e0 ;
And, we also specify that:
1. t(Cseq ) is the transitive closure of Cseq , and it is computed according to equation
(c, c0 ) ∈ t(Cseq ) ⇔ (3.1.1) ∨ (3.1.2) ∨ (3.1.3) ∨ (3.1.4) where


(c, c0 ) ∈ Cseq
(3.1.1)



 (c, c00 ) ∈ t(C ) ∧ (c00 , c0 ) ∈ t(C ) (3.1.2)
seq
seq
(3.1)
00
0
00

(c,
c
)
∈
t(C
)
∧
c
∈
ω(c
)
(3.1.3)

seq



(c00 , c0 ) ∈ t(Cseq ) ∧ c ∈ ω(c00 )
(3.1.4)
2. If (c1 , c2 ) ∈ t(Cseq ) ∧ c0 ∈ ω(c1 ) or (c2 , c1 ) ∈ t(Cseq ) ∧ c0 ∈ ω(c2 ), then c0 also be
considered before or after c2 .
3. Given a fragment c, if ∀c0 ∈ C, c 6∈ ω(c0 ), i.e. no fragment nests c, then we call
c is plain. If ω(c) = ∅, then c is elementary. We use CE and CP to respectively
denote the elementary and plain fragments set, and they are defined as:
CP = {c|∀c0 , c0 6= c ∧ c 6∈ ω(c0 )}, CE = {c|ω(c) = ∅}
(3.2)
4. For convenience, given a fragment c, when φ(c) = alt, we take c as a nesting
fragment where ω(c).1 is the sub-fragment when ϕ(c) = tt and ω(c).2 is the else
branch when ϕ(f ) = f f .
333
We take Fig. 1 as example, it can be defined as sd1 =(C, O, M, E, G, Pro, Fun,
Cseq , Eseq ) where
• C = {c1 , c2 , c3 , c4 , c5 },
• O = {A, B, C},
• M = {m1 , m2 , m3 , m4 , m5 , m6 };
• E = {!m1 , ?m1 , !m2 , ?m2 , !m3 , ?m3 , !m4 , ?m4 , !m5 , ?m5 , !m6 , ?m6 },
• G = {n < 3, y == f f },
• Pro={t5 − t1 6 13, t10 − t7 6 16, (y == f f )?3 6 t8 − t7 6 5 : 5 6 t8 − t5 6 10};
• and the F un= (φ, ϕ, ω, α, β, γ, ψ) are described as Table 1 and Table 2,
• Cseq = {(c1 , c5 ), (c2 , c3 ), (c3 , c4 )},
• Eseq = {(?m1 , !m2 ), (!m3, ?m3), (?m4 , !m5 )}
Table 1
S
{(!mi , ?mi )|1 6 i 6 6 ∧ i ∈ N}.
The formal definition of the fragments of sd1
c1
c2
c3
c4
c5
loop
seq
break
seq
par
ϕ
n<3
tt
y == f f
tt
tt
ω
{c2 , c3 , c4 }
∅
∅
∅
∅
φ
Table 2
The formal definition of the events of sd1
!m1
?m1
!m2
?m2
!m3
?m3
!m4
?m4
!m5
?m5
!m6
α
A
B
B
C
A
C
B
A
A
B
B
?m6
C
β
[1, 2]
[2, 3]
[0, 2]
[1, 2]
[1, 2]
[1, 2]
[2, 4]
[1, 4]
[1, 2]
[1, 3]
[2, 3]
[1, 4]
γ
c2
c2
c2
c2
c3
c3
c4
c4
c5
c5
c5
c5
ψ
t1
t2
t3
t4
t5
t6
t7
t8
t9
t10
t11
t12
In Section 4, we continue to introduce the formal definition of TTS4SDT.
4
The Intermediate Model: TTS4SDT
As an adequate formal paradigm to support the whole life-cycle engineering of
real time systems, TTS has been used for the modeling and evaluation of various
systems. TTS describes systems which combine discrete and continuous evolutions.
Many time dependent models use it to describe their formal semantics and also for
further analysis purposes. We firstly introduce the definition of transition system
(TS).
Definition 2. A transition system is a triple S = (Q, q0 , T ), where
• Q ⊆ Σ∗ is a set of states,
• q0 ⊆ Q is a set of initial states,
• T is the transitions set, where every transition is in the form of (q, a, q 0 ) ∈
Q × Σ∗ × Q.
334
TTS is an extension of TS on time aspects, and it defines as follows:
Definition 3. A timed transition system is a transition system S = (Q, q0 , T ,
lT , uT ), where
• Q ⊆ Σ∗ is a set of states,
• q0 ⊆ Q is a set of initial states,
• T is the transitions set, where every transition is either a discrete event transition
in the form of (q, a, q 0 ) ∈ Q × Σ∗ × Q or a delay transition in the form of
(q, d, q 0 ) ∈ Q × R+ × Q,
• a minimal delay lt ∈ N for every transition t ∈ T ,
• a maximal delay ut ∈ N for every transition t ∈ T . For all t ∈ T , we require
that lt 6 ut ,
• Moreover, every delay transition satisfies:
d
d
– Time-determinacy: if q −
→ q 0 and q −
→ q 00 with d ∈ R+ , then q 0 = q 00 ,
0
– 0-delay: q −
→ q,
d0
d
d+d0
– Additivity: if q −
→ q 00 and q 00 −→ q 0 with d, d0 ∈ R+ , then q −−−→ q 0 ,
d
– Continuity: if q −
→ q 0 , then for every d0 and d00 in R+ such that d = d0 + d00 ,
d0
d00
there exists q 00 such that q −→ q 00 −→ q 0 .
The traditional definition is not enough to describe the semantics of the corresponding SD, because
• every event is allocated at one object and belonged to one fragment.
• and, in SD, the transitions are divided into three kinds: discrete transitions
among events →e , discrete transitions among fragments →c , and delay moves
d
d
−
→e or −
→c , where d ∈ R+ .
The transitions among events and fragments describe the system’s behaviors respectively from micro and macro scopes:
• to specify the execution sequence of the events when the guards are fixed,
• and to specify the transitions among the fragments when the guard is changed
from one to another.
In next section, we will start to introduce the extended model: TTS4SDT.
4.1
TTS4SDT
At first, we extend the discrete transition → to →e to describe the event transition. The detailed definition is as follows:
Definition 4. Given an SDT D = (C, O, M , E, G, P ro, F un, Cseq , Eseq ),
there is a TTS (TTSet ) Set = (Qe , q0e , Te , lTe , uTe ) to describe its event transitions,
where
335
• Qe = P (E),
• q0e ⊆ Qe is an array of initial states,
• Te is an array of event transitions, Every transition te ∈ Te is a binary relation
on Qe
• lT e is an array, lte ∈ lTe means a minimal delay for every transition t ∈ Te ,
• and uT e is also an array, ute ∈ uTe means a maximal delay for every transition
t ∈ Te .
• Moreover Te consists of either
d
– delay moves qe −
→e qe0 with lt 6 d 6 ut that satisfy the above time properties that have been introduced in Definition 3,
– or discrete moves {qe , qe0 , γ(a), a, α(a)} which means that in the fragment
γ(a), an event a ∈ q of the object α(a) is occurring, for simplicity, we use
(γ(a),a,α(a))
qe −−−−−−−−→e qe0 to denote {qe , qe0 , γ(a), a, α(a)}.
d
0
A run of Set can be defined as a finite or infinite sequence of moves ρe = q0e −→
e
(c0 ,a0 ,o0 )
d
(c1 ,a1 ,o1 )
d
1
n
0
0
0
q0e
−−−−−−→e q1e −→
e q1e −−−−−−→e · · · qne −→e qne where discrete events alternate
d0 (c0 ,a0 ,o0 )···dn
0
.
with time durations. The sequence ρe can also be write as q0e −−−−−−−−−−→e qne
U ntimed(ρe ) is the execution sequence of the events which is obtained by the concatenation (c0 , a0 , o0 )(c1 , a1 , o1 ). . . (cn , an , on ) of labels in Σ∗ , and Duration(ρe ) =
P|ρe |
i=0 di , where |ρe | is the length of ρe .
Next, we extend the discrete transition → to →c to describe the transitions
among fragments.
Definition 5. Given an SDT D = (C, O, M , E, G, P ro, F un, Cseq , Eseq ),
there is a TS (TSct ) Sct = (Qc , q0c , Tc ) to describe its fragment transitions, where
• Qc = P (C) is a set of states,
• q0c ⊆ Qc is a set of the initial states,
• Tc is a set of transitions. Every transition tc ∈ Tc is a binary relation on Qc
g
and {qc , g, qc0 } with g ∈ G, qc , qc0 ∈ Qc . For simplicity, we use qc −
→c qc0 to denote
0
{qc , g, qc }.
g0
A run of Sct can be defined as a finite or infinite sequence of moves ρc = q0c −→c
· · · −→f qnc where guards are changed from one to another. The sequence ρc can also
gn
g0 ···dn
0
be written as q0c −−−−→c qnc
. The word F rag(ρc ) is obtained by the concatenation
∗
g0 . . . gn of labels in Σ which is a presentation of the varying process of the guards.
At last, based on the above two definitions, we introduce the definition of the
TTS4SDT.
Definition 6. An object-oriented timed transition system for SDT (TTS4SDT)
is a transition system S = (T T Set , T Sct ), where TTSet is an object-oriented timed
transition system based on event transitions that has been defined in Definition 4 and
TSct is an object-oriented transition system based on fragment transitions that has
been defined in Definition 5.
336
4.2
The semantics of TTS4SDT
The traditional semantics of TTS is urgent, which means that all transitions
cannot be disabled by time delays. Formally, if two or more events ex , . . . , ey can be
occurred at state q, then the enabled transition t can occur if and only if
e
e
x
∃ex ∈ q, t = q −→
q 0 ∧ u t 6 l t0 , t 0 ∈ { −
→ |e ∈ {ex , . . . , ey }/ex}.
(4.3)
While the urgent semantics doesn’t work for SDT when parallel fragments are concerned. Take Fig. 2 as example, it describes a TTS and a parallel fragment. According
to the urgent semantics, !e1 can never be occurred before !e2 since u!e2 6 l!e1 , while
in the parallel fragment, !e1 and !e2 can be interleaving executed according to the
MARTE specification. Thus the semantics must be modified in TTS4SDT to allow
the interleaving execution of more than two transitions, we call this kind of semantics
as lazy semantics of TTS4SDT.
Figure 2.
An example to illustrate the semantics of TTS
Before defining its semantics, we firstly define a mapping v that is from X ⊆
(Σ∗ ∪ R+ ) to R+ . Intuitively, v(e) represents the amount of time that has elapsed
since e is enabled. For ∀x ∈ Σ and ∀d ∈ R+ , v(x + d) = v(x) + d. We note 0 the
valuation which assigns to every x ∈ Σ∗ the value 0.
Definition 7. Given a TTS4SDT= (Set , Sct ) where Set = (Qe , q0e , Te , lTe , uTe )
and Sct = (Qc , q0c , Tc ). its semantics is described as two sequences of moves:
d
γ(a0 ),a0 ,α(a0 )
0
0
0
• A finite or infinite sequence of moves of Set : ρe = (q0e , 0) −→
e (q0e , v0 )−−−−−−−−−→e
d
γ(a1 ),a1 ,α(a1 )
d
1
n
0
0
0
0
(q1e , v1 )−→
e (q1e , v1 )−−−−−−−−−→e · · · (qne , vn )−→e (qne , vn ) where discrete events
alternate with time durations. The sequence ρe can also be write as
d0 (γ(a0 ),a0 ,α(a0 ))···dn
0
(q0e , 0) −−−−−−−−−−−−−−−→e (qne
, vn0 )
(4.4)
Furthermore,
γ(a),a,α(a)
– for any discrete transition (q, v) −−−−−−−→e (q 0 , v 0 ) where a ∈ q, and when
a has occurred,
0
0
v (a ) =
(
0
if(a0 ∈ q 0 ∨ a0 = a)
v(a0 )
else
(4.5)
d
– for any delay moves (q, v) −
→ (q, v 0 ), it satisfies
∃t, lt 6 d 6 ut ∧ t ∈ q ∧ ∀x ∈ q, v 0 (x) = v(x) + d.
(4.6)
g1
337
gn
• A finite or infinite sequence of moves of Sct : ρc = q0c −→c q1c · · · −→c qnc .
Figure 3 is a simple example to illustrate the structure of the TTS4SDT. Its
formal definition is as follows: S = (Set , Sct ), where
• Set = (Qe , q0e , Te , lTe , uTe ) where
– Qe = {q0 , q1 , q2 , q3 , q4 , q5 , q6 },
– q0e = {q0 },
– Te = {{q0 , q1 , Y, e0 , A}, {q1 , q0 , Y, e1 , B}, {q2 , q3 , Y ,e2 , C}, {q3 , q0 , Y, e3 , A},
{q3 , q4 , Z, e3 , A}, {q4 , q5 , P, e4 , B}, {q5 , q6 , P, e5 , C}},
– lTe = {1, 2, 1, 1, 3},
– uTe = {2, 4, 3, 3, 5}.
• Sct = (Qc , q0c , Tc ) where
– Qc = {X, Y, Z, P },
– q0c = {X},
– Tc = {{Y, Z, y == f f }, {Y, P , x 6= 1 ∧ y == tt}, {Z, P , x 6= 1 ∧ y == f f },
{X, X, x == 1}}.
Figure 3.
A simple TTS4SDT
Its semantics can be described as a set of infinite moves among the events and the
time delays as well as a set of moves among the fragments. An interpretation of Fig. 3
(Y,e0 ,A)
1.5
(Y,e1 ,B)
2.3
1.4
is ρe1 = (q0 , v0 )−−→e (q0 , v1 )−−−−−→e (q1 , v2 )−−→e (q1 , v3 )−−−−−→e (q2 , v4 )−−→e (q4 , v5 )
(P,e4 ,B)
(P,e5 ,C)
3.5
−−−−−→e (q5 , v6 )−−→e (q5 , v7 )−−−−−→e (q6 , v8 ), and the time part of ρe1 is described in
Table 3.
Table 3
The time part of every event of ρe1
event
v0
v1
v2
v3
v4
v5
v6
v7
v8
e0
0
1.5
0
2.3
0
1.4
1.4
4.9
4.9
e1
0
1.5
0
2.3
0
1.4
1.4
4.9
4.9
e2
0
1.5
1.5
3.8
0
1.4
1.4
4.9
4.9
e3
0
1.5
1.5
3.8
3.8
5.2
5.2
8.7
8.7
e4
0
1.5
1.5
3.8
0
1.4
0
3.5
3.5
e5
0
1.5
1.5
3.8
3.8
5.2
0
3.5
0
338
5
The Semantics of SDT
Now, we start to talk about how to describe the formal semantics of the SDT in
the form of a TTS4SDT. The well-defined semantics of RTS must have the following
two features:
• a proper next-state relation that can help us to describe its semantics by computing out all executing sequences we wish to consider, and
• a proper time zero-setting strategy which allows us to decide the enabling events
in the present moment.
The properties that have been declared in MARTE must be also kept in the corresponding semantics, and they are
1. in the par fragment, the events are executed interleaving, then the number of
the events that can be executed at first or last may be more than one,
2. in the loop fragment, when all the f inal events complete, according to the guard,
either one of the head events of the loop fragment or one of the head events in
another fragment is to be executed.
3. the opt and the break operators are two variants of the alt operator and they
are complementary. A fragment with opt operator is semantically equivalent to
an alt fragment where there is one operand with non-empty content and the
second operand is empty. While a fragment with break operator designates a
breaking scenario that is performed instead of the remainder of the enclosing
fragment,
4. the guards are inheritable.
We find out that the nesting structure has brought many inconveniences to the
analyzers even though it brings many conveniences to the designers. In this paper,
we classify the processes into two kinds: without nesting and with nesting. At first,
we introduce the semantics of the SDT without nesting.
5.1
The semantics of SDT without nesting
We use c.h and c.f to separately denote the head events set and the final events
set of the fragment c. They are defined separately as:
• c.h = {e|γ(e) = c ∧ ∀e0 ∈ E, γ(e0 ) = c ⇒ (e0 , e) 6∈ Eseq },
• c.f = {e|γ(e) = c ∧ ∀e0 ∈ E, γ(e0 ) = c ⇒ (e, e0 ) 6∈ Eseq }.
S
We use E0 to denote |C|
1 C.i.h, 1 6 i 6 |C|. Taking it as basis, we start to give out
the semantics of the SDT in the form of TTS4SDT.
Definition 8. Semantics of SDT without nesting: the semantics of a sequence
diagram D = (C, O, M , E, G, P ro, F un, Cseq , Eseq ) without nesting structure is
described by a TTS4SDT S = (Set , Sct ) where
• Set = (Qe , q0e , Te , lTe , uTe ) is a TTSet ,
339
• Sct = (Qc , q0c , Tc ) is a TSct .
They are separately defined as follows:
• Set = (Qe , q0e , Te , lTe , uTe ), where
– Qe = P (E),
– q0e = E0 ,
– Te consists of discrete and delay transitions:
1. The discrete transition relation is defined as:
(γ(e),e,α(e))
(Ecur , v) −−−−−−−−→e (Enx (e), v 0 ) ⇔ e ∈ Ecur ∧enabled(e) = tt∧v(ψ(e)) ∈ β(e)
(5.7)
where
(a) enabled(e) = tt means that e is ‘enabled’, and enalbed(e) is a logic
contain formulas in the form of:
e ∈ Ecur ∧ Θ(γ(e)) = tt ∧ ∀e0 ∈ Ecur , Θ(γ(e0 )) = tt ⇒ (γ(e0 ), γ(e)) 6∈ t(Cseq )
(5.8)
and Θ(c) is defined as:
(
ϕ(c)
φ(c) 6= break
(5.9)
Θ(c) =
¬ϕ(c) φ(c) = break
(b) after the occurring of e, the time zero-setting strategy is organized
according to the following equation:
(
0
if (e0 ∈ Enx (e) ∨ e0 == e)
0 0
(5.10)
v (e ) =
v(e0 ) else
where
Enx (e) = {e0 |(e, e0 ) ∈ Eseq ∨ (e0 ∈ Ecur ∧ (γ(e), γ(e0 )) ∈ t(Cseq ))}∪
(
γ(e).h if φ(γ(e)) = loop ∧ e ∈ γ(e).f
∅
else
(5.11)
(c) The delay move is defined as:
d
(Ecur , v) −
→e (Ecur , v 0 ) ⇔ v 0 = v + d.
– ∀e ∈ E, lTe = ef t(e),
– ∀e ∈ E, uTe = lf t(e),
• Sct = (Qc , q0c , Tc ), where
– Qc = P (C),
– q0c = C0 = {c|Θ(c) = tt ∧ ∀c0 ∈ C, Θ(c0 ) = tt ⇒ (c0 , c) 6∈ t(Cseq )},
(5.12)
340
– Tc is defined as:
g
Ccur −
→c Cnx (c)
(5.13)
0
and c ∈ Cnx (c) ⇔ (5.14.1) ∨ (5.14.2),

0
00
00
00

 (c, c ) ∈ t(Cseq ) ∧ g = Θ(c ) ∧ ∀c ∈ C, (c, c ) ∈
t(Cseq ) ∧ Θ(c00 ) = tt → (c0 , c00 ) ∈ t(Cseq ) (5.14.1)


(c = c0 ∧ φ(c) = loop ∧ g = Θ(c))
(5.14.2)
(5.14)
Take Fig. 4 as example, where its formal definition is sd2 =(C, O, M, E, G, Pro,
Cseq , Eseq , Fun) where
• C = {c2 , c1 , c3 , c4 },
• O = {A, B, C},
• M = {m1 , m2 , m3 , m4 , m5 , m6 },
• E = {!m1 , ?m1 , !m2 , ?m2 , !m3 , ?m3 , !m4 , ?m4 , !m5 , ?m5 , !m6 , ?m6 },
• G = {n < 3, y == tt, n > 3 ∧ y == tt, n > 3 ∧ y == f f },
• Pro={t5 − t1 6 13, t10 − t7 6 16, (y == f f )?3 6 t8 − t7 6 5 : 5 6 t8 − t5 6 10},
• Cseq = {(c2 , c1 ), (c1 , c3 ), (c3 , c4 )},
• Eseq ={(!m1 , ?m1 ), (?m1 , !m2 ), (!m2 , ?m2 ), (!m3, ?m3), (!m4 , ?m4 ), (!m5 , ?m5 ),
(!m6 , ?m6 )},
• and the F un= (φ, ϕ, ω, α, β, γ, ψ) are described as Table 4 and Table 5.
Figure 4.
The sequence diagram getting from Section 3
341
The formal definition of the events of sd2
Table 4
!m1
?m1
!m2
?m2
!m3
?m3
!m4
?m4
!m5
?m5
!m6
α
A
B
B
C
A
C
B
A
A
B
B
?m6
C
β
[1, 2]
[2, 3]
[0, 2]
[1, 2]
[1, 2]
[1, 2]
[2, 4]
[1, 4]
[1, 2]
[1, 3]
[2, 3]
[1, 4]
γ
c2
c2
c2
c2
c1
c1
c3
c3
c4
c4
c4
c4
ψ
t1
t2
t3
t4
t5
t6
t7
t8
t9
t10
t11
t12
The formal definition of the fragments of sd2
Table 5
c2
c1
c3
c4
φ
loop
opt
seq
par
ϕ
n<3
y == tt
tt
tt
ω
∅
∅
∅
∅
Then, take it as example, we start to explain the process of constructing a
TTS4SDT according to Definition 8. At first, we have:
• E0 = {!m1 , !m3 , !m4 , !m5 , !m6 },
•


 {c2 } if n < 3
C0 =
{c1 } if n > 3 ∧ y == tt


{c3 } if n > 3 ∧ y == f f
Assume n := 3 ∧ y == f f is the initial external data flow and n := n + 1 is
the external control flow, then ∀e ∈ {!m4 } can occur, thus !m4 is the first occurring
event, then according to Definition 8. One of the execution traces of the OOT S et is
d!m
d?m
!m
?m
d!m
4
4
4
4
5
• ({!m4 }, v0 )−−−→
−−→
−−−→
−−→
e ({!m4 }, v1 )−
e ({?m4 }, v2 )−
e ({?m4 },v3 )−
e ({!m5 , !m6 }, v4 )−−−→e
d!m6
!m
!m
d?m6
5
6
({!m5 , !m6 }, v5 )−−−→
−−→
−−−→e
e ({?m5 , !m6 }, v6 )−−−→e ({?m5 , ?m6 }, v7 )−
e ({?m5 , ?m6 },v8 )−
d?m5
?m
?m
6
5
({?m5 , ?m6 }, v9 )−−−→
−−−→e ({?m5 }, v11 )−−−→
e ({?m5 }, v10 )−
e (∅, v12 ), and its time part is describe as Table 6 where le 6 de 6 ue .
and the transitions of the TSct are as follows:
n<3
• c2 −−−→c c2 ,
tt
tt
→ c c4 ,
• c2 −
→ c c3 −
y==tt
tt
tt
• c2 −−−−→c c1 −
→ c c3 −
→ c c4 .
The fragment transitions and the event transitions described above are showed
in the form of a block diagram as Fig. 5.
As far as the nesting structure is concerned, it is more complicated, and in next
section, we will talk about the semantics of SDT with nesting structure.
342
Table 6
The time part of the sequence of Fig. 1
!m4
?m4
v0
0
0
!m5
0
v1
d!m4
d!m4
d!m4
v2
0
0
d!m4
v3
d?m4
d?m4
d!m4 + d?m4
v4
d?m4
0
v5
d?m4 + d!m5
d!m5
v6
d?m4 + d!m5
d!m5
0
v7
d?m4 + d!m5 + d!m6
d!m5 + d!m6
d!m6
0
v8
d?m4 + d!m5 + d!m6
d!m5 + d!m6
d!m6
v9
d?m4 + d!m5 + d!m6 + d?m6
d!m5 + d!m6 + d?m6
d!m6 + d?m6
v10
d?m4 + d!m5 + d!m6 + d?m6
d!m5 + d!m6 + d?m6
d!m6 + d?m6
v11
d?m4 + d!m5 + d!m6 + d?m6 + d?m5
d!m5 + d!m6 + d?m6 + d?m5
d!m6 + d?m6 + d?m5
v12
d?m4 + d!m5 + d!m6 + d?m6 + d?m5
d!m5 + d!m6 + d?m6 + d?m5
d!m6 + d?m6 + d?m5
?m6
!m6
?m6
v0
0
0
0
v1
d!m4
d!m4
d!m4
v2
d!m4
d!m4
d!m4
v3
d!m4 + d?m4
d!m4 + d?m4
d!m4 + d?m4
v4
0
0
d!m4 + d?m4
v5
d!m5
d!m5
d!m4 + d?m4 + d!m5
v6
0
0
d!m4 + d?m4 + d!m5
v7
d!m6
d!m6
d!m4 + d?m4 + d!m5 + d!m6
v8
0
0
0
v9
d?m6
d?m6
d?m6
v10
0
d?m6
0
v11
d?m5
d!m5 + d?m6 + d?m5
d?m5
v12
0
d!m6 + d?m6 + d?m5
d?m5
5.2
The semantics of SD with nesting
Before the process of transformation, we firstly offer a set of definitions to describe
the top (c.t) and bottom (c.b) fragments sets of c, as well as its head (c.h) and final
(c.f ) events set.
• c0 ∈ c.t ⇔ (5.15.1) ∧ (5.15.2), where
(
c0 ∈ ω(c)
00
00
(5.15.1)
00
0
0
00
∀c ∈ C, c ∈ ω(c) ⇒ (c , c ) 6∈ t(Cseq )
• c0 ∈ c.b ⇔ (5.16.1) ∧ (5.16.2), where
(
c0 ∈ ω(c)
00
00
(5.16.1)
∀c ∈ C, c ∈ ω(c) ⇒ (c , c ) 6∈ t(Cseq )
• e ∈ c.h ⇔ (5.17.1) ∧ (5.17.2), where
(
γ(e) = c
0
0
(5.15.2)
(5.16.2)
(5.17.1)
0
∀e ∈ E, γ(e ) = c ⇒ (e , e) 6∈ Eseq
(5.17.2)
(5.15)
(5.16)
(5.17)
Figure 5.
343
The discrete transitions of Fig. 1
• e ∈ c.f ⇔ (5.18.1) ∧ (5.18.2), where
(
γ(e) = c
0
(5.18.1)
0
0
∀e ∈ E, γ(e ) = c ⇒ (e, e ) 6∈ Eseq
(5.18.2)
(5.18)
and, we also specify that:
1. If c ∈ CP , i.e. c is plain, then c.h =
2. E0 =
S|C|
i=1
S|c.t|
i=1
c.t.i.h, c.f =
S|c.b|
i=1
c.b.i.f .
C.i.h is used to denote the initial events set.
3. Given a fragment c, if it is nested by c0 , i.e. c ∈ ω(c0 ), Θ(c) is used to describe
the guard inheritance relationship between c and c0 . It is defines as:
Θ(c) =
















ϕ(c)
φ(c) 6= break ∧ c ∈ CP
¬ϕ(c)
φ(c) = break ∧ c ∈ CP
ϕ(c) ∧ ϕ(c0 ) ∧ Θ(c0 )
φ(c) 6∈ {break, alt} ∧ φ(c0 ) = alt ∧ c = ω(c0 ).1
ϕ(c) ∧ ¬ϕ(c0 ) ∧ Θ(c0 )
φ(c) 6∈ {break, alt} ∧ φ(c0 ) = alt ∧ c = ω(c0 ).2

ϕ(c) ∧ Θ(c0 )





¬ϕ(c) ∧ ϕ(c0 ) ∧ Θ(c0 )





¬ϕ(c) ∧ ¬ϕ(c0 ) ∧ Θ(c0 )




¬ϕ(c) ∧ Θ(c0 )
φ(c) 6∈ {break, alt} ∧ φ(c0 ) 6= alt
φ(c) = break ∧ φ(c0 ) = alt ∧ c = ω(c0 ).1
φ(c) = break ∧ φ(c0 ) = alt ∧ c = ω(c0 ).2
φ(c) = break ∧ φ(c0 ) 6= alt
(5.19)
344
Taking them as basis, we start to give out the semantics of the SDT with nesting
structure in the form of TTS4SDT.
5.3
The semantics of SD with nesting
Definition 9. Semantics of SD: the semantics of a sequence diagram with
nesting D = (C, O, M , E, G, P ro, Cseq , Eseq , F un) is described by a TTS4SDT
S = (Set , Sct ) where
• Set = (Qe , q0e , Te , lTe , uTe ) is a TTSet ,
• Sct = (Qc , q0c , Tc ) is a TSct .
They are respectively defined as follows:
– Qe = P (E),
– q0e = (E0 , 0), and E0 = {e|γ(e) ∈ C0 },
– And Te consists of discrete and delay transitions.
1. The discrete transition relation is defined by:
(γ(e),e,α(e))
(Ecur , v) −−−−−−−−→e (Enx (e), v 0 ) ⇔ e ∈ Ecur ∧enabled(e) = tt∧v(ψ(e)) ∈ β(e)
(5.20)
2. after the occurring of e, ∀e0 ∈ E, its time part will be computed
according to the following equation:
(
0
if(e0 ∈ Enx (e) ∨ e0 = e)
0 0
(5.21)
v (e ) =
v(e0 ) else
where
Enx (e) = {e0 |(e, e0 ) ∈ Eseq ∨ e0 ∈ Ecur ∧ (γ(e), γ(e0 )) ∈ t(Cseq )}
(
γ(e).h φ(γ(e)) = loop ∧ e ∈ γ(e).f
(5.22)
∪
∅
else
∪
(
ω −1 (γ(e)).t.h φ(ω −1 (γ(e))) = loop ∧ γ(e) ∈ ω −1 (γ(e)).b ∧ e ∈ γ(e).f
∅
else
(5.23)
(a) (5.22) means that if e is one of the f inal events of a loop fragment
c, and c is not nested by any other fragment, then all the events
of γ(e).h must also be included in Enx (e),
(b) (5.23) means that if γ(e) is nested by another fragment c whose
c.b includes γ(e) and e ∈ γ(e).f , then all the events of c.t.h must
also be included in Enx (e).
– The continuous transition relation is defined by:
d
(Ecur , v) −
→e (Ecur , v 0 ) iff v0 == v + d.
345
– ∀e ∈ E, lTe = ef t(e),
– ∀e ∈ E, uTe = lf t(e),
– Qc = P (C),
– q0c = C0 = {c|Θ(c) = tt ∧ ∀c0 ∈ C, Θ(c0 ) = tt ⇒ (c0 , c) 6∈ t(Cseq )},
– Tc is defined as:
g
Ccur −
→c Cnx (c)
(5.24)
0
and c ∈ Cnx (c) ⇔ (5.25.1) ∨ (5.25.2) ∨ (5.25.3) where


(c, c0 ) ∈ t(Cseq ) ∧ g = Θ(c00 ) ∧ ∀c00 ∈ C, (c, c00 ) ∈ t(Cseq ) ∧ Θ(c00 )




= tt → (c0 , c00 ) ∈ t(Cseq )
(5.25.1)
0

c
=
c
∧
φ(c)
=
loop
∧
g
=
Θ(c)
(5.25.2)




c ∈ ω(c00 ) ∧ φ(c00 ) = loop ∧ c ∈ c00 .b ∧ c0 ∈ c00 .t ∧ Θ(c00 ) = tt
(5.25.3)
(5.25)
According to Definition 8, we get the TTS4SDT S = (Set , Sct ) of Fig. 1 as follows:
– Qe = {q0 , q1 , · · · , q16 },
– q0e = {!m1 , !m5 , !m6 },
– lTe = {1, 2, 0, 1, 1, 1, 1, 1, 2, 2, 2, 1, 1, 1, 2, 1, 1, 2, 1, 1},
– uTe = {2, 3, 2, 2, 2, 2, 2, 4, 4, 4, 3, 2, 4, 3, 3, 2, 2, 3, 4, 3},
– Te is described in Fig. 6,
– Qc = {c1 , c2 , c3 , c4 , c5 },
q0c =
(
{c2 } if n < 3,
{c5 } if n > 3,
– and Tc is described in Fig. 7,
Figure 6.
The discrete transitions of Fig. 1
346
Figure 7.
The transitions among the fragment of Fig. 1
Assume n := 3 ∧ y == f f is the initial external data flow and n := n + 1 is the
external control flow, then ∀e ∈ {!m5 , !m6 } can occur, thus !m5 is the first event, then
according to Definition 8, the execution traces of the T T Set can be
d!m
d!m
(c5 ,!m5 ,A)
5
6
• ({!m5 , !m6 }, v0 )−−−→
−−−−−−−
→e ({?m5 , !m6 }, v2 )−−−→
e ({!m5 , !m6 }, v1 )−
e ({?m5 , ?m6 }, v3 )
d?m
(c5 ,!m6 ,B)
(c5 ,?m6 ,C)
d?m
6
5
−
−−−−−−−
→e ({?m6 },v4 )−−−−→
−−−−−−−→e ({?m5 }, v6 )−−−−→
e ({?m5 , ?m6 }, v5 )−
e ({?m5 }, v7 )
(c5 ,?m5 B)
−−−−−−−→e (∅, v8 ),
and its time part is describe as Table 7 where le 6 de 6 ue . Please note that, the
kinds of the fragments are distinguished according to the events they include, that is
to say, e ∈ c, then the kind of c is φ(γ(e)).
Table 7
5.4
The time part of the sequence of Fig. 1
!m5
?m5
!m6
v0
0
0
0
?m6
0
v1
d!m5
d!m5
d!m5
d!m5
v2
0
0
0
d!m5
v3
d!m6
d!m6
d!m6
d!m5 + d!m6
v4
d!m6
0
0
0
v5
d!m6 + d?m6
d?m6
d?m6
d?m6
v6
d!m6 + d?m6
0
d?m6
0
v7
d!m6 + d?m6 + d?m5
d?m5
d!m5 + d?m6 + d?m5
d?m5
v8
d!m6 + d?m6 + d?m5
0
d!m6 + d?m6 + d?m5
d?m5
Two operators: negate and assert
According to the UML specification, invalid traces arise only out of the operators
negate and assert. We briefly illustrate the vagueness and ambiguity of negate and
assert as they are defined in the standard specification document. As to negate, it
is probably a kind of negation. The standard does not give an example, or explain
the intuition or pragmatics of this operator, but simply declares that it “designates
that the combined fragment represents traces that are defined to be invalid”, and “all
interaction fragments that are different from negate are considered positive meaning
that they describe traces that are valid and should be possible”. So negate seems
a natural way to specify invalid traces. Later however, the standard declares that
“the sequences of the operand of assert are the only valid continuations. All other
continuations result in an invalid trace”. This suggests that the invalid set of traces
for an assert fragment is its complement, i.e., the set of all other possible traces. This
seems contradictory to the declaration that “the invalid set of traces is associated only
with the use of a negative Combined Fragment”.
The authors try to eliminate the semantics confusion arises from assert and negate
operators by model transformation techniques in Ref. [28]. They consider negate
fragment and assert fragment as stand alone parts. The set of traces that defined a
347
fragment with operator negate is equal to the set of traces given by its (sole) operand,
only that this set is a set of invalid rather than valid traces. They ignore the operators
and only consider the operands.
In this paper, when the operator of a fragment is negate or assert, we will only
transform its operand which may also be a fragment to a TTS4SDT.
5.5
Transform SDT to TTS4SDT
Now, we talk about the main techniques of realizing the automatic translation
from SD to TTS4SDT. A special operation ./ whose function is to construct a family
of sets from a series of sets (it’s a set whose elements are sets too), and when two or
more sets are computed by ./, those sets with the identical content will be induced
to one set. The formal definition is as follows:
Definition 10. The primitive operations of ./ are defined as:
• given two sets X, Y,
X ./ Y = {X} ./ Y = X ./ {Y } =
(
{X, Y } if X 6= Y
{X}
otherwise
{X, Y } = {Y, X},
• ./ is left associative, X ./ Y ./ Z


{X, Y, Z}



 {X, Y }
=

{X, Z}



 {X}
(5.26)
(5.27)
= {X, Y } ./ Z
X 6= Y 6= Z
X 6= Y ∧ (Z = X ∨ Z = Y )
X 6= Z ∧ (Y = X ∨ Y = Z)
(5.28)
X =Y =Z
• We also define an operator which is denoted as ∝ to describe the complement
operation of ./.
A ∝ B = {X|X ∈ A ∧ X 6= B}
(5.29)
where A is a family of sets and B is a set.
According to the above definition, we have:
Theorem 5.1.
Given three sets X, Y, Z, ./ satisfies the following properties:
1. commutative:
X ./ Y = Y ./ X,
(5.30)
X ./ (Y ./ Z) = (X ./ Y ) ./ Z,
(5.31)
X ./ (Y ./ Z) = (X ./ Y ) ./ (X ./ Z),
(5.32)
2. associative:
3. distributive:
348
Proof: We prove it according to Definition 11.
1.
X ./ Y =
(
Y ./ X =
(
{X, Y } if
{X}
(5.33)
otherwise
{Y, X} if
{X}
X 6= Y
X 6= Y
(5.34)
otherwise
by (4.22), we have X ./ Y = Y ./ X,
2. according to (5.27), we have:
X ./ (Y ./ Z)

(

{X}
X =Y =Z



 X ./ {Y } =
{X, Y } X 6= Y ∧ Y = Z
(
=

{X, Z}
X = Y ∧ Y 6= Z



 X ./ {Y, Z} =
{X, Y, Z} otherwise
(5.35)
(X ./ Y ) ./ Z

(

{X}
X =Y =Z



 {X} ./ Z =
{X, Z} X = Y ∧ Y 6= Z
(
=

{X, Y }
X 6= Y ∧ Y = Z



 {X, Y } ./ Z =
{X, Y, Z} otherwise
(5.36)
thus X ./ (Y ./ Z) = (X ./ Y ) ./ Z,
3. (X ./ Y ) ./ (X ./ Z)
⇔ ((X ./ Y ) ./ X) ./ Z (Associative)
⇔ ((Y ./ X) ./ X) ./ Z (commutative)
⇔ (Y ./ (X ./ X)) ./ Z (Associative)
⇔ (Y ./ X) ./ Z (5.26)
⇔ (X ./ Y ) ./ Z (commutative)
⇔ X ./ (Y ./ Z) (Associative)
We also define an operator which is denoted as ∝ to describe the complement
operation of ./. A ∝ B = {X|X ∈ A ∧ X 6= B}, where A is a family of sets and
B is a set. Based on this definition. The main function of ./ is to guarantee that
the TTS4SDTs are identical regardless of the considering ordering of the new states
set. Two algorithms are offered to construct the TTS4SDT from an SDT formally
defined according to Definition 1, Definition 8 and Definition 9. Table 8 is an example
to illustrate the ./ and ∝ operators on sets. Using ./ and ∝, the Algorithm 1 and
Algorithm 2 are designed to get the T T Set and T Sct from a given SDT.
Table 8
An example to illustrate the ./ and ∝ operators
A∝X
X
Y
Z
A = X ./ Y ./ Z
{1, 2}
{1, 2}
{1, 2}
{{1, 2}}
∅
{1, 2}
{1, 2, 3}
{1, 2}
{{1, 2}, {1, 2, 3}}
{{1, 2, 3}}
{1, 2}
{1, 2, 3}
{1}
{{1, 2}, {1, 2, 3}, {1}}
{{1}, {1, 2, 3}}
349
Algorithm 1: Generate T T Set from the formal definition of an SD
Input: D = (C, O, M , E, G, P ro, F un, Cseq , Eseq )
Output: T T Set ,
qnew := {q0e },
label q0e as ‘new’,
while (qnew 6= ∅) do
select a ‘new’ element s from qnew ,
int i:=1;
while (i 6 |s|) do
if (enabled(s.i)) then
int j:=1;
while (j 6 |s|) do
if (¬enabled(s.j) ∨ (γ(s.j), γ(s.i) 6∈ t(Cseq ))) then
j++;
end
else
break;
end
end
if (j = |s| + 1) then
create an arc from s.i to Enx (s.i) labeled with (γ(s.i), s.i, α(s.i));
qnew := qnew ./ Enx (s.i);
i++;
end
else
i++;
end
end
else
i++;
end
end
label s as ‘old’;
qnew := qnew ∝ s;
end
6
Analysis
As far as the RTS analyzers are concerned, the main problem lies in the definition
of a proper next-state relation whose iteration allows us to compute all executing
sequences we wish to consider. In Section 5, we have defined the next-state relation of
the SD in the form of Enx (e) and Cnx (e). According to Definition 8 and Definition 9,
all the execution sequences of a given SD can be computed out according to the
Algorithms 1 and 2.
6.1
Reachability graph
In most cases, given an executing sequence ex which represents an expected
behavior of the system under construction, we have to check whether it can be ‘really’
executed in the sequence diagram.
350
Algorithm 2: Generate T Sct from the formal definition of an SD
Input: D = (C, O, M , E, G, P ro, F un, Cseq , Eseq )
Output: T Sct ;
qnew := {q0c };
label q0c as ‘new’;
while (qnew 6= ∅) do
select a ‘new’ element s from qnew ;
int i:=1;
while (i 6 |s|) do
create an arc from s to Cnx (s.i);
label Cnx (s.i) as ‘new’;
qnew := qnew ./ Cnx (s.i);
i++;
end
qnew := qnew ∝ s;
label s as ‘old’;
end
Based on the TTS4SDT we derived in Section 5, we start to check whether ex
can be occurred in the source sequence diagram. For conevenience, we denote the
executing sequence ex as t1 e1 t2 e2 . . . tn en , where ti ∈ R+ ,ei ∈ E and 1 6 i 6 n.
Intuitively, ex is legal if and only if:
• ti ∈ β(ei ) must be true since ti represents the time has elapsed before ei occurs,
• an events sequence (γ(e1 ),e1 ,α(e1 )). . .(γ(en ),en ,α(en )) exists in the corresponding TTS4SDT.
Given an executing sequence ex, ex.f and ex.f.t respectively denote the first
event e and the time has elapsed since e is enabled before it occurs. Algorithm 3
is offered to check whether ex is satisfied or not in the sequence diagram under
construction. According to Algorithm 3, from Fig. 1, we have:
• 1.3, !m5 , 2.4, !m6 , 2.1, ?m6 , 1.5, ?m5 ? is true,
• 1.3, !m5 , 2.4, !m6 , 4.1, ?m6 , 1.5, ?m5 ? is f alse because 4.1 6∈ [1, 4],
If the SDT includes negate or assert fragment, we can get a TTS4SDT (In order to distinguish with the other TTS4SDTs, we denote them as TTS4SDTneg and
TTS4SDTassert ) to simulate the behavior of their operands. Given an executing sequence ex, we first use Algorithm 3 to check whether ex is satisfied or not in the corresponding TTS4SDT (Yes—return true, No—return f alse), then we check whether it
can be satisfied by TTS4SDTneg and TTS4SDTassert (Yes—return true, No—return
f alse), the checking results are illustrated in Table 9, Table 10 and Table 11.
Algorithm 3: to check ex can be satisfied or not in an SD
Input: S: TTS4SDT, ex: executing sequence;
Output: t:{true, false};
int i=j=k:=1; Snew = Snow := ∅; Q := Qe ;
while (i 6 |Q|) do
if ex.f ∈ Q.i then
Snew := Snew ∪ Q.i;
end
else
i + +;
end
end
while (j 6 |Snew |) do
ex.c := ex.f ;
if (ex.f.t 6∈ β(ex.f )) then
t:=false; break;
end
else
ex := ex − ex.f.t − ex.f ;
i:=1;
while (i 6 |Q|) do
if (ex.f ∈ Q.i) then
Snow := Snow ∪ Q.i;
end
else
i + +;
end
end
while (k 6 |Snow |) do
if (there exists a transition (γ(ex.c), ex.c, β(ex.c)) from Snew .j to
Snow .k) then
Snew := Snow ; j := 1; break;
end
else
k + +;
end
end
end
if (k == i + 1) then
j + +;
end
else
j := 1;
end
end
if (j == |Snew | + 1) then
t := f alse;
end
else
t := true
end
351
352
Table 9
The checking result of ex when the SDT include negate fragment
TTS4SDT
Table 10
T T S4SDTneg
result
f alse
f alse
f alse
f alse
true
f alse
true
f alse
true
true
true
f alse
The checking result of ex when the SDT include negate and assert
fragments
TTS4SDT
Table 11
T T S4SDTneg
result
f alse
f alse
f alse
f alse
true
f alse
true
f alse
f alse
true
true
true
The checking result of ex when the SDT include negate and assert
fragments
TTS4SDT
6.2
T T S4SDTneg
T T S4SDTassert
result
f alse
f alse
f alse
f alse
f alse
f alse
true
f alse
f alse
true
f alse
f alse
f alse
true
true
f alse
true
f alse
f alse
f alse
true
f alse
true
true
true
true
f alse
f alse
true
true
true
f alse
Forward checking
Now, we consider another problem, the quantitative aspect. We start to check
whether the constraints can be satisfied or not by the sequence diagram under construction. Given a series of events, we use con(ψ(ei ), . . . , ψ(ej )) to denote the constraint that relates to ei , . . . , ej . According to the CVSL specification[1] , for any
constraint, it can be divided into a set of constraints where every of them is only
related with two events according to the guards. Take con(t8 , t7 , t5 ) of Fig. 1 as
example, we can divide it into con(t8 , t7 ) and con(t8 , t5 ).
Just as we have pointed out in Section 5, the TTS4SDT describes the partial
order relations among the events in the form of TTS4SDTet as well as among the
fragments in the form of TSct , thus, the checking process can be taken as a graph
traversing process. The TTS4SDT getting from Section 5 and the constraints of the
SDT are taken as input elements, and the checking results are as output.
We consider the constraints according to the guards, and the checking process
can be divided into three steps:
1. To determine the timing starting point of the constraints:
co
co
(a) Given a constraint co = con(ψ(ei ), . . . , ψ(ej )), setco
e , Ef and Eu respectively denote the events set relates to co, the foremost events set and the
353
co
co
co
ultimate events set where setco
e = {ei , . . . , ej } and Ef , Eu ⊆ sete can
co
be get from the T T S4SDT set. Thus ψ(ef ) where ef ∈ Ef is the timing
starting point of the executing sequences,
(b) Based on those three sets, all the events sequences that from ef ∈ Efco to
eu ∈ Euco can be found out using the T T S4SDT set we get in Section 5.
For simplicity, we use EVseq (co) to denote the events sequences of co.
2. then, to define two basic clocks–global clock (GC(e)) and local clock (LC(e))–to
respectively specify the occurring time relative to the foremost event e x ∈ Efco
and the occurring time relative to the previous event for every event e ∈ Seq
Pn
where Seq = ex , ey , . . . , e. In fact LC(e) ∈ β(e), and GC(e) ∈ 1 LC(ei ) where
1 6 i 6 n ∧ en == e ∧ e1 == ex .
(3) and at last, to compare the result getting from (2) with the predefined values.
coi
i
The coi , setco
and Eucoi (1 6 i 6 3) of Fig. 1 are described in Table 12 and
e , Ef
the event sequences relating to the constraints are described in Fig. 9.
Table 12
coi
i
The coi , Setco
and Eucoi of Fig. 1
e , Ef
1
2
3
co(t5 , t1 )
co(t10 , t9 )
co(t8 , t7 , t5 )
i
setco
e
{!m1 , !m3 }
{!m5 , ?m5 }
{!m3 , ?m3 , !m4 , ?m4 }
Efcoi
{!m1 , !m3 }
{!m5 }
{!m3 , !m4 }
Eucoi
{!m3 }
{?m5 }
{?m4 }
i
coi
In Fig. 1, assume the external data flow is n := 1 ∧ y == f f , and the external
control flow is n := n + 1, then co1 : t5 − t1 6 13 is not satisfied since according to
Fig. 9 there is an events sequence results in 126ψ(!m3 )−ψ(!m1 )628, and co3 : y ==
f f ?3 6 t8 − t7 6 5; 5 6 t8 − t5 6 8 is false, because when y == f f , 1 6 t8 − t7 6 4,
its lower bound 1 is less than 3, and when y == tt, 4 6 t8 − t5 6 10, its upper bound
is greater than 8. Thus, only co2 is satisfied according to the current time allocation
strategy.
6.3
Backward refining
The refinement process is divided into three steps:
1. find out all the new time intervals allocation strategies that can make the unsatisfied constraints become satisfied;
2. return to section 4.1 to check whether the satisfied constraints are satisfied or
not when the original intervals are replaced with the new intervals;
3. omit the strategy if it make the satisfied constraints become unsatisfied, or else
retain it.
Now, we start to introduce the first step. Given a constraints co which is unsatisfied with original intervals, we have its lower bound x is greater than the lower bound
x0 or its upper bound y is smaller than the upper bound y 0 that we get from the
analysis process, thus, under such circumstances, we have to refine the time intervals.
354
We use m and n to separately denote the differences of x − x0 and y 0 − y. From the
event sequences EVseq (co)/e where e ∈ Efco .
Then we pick out at most m/n events to increase/decrease their lower/upper
bound value and make sure the total increased/ decreased value equals to m/n. Please
note that, if one event is picked out to increase the lower bound and decrease the upper
bound at the same time, its modified lower bound must not greater than the modified
upper bound. Take Fig. 1 as example, from Section 5.1, we have co1 is not satisfied
when n := 1 ∧ y == tt and co3 is not satisfied too. According to m and n, we refine
the intervals of Fig. 4.
Next, we turn to Section 6.2 to check whether the satisfied constraints are satisfied
or not with the new time intervals. The checking result of Fig. 4 is described in
Fig. 8. At last, we compare the result with the original constraints, if the constraint
is satisfied with the new intervals, then we retain it, or else, for safety purpose, we
omit it. Comparing Fig. 8 with the constraints described in Fig. 4, we find out that
all the constraints can be retained since the new results satisfy the constraints. Then,
we can choose arbitrary strategy as the new time intervals of Fig. 4.
Figure 8.
Figure 9.
The negate and assert fragments
The forward checking table of Fig. 4
Figure 10.
The forward checking table of Fig. 4
Figure 11.
7
355
The modified interval of Fig. 4
Conclusion
In this paper, we put emphasis on two open problems about SD with time properties designed by MARTE specification: formal semantics and checking. As is well
known, Formalization is the basis for the checking of a model, but unfortunately, the
MARTE specification doesn’t offer formal semantics for SD. Although it offers the
formal syntax in the form of class diagrams, it isn’t suitable for the checking purpose. For the reasons above, we offer the formal definition to describe the complete
and detailed information of SD at first, and take this definition as basis, we offer its
formal semantics by means of an extended timed transition system—TTS4SDT. As
far as the checking is concerned, we take the TTS4SDT and its formal semantics as
foundations to carry out the checking work.
Unlike most of the existing works, the formal definition describes the intact content of the corresponding SD, and the TTS4SDT captures its behaviors in two aspects:
the transitions among the events as well as among the fragments. That is, the formal definition and the semantics respectively simulate the SD in static and dynamic
aspects. Then, based on TTS4SDT, A method is proposed to check if the sequence
diagram can satisfy the proposed time constraints.
Comparing with other related works, the main advantages of this paper lies in
three aspects. At first, the semantics describe its intact behaviors in two ways: event
transitions when the guards are fixed and fragment transitions when the guards are
changed from one to another. Secondly, the expectation that the intermediate model
TTS4SDTT can simulate the SDT’s behaviors completely and precisely is achieved,
356
Figure 12.
The backward refining table of Fig. 4
and we have proved that a set of properties can be kept by TTS4SDT. Thirdly, the
semantics are put to practical application from theoretical aspect by offering the
transforming algorithms from sequence diagram to TTS4SDT.
References
[1] OMG. A UML Profile for MARTE: Modeling and Analysis of Real-Time Embedded Systems.
2 edition, June 2008.
[2] OMG. Unified Modeling Language Superstructure. 2.2 edition, February, 2009.
[3] Ribeiro Korff L, Korff M. True concurrency = interleaving concurrency + weak conflict. Electr.
Notes Theor. Comput. Sci., 1998, 14: 204–213.
[4] Dan H, Hierons RM, Counsell . A thread-tag based semantics for sequence diagrams. SEFM.
2007. 173–182.
[5] Eichner C, Fleischhack H, Meyer R, Schrimpf U, Stehno C. Compositional semantics for UML2.0
Sequence Diagrams Using Petri Nets. SDL Forum. 2005. 133–148.
[6] Murata T. Petri nets: properties, analysis and application. Proc. of IEEE. April 1989, 77(4):
541–580.
[7] Garousi V, Briand LC, Labiche Y. Control Flow Analysis of UML 2.0 Sequence Diagrams.
ECMDA-FA. 2005. 160–174.
[8] Li X, Bu J, Hu J, Zhao J, Zhang T, Zheng G. Scenario-based timing consistency checking for
357
time petri nets. FORTE. 2006. 388–403.
[9] Lano K. UML 2 Semantics and Applications. Wiley, 2009.
[10] Firley T, Huhn M, Diethers K, Gehrke T, Goltz U. Timed sequence diagrams and tool-based
analysis-a case study. UML. 1999. 645–660.
[11] Behrmann G, David A, Guldstrand Larsen K. A tutorial on Uppaal. SFM. 2004. 200–236.
[12] Li X, Lilius J. Timing analysis of UML sequence diagrams. UML99-The Unified Modeling
Language. 1999.661–674.
[13] Lucas P. Timed semantics of message sequence charts based on timed automata. Electronic
Notes in Theoretical Computer Science, 2002, 65(2): 160–179.
[14] Pan M, Bu L, Li X. TASS: timing analyzer of scenario-based specifications. CAV. 2009. 689–695.
[15] Lano K, Kolahdouz Rahimi S. Specification and verification of model transformations using
UML-RSDS. IFM. 2010. 199–214.
[16] Alur R, Dill DL. Automata for modeling real-time systems. ICALP. 1990. 322–335.
[17] Alur R, Dill DL. A theory of timed automata. Theoretical Computer Science, 1994, 126(2):
183–235.
[18] Bozga M, Daws C, Maler O, Olivero A, Tripakis S, Yovine S. Kronos: A model-checking tool
for real-time systems. CAV. 1998. 546–550.
[19] Bozga M, Graf S, Ober I, Ober I, Sifakis J. The IF toolset. SFM. 2004. 237–267.
[20] Laroussinie F, Guldstrand Larsen K. CMC: A tool for compositional model-checking of real-time
systems. FORTE. 1998. 439–456.
[21] Bolognesi T, Lucidi F, Trigila S. From timed petri nets to timed LOTOS. PSTV. 1990. 395–408.
[22] Srba J. Timed-arc Petri nets vs. networks of timed automata. ICATPN. 2005. 385–402.
[23] Meir Merlin P. A study of the recoverability of computing systems[Ph.D. Thesis]. University of
California, 1974.
[24] Henzinger TA, Manna Z, Pnueli A. Timed transition systems. REX Workshop. 1991. 226–251.
[25] Gardey G, Lime D, Magnin M, Roux. Romeo O(H.). A tool for analyzing time petri nets. CAV.
2005. 418–423.
[26] Berthomieu B, Diaz M. Modeling and verification of time dependent systems using time petri
nets. IEEE Trans. on Software Engineering, 1991, 17(3): 259–273.
[27] Epp SS. Discrete Mathematics with Applications. Thomson Learning. 3 edition, 2005.
[28] Zhu M, Wang H, Jin W, Wang Z, Xu C. Semantic analysis of UML2.0 sequence diagram based
on model transformation. COMPSAC. 2010. 170–175.

Formal Analysis of Sequence Diagram with Time Constraints by

Transcription

Similar documents

SF6 GAS CARTS

model results: water demand

Water Services

Radar Gun Flyer - Safe Drive Training

View - SDT

flatbeds - Circle D

Skill`s development History and Plans going forward

SDT a virus species classification tool

ABS Consulting

CS 563 Advanced Topics in Computer Graphics Shader

What is in a Step: New Perspectives on a Classical Question ⋆