Towards a Generic Verification Methodology for System Models

Robert Wille 1, Martin Gogolla 2, Mathias Soeken 1,3, Mirco Kuhlmann 2, Rolf Drechsler 1,3

1 Group for Computer Architecture, University of Bremen, 28359 Bremen, Germany
2 Database Systems Group, University of Bremen, 28359 Bremen, Germany
3 Cyber-Physical Systems, DFKI GmbH, 28359 Bremen, Germany

Abstract—The use of modeling languages such as UML or SysML enables to formally specify and verify the behavior of digital systems already in the absence of a specific implementation. However, for each modeling method and verification task usually a separate verification solution has to be applied today.

In this paper, a methodology is envisioned that aims at stopping this “inflation” of different verification approaches and instead employs a generic methodology. For this purpose, a given specification as well as the verification shall be transformed into a basic model which itself is specified by means of a generic modeling language. Then, a range of automatic reasoning engines shall uniformly be applied to perform the actual verification. A feasibility study demonstrates the applicability of the envisioned approach.

I. INTRODUCTION & BACKGROUND

Modeling languages such as the Unified Modeling Language (UML) [21] or the Systems Modeling Language (SysML) [22] together with textual constraints e.g. provided by the Object Constraint Language (OCL) [23] have been established to specify the design of complex systems. They provide different concepts such as class diagrams, sequence diagrams, or activity diagrams which are expressive enough to formally specify a complex system, but hide specific implementation details.

Since modeling languages permit formal descriptions, they additionally enable the verification of the respective specification already in the absence of a specific implementation. As a result, verification questions such as “Does the conjunction of all constraints still allow the instantiation of a legal system state?” or “Is it possible to reach certain bad states, good states, or deadlocks?” can be addressed already in the early design steps. These verification tasks are typically categorized in terms such as consistency, reachability, or independence [9].

For this purpose, many verification methods have been presented in the past. For example, theorem provers such as PVS [24], HOL-OCL/Isabelle [25], or KeY [26] have been applied. They perform a deductive derivation of the respective verification goal and have been shown to be quite powerful. However, they always require significant manual interaction as well as special knowledge and are therefore time- and cost-intensive.

Consequently, push button methods are desired. Methods based on automatic reasoning engines such as CSP solvers [3], description logic [27], Alloy [11], or SAT solvers [1], [6] have been shown to be quite promising. Here, the model together with the verification task are transformed into a valid input of a reasoning engine and are afterwards automatically solved by it.

II. PROPOSED IDEA

In this paper, we envision an approach that employs a generic methodology to verify specifications given in modeling languages. The general idea is illustrated in Fig. 1(b).

Instead of treating single diagram types or small combinations of them separately (as it has been done in the past; see Fig. 1(a)), we propose to transform them to a basic model. The basic model itself is specified by an atomic subset of UML and OCL constraints which is expressive enough to describe all constructs from languages such as UML, but small enough to allow for a flexible further processing.

Besides that, the verification tasks are modeled in the same language as the specification. For example, the question whether a certain bad state can be reached in a given model is formulated as a sequence diagram where the initial state and the considered bad state are provided, but the respective operation calls are left blank. These descriptions are also transformed into a basic model leading to a holistic verification environment.

The combination of the basic model and the task leads to the actual verification problem to be solved. Since both, the basic model and the task, are composed of an atomic number of UML constructs, transformations to the desired inputs for reasoning engines can be provided at moderate costs.
Fig. 1(c) shows the general architecture of the envisioned methodology. In order to support a new diagram type, it is sufficient to provide a model transformation to the basic model without thinking of a specific verification task. Analogously, a new verification task is added by providing an appropriate model transformation to the basic model as well. Finally, a desired reasoning engine is incorporated by transforming the basic model into the respective language of the engine; again without thinking of precise diagram types to support.

III. TRANSFORMATION TO THE BASIC MODEL

Transforming arbitrary constructs of modeling languages into a basic model is obviously the biggest challenge of the envisioned methodology. In this section, we introduce the characteristics of the proposed basic model and illustrate by means of established UML descriptions how the required model transformations can be conducted.

A. Basic Model

The envisioned methodology aims at supporting a wide range of constructs from various modeling languages. At the same time, the transformation effort to the different reasoning engines should be as small as possible. Hence, the basic model needs to satisfy both of the following characteristics:

- **Universality**, i.e. for each construct an equivalent formulation in the basic model must exist.
- **Atomicity**, i.e. the constructs of the basic model should be limited to fundamental modeling concepts such that a uniform further processing as well as the flexibility of the overall framework is ensured.

We propose to realize these characteristics by restricting the basic model to a UML/OCL subset composed of (1) reduced UML class diagrams (e.g. allowing no inheritance, supporting only binary associations, etc.), (2) UML object diagrams following the same restrictions as their class diagram counterparts, and (3) textual constraints provided in OCL. These constructs are atomic enough to enable a flexible encoding for different reasoning engines. In fact, only the basic concepts of class diagrams and object diagrams need to be encoded for the addressed reasoning engine. OCL constraints can often be directly mapped to the required syntax. Examples of such encodings are e.g. available in [6], [7]. At the same time, this basic model is expressive enough to describe enhanced constructs from languages such as UML. This is illustrated in more detail in the following sections.

B. Transformation of Static Aspects

In order to transform enhanced UML constructs to the basic model, existing approaches should be exploited. For example, multiplicities of associations, aggregations, and compositions can be transformed as introduced in [28]. Similarly, arbitrary associations or classes of associations can be represented by binary associations together with OCL invariants. Inheritance
The examples from above clearly show that a major cornerstone of the envisioned methodology, namely the transformation of various constructs into the basic model, is doable. Obviously, similar transformations are still left to be developed for other UML constructs and even other modeling languages. However, as initial feasibility studies documented in the next section confirm, the envisioned methodology is a promising step towards a holistic approach for system verification.

IV. FEASIBILITY STUDIES

In order to demonstrate the applicability of the envisioned methodology, feasibility studies of the transformations described above have been conducted. To this end, by means of the existing tool USE [10], given UML/OCL models have been parsed, transformed into the basic model, and subsequently applied to a selected reasoning engine which solved a considered verification task on it.

Initial studies have been conducted on several designs which have been applied for benchmarking purposes before (e.g. in [1], [6]). By these studies, we were able to show that the basic model as introduced as above is sufficient to represent the respective models as well as the verification tasks for the considered cases. That is, verification tasks as conducted e.g. in [1], [6] can also be handled by the envisioned methodology and its basic model.

However, the restricted amount of constructs in the basic model (due to the desired atomicity) comes with a price: The respective instances are larger since e.g. the additional snapshot classes add further design elements in the model. As a result, the run-time of the reasoning engine increases. Some results of our studies illustrating this are presented in Table I. Here, reachability problems have been solved using the dedicated verification approach from [6] and the envisioned methodology, respectively, on the traffic light preemption benchmark proposed in [6]. The first column denotes the number of instantiated traffic light controllers, while the second and the fourth column (both denoted by Size) list the number of instantiated objects with respect to the used approach. As can be seen, the previous approach does not produce additional objects, whereas the envisioned methodology leads to overhead (e.g. due to the snapshot construction). That is, the instances of the envisioned methodology are significantly larger. As a result, it also takes longer to determine a result as shown in the third and fifth column (denoting the respective run-times in CPU seconds). However, the run-times are still reasonable and motivate a further investigation of the basic model as proposed.

Moreover, using the envisioned methodology enables for an easy exchange of reasoning engines. That, in turn, allows to accelerate the solving process just by choosing the most appropriate solver for the considered problem. In [6], the SMT solver Booolector [30] was applied (as was to obtain the results shown in the fifth column of Table I). However, due to the atomic structure of the basic models, interfaces to other reasoning engines can easily be added to the envisioned methodology. We did this for the SAT and SMT solving scheme of the Z3 solver [31]. The resulting run-times are presented in the remaining columns of Table I. By doing this, even small improvements with respect to the dedicated verification method presented in [6] are possible.
In this paper, we envisioned a flexible verification methodology for checking systems specified by means of modeling languages. The approach aims at supporting an arbitrary variation of constructs. New diagram types, verification tasks, and even reasoning engines should easily be added by just providing the respective transformation (instead of entirely re-implementing the overall approach). Combinations of more than one diagram (even of different types) should easily be performed by just composing the resulting basic models. Since the verification tasks shall be modeled using the same concepts as the specification, an integrated specification and verification environment is created. Furthermore, the envisioned methodology is aiming for a better performance since every verification task can be tackled by a range of different reasoning engines. As a result, major obstacles of today's approaches for model verification are addressed. By means of feasibility studies, the applicability of the envisioned approach has been shown. Future work is going to focus on the thorough development of model transformations for various constructs and modeling languages as well as a detailed consideration of the transformation of verification tasks.

**ACKNOWLEDGMENTS**

This work was supported by the German Research Foundation (DFG) within the Reinhard Koselleck project DR 287/23-1.

**REFERENCES**


