Академический Документы
Профессиональный Документы
Культура Документы
Abstract UML is the de-facto standard for system modeling. of critical nature. This importance of formal analysis is
Due to its visual syntax and expressiveness, it is widely accepted generally well accepted for enhancing correctness and quality
and used in the industry. However, it is a semi-formal means of software [5]. The problem is the time and effort required
of system specification and thus prone to inconsistencies. We
believe that UML models need to be thoroughly verified because to learn and apply these techniques.
verification of UML models helps to find errors in the early Some common verification methods are the usual testing
system design. Object Constraint Language (OCL) somewhat techniques, model checking and formal proof construction.
alleviates this problem but is not always enough. Past attempts In this paper, we use the latter by embedding the UML
at formally specifying UML for verification include those based Class Diagram and the OCL expressions in the interactive and
on simplistic Z specifications and the much more complex ones
based on shallow embedding of UML and OCL in Higher Order automated theorem prover Isabelle using its built-in Higher
Logic (HOL). All these approaches are either too simplistic Order Logic (HOL)1 . HOL itself is built on typed lambda
or too complex for the software industrys purposes. In this calculus and is extremely useful for embedding languages.
paper, we formalize UMLs class diagram and OCL constraints The novelty of our specification is the ease of use. Since
in the highly successful automated/interactive theorem prover the majority of software practitioners are unwilling to invest
Isabelle using one of its built-in logics, HOL. The aim is to
create a formalization, which is accessible to the average software time and efforts in learning the complexities of mathematical
engineer while still being powerful enough to be able to prove techniques such as those used in earlier formalization, we
consistency and other useful properties. The formalization believe that by using simpler techniques, the formalization can
based on UML2.0 and OCL2.0, addresses all concepts related be made more accessible to a wider audience.
to class diagrams such as type definitions, attributes, operations, The meta models of UML and OCL are detailed
aggregation and association along with the syntax and semantics
of OCL expressions in the context of UML class diagrams. specifications of these two languages. By modeling the meta
models, formal proofs can be developed which can be reused
Index TermsAlgorithms, Tools & Applications, Formal for any system specification described through UML and OCL.
Methods, System Design, Automated Theorem Prover This gives a high reusability value to the efforts put in the
formal specification and verification of the meta model.
I. I NTRODUCTION The rest of the paper is organized as follows: First, we
The Unified Modeling Language (UML) [1] is a visual give a brief introduction to past attempts at formalizing the
language highly accepted and used in the industry. It is UML and OCL. We describe the Isabelle theorem prover
domain independent and thus applicable in a wide variety in brief giving a short introduction to the constructs used
of domains [2]. The basic diagram in UML is the Class in this formalization. In Section III, we formalize the UML
Diagram, which is composed of classes, attributes, operations, Class Diagram along with all the required components. OCL
parameters and different types. Figure 1a shows a simple class Expressions are specified in Section IV. We give examples of
diagram. usage in parallel to the specification of constructs. Finally, we
UML models are easy to use but they lack in specification describe the open issues in this formalization and the future
of information which cannot be depicted visually. The Object directions for this formalization.
Constraint Language (OCL) [3] was developed to alleviate this
problem [4]. OCL is a powerful language which can be used II. BACKGROUND W ORK
not only to specify complex constraints on UML models but A. Past Formalizations of UML/OCL
also as a query language [2]. Figure 1b shows a collection of
Several attempts have been made in the past at formalizing
constraints written in OCL.
the UML meta model. These have been, for example, formal
While OCL manages to bring some formality to the UML
specifications in Z notation [6], [7]. These proved to be
models, it is only a specification language and requires
only specifications with no way to automatically verify
some sort of verification technique for proving properties.
Verification of certain properties such as correctness, security, 1 The complete Isabelle theory source for our formalization is available
and well-formedness are especially important in systems from: http://recluze.wordpress.com/publications/
Actor
+actorid : int
+age : int
+name : string 0..*
+startWork()
+endWork() +Manages context Actor inv:
self.age >= 18
Salesman Item
+soldBy +sold
+experience : int -itemid : int context Actor::startWork() pre:
+commission : decimal -name : string
+getSale() : decimal -price : decimal currentTime.hours >= 8
1 0..*
+getCommission() : decimal +setDiscount()
the specifications. Verification by hand is very difficult is a generic theorem prover. This means that it is possible to
and becomes infeasible even for the slightly complex of encode new logics in the meta-logic of Isabelle which is very
specifications. Brucker et al. have developed a tool called helpful since one doesnt have to learn different tools for new
HOL-Z [8] which can be used to port Z specifications to logics. It also allows for the checking of the consistency of
the Isabelle theorem prover for verification. This technique, logics themselves.
while being powerful, results in extremely long and complex Model checking is another technique, which has been
subgoals even for the smallest of proof obligations. used extensively in the past for the purpose of verification.
Another, more detailed formalization of UML and OCL has Construction of formal proofs, however, is preferable over
been done by Brucker et al. It is based on shallow embedding model checking because formal proofs do not require limitting
of the OCL in Isabelle and is called HOL-OCL [9]. This the number of executions or other assumptions such as
technique has proved to be extremely powerful for verification finiteness. They can also be used to prove certain properties,
of UML and OCL specifications. However, it requires the use which can not be proved through model checking [13].
of very complex operations and techniques which are difficult A complete discussion of Isabelle theory and syntax is well
even for the experienced software specification engineers. outside the scope of a single paper. However, in the next
We believe that this is a work in the right direction but a section, we give a brief account of the syntax of constructs
formalization which can be adopted by the practitioners of used in the formalization of UML and OCL meta-model.
the software industry will have to be more accessible to the Please refer to the appropriate section of the Isabelle/HOL
average software engineer. Our formalization of the UML tutorial [10] for detailed discussion of these constructs.
class diagram and OCL is also based on Isabelle but is built
using simpler techniques than HOL-OCL. We believe that this C. Basic Isabelle Syntax
technique will be accessible for a much wider audience and
thus has a better chance of being accepted in the practices of All formalizations in Isabelle are done in the context of a
software engineers for verification purposes. theory. A theory is composed of datatypes, constants, defi-
We will discuss the semantics of UML and OCL as we nitions, functions, lemmas and theorems etc. A formalization
proceed with the formalization. More information about these normally begins with the definition of datatypes required by
two can be found in [1] and [3]. the theory. It is important that its data types be defined most
accurately. Isabelle has several constructs for defining types,
each with its pros and cons. Following is a brief discussion
B. Isabelle Theorem Prover regarding these constructs. See [10] Chapter 8 for more details
Isabelle [10] is an interactive/automated theorem prover about these concepts.
extremely popular in the mathematics and research commu- typedecl: is the most basic way of defining types. It only
nities [11][13]. It is interactive in that the user specifies defines a type name without any details of the type. This is
a theorem and tries proving the theorem in steps. Isabelle used for types which are parameters to the theory and are not
ensures that each step, and thus the whole proof, is logically defined by the theory itself.
correct [14]. This gives a very high level of credibility to typedef: defines a non-empty subset of an existing type. This
the proofs created using Isabelle. Figure 2 shows the Proof is the basic construct and most other type definition constructs
General front-end of Isabelle. The top buffer of the editor is are built on top of it. The only requirement for a datatype
the Isabelle source and the bottom buffer is the output. In defined using typedef is that it must have at least one element.
the figure, it can be seen how Isabelle formulates goals to be records: are not defined as primitive constructs of Isabelle
proved for any input in the theory file. but are built on top of other primitives. They are essentially
Isabelle can also be used as an automated theorem prover. represented as n-tuples but the different elements are assigned
Its powerful and complex theorem proving tools, such as the a unique name thus making access easier. The syntax for
simplifier based on term rewriting, can be used to prove simple defining records is this:
theorems automatically thus saving time and efforts. Isabelle record RecordName =
Control
navigation
Isabelle
source
keyword
Isabelle
theory source
Proofs and
Goals outputs
and subgoals
Fig. 2: Isabelle Front-End Proof General Showing Theory and Proof State Buffers