architecture description contains sufficient details, an implementation from the resulting SAM architecture description to Java code can be automatically generated from our existing SAM translator tool.

The paper proceeds as follows: Section 2 gives some background information. Section 3 describes our approach to mapping a UML architecture description to a SAM model; Section 4 gives an example of the approach applied to an embedded system and evaluates the approach; Section 5 describes related work and Section 6 concludes.

2. Preliminaries

In this section, we provide a brief introduction to software architecture documentation, UML, and SAM.

2.1 Software Architecture Viewpoints

Although there is no universally accepted way of documenting software architecture design, the component and connector (C&C) view, showing the dynamic behavioral aspect of a software system, proposed in [35], is no doubt an essential one, and it has been the target of many software architecture description languages. The C&C view is also included in the work of the Software Engineering Institute (SEI) [30], where the authors presented three view types (module, component and connector, and allocation) for documenting software architecture design, and provided guidelines on how to use UML to document these architecture view types. With regard to the representation of the C&C view, three strategies are demonstrated: using component types as classes, subsystems, or real-time profiles. Since the behavior of each class and object is described by a state chart diagram, the behavior of the system represented by the class diagram can be a group of state chart diagrams with interactions.

2.2 SAM – Software Architecture Model

SAM is an architectural description model based on Petri nets [29], which are well-suited for modeling distributed systems. SAM [15] has two underlying formalisms: Petri nets and temporal logic. Petri nets are used to describe behavioral models of components and connectors, while temporal logic is used to specify system properties of components and connectors.

SAM (Software Architecture Model) is hierarchically defined as follows. A set of compositions C = {C1, C2, …, Ck} represents different design levels or subsystems. A set of components Cmi and connectors Cni are specified within each composition Ci, as well as a set of composition constraints Csi, e.g. Ci = {Cmi, Cni, Csi}. In addition, each component or connector is composed of two elements, a behavioral model and a property specification, e.g. Cij = (Bij, Pij). Each behavioral model is described by a Petri net, while a property specification is described by a temporal logic formula. The atomic propositions used in the first order temporal logic formula are the ports of each component or connector. Thus each behavioral model can be connected with its property specification. A component Cmi or a connector Cni can be refined to a low level composition Cl by a mapping relation h, e.g. h(Cmi) or h(Cmi) = Cl. SAM is suitable for describing large scale systems.

SAM gives the flexibility to choose any variant of Petri nets and temporal logics to specify behavior and constraints according to system characteristics. In our case, Predicate Transition (PrT) nets [11] and linear temporal logic (LTL) are chosen.

3. Our Approach

Our approach takes a software architecture description based on the C&C view and documented using the UML, and produces a formal software architecture description in SAM. More specifically, in the UML software architecture description:
a) A class diagram is used to model the overall structure of a software architecture,
b) State chart diagrams are used to define the behavior of individual components and connectors, and
c) OCL is used to specify architecture level constraints.

The above UML notations are mapped to SAM entities as follows:
a) The class diagram is mapped to an overall hierarchical SAM structure,
b) State chart diagrams are mapped to PrT nets, and
c) OCL expressions are mapped to temporal logic formulae.

The resulting SAM model can be analyzed with various existing formal analysis techniques including model checking.

Furthermore, to improve productivity and quality, we provide an automated realization of the resulting SAM model. We have designed and implemented a tool, named SAM parser, with the PrT-XML and temporal logic-XML transformation. Figure 1 shows the overall structure of the approach.
Temporal logic and first order logic formulae are transformed into automata by a logic engine, Maude [5]. These translated automata feed into our runtime checker generator to produce monitors for different formulae.

Runtime Checker Generation: Runtime checkers are generated by breaking the temporal logic formula into subformulae and creating a matrix for the formula [33]. In order to generate monitoring code for properties (linear temporal formulae), a logic server, Maude [5] in our case, is necessary. Maude, acting as the main algorithm generator in the framework, constructs an efficient dynamic programming algorithm (i.e. monitoring code) from any LTL formula [33]. The generated algorithm can check if the corresponding LTL formula is satisfied over an event trace.

4. An Application of the MDA Approach

We present an instance of our approach on a statechart diagram, which is one of the state machines in the UML models, through a case study. The case study deals with a simplified cruise control system adapted from [13]. In this section we will first introduce the cruise control system and a state chart diagram for the cruise controller. Then we present some properties of this example. Finally, the runtime verification results are discussed.

4.1 Cruise Control System and UML Documentation

The purpose of a cruise control system is to accurately maintain the driver’s desired set speed, without intervention from the driver, by actuating the throttle-accelerator pedal linkage. A modern automotive cruise control is a control loop that takes over control of the throttle, which is normally controlled by the driver with the gas pedal, and holds the vehicle speed at a set value. We assume an automatic transmission vehicle. When turned on by the driver, a cruise-control system (CCS) automatically maintains the speed of a car over varying terrain. The CCS can be turned on by pressing the Start button, and enabled by pressing the SetSpeed button. The Resume button will enable the CCS at the last maintained speed when the brake is released. The cruise control function is disabled when the brake or accelerator pedal is pressed. Pressing the Resume button once increases the speed by 1 mph and pressing the SetSpeed button decreases the speed by 1 mph when the cruise control function is enabled. The cruise control system should be automatically disabled when the speed is below 25 mph and above 90 mph. Due to the space limit, we cannot show the UML diagram and generated code. Each place or port must carry its state information, which is also ignored in the tables. Finally, we have to point out that the guard function for a transition needs some additional restrictions for the evaluations. For instance, if there is a token “void” in the input place of a transition, it means the previous action does not have a return value, and we have to justify that field to evaluate the firing condition of the transition. This means that automatically mapping a guard condition in a state chart diagram to a guard function is not sufficient in some cases.
4.2 Experiment Results and Discussion

The time of generated code with monitors is 4.3s. We checked 5 properties covering 5 components and 4 connectors.

Since the events and actions are defined by the methods which are specified in the corresponding classes, each fired transition represents a method that is operated under some guard condition. The properties specified in the OCL expressions for the state chart diagram are mapped to temporal formulae and further used to generate monitors.

All properties are true if the conditions and guard are satisfied. We also checked some conditions that are not suitable for the method, such as feeding the method different parameters so that the guard is not satisfied; in that case the formula is evaluated as false. The results are consistent with what we expected from the state chart diagram. Finally, we also found a mapping mistake in the component Accelerating and component Decelerating when we checked properties related to them. We modified the mapped SAM composition according to the checking results.
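
As an added illustration (not the paper's generated Java monitors or Maude output), the Python example below applies the subformula-matrix idea from the Runtime Checker Generation paragraph to two rules from Section 4.1. The tuple encoding of formulae, the atom names, the two LTL formalizations of the prose rules, the sample traces, and the convention that the last state of a finite trace repeats forever are all assumptions made for this example.

```python
# Formulae are nested tuples: ("ap", name), ("not", f), ("and", f, g),
# ("or", f, g), ("implies", f, g), ("X", f), ("G", f), ("F", f), ("U", f, g).

def subformulae(f, out=None):
    """Distinct subformulae in post-order, so children precede parents."""
    out = [] if out is None else out
    if f[0] != "ap":
        for child in f[1:]:
            subformulae(child, out)
    if f not in out:
        out.append(f)
    return out

def monitor(formula, trace, atoms):
    """Return verdicts[i]: whether `formula` holds on the suffix from state i."""
    if not trace:
        raise ValueError("empty trace")
    subs = subformulae(formula)
    idx = {f: i for i, f in enumerate(subs)}
    nxt, verdicts = None, []
    for state in reversed(trace):        # fill the matrix from the last state back
        last = nxt is None               # assumed: the last state repeats forever
        now = [False] * len(subs)        # one matrix column: subformula -> truth
        for i, f in enumerate(subs):
            op = f[0]
            a = now[idx[f[1]]] if op != "ap" else None
            b = now[idx[f[2]]] if len(f) == 3 else None
            if op == "ap": v = bool(atoms[f[1]](state))
            elif op == "not": v = not a
            elif op == "and": v = a and b
            elif op == "or": v = a or b
            elif op == "implies": v = (not a) or b
            elif op == "X": v = a if last else nxt[idx[f[1]]]
            elif op == "G": v = a and (last or nxt[i])
            elif op == "F": v = a or (not last and nxt[i])
            elif op == "U": v = b or (a and not last and nxt[i])
            else: raise ValueError(f"unknown operator {op!r}")
            now[i] = v
        verdicts.append(now[idx[formula]])
        nxt = now
    return verdicts[::-1]

# Atomic propositions over a sampled controller state (names are assumptions).
ATOMS = {
    "enabled": lambda s: s["enabled"],
    "pedal": lambda s: s["brake"] or s["accel"],
    "out_of_range": lambda s: s["speed"] < 25 or s["speed"] > 90,
}
NOT_ENABLED = ("not", ("ap", "enabled"))
# "Disabled when the brake or accelerator pedal is pressed."
PEDAL_DISABLES = ("G", ("implies", ("ap", "pedal"), NOT_ENABLED))
# "Automatically disabled" outside the 25 to 90 mph window.
RANGE_DISABLES = ("G", ("implies", ("ap", "out_of_range"), NOT_ENABLED))

def st(speed, enabled=False, brake=False, accel=False):
    return {"speed": speed, "enabled": enabled, "brake": brake, "accel": accel}

# Constructed traces: GOOD disengages on braking, BAD stays engaged at index 3,
# SLOW stays engaged at 20 mph at index 1.
GOOD = [st(0), st(40), st(55, enabled=True), st(55, brake=True), st(55, enabled=True)]
BAD = [st(0), st(40), st(55, enabled=True), st(55, enabled=True, brake=True), st(55)]
SLOW = [st(40, enabled=True), st(20, enabled=True), st(20)]
```

Calling `monitor(PEDAL_DISABLES, BAD, ATOMS)` returns one verdict per suffix, so the first index whose verdict turns true after a run of false ones sits just past the violating state.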
5. Related Work

Our MDA approach and the presented framework integrate two aspects: software architecture with UML design notation and its extension. Moreover, our approach also provides a runtime validation and verification technique by using SAM Parser. The related works are discussed in the following.

Formal Modeling and Analysis of Architecture Descriptions in UML: Our work has been influenced by a large body of research and practical experience. In the interest of brevity, we only compare it to the most relevant approaches. The work reported in this paper relates to works that focus on specifying structural and possibly behavioral aspects of a software system using UML. The representative UML architecture description examples are provided by Kruchten [21], Hofmeister et al. [16] and Clements et al. [31]. Although several researchers have explored the formal analysis of generic UML object-oriented designs [7, 34, 12, 24, 4, 26, 35], their results may not be readily applicable to UML architecture level designs.

Code Generation from the UML Description and Verification in the Implementation: There is a significant amount of research that considers mappings from UML to other (mostly formal) modeling techniques to validate UML models (e.g. using B [22], CSP [8], SPIN [23], PVS [2], Petri Nets [27, 38], Z/Eves [3] and the work with Object-Z [19, 20, 18, 39]). These works focus on the mapping from UML diagrams to formal methods for model checking or some specification language for the model checkers. Moreover, few of them address code generation and verification at the implementation level.

Property Specification – OCL Expression and Temporal Logic: Various methodologies have been proposed to deal with the property specification of object-oriented systems. There are two main streams for combining OCL with temporal logics: one is extending OCL with temporal notations ([31, 9, 37]
6 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 5, May 2010
etc.), another is adding object concepts into temporal logics ([6]). The work in both streams increases the complexity of the extended language and the obstacles to its usage.

6. Conclusion and Future Works

In this paper, we have presented an integrated approach for transferring an architecture description represented in UML to a formal architecture model represented in SAM, which not only supports design level analysis but also automated code generation with run-time verification capability. The specific details of the approach, outlined in the algorithms in Section 3, are likely to evolve as our research on the relationship between UML and software architectures deepens; however, we believe that the approach is flexible and general enough to accommodate needed new changes. As pointed out by Medvidovic in the work [27], ensuring system properties at the level of architecture is of little value unless it can also be ensured that those properties will be preserved in the resulting implementation. This reflects the importance of the code generation and runtime verification of system properties in the implementation. Our automated code generation and run-time verification approach nicely addresses the above research issue.

Acknowledgements We thank all the reviewers for reading this paper. This work is supported by Title III under grant PO31B085057-08.

References
[1] UML 2.0 specification. http://www.omg.org/technology/documents/formal/uml.htm.
[2] I. Traore and D. B. Aredo. Enhancing Structured Review with Model-Based Verification. IEEE Transaction on Software Engineering, 30(11):736–753, 2004.
[3] N. Amálio, S. Stepney, and F. Polack. Formal proof from UML models. In ICFEM’04, volume 3308 of Lecture Notes in Computer Science, pages 418–433, 2004.
[4] D. B. Aredo. Semantics of UML statecharts in PVS. In Proceeding of 12th Nordic Workshop on Programming Theory, Bergen, Norway, 2000.
[5] M. Clavel, F. J. Durán, S. Eker, P. Lincoln, N. Martí-Oliet, J. Meseguer, and J. F. Quesada. Maude: Specification and Programming in Rewriting Logic. http://maude.csl.sri.com/papers, March 1999.
[6] D. Distefano, J.-P. Katoen, and A. Rensink. On a Temporal Logic for Object-Based Systems. In S. F. Smith and C. L. Talcott, editors, Formal Methods for Open Object-Based Distributed Systems IV - Proc. FMOODS’2000, Stanford, California, USA, September 2000. Kluwer Academic Publishers.
[7] Z. Dong and X. He. Integrating UML State-chart and Collaboration Diagrams Using Hierarchical Predicate Transition Nets. In GI Lecture Notes in Informatics, 2001.
[8] G. Engels, R. Heckel, and J. M. Küster. Rule-based specification of behavioral consistency based on the UML meta-model. volume 2185, pages 272–284, 2001.
[9] S. Flake and W. Mueller. An OCL extension for real-time constraints. In Object Modeling with the OCL, pages 150–171, 2002.
[10] Y. Fu, Z. Dong, and X. He. A Methodology of Automated Realization of a Software Architecture Design. In Proceedings of The Seventeenth International Conference on Software Engineering and Knowledge Engineering (SEKE2005), 2005.
[11] H. J. Genrich. Predicate/Transition Nets. Lecture Notes in Computer Science, 254, 1987.
[12] M. Gogolla and F. P. Presicce. State Diagrams in UML: A Formal Semantics using Graph Transformations. In Proceedings of International Conference of Software Engineering, Workshop on Precise Semantics of Modeling Techniques, pages 55–72, 1998.
[13] H. Gomaa. Designing Concurrent, Distributed, and Real-Time Applications with UML. Addison-Wesley Professional, 2000.
[14] K. Havelund and G. Rosu. An overview of the runtime verification tool Java PathExplorer. Journal of Formal Methods in System Design, 2004.
[15] X. He and Y. Deng. A Framework for Specifying and Verifying Software Architecture Specifications in SAM. volume 45 of The Computer Journal, pages 111–128, 2002.
[16] C. Hofmeister, R. L. Nord, and D. Soni. Describing Software Architecture with UML. In Proceedings of the TC2 1st Working IFIP Conference on Software Architecture (WICSA1), pages 145–160, 1999.
[17] M. Kim, S. Kannan, I. Lee, and O. Sokolsky. Java-MaC: a Run-time Assurance Tool for Java. In Proceedings of RV’01: First International Workshop on Runtime Verification, Paris, France, Electronic Notes in Theoretical Computer Science. Elsevier Science, 2001.
[18] S.-K. Kim, D. Burger, and D. Carrington. An MDA approach towards integrating formal and informal modeling languages. In FM 2005: Formal Methods, International Symposium of Formal Methods Europe, volume 3582 of Lecture Notes in Computer Science, pages 448–464, 2005.
[19] S.-K. Kim and D. Carrington. Formalizing the UML Class Diagrams Using Object-Z. In UML’99: The Unified Modeling Language - Beyond the Standard, Second International Conference, volume 1723 of Lecture Notes in Computer Science, 1999.
[20] S.-K. Kim and D. Carrington. A Formal Mapping between UML Models and Object-Z Specifications. Lecture Notes in Computer Science, volume 1878, pages 2–21, 2000.
[21] P. Kruchten. The 4+1 view model of architecture. IEEE Software, 12(6):42–50, 1995.
[22] K. Lano, D. Clark, and K. Androutsopoulos. UML to B: Formal Verification of Object-Oriented Models. volume 2999 of Lecture Notes in Computer Science, pages 187–206, 2004.
[23] D. Latella, I. Majzik, and M. Massink. Automatic Verification of a Behavioural Subset of UML Statechart Diagrams Using the SPIN Model-checker. Formal Aspects of Computing, 11(6):637–664, 1999.
[24] D. Latella, I. Majzik, and M. Massink. Towards a Formal Operational Semantics of UML Statechart Diagrams. In Proceedings of the 3rd IFIP International Conference on Formal Methods for Open Object-based Distributed Systems, pages 331–347, February 1999.
[25] S. W. Lewandowski and X. He. Generating Code for Hierarchical Predicate Transition Net Based Designs. In Proceedings of the 12th International Conference on Software Engineering & Knowledge Engineering, pages 15–22, Chicago, U.S.A., July 2000.
[26] J. Lilius and I. P. Paltor. The Semantics of UML State Machines. Technical Report 273, Turku Centre for Computer Science, 1999.
[27] N. Medvidovic, D. S. Rosenblum, and D. F. Redmiles. Modeling Software Architectures in the Unified Modeling Language. ACM Transactions on Software Engineering and Methodology, 11(1):2–57, January 2002.
[28] H. Motameni. Mapping to Convert Activity Diagram in Fuzzy UML to Fuzzy Petri Net. World Applied Sciences Journal, 3(3):514–521, 2008. ISBN: 1818-4952.
[29] T. Murata. Petri Nets: Properties, Analysis and Applications. Proceedings of the IEEE, 77(4):541–580, 1989.
[30] Paul Clements, Len Bass, J. S., et al. Documenting Software Architectures: Views and Beyond. Addison-Wesley, January 2003.
[31] S. Ramakrishnan and J. McGregor. Extending OCL to Support Temporal Operators. In 21st International Conference on Software Engineering (ICSE 99), Workshop on Testing Distributed Component-Based Systems, May 1999.
[32] J. E. Robbins, N. Medvidovic, D. F. Redmiles, and D. S. Rosenblum. Integrating architecture description languages with a standard design method. In ICSE ’98: Proceedings of the 20th international conference on Software engineering, pages 209–218, Washington, DC, USA, 1998. IEEE Computer Society.
[33] G. Rosu and K. Havelund. Rewriting-Based Techniques for Runtime Verification. Journal of Automated Software Engineering, 2004.
[34] J. Saldhana and S. M. Shatz. UML Diagrams to Object Petri Net Models: An Approach for Modeling and Analysis. In Proceedings of the International Conference on Software Engineering and Knowledge Engineering, pages 103–110, 2000.
[35] T. Schäfer, A. Knapp, and S. Merz. Model Checking UML State Machines and Collaborations. Electronic Notes in Theoretical Computer Science, 55(3):1–13, 2001.
[36] M. Shaw and D. Garlan. Software Architecture: Perspectives on an Emerging Discipline. Prentice Hall, 1996.
[37] P. Ziemann and M. Gogolla. An Extension of OCL with Temporal Logic. In Critical Systems Development with UML – Proceedings of the UML’02 workshop, pages 53–62, TUM, Institut fur Informatik, TUM-I0208, September 2002.
[38] Jiexin Lian, Zhaoxia Hu, Sol M. Shatz. Simulation-based analysis of UML statechart diagrams: methods and case studies. Software Quality Journal. 16(1), March, 2008. ISBN: 0963-9314. Springer Netherlands.
[39] Rafael M. Borges and Alexandre C. Mota. Integrating UML and Formal Methods. Electronic Notes in Theoretical Computer Science (ENTCS). Volume 184. Page 97-112. July 2007. Elsevier Science Publishers.

Authors Profile

Yujian Fu received the B.S. and M.S. degrees in Electrical Engineering from Tianjin Normal University and Nankai University in 1992 and 1997, respectively. In 2007, she received her Ph.D. degree in computer science from Florida International University. She joined the faculty of the Department of Computer Science at Alabama A&M University in the same year. Dr. Yujian Fu conducts research in software verification, software quality assurance, runtime verification, and formal methods. Dr. Yujian Fu also actively serves as a reviewer for several top journals and prestigious conferences. She is a continuing member of IEEE, ACM and ASEE.

Zhijiang Dong received the B.S. and M.S. degrees from Huazhong Tech University and the Ph.D. degree in computer science from Florida International University. He is currently an assistant professor at Middle Tennessee University. Dr. Dong’s research is mainly in software engineering. Dr. Dong also actively serves as a reviewer for several top journals and conferences. He is a continuing member of IEEE and ACM.

Xudong He is a professor in the school of computing and information science and director of the center for advanced and distributed system engineering at Florida International University. Dr. He’s research areas are software engineering, formal verification and specification. Dr. He currently has over one hundred publications in prestigious journals and conferences.

Sha Li is an associate professor in the department of curriculum, teaching and educational leadership, school of education, at Alabama A&M University. Dr. Sha Li received his doctoral degree in educational technology from Oklahoma State University in 2001. Sha Li's research interests include distance education, instructional technology, instructional design and multimedia for learning.

Phil Bording is an associate professor and chair of the department of computer science at Alabama A&M University. Dr. Phil Bording received his Ph.D. degree in computer science from the University of Tulsa in 1995 and his M.S. degree from the University of Alabama at Huntsville in 1984. Dr. Bording’s research area is parallel computing.