Escolar Documentos
Profissional Documentos
Cultura Documentos
S0218194010004918
SPI-J111
0218-1940
of Computer Engineering
Arak University, Arak, Iran
1. Introduction
UML Activity diagram is a useful modeling tool for dynamic parts of a system. It
allows specifying workows as well as modeling of complex and large processes [1].
It is also used to model the behavior of a system and to specify the global behavior
of a Service-Oriented Architecture (SOA) [2]. However, to let the user understand
whether the designed model fullls the stated requirements, we need to combine
modeling with suitable analysis capabilities. Precise analysis in an automated way
requires design models like Activities to be stated with a formal language (i.e. a
language with a precise semantics).
679
680
SPI-J111
0218-1940
SPI-J111
0218-1940
681
handling and events) for modeling than [13]. Also, with respect to checking user
dened properties on the Activities, our approach is more exible. Finally, using
our approach is easier for designers since we use traditional graph transformation
system. This contrasts with [15] which uses a concept named rule invocation that
cannot be supported directly by existing environments for modeling graph transformation systems (e.g. AGG).
The rest of this paper is organized as follows. Section 2 surveys the related
works. Section 3 describes our approach to dene a formal semantics for Activities.
Section 4 shows our approach to verify modeled workows and Sec. 5 concludes the
paper.
2. Related Work
Denition of formal semantics for Activity diagrams using dierent formal languages
has been a research topic in software engineering. In [16], Hausmann denes a concept named Dynamic Meta Modeling (DMM) using graph transformation systems.
In this new concept, the traditional graph rules have been extended by dening
a new concept named rule invocation. DMM includes two kinds of rules: bigstep and small-step rules. Big-step rules have a similar mechanism as traditional
rules but small-step rules should be invoked by big-step rules. In [16], there is
also a denition for semantics of Activity diagrams using concept of DMM. By
using DMM and semantics dened by Hausmann for modeling and verication of
workows, Engels et al. [17] show how to employ GROOVE [16] for verication.
However, since GROOVE does not support rule invocation, they change the rules
to be veriable by GROOVE. They check deadlock freedom and action reachability
properties on the modeled workows. Compared to this work, our approach is more
exible in supporting user dened properties. Furthermore, our approach has the
ability to support data ow, event and exception modeling. In addition, it is not so
easy for designers to use this approach since the extension dened by Hausmann
(small/big step rules and rule invocation) cannot be modeled directly in existing
graph transformation tools.
Rafe and Rahmani [7] proposed a formal semantics for workow modeling and
analyzing by using graph transformation systems. They dene a graph schema to
formalize the metamodel of the Activities. To formalize the behavior of Activity
diagrams, they dene a set of graph transformation rules. The proposed semantics
only covers control ow and does not support traverse-to-completion.
St
orrle et al. [19] use Petri nets as the semantic background for the UML 2.0
Activities. By dening denotational semantics, they examine Activities based on
the UML version 2.0 standard. It covers basic control ow and data ow, expansion
nodes and exception handling. They showed that some of the constructs proposed
in the standard are not so easily formalized. They concluded that it is not possible
to use Petri nets for this purpose because of the traverse-to-completion semantics
in UML 2.0.
682
SPI-J111
0218-1940
In [20], Eshuis denes a statechart-like semantics for UML 1.5 Activity diagrams.
He introduced a property called strong fairness (a model with no innite loop) to
verify functional requirements of the model. This approach uses NuSMV model
checker [21] to check the strong fairness property stated in an LTL expression.
He dened two levels of formalism: requirements level that is easy to analyze but
somewhat abstract and implementation level that is dicult to analyze but has an
accurate representation. This approach along with two others [14, 22] treat UML
1.5 Activities instead of its successor (UML 2.0).
Using UML Activities (instead of dening semantics for Activities), Baldan et al.
[23] use hypergraphs to show the behavior of a model (instance graph). They use
instance graph to show the static model of a system, then by dening a rule for
each Action in the Activity and using synchronized hyper graph rewriting, they
control the application of the rules. They present a variant of monadic second-order
logic to verify hyper graphs. On the negative side, they do not introduce any tools
to implement their ideas. Also, they do not use semantics dened by UML 2.0
(e.g. token ow) to implement their proposal.
3. Implementing the Semantics
To simplify modeling of workows, we only use a subset of UML 2.0 Activities. This
is because using this subset suces to model many types of workows. Figure 1
shows the parts of Activities which we consider for workow modeling. Before presenting our dened semantics for workow modeling, we need to show its basic idea.
Based on the UML 2.0 specication [3], Activities have a Petri-net-like semantics,
i.e., the semantics is based on token ow. When an Activity is executed, the Init
SPI-J111
0218-1940
683
node starts the token ow. Based on our dened rules this token is then routed
through the Activity.
Following the semantics described above, we need to dene an accurate syntax
for the model under design. To do so, we dene a set of constraints on the model.
These constraints are as follows:
(1)
(2)
(3)
(4)
(5)
(6)
(7)
(8)
Each Activity diagram must have exactly one Init node and one Final node.
Init node has no incoming edges and Final node has no outgoing edges.
Each Fork and Decision node should have exactly two outgoing edges.
Each Merge, Action, Object, Init and Join node must have exactly one outgoing
edge.
The source and target node of each edge should not be identical (there must
not be any self-edge in the graphs).
Each Final, Object, Action, Fork and Decision node should have only one incoming edge.
Each Join and Merge node should have exactly two incoming edges.
Each Action node can have some outgoing edges to some dierent ExceptionHandler node and each ExceptionHandler node should have exactly one outgoing edge to an Action node (this kind of edges is dierent from other edges).
Note that constraints 1,3 and 7 do not restrict the modeler in practice: more
than one Init node can be modeled equivalently by one Init node and one or more
Fork node(s) (Final and Join nodes accordingly). Fork (or Decision) nodes with
more than two outgoing edges can be modeled equivalently by cascading two or
more Fork (Decision) nodes (we use the same way for Join and Merge nodes).
These constraints have been proposed to have models with precise syntax and to
make drawing of many UML 2.0 Activities possible.c
The class diagram shown in Fig. 1 represents a portion of UML 2.0 Activity diagrams metamodel [25]. This metamodel can be formally considered as an
attributed typed graph. As it was mentioned in Sec. 3, a metamodel denes the
abstract syntax of a modeling language. Also, a type graph represents a modeling
language formally. UML 2.0 specication stipulates that activities use a Petri-like
semantics [26]. Therefore, to show tokens, we add an attribute to Action node,
named token of type boolean. Figure 2 shows the enhanced metamodel as a
type graph for Activity diagrams.
The proposed type graph based on the enhanced metamodel along with listed
constraints are shown in Fig. 2. We design this type graph and other parts of
proposed graph transformation system in AGG toolset. AGG automatically checks
the consistency of each host graph (i.e. Activity diagram) and rules with the type
graph and other constraints. Modeling an Activity in AGG ensures us that it is
syntactically consistent with type graph and other constraints. A formal denition
c Since
them.
labels or guards on the edges have no eect on our approach for verication, we ignore
684
SPI-J111
0218-1940
of workows (or in general Activity diagram) is: a workow is a host graph typed
over the typed graph of Fig. 2.
Our proposed type graph includes one abstract type (i.e. Node). The star (*)
sign on the top right corner shows the multiplicity of these nodes in the models. This
abstract type is inherited by other nodes (except Exception). Using inheritance, all
the other nodes (except Exception) have the associations with the specied multiplicities to node type Edge. According to UML 2.0 specication, in contrast
with control nodes and edges, Action and Object nodes can hold the token. Preventing control nodes and edges from holding tokens ensures that tokens do not get
stuck when alternative paths are open [23]. Taking this semantics into account,
we enhanced Action nodes with a Token attribute. Two kinds of such attributes
are associated to object nodes. Object nodes can hold more than one token at a
time a specic maximum number of tokens [26]. We used UB to show the upper
bound of tokens. CV shows the current value of tokens. Before the execution of
the Activity, the value of CV is zero which means that the Object node does
not carry any token. Greater values for CV show the number of tokens in an
Object node and thus we do not need token attribute for Object nodes. Node type
Exception is used to support exception handling. Each exception is associated
with a handler (it is specied with an Action node) and may be raised by an action.
In fact, each action may raise more than one exception. The type graph has a node
type Key. A boolean attribute ag with initial value false is associated to this
node. Each Activity has exactly one node of type key. We control the execution
of the Activity using key node at the beginning and at the end (by some graph
rules). Each node type Edge points to the token needs to be routed (using the
points association).
Such type graph does not satisfy all the above constraints. Therefore, we need
additional constraints. For example, based on this type graph, we can have host
graphs (Activity diagrams) with some Edges without any source or target node. In
AGG, by atomic graph constraint and formula constraint, we can dene desired constraints on the model. For example, consider Fig. 3 which consists of three atomic
SPI-J111
0218-1940
685
graph constraints described by three rules. First, each Edge must have exactly one
source and one target node which cannot be identical. The second constraint ensures
that each node does have two outgoing edges to a node of type Edge (we use the
negation of this constraint in the formula constraint). The last constraint states
that each Fork node must have exactly two outgoing Edges. The formula constraint: (1 && (! 2) && 3) forces the host graphs (Activities) to follow all the three
constraints.
We complete the metamodel of the proposed formal semantics by adding extra
constraints to the graph transformation system. Then, we can directly model workows (or Activities) as a host graph in graph transformation system. Figure 4
shows a sample workow modeled by an Activity diagram [3]. All Action nodes in
the dashed region can raise the exception Cancel Order Request . This Activity
diagram, which describes the processing of orders in a company, is used as a running
example for the rest of the paper. The meaning of the diagram is as follows:
The Decision node with two guards in the diagram is responsible for accepting
or rejecting an order. If the order is accepted, Action Fill Order is performed. Then,
to speed up the process, two Actions Ship Order and Send Invoice are executed in
parallel. After termination of these two actions (or rejection of the order), Order
Close Action is performed. Finally, either by reaching the Final node or raising the
exception Cancel Order Request, the process is terminated.
686
SPI-J111
0218-1940
Fig. 5. A portion of the sample activity diagram in Fig. 4 as a host graph in AGG.
SPI-J111
0218-1940
687
the post-conditions of the rule. We follow the AGG notation to show the rules.
The rule shown in Fig. 6 states that if flag attribute of node Key is false and the
outgoing Edge of Init node does not point to the Key node, the Edge must point to
the Key node (in this case Key node plays the role of a token). This rule is in fact
the starting point for the execution of the Activity. Note that there is no existing
token in the model when the execution starts. Therefore, the Key node plays the
role of a token till the token arrives at an Action or Object node. We use the Key
node (while its flag is false) in the LHS of all designed rules. When a token arrives
at the Final node, the value of ag is changed to true. This terminates the ow of
tokens because no more rule can be applied on the Activity. We discuss the rule
implementing the semantics of Final node later.
Figure 7 shows two other rules implementing portions of the semantics of Object
nodes.d Rule (A) describes the situation when the incoming Edge of an Object node
Fig. 7. Two example rules implementing portions of the semantics for object nodes.
d In
this article, we focused mostly on control ow instead of data ow. Therefore, the implemented
semantics for Object nodes is based on control ow.
688
SPI-J111
0218-1940
points to a token. The LHS of this rule has an Attribute Conditione : AC = x > y
to state that this rule can only be applied on the Activity if the current number of
holding tokens by Object node is less than the dened Upper Bound for that Object
node. This is in contrast with the UML 2.0 specication which states that when
the number of tokens in an Object node reaches its upper bound, no more token
is accepted [23]. This rule increments the current number of tokens (to show the
acceptance of the token by Object node). It also terminates pointing of the incoming
Edge of the Object node to the token. To show the token in the rule we use the Key
node. Of course, it is also possible to use an Action or Object node. Therefore, we
need two similar rules for those cases which are not shown in the gure.
In Figure 7, Rule (B) shows the case where an Object node holding one or more
tokens (i.e. AC = y > 0) oers a token to its outgoing Edge. The three NACs of
this rule state that the outgoing Edge cannot point to any token. The RHS of this
rule decrements the current number of tokens in the Object node. It also states that
the outgoing Edge points to the Object node (i.e. the Edge is carrying a token).
Three sample rules are shown in Fig. 8 which implement the semantics of Action
nodes. Rule (A) in this gure is similar to rule (A) in Fig. 7, but instead of an Object
node an Action node has been replaced. Moreover, Action node can hold only one
token at a time. Rule (B) in Fig. 8 describes the token ow semantics from Action
nodes which do not raise any exceptions (NAC4 shows this fact). Other three NACs
state that the outgoing Edge cannot point to any token. In fact, this looks like to
e Attribute
SPI-J111
0218-1940
689
rule (B) in Fig. 7. Finally, Rule (C) implements the same semantics as rule (B)
when the Action node can raise an exception. The control ow of the Activity can
be changed by exceptions. Therefore, there are two possible scenarios for token to
be routed. The rst one is shown in Fig. 8 by rule (C) which states that Action
does not raise the exception. Thus, the token is routed through the outgoing Edge
of Action node. The case where Action raises an exception routes the token through
the handled edge to the handler Action node. This case is not shown in the gure.
Note that throw and handled edges dier from activity Edges. In fact, Edge is
a node type in the type graph of Fig. 2 while throw and handled are two edge
types. UML metamodel supports Edge node (Fig. 1) while the type graph has been
enhanced by throw and handled to support exception handling.
Figure 9 describes the semantics of Final node. As the gure shows, when a
token arrives to the Final node, the ow of tokens is terminated by changing the
ag attribute to false. As a result, no more rules can be applied on the Activity.
This diers from the UML specication which states that when a token arrives at
the Final node, the entire Activity is immediately terminated (in contrast with Flow
Final nodes) [27].
Applying all enabled rules to initial state (the Activity diagram before applying
rules) will result in a transition system which represents the complete behavior of
the Activity diagram. When using model checking, this transition system is the
basis for analysis of the Activity. In the next section, we show our approach to
verify an Activity using its transition system.
4. Verification and Validation
As mentioned in Sec. 3, to analyze designed Activities we use our previous approach
to verify graph transformation systems [9]. When designers are experts in graph
transformation, they can directly model workows by graph transformation. Nonexpert designers can model workows by UML Activities.f Indeed such designers
do not need to dene any rule for verication. This is due to designing a bunch
of xed properties for designers. Designers only model the workow. Verication
f In
this case, a transformer is needed to automatically transform UML Activities to graph transformation.
690
SPI-J111
0218-1940
SPI-J111
0218-1940
691
Fig. 11. Two faulty activities. (a) contains a deadlock. (b) contains an unreachable action node.
which the specied Action node (Ship Order in this case) has the token (i.e. it is
reachable).
Now, consider the Activity of Figure 11(b). If we replace the name of the Action
node in Figure 10 (ActionWithToken) with Action4 and check the property, we
see that it is not satised. Since there is a Decision node before Action1 and
Action2, based on the semantics of Decision nodes, the token is routed to only
one of them. As a result, in all executions of this Activity, only one token will
arrive at Join node before Action4. Based on the semantics of Join nodes, token
will never reach Action4. Therefore, we can conclude that this property is never
satised for this workow. Such kind of property can be stated in a more general
way by ignoring the name of Action. In this case, this property only determines the
existence of unreachable Action in the Activity instead of unreachable Action itself.
To validate our approach by some benchmarks, we use model checking. For
example, if we implement the semantics correctly, the two Actions ship order
and send invoice in Activity of Fig. 4 can be executed in parallel, i.e. there must
be at least one state in the transition system in which both Actions have the token
in that state. Two property rules of Fig. 12 along with the LTL expression:
(ActionsWithoutToken (ActionsWithToken)) state this property.
In all model checking approaches state space explosion is a serious restriction.
Therefore, we discuss the size of Activities (or graphs in general) that our approach
can verify. Scalability of our approach depends on dierent parameters: the size
of the host graph, the number of dynamic nodes which must be added/deleted
692
SPI-J111
0218-1940
States
Memory (MB)
Time (M Sec)
2173
3
84
1.2
0.1
0.4
2271
1
5
to/from the host graph by rules, the number of applicable rules in the same time,
etc. We know that there is not any dynamic node in the Activities. Besides, the
size of Activities is not usually too large. When the size of Activities is too large
designers can decrease their size using Action Call nodes. As a result we came to
this conclusion that our approach can support Activities with reasonable size. To
investigate this, we veried the example activity diagrams in this paper (diagrams
in Fig. 4 and Fig. 11). The number of the generated states along with the consumed
time and space are shown in Table 1.
Table 1 summarizes the results obtained by our verication approach,g this table
shows that for these examples, the number of generated states, consumed memory
and time are too small.
5. Conclusions and Future Work
We have proposed an approach to formally dene a semantic for UML 2.0 Activities. This semantic is based on token ow and traverse-to-completion using
graph transformation systems. To implement static semantics, we have dened a
type graph (based on UML 2.0 Activity metamodel). All Activities are modeled as
a host graph which must conform to the type graph. To dene dynamic semantics,
we have dened a set of graph transformation rules. We have used our previous
approach to verify graph transformations. We have illustrated our proposed verication approach to verify workows by dening some quality criterion. This is
because workows are a typical modeling domain for UML 2.0 Activities.
Our approach is easy for non-expert designers who have no knowledge about
underlying formalisms (i.e. BIR and Bogor). However, further research is required
to model other necessary elements as Parameter nodes and Pins. We are currently
working on modeling other elements and implementing their semantics as some
graph transformation rules.
g The
SPI-J111
0218-1940
693
References
1. R. Eshuis, D. Jansen and R. Andwieringa, Requirements-level semantics and model
checking of object-oriented statecharts, Requirements Eng. J. 7 (2002) 243263.
2. G. Alonso, F. Casati, H. Kuno and V. Machiraju, Web Services: Concepts, Architectures and Applications (Springer, 2004).
3. Object Management Group, UML Specication V2.0, http://www.omg.org/ technology/documents/modeling spec catalog.htm (2005).
4. L. Baresi and R. Heckel, Tutorial introduction to graph transformation: A software
engineering perspective, in Proc. of First International Conference on Graph Transformation (ICGT), LNCS Vol. 2505, 2002, pp. 402429.
5. H. Ehrig, G. Engels, H. J. Kreowski and G. Rozenberg, Handbook on Graph Grammars
and Computing by Graph Transformation, Vol. 2: Applications, Languages and Tools
(World Scientic, 1999).
6. S. Kuske, A formal semantics of UML state machines based on structured graph
transformation, in Proc. of UML 2001, LNCS Vol. 2185, 2001.
7. V. Rafe and A. T. Rahmani, Formal analysis of workows using UML 2.0 activities and
graph transformation systems, in Proc. of 5th International Colloquium on Theoretical
Aspects of Computing (ICTAC08), LNCS Vol. 5160, 2008, pp. 305318.
8. M. Beyer, AGG1.0 Tutorials, Technical University of Berlin, Department of Computer Science, 1992.
9. L. Baresi, V. Rafe, A. T. Rahmani and P. Spoletini, An ecient solution for model
checking graph transformation systems, in Proc of 3rd Workshop on Graph Transformation for Verification and Concurrency, ENTCS Vol. 213, 2007, pp. 321.
10. V. Rafe, A. T. Rahmani, L. Baresi and S. Spoletini, Towards automated verication of layered graph transformation specications, J. IET Software, 3(4) (2009)
276291.
11. V. Rafe and A. T. Rahmani, Towards automated software model checking using graph
transformation systems and Bogor, J. Zhejiang University Science A (JZUS), 10(8)
(2009) 10931105.
12. Robby, M. Dwyer and J. Hatcli, Bogor: An extensible and highly-modular software
model checking framework, in Proc. of the 9th European Software Engineering Conference, 2003, pp. 267276.
13. R. Eshuis, Semantics and Verication of UML Activity Diagrams for Workow Modelling, Ph.D. Thesis, University of Twente, Netherlands, 2005.
14. C. Bolton and J. Davies, On giving a behavioural semantics to activity graphs, in:
A. Evans, S. Kent and B. Selic (Eds.), UML 2000, LNCS Vol. 1939, 2000.
15. C. Soltenborn, Analysis of UML workow diagrams with dynamic metaModeling techniques, Masters Thesis, University of Paderborn, Germany, 2006.
16. J. H. Hausmann, Dynamic Meta Modeling: A Semantics Description Technique for
Visual Modeling Languages, Ph.D. Thesis, University of Paderborn, Germany, 2005.
17. G. Engels, C. Soltenborn and H. Wehrheim, Analysis UML activities using dynamic
meta modeling, in Proc. of 9th IFIP International Conference on Formal Methods for Open Object-Based Distributed Systems (FMOODS), LNCS Vol. 4468, 2007,
pp. 7690.
18. A. Rensink, The GROOVE simulator: A tool for state space generation, in Applications of Graph Transformations with Industrial Relevance (AGTIVE), LNCS
Vol. 3062, 2004, pp. 479485.
19. H. St
orrle and J. H. Hausmann, Towards a formal semantics of UML 2.0 activities,
in: P. Liggesmeyer, K. Pohl and M. Goedicke (Eds.), Software Engineering, LNI GI
Vol. 64, 2005, pp. 117128.
694
SPI-J111
0218-1940
20. R. Eshuis, Symbolic model checking of UML activity diagrams, ACM Trans. Software
Engineering Methodology 15(1) (2006) 138.
21. A. Cimatti, E. Clarke, F. Giunchiglia and M. Roveri, NuSMV: A new symbolic model
checker, International Journal on Software Tools for Technology Transfer 2(4) (2000)
410425.
22. E. B
orger, A. Cavarra and E. Riccobene, An ASM semantics for UML activity diagrams, in: Rus, T. (ed.), AMAST 2000, LNCS Vol. 1816, 2000, pp. 293308.
23. P. Baldan, A. Corradini and F. Gadducci, Specifying and verifying UML activity
diagrams via graph transformation, in Proc. of Global Computing, LNCS Vol. 3267,
2004, pp. 1833.
Schmidt and D. Varr
24. A.
o, CheckVML: A tool for model checking visual modeling languages, in Proc. of UML 2003: 6th International Conference on the Unified Modeling
Language, LNCS Vol. 2863, 2003, pp. 9295.
25. H. St
orrle, Semantics of control-ow in UML 2.0 activities, in: N.N., (ed.), Proc. IEEE
Symposium on Visual Languages and Human-Centric Computing (VL/HCC ), 2004.
26. C. Bock, UML 2 activity and action models Part 4: Object nodes, Journal of Object
Technology, 3(1) (2004) 2741, http://www.jot.fm/issues/issue 2004 01/column3.
27. C. Bock, UML 2 activity and action models Part 3: control nodes, in Journal of Object
Technology 2(6) (2003) 723, http://www.jot.fm/issues/issue 2003 11/column1.
Copyright of International Journal of Software Engineering & Knowledge Engineering is the property of World
Scientific Publishing Company and its content may not be copied or emailed to multiple sites or posted to a
listserv without the copyright holder's express written permission. However, users may print, download, or
email articles for individual use.