Jocelyn Simmonds
University of Toronto
Publication
Featured research published by Jocelyn Simmonds.
International Conference on the Unified Modeling Language | 2003
Ragnhild Van Der Straeten; Tom Mens; Jocelyn Simmonds; Viviane Jonckers
A software design is often modelled as a collection of UML diagrams. There is an inherent need to preserve consistency between these diagrams. Moreover, through evolution those diagrams get modified leading to possible inconsistency between different versions of the diagrams. State-of-the-art UML CASE tools provide poor support for consistency maintenance. To solve this problem, an extension of the UML metamodel enabling support for consistency maintenance and a classification of inconsistency problems is proposed. To achieve the detection and resolution of consistency conflicts, the use of description logic (DL) is presented. DL has the important property of being a decidable fragment of first-order predicate logic. By means of a number of concrete experiments in Loom, we show the feasibility of using this formalism for the purpose of maintaining consistency between (evolving) UML models.
IEEE Transactions on Services Computing | 2009
Jocelyn Simmonds; Yuan Gan; Marsha Chechik; Shiva Nejati; Bill O'Farrell; Elena Litani; Julie Waterhouse
For a system of distributed processes, correctness can be ensured by (statically) checking whether their composition satisfies properties of interest. However, Web services are distributed processes that dynamically discover properties of other Web services. Since the overall system may not be available statically and since each business process is supposed to be relatively simple, we propose to use runtime monitoring of conversations between partners as a means of checking behavioral correctness of the entire Web service system. Specifically, we identify a subset of UML 2.0 sequence diagrams as a property specification language and show that it is sufficiently expressive for capturing safety and liveness properties. By transforming these diagrams to automata, we enable conformance checking of finite execution traces against the specification. We show how our language can be used to specify the specification property system (SPS). We describe an implementation of our approach as part of an industrial system. Finally, we discuss our experience of specifying and monitoring a number of properties from three existing applications.
International Journal on Software Tools for Technology Transfer | 2010
Jocelyn Simmonds; Jessica Davies; Arie Gurfinkel; Marsha Chechik
When model-checking reports that a property holds on a model, vacuity detection increases user confidence in this result by checking that the property is satisfied in the intended way. While vacuity detection is effective, it is a relatively expensive technique requiring many additional model-checking runs. We address the problem of efficient vacuity detection for Bounded Model Checking (BMC) of linear temporal logic properties, presenting three partial vacuity detection methods based on the efficient analysis of the resolution proof produced by a successful BMC run. In particular, we define a characteristic of resolution proofs—peripherality—and prove that if a variable is a source of vacuity, then there exists a resolution proof in which this variable is peripheral. Our vacuity detection tool, VaqTree, uses these methods to detect vacuous variables, decreasing the total number of model-checking runs required to detect all sources of vacuity.
Automated Software Engineering | 2005
Jocelyn Simmonds; M. Cecilia Bastarrica
Automated consistency checking of UML models becomes necessary as models grow in size and complexity. Because the UML metamodel does not enforce model consistency, there are no guidelines as how to approach the consistency problem. Current solutions are partial and tools are mostly of academic nature. The translation of the metamodel and the user designed model into Description Logics has proved to be useful in detecting a large set of inconsistencies. We present MCC, a UML model consistency checker, built as a plug-in for Poseidon for UML, and relying on Racer as a reasoning engine. We propose a usable and scalable solution, interoperable with a known modeling tool.
Runtime Verification | 2008
Jocelyn Simmonds; Marsha Chechik; Shiva Nejati; Elena Litani; Bill O'Farrell
For a system of distributed processes, correctness can be ensured by statically checking whether their composition satisfies the properties of interest. However, web services are distributed processes that dynamically discover properties of other web services. Since the overall system may not be available statically and since each business process is supposed to be relatively simple, we propose to use runtime monitoring of conversations between partners as a means of checking behavioral correctness of the entire web service system. Specifically, we identify a subset of UML 2.0 Sequence Diagrams (SD) as a property specification language. We show how our language can be used to specify the patterns in the Specification Property System (SPS) [1]. By formalizing this subset using automata, we can check finite execution traces of web services against various complex properties. Finally, we discuss our experience using our language for runtime monitoring of an existing application, and conclude with a description of existing tool support.
Formal Methods in Computer-Aided Design | 2007
Jocelyn Simmonds; Jessica Davies; Arie Gurfinkel; Marsha Chechik
When model-checking reports that a property holds on a model, vacuity detection increases user confidence in this result by checking that the property is satisfied in the intended way. While vacuity detection is effective, it is a relatively expensive technique requiring many additional model-checking runs. We address the problem of efficient vacuity detection for Bounded Model Checking (BMC) of LTL properties, presenting three partial vacuity detection methods based on the efficient analysis of the resolution proof produced by a successful BMC run. In particular, we define a characteristic of resolution proofs - peripherality - and prove that if a variable is a source of vacuity, then there exists a resolution proof in which this variable is peripheral. Our vacuity detection tool, VaqTree, uses these methods to detect vacuous variables, decreasing the total number of model-checking runs required to detect all sources of vacuity.
International Journal of Software Engineering and Knowledge Engineering | 2008
Jocelyn Simmonds; M. Cecilia Bastarrica; Nancy Hitschfeld-Kahler; Sebastián Rivas
Automated consistency checking of UML models becomes necessary as models grow in size and complexity. Since the UML metamodel does not enforce model consistency, there are no fixed guidelines on how to approach the consistency problem. Current solutions are generally partial. The translation of the metamodel and the user designed model into Description Logics has proved to provide a solution in detecting a large set of inconsistencies. In order to make this solution available to system designers, we have implemented MCC+, a UML model consistency checker, built as a plug-in for Poseidon for UML, and relying on Jena as a reasoning engine. Compared to other approaches, we propose a usable and scalable solution, interoperable with a known modeling tool. We show the application of MCC+ to a real world large example of a meshing tool.
TAV-WEB | 2010
Jocelyn Simmonds; Shoham Ben-David; Marsha Chechik
Web service applications are distributed processes that are composed of dynamically bounded services. In our previous work [15], we have described a framework for performing runtime monitoring of web services against behavioural correctness properties (described using property patterns and converted into finite state automata). These specify forbidden behavior (safety properties) and desired behavior (bounded liveness properties). Finite execution traces of web services described in BPEL are checked for conformance at runtime. When violations are discovered, our framework automatically proposes and ranks recovery plans which users can then select for execution. Such plans for safety violations essentially involve “going back” ‐ compensating the executed actions until an alternative behaviour of the application is possible. For bounded liveness violations, recovery plans include both “going back” and “re-planning” ‐ guiding the application towards a desired behaviour. Our experience, reported in [16], identified a drawback in this approach: we compute too many plans due to (a) overapproximating the number of program points where an alternative behaviour is possible and (b) generating recovery plans for bounded liveness properties which can potentially violate safety properties. In this paper, we describe improvements to our framework that remedy these problems and describe their effectiveness on a case study.
Automated Software Engineering | 2010
Jocelyn Simmonds; Marsha Chechik
We describe a RUntime MOnitoring and Recovery framework (RuMoR) for BPEL applications. Our tool checks for behavioral conformance with respect to a set of user-specified properties. When runtime violations are discovered, RuMoR automatically proposes and ranks recovery plans which users can then select for execution. These plans are generated using an adaptation of a SAT-based planning technique.
Archive | 2005
Tom Mens; Ragnhild Van Der Straeten; Jocelyn Simmonds