Structured Axiomatic Semantics for UML Models

In this paper we provide a systematic formal interpretation for most elements of the UML notation. This interpretation, in a structured temporal logic, enables precise analysis of the properties of these models, and the verification of one model against another. We extend previous work by providing a structured logical interpretation for sequence diagrams, in which object communication is represented using theory morphisms. As an application of the formalisation, we show how the introduction of particular design patterns can be proved to be refinement transformations.


Introduction
The UML [10] combines and extends elements of previous OO notations such as OMT, Booch and Objectory. In contrast to these methods, its notations are precisely defined using the Object Constraint Language (OCL) and a meta-model to express the allowed forms of diagrams and their properties. Detailed syntactic description and constraints on model structures are given in [11]. However the semantics of model elements are only given via natural language. As a result, many ambiguities remain. For example: whether objects may be recreated at different times with the same identity; in what order the entry and exit actions of concurrently entered/exited states are performed, and so forth. Here we will use a formal framework to express alternatives for these semantic choices.

Outline of Semantics
A mathematical semantic representation of UML models can be given in terms of theories in extended first-order set theory, as in the semantics presented for Syntropy in [2] and VDM++ in [8]. In order to reason about real-time properties of systems the Real-time Action Logic (RAL) of [8] will be used.
A RAL theory has the form:

    theory Name
    types        local type symbols
    attributes   time-varying data, representing instance or class variables
    actions      actions which may affect the data, such as operations, statechart transitions and methods
    axioms       logical properties and constraints between the theory elements

Theories can be used to represent classes, instances, associations and general submodels of a UML model. These models are therefore being understood as specifications: they describe the features and properties which should be supported by any implementation that satisfies the model (equivalently, any structure that satisfies the axioms of its theory). An important relationship between theories is that of logical consequence: theory S satisfies (the properties of) theory T if there is an interpretation $\sigma$ of the symbols of T into those of S under which every property of T holds: $S \vdash \sigma(\varphi)$ for every theorem $\varphi$ of T. This has the effect that any structure satisfying the axioms of S will also satisfy those of T. A design model D with theory S can be considered a correct refinement of an abstract (specification) model C with theory T if S satisfies T.
In addition to Z-style mathematical notation such as $\mathbb{F}$ for "set of finite sets of", $r^{-1}$ for relational inverse and $r(|S|)$ for relational image, etc., RAL theories can use the following notations:
1. For each classifier or state X there is an attribute $X : \mathbb{F}(X)$ denoting the set of existing instances of X. This represents deep equality between objects in the sense that if $x, y \in X$ and $x = y$ then not only $x.att = y.att$ for all attributes of X, but also recursively for attributes of $x.att$ and $y.att$, etc.
2. If $\alpha$ is an action symbol, and P a predicate, then $[\alpha]P$ is a predicate which means "every execution of $\alpha$ establishes P on termination", that is, P is a postcondition of $\alpha$.
Either Z or OCL notation could be used for axioms in theories, representing the semantics or constraints of UML models. In [7] we define a translation from OCL into Z.

Object Models
A UML class C is represented as a theory $\Gamma_C$ of the form given in Figure 1. The write frame of an action (the set of attributes that it may change) is written after its declaration.
Each instance attribute $att_i : T_i$ of C gains an additional parameter of type C in the class theory $\Gamma_C$, and similarly for operations. Thus the self attribute becomes the identity function on object identifiers. Class attributes and actions do not gain the additional C parameter as they are independent of any particular instance. The standard OO notation $a.att$ will be used as an alternative for $att(a)$ for attribute att of instance a, and similarly $a.act(x)$ will be used for actions $act(a, x)$. $\Gamma_C$ includes $\Gamma_S$ for each supplier S of C.
Similarly each association lr can be interpreted in a theory which contains an attribute lr representing the current extent of the association (the set of pairs of objects in it) and actions add_link and delete_link to add and remove links from this set. Axioms define the cardinality of the association ends and other properties of the association. In particular, if ab is an association between classes A and B, then $ab \subseteq A \times B$, so membership of ab implies existence for the object instances at the ends of the link.

Statecharts
A statechart specification of the behaviour of instances of a class C can be formalised as an extension of the class theory of C, as follows.
If M is a UML StateMachine, then its set of states, $States_M$, consists of $M.top$ (in [11]) and all states (recursively) linked to $M.top$ via subvertex links, ie., all substates of the top state of M.
1. If M is the state machine linked to a class C, each state $S \in States_M$ is represented in the same manner as a subclass of C, and in general, nesting of state $S_1$ in state $S_2$ is expressed by axioms $S_1 \le S_2$ ($S_1$ is a subtype of $S_2$) and $S_1 \subseteq S_2$, as for class generalisation.
If two states are exclusive (ie, they are not related by nesting) then the corresponding S sets are axiomatised as disjoint.
The subclasses corresponding to states are usually dynamic (Syntropy [1] also treats statechart states as dynamic subclasses): an object instance x may move from one state S of C to another S' as a result of an action. This is expressed by changes to the S and S' attributes: the deletion of x from S and its addition to S'.
2. The set of transitions $Trans_M$ of M is $M.transition$ in the UML metamodel. The set of events $Events_M$ of M is $M.transition.trigger$. Each element of $Trans_M \cup Events_M$ is represented by a distinct action symbol.
Each event e is the abstract generalisation of the actions $t_1, \ldots, t_n$ representing its transitions: $\forall a : C \cdot a.t_1 \supseteq a.e \wedge \ldots \wedge a.t_n \supseteq a.e$, where the $t_i$ are all transitions in the statechart whose trigger event (in the sense of the UML semantics [11]) is e.
3. The axiom for the effect of a transition t from state $S_1$ to state $S_2$ with label $e(x)[G]/Post \frown Act$, where G is the guard condition and Post is some postcondition constraint on the resulting state, is $\forall a : C \cdot a.G \wedge a \in S_1 \Rightarrow [a.t(x)](a.Post \wedge a \in S_2)$.
4. The transition only occurs if the trigger event occurs whilst the object is in the correct state: $\forall a : C \cdot a \in S_1 \wedge a.G \Rightarrow (a.e(x) \supseteq a.t(x))$. We assume that distinct transitions from the same source state have non-overlapping guard conditions.
5. Asynchronously generated actions must occur at some future time (after t has occurred): $a.t(x) \Rightarrow \bigcirc(a.Act_1 \wedge \Diamond(\ldots \Diamond a.Act_m)\ldots)$, where $\bigcirc$ is the "next" operator of temporal logic, interpreted as "next method execution initiation time" in RAL, and $\Diamond$ is the "eventually" operator. Act is the list $Act_1 \frown \ldots \frown Act_m$ of generated actions of t, ie $t.effect$ in the sense of [11] (ActionSequence is a subclass of Action in the UML metamodel).
6. Synchronously generated actions have the axiom: $a.t(x) \supseteq a.Act_1; \ldots; a.Act_m$.
We can provide a semantics for general UML statechart models by a series of transformations into a smaller statechart language (Section 5) and then apply the above axiomatisation. However, to simplify verification of critical systems, we have developed a smaller statechart language with strong modularity and scoping restrictions on message sending [9] which uses the same semantics.
3 The Core Package

Association
An association r with name rname, and linked classifiers $r.connection.type = \langle C_1, \ldots, C_n \rangle$ (connection gives the AssociationEnd elements of r, type the classifiers connected to these ends, [11, page 2-15]) is formalised by an attribute $r : \mathbb{F}(C_1 \times \ldots \times C_n)$ such that $r \subseteq C_1 \times \ldots \times C_n$. That is, the elements of r are tuples $(c_1, \ldots, c_n)$ of elements of the classifiers that it links, where each of the $c_i$ is an existing instance.
Subsequently, we will only consider binary associations, as more general n-ary associations can be transformed into n binary associations together with a new class and logical constraints.

Association Class
A theory representing an association class C has an attribute r describing the extent of the association, and an attribute C describing the extent of the class.
We require that these are isomorphic at all times, ie: $card(C) = card(r)$. This is ensured if there is a function $i : C \to C_1 \times C_2$ such that i is an isomorphism between C and r and such that
$create\_link_r(a, b) \supseteq create_C(i^{-1}(a, b))$
$delete\_link_r(a, b) \supseteq kill_C(i^{-1}(a, b))$
$create_C(x) \supseteq create\_link_r(i(x))$
$kill_C(x) \supseteq delete\_link_r(i(x))$

Association End
Assume a binary association r with linked classifiers $C_1$ (target) and $C_2$ (source) and name rname (Figure 2, a typical binary association).
Aggregation If this meta-attribute is set to aggregate, a CASE tool should check that the source end of the association has aggregation value none if the target end has value aggregate. In addition r must be transitive and irreflexive (page 2-58 of [11]).
If the meta-attribute is set to composite then r has the specific properties: 1. One-many (page 2-21 of [11]): $x \in C_1 \wedge x' \in C_1 \wedge (x, y) \in r \wedge (x', y) \in r \Rightarrow x = x'$. 2. Deletion propagating (page 2-57 of [11]): $x \in C_1 \wedge (x, y) \in r \Rightarrow kill_{C_1}(x) \supseteq kill_{C_2}(y)$. As for any aggregation, also $x \in C_1 \Rightarrow \neg((x, x) \in r)$.
Changeable If this meta-attribute has value frozen, then the set of $C_1$ objects linked to a particular $C_2$ object cannot change while the latter exists: $y \in C_2 \wedge \bigcirc y \in C_2 \Rightarrow \bigcirc r^{-1}(|\{y\}|) = r^{-1}(|\{y\}|)$. An alternative interpretation could be that the set of existing $C_1$ objects cannot change, but these can be deleted: $y \in C_2 \wedge \bigcirc y \in C_2 \Rightarrow r^{-1}(|\{y\}|) \cap \bigcirc C_1 = \bigcirc r^{-1}(|\{y\}|)$. If this is addOnly then the above constraints are weakened with $\subseteq$ in place of $=$.
IsOrdered If this meta-attribute has value true, there is an additional attribute $ord_{C_1, r} : C_2 \to seq(C_1)$ with $y \in C_2 \Rightarrow r^{-1}(|\{y\}|) = ran(ord_{C_1, r}(y))$. In other words, ord gives an ordering to the sets of $C_1$ elements linked to each $y \in C_2$.
IsNavigable If this meta-attribute has value true, it implies a tool check that messages are only sent (in statecharts, sequence diagrams, activity diagrams and collaboration diagrams) along the association in a navigable direction.
Multiplicity A cardinality restriction can be interpreted as a subset of $\mathbb{N}$. For example, $1, 5..7, 9..$ defines the set $\{1, 5, 6, 7\} \cup \{n : \mathbb{N} \mid n \ge 9\}$. Hence a cardinality restriction $c_1 : \mathbb{P}(\mathbb{N})$ at the $C_1$ end of r yields the axiom: $y \in C_2 \Rightarrow card(r^{-1}(|\{y\}|)) \in c_1$.
Name If the role name attached to $C_1$ is $r_1$, then there is an attribute $r_1 : C_2 \to \mathbb{F}(C_1)$ with $y \in C_2 \Rightarrow r_1(y) = r^{-1}(|\{y\}|)$. In the case that the cardinality restriction at the $C_1$ end is 1 (ie, $c_1 = \{1\}$) we can define instead $r_1 : C_2 \to C_1$ with $y \in C_2 \Rightarrow \{r_1(y)\} = r^{-1}(|\{y\}|)$.
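As an added example (not from the paper), the following Python models a binary association as the extent $r \subseteq C_1 \times C_2$ together with the existing-instance sets, and turns the Association End meta-attributes above (multiplicity, composite one-many and deletion propagation, irreflexivity, changeable = frozen/addOnly) into executable checks and operations. The multiplicity parser interprets the paper's `1, 5..7, 9..` example; the Car/Wheel objects, the class name `BinaryAssociation` and all method names are assumptions of this example.

```python
"""Executable reading of the Association End axioms for a binary association
r between classifiers C1 (target) and C2 (source).  Added example, not the
paper's own code: the object ids and the Car/Wheel scenario are constructed."""
import re


def parse_multiplicity(spec):
    """Interpret a cardinality restriction such as '1, 5..7, 9..' as a subset
    of N, returned as a membership predicate on n."""
    ranges = []
    for term in spec.split(","):
        term = term.strip()
        m = re.fullmatch(r"(\d+)(?:\.\.(\d+|\*)?)?", term)
        if not m:
            raise ValueError(f"bad multiplicity term {term!r}")
        lo = int(m.group(1))
        if ".." not in term:
            hi = lo                      # a single value n denotes {n}
        elif m.group(2) in (None, "*"):
            hi = None                    # 'n..' or 'n..*' is unbounded above
        else:
            hi = int(m.group(2))
        ranges.append((lo, hi))
    return lambda n: any(lo <= n and (hi is None or n <= hi) for lo, hi in ranges)


class BinaryAssociation:
    """Extent r of the association plus the existing-instance sets C1 and C2."""

    def __init__(self, mult_at_c1="0..", composite=False, changeable="changeable"):
        self.C1, self.C2, self.r = set(), set(), set()
        self.in_c1 = parse_multiplicity(mult_at_c1)  # c1 subset of N for the C1 end
        self.composite = composite
        self.changeable = changeable  # 'changeable' | 'frozen' | 'addOnly'

    def inverse_image(self, y):
        """r^{-1}(|{y}|): the C1 objects currently linked to y."""
        return {x for (x, y2) in self.r if y2 == y}

    def create_c1(self, x):
        self.C1.add(x)

    def create_c2(self, y, linked_to=()):
        """Create y and its initial links together, so that a frozen end can
        still be populated when y comes into existence."""
        self.C2.add(y)
        self.r |= {(x, y) for x in linked_to}

    def can_add_link(self, x, y):
        """Whether add_link(x, y) is permitted under the changeable setting."""
        return not (self.changeable == "frozen" and y in self.C2)

    def add_link(self, x, y):
        if not self.can_add_link(x, y):
            raise ValueError(f"frozen end: links of {y!r} cannot change")
        self.r.add((x, y))

    def delete_link(self, x, y):
        if self.changeable in ("frozen", "addOnly") and y in self.C2:
            raise ValueError(f"{self.changeable} end: links of {y!r} cannot shrink")
        self.r.discard((x, y))

    def kill_c1(self, x):
        """kill_C1(x); for a composite this also kills every linked part."""
        parts = {y for (x2, y) in self.r if x2 == x}
        self.C1.discard(x)
        self.r = {(a, b) for (a, b) in self.r if a != x}
        if self.composite:
            for y in parts:
                self.kill_c2(y)

    def kill_c2(self, y):
        self.C2.discard(y)
        self.r = {(a, b) for (a, b) in self.r if b != y}

    def violations(self):
        """Check the axioms attached to the association ends against the current extent."""
        problems = []
        for (x, y) in self.r:
            if x not in self.C1 or y not in self.C2:
                problems.append(f"link {(x, y)!r} refers to a non-existent object")
        for y in self.C2:
            n = len(self.inverse_image(y))
            if not self.in_c1(n):
                problems.append(f"{y!r} has {n} links at the C1 end, outside the multiplicity")
            if self.composite and n > 1:
                problems.append(f"composite: {y!r} has more than one whole")
        if self.composite:
            problems += [f"irreflexive link {(x, x)!r}" for (x, y) in self.r if x == y]
        return problems


def demo():
    # Constructed scenario: a Car (whole, C1) composed of Wheels (parts, C2),
    # each wheel belonging to exactly one car.
    a = BinaryAssociation(mult_at_c1="1", composite=True)
    a.create_c1("car1")
    for w in ("w1", "w2", "w3", "w4"):
        a.create_c2(w, linked_to=["car1"])
    before = a.violations()
    a.add_link("car2", "w1")          # car2 does not exist and w1 already has a whole
    during = a.violations()
    a.delete_link("car2", "w1")
    a.kill_c1("car1")                 # deletion propagates to all four wheels
    return before, during, sorted(a.C2)
```

`demo()` returns no violations for the well-formed model, three for the dangling second link (non-existent object, multiplicity, composite one-many), and an empty part set after the whole is killed.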

Attribute
If an attribute of classifier C has name att and type T, has instance scope and multiplicity 1, then it is expressed as an attribute symbol $att : C \to T$ and may be written as $att(c)$ or $c.att$ for specific $c \in C$.
In the case that the ownerScope is classifier then there is no need for a C parameter: $att : T$, since the same value is shared by all instances of C.
If the multiplicity constraint c is not $\{1\}$ then att is represented as an attribute symbol $att : C \to seq(T)$ where $size(att(x)) \in c$ for each $x \in C$. Similarly for multiple classifier scope attributes.
Changeable If this meta-attribute is frozen then we have the axiom $x \in C \wedge \bigcirc x \in C \Rightarrow \bigcirc att(x) = att(x)$. A logically stronger version uses the operator meaning "at all future times" in place of the operator meaning "at all future method initiation times". This version implies that even if an object is 'reborn' then it always has the same value for att, even in discontinuous portions of its life. If this is addOnly then $x \in C \wedge \bigcirc x \in C \Rightarrow ran(att(x)) \subseteq ran(\bigcirc att(x))$.
Initial Value This defines the value set at creation: $[create_C(x)](att(x) = initval)$.

3.5 Behavioural Feature
These are expressed as action symbols. If behavioural feature f of classifier C has parameters $p_1 : T_1, \ldots, p_m : T_m$ then it is represented as an action symbol $f(C, T_1, \ldots, T_m)$ in the case of instance scope, or $f(T_1, \ldots, T_m)$ in the case of classifier scope.
IsQuery If this is true, then the write frame of f is the empty set.

Constraint
These are interpreted (where possible) as predicates in the theory of the smallest model containing all model elements that they constrain.They are true at all times in the history of an instance of such a model.

Data Type
These are represented by data types in our logic. A utility class C is one all of whose attributes and actions are of class scope (page 2-28 of [11]).

Feature
The ownerScope of a feature is represented as explained in Sections 3.4 and 3.5 above.
The visibility of an attribute is not distinguished in our semantics and requires checks by CASE tools for the notation.

Generalisable Element
If a classifier C has isAbstract true, and $C_1, \ldots, C_n$ are all its immediate descendants, then: $create_C(x) \supseteq create_{C_1}(x) \sqcap \ldots \sqcap create_{C_n}(x)$. In other words, creation of an instance of C implies it is actually created as an instance of one of C's proper subclassifiers.
In addition $\bigwedge_{j \ne i} \neg create_{C_j}(x) \wedge \bigwedge_{j \ne i} x \notin C_j \Rightarrow kill_{C_i}(x) \supseteq kill_C(x)$. Together with the normal axioms $create_{C_i}(x) \supseteq create_C(x)$ for generalisation, these establish by induction that $C = C_1 \cup \ldots \cup C_n$ at all times.
The isLeaf and isRoot meta-attributes declare whether the classifier cannot or can allow redefinition of its response to signals in descendants. These will not be represented in the semantics as their treatment is primarily a CASE tool issue.

Generalisation
If T is a generalisation of S then $S \le T \wedge S \subseteq T$. This means that any feature of T is also defined for S.
The second formula is ensured by axioms: $create_S(x) \supseteq create_T(x)$ and $x \in S \Rightarrow kill_T(x) \supseteq kill_S(x)$. In other words, if x is added to S it must also be added to T, and if x exists as a subclass instance, then removing it from T must also remove it from S.
A theory $\Gamma_S$ for S can be defined as an extension of the theory $\Gamma_T$ for T with these extra data types, attributes and axioms, together with the attributes, actions and axioms derived from the declarations contained in the text of S. If locality axioms $\alpha_1 \vee \ldots \vee \alpha_p \vee \bigcirc att = att$ are included in $\Gamma_T$ however, for each attribute att of T, the $\alpha_i$ being all actions with att in their write frame, then $\Gamma_S$ in general does not satisfy the axioms of $\Gamma_T$: the locality axiom for att is only true in $\Gamma_S$ if any action declared in S only modifies att by invoking one of the $\alpha_i$ from T (so called 'strict' inheritance, which provides a form of semi-private scoping; this is also the semantics of INCLUDES in B [5]).

Operation
Operations are represented by action symbols.
Concurrency If this meta-attribute is sequential then there is at most one invocation of the operation, m, of classifier C, executing or waiting to be executed: $a \in C \Rightarrow \#waiting(m(a)) + \#active(m(a)) \le 1$. If this is guarded then there can be many waiting invocation requests for m, but only one active: $a \in C \Rightarrow \#active(m(a)) \le 1$. There are no restrictions on concurrent operations.
IsPolymorphic This meta-attribute indicates that the operation is polymorphic.Any polymorphic use of an operation should be checked against the value of this by CASE tools; it is not represented in the semantics.
Specification If this is expressed as code or as pre/post conditions, then it can be formalised as an action symbol definition.

Qualifier
If association r between classifiers $C_1$ and $C_2$ has qualifier attributes $q_1 : T_1, \ldots, q_k : T_k$ at the $C_1$ end, and cardinality constraint c at the $C_2$ end, then we have the axiom: $\forall x : C_1; v_1 : T_1; \ldots; v_k : T_k \cdot card(\{y : C_2 \mid (x, y) \in r \wedge q_1(x) = v_1 \wedge \ldots \wedge q_k(x) = v_k\}) \in c$.

4 Behavioural Elements Package: Common Behaviour

Action
An action is represented as an action symbol. If an integer recurrence n is specified then this describes an n-fold iteration of the named action, where this is the sequential composition of n copies of the action. The target may indicate a set s of objects instead of a single object. In this case $s.\alpha$ is interpreted as the concurrent composition $\|_{x \in s}\; x.\alpha$ of the individual actions: this composition allows the individual actions to be performed in an arbitrary order, and to overlap in their executions.

Call Action
Calls are represented by the operator $\supseteq$ between actions in the case of a sequential call: $\alpha \supseteq \beta$ meaning that every invocation instance $(\alpha, i)$ of $\alpha$ coincides in time with some invocation instance of $\beta$.
In the case of an asynchronous call the invoked action can take place at some future time: $\alpha \Rightarrow \Diamond \beta$.

Create Action
For a classifier C the create action is $create_C(C)$.

Destroy Action
For a classifier C this is $kill_C(C)$.

Instance
An instance a of a classifier C is represented as a member of the extension C of C: $a \in C$.

Link
A link is represented as a particular pair $(x, y)$ of elements in the extent r of the association to which it belongs.

Reductive Transformations
In order to simplify the semantic treatment of statecharts, we assume that the following reductive transformations have been applied to eliminate nesting (OR-composition of states), concurrent composition (AND-composition) and entry and exit actions. The restrictions are that the original statechart must not contain deferred events or history entry states or conditions depending upon attributes (as opposed to states). $x \sqsubseteq y$ denotes that x is a substate of y.

A: Eliminating Nesting
States can be nested, that is, a state s of a statechart A may enclose a statechart $smach_A(s)$. If a statechart B is nested within a state s of statechart A, ie, $B = smach_A(s)$, we can eliminate the nesting to produce a statechart or state machine A' by replacing s by B within A, adding transitions $t_x : x \to T$ for each state x of B for each original transition $t : s \to T$ in A (if $T \ne s$), where: $\neg \exists y : States_B; tr : Trans_A \cdot x \sqsubseteq y \wedge event_A(tr) = event_A(t) \wedge y = source_A(tr)$.
Transitions $t : s' \to s$ in the original model ($s' \ne s$) are redirected to be transitions $t : s' \to init_B$. Self transitions t on s are replaced by transitions $t_x : x \to init_B$ for each state x of B. If $s = init_A$ then $init_B$ becomes the new initial state of A'.
If s has an entry action Act then this is added as the last action of any transition to the boundary of s (ie, to $init_B$), and to any transition into a state of B.
If s has an exit action Act then this is added as the first action of any transition out of s (ie, which does not have as target any state of s).

B: Eliminating Concurrent States
Similarly, an AND-composition $A \| B$ of state machines can be expanded out to a state machine C. The states of the expanded machine are pairs (a, b) of states a of A and b of B. If a and b are basic states, then (a, b) is a basic state with entry action the composition $Entry_a \| Entry_b$ of the individual entry actions and exit action the composition $Exit_a \| Exit_b$ of the individual exit actions. Transitions $t : (a, b) \to (a', b')$ arise either as:
1. A synchronised pair $t_1 : a \to a'$ and $t_2 : b \to b'$ of transitions of A and B respectively, where $event_A(t_1) = event_B(t_2)$, and this event is then taken as $event_C(t)$. The actions of t are then $Act_1 \| Act_2$ where these are the separate actions of $t_1$ and $t_2$.
2. The lifting of a transition $t_1 : a \to a'$ of A, with $b = b'$ and $event_A(t_1) \in Events_A - Events_B$. $event_C(t_1)$ is defined to be $event_A(t_1)$.
3. The lifting of a transition $t_2 : b \to b'$ of B, with $a = a'$ and $event_B(t_2) \in Events_B - Events_A$. $event_C(t_2)$ is defined to be $event_B(t_2)$.
Conditions on transitions which refer to concurrent states can also be eliminated in the expansion of an AND-composition of state machines to a single state machine. Such conditions are predicates $Condition_C(t)$ for each transition t of a statechart C, of the form $in\ S$, $\neg(in\ S)$ and propositional logic combinations of these. If transition $t : a \to a'$ in A has a condition $Condition_A(t) = in\ s$ on it, where $s \in States_B$, then the only transitions $t : (a, b) \to (a', b')$ in the expansion of $A \| B$ are those where $s = b$. Similarly for the other forms of conditions.
In the resulting statechart C formed from A and B, $Condition_C(t)$ is $Condition_A(t)$ with each $in\ b$ predicate replaced by true.
If transition t from a to a' includes an invocation of an event e in a concurrent state: $Act_1 \frown e(v) \frown Act_2$, then for each transition t' for $e(x)$ from b to b' with labelling Act we obtain a modified transition for t with labelling $Act_1 \frown Act[v/x] \frown Act_2$ from (a, b) to (a', b').
The formula $t \supseteq Act_1; e(v); Act_2$ is added as a logical constraint to the resulting theory. Notice that t' may be fired by other occurrences of e in addition to those resulting from t, so there may still be transitions of the form $t' : (c, b) \to (c, b')$ in the expanded state machine.
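To make the expansion concrete, here is an added Python implementation (not the paper's) of the product construction of Section B: states are pairs (a, b), transitions come from synchronised pairs on shared events or from lifting of events private to one machine, and `in S` conditions are decided against the concurrent machine's state so that the resulting transitions carry no condition. The generated-event case (a transition whose actions invoke an event of the other machine) is not covered. The light/alarm machines, the `Transition` record and the function names are constructed for this example.

```python
"""Expansion of an AND-composition A || B of state machines into a single
state machine C: synchronised pairs on shared events, lifting of events
private to A or to B, and elimination of in(S) conditions.
Added example; the light/alarm machines below are constructed."""
from collections import namedtuple

# src/tgt are state names; cond is None or a nested tuple built from
# ("in", s), ("not", c), ("and", c1, c2, ...), ("or", c1, c2, ...);
# actions is the list of action names on the label.
Transition = namedtuple("Transition", "src event cond actions tgt")


def events(machine):
    """Events_M: the trigger events of a machine's transitions."""
    return {t.event for t in machine["transitions"]}


def holds(cond, other_state):
    """Evaluate a condition on the concurrent machine, given its current state."""
    if cond is None:
        return True
    op = cond[0]
    if op == "in":
        return other_state == cond[1]
    if op == "not":
        return not holds(cond[1], other_state)
    if op == "and":
        return all(holds(c, other_state) for c in cond[1:])
    if op == "or":
        return any(holds(c, other_state) for c in cond[1:])
    raise ValueError(f"unknown condition {cond!r}")


def expand_and(A, B):
    """Product machine C of A || B; its states are the pairs (a, b)."""
    EA, EB = events(A), events(B)
    states = [(a, b) for a in A["states"] for b in B["states"]]
    product = []
    for (a, b) in states:
        for t1 in A["transitions"]:
            if t1.src != a or not holds(t1.cond, b):
                continue                      # condition on B decided here, so dropped below
            if t1.event in EB:                # 1. synchronised pair on a shared event
                for t2 in B["transitions"]:
                    if t2.src == b and t2.event == t1.event and holds(t2.cond, a):
                        product.append(Transition((a, b), t1.event, None,
                                                  ("par", t1.actions, t2.actions),
                                                  (t1.tgt, t2.tgt)))
            else:                             # 2. lifting of an event private to A
                product.append(Transition((a, b), t1.event, None, t1.actions, (t1.tgt, b)))
        for t2 in B["transitions"]:           # 3. lifting of an event private to B
            if t2.src == b and t2.event not in EA and holds(t2.cond, a):
                product.append(Transition((a, b), t2.event, None, t2.actions, (a, t2.tgt)))
    return {"states": states, "initial": (A["initial"], B["initial"]), "transitions": product}


def successors(machine, state):
    """Set of (event, target) pairs enabled in a state of the expanded machine."""
    return {(t.event, t.tgt) for t in machine["transitions"] if t.src == state}


# Constructed input: a power switch A and an alarm B that may only start
# beeping (on 'tick') while the switch is in state 'active'; 'switch' is
# shared by both machines, 'tick' and 'reset' belong to B only.
LIGHT = {"states": ["idle", "active"], "initial": "idle", "transitions": [
    Transition("idle", "switch", None, ["start"], "active"),
    Transition("active", "switch", None, ["stop"], "idle"),
]}
ALARM = {"states": ["quiet", "alarm"], "initial": "quiet", "transitions": [
    Transition("quiet", "tick", ("in", "active"), ["beep"], "alarm"),
    Transition("quiet", "switch", None, ["log"], "quiet"),
    Transition("alarm", "switch", None, ["silence"], "quiet"),
    Transition("alarm", "reset", None, [], "quiet"),
]}

PRODUCT = expand_and(LIGHT, ALARM)
```

In `PRODUCT` the `tick` transition appears only from `("active", "quiet")`, because its `in active` condition has been decided against the LIGHT component and removed; the shared `switch` event always moves both components together, with actions composed as `("par", ...)`.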

Logical Representation of Sequence Diagrams
An object lifeline in a sequence chart can be expressed as a term in a process algebra language OHA (Object history algebra). Class and instance theories can be extended to include a trace, which is an axiom expressing the allowed values that the object history can take within this algebra. The histories of different objects, ie, different lifelines within the same sequence diagram, can be composed by co-limit constructions of their theories, in which symbols are identified.
The OHA language for objects of a class C consists of the following atomic actions:
1. $(a, b)!m(e)$: send of message m(e) from object a to object b;
2. $(a, b)?m(e)$: reception of message m(e) by b from a, where m is a method of C.
These correspond to points in the history of an object on a sequence diagram, ie, points which are the source or target of message arrows or control transfers. The terms of the OHA are then of the form $P ::= STOP \mid \alpha \to P \mid P \| Q$ where $\alpha$ is an atomic action of the OHA, and P and Q are terms. This language is therefore a subset of a CSP algebra in which channels are identified by pairs $(a, b) : C \times D$ of objects. The same definitions of traces(P) are taken as in the traces semantics of CSP [4].
An additional feature is added to theories, called the trace, and containing an axiom defining the possible elements of the OHA which the trace of objects satisfying the theory may take.
As an example, consider a sequence chart with two object lifelines, for ob1 : C and ob2 : D, where there is an association from C to D named b at the D end, ie, there is an attribute $b : D$ in the theory $I_C$ of instances of C (Figure 3).
The lifeline for ob1 contains a send of message m to its linked b value, so the theory $L_1$ of a general lifeline of this form, extending $I_C$, includes the trace $(self, b)!m() \to STOP$. This abbreviates the axiom $trace \in traces(P)$ where P is the quoted process.
The lifeline for ob2 contains a corresponding receive, so the general theory is $L_2$ in this case, with the trace component $(a, self)?m() \to STOP$. We connect these lifeline theories and make them specific to ob1 and ob2 by defining theory morphisms: 1. $f : L_1 \to L_3$ mapping $b \mapsto ob2$, $self \mapsto ob1$; 2. $g : L_2 \to L_3$ mapping $a \mapsto ob1$, $self \mapsto ob2$. $L_3$ is the union of the two renamed theories $L_1$ and $L_2$. In $L_3$ the trace is defined as the parallel composition $(ob1, ob2)!m() \to STOP \;\|\; (ob1, ob2)?m() \to STOP$ of the renamed traces of $L_1$ and $L_2$. As in CSP this can be reduced to a communication of m on the channel (ob1, ob2): $(ob1, ob2).m() \to STOP$. The interpretation of traces from $L_1$ in $L_3$ is the restriction of traces to P, where P is the language of the trace process of $L_1$, and similarly for $L_2$.
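The following added Python (our own encoding, not the paper's) represents OHA terms, computes traces(P) as in the CSP traces model with a send and a matching receive on one channel pair synchronising into a communication, and applies the morphisms f and g as renamings. The constructed `L1_TRACE` and `L2_TRACE` are the two lifeline traces above; the tuple encoding of terms and all function names are assumptions of this example.

```python
"""Object history algebra (OHA) terms, their CSP-style traces, and renaming
of lifeline theories along theory morphisms.  Added example, not the paper's
code; the lifelines for ob1 : C and ob2 : D follow the text, the encoding is ours."""
from collections import namedtuple

# kind is '!' (send), '?' (receive) or '.' (the communication both reduce to)
Action = namedtuple("Action", "src dst kind msg")
STOP = ("STOP",)


def prefix(action, p):
    """alpha -> P"""
    return ("PREFIX", action, p)


def par(p, q):
    """P || Q"""
    return ("PAR", p, q)


def channels(p):
    """Channel pairs (a, b) occurring in a term: the alphabet used for synchronisation."""
    if p[0] == "STOP":
        return set()
    if p[0] == "PREFIX":
        return {(p[1].src, p[1].dst)} | channels(p[2])
    return channels(p[1]) | channels(p[2])


def steps(p):
    """Enabled (action, successor term) pairs of a term."""
    if p[0] == "STOP":
        return []
    if p[0] == "PREFIX":
        return [(p[1], p[2])]
    left, right = p[1], p[2]
    out = []
    for a, l2 in steps(left):
        for b, r2 in steps(right):
            # a send and a matching receive on the same channel synchronise
            if (a.src, a.dst, a.msg) == (b.src, b.dst, b.msg) and {a.kind, b.kind} == {"!", "?"}:
                out.append((Action(a.src, a.dst, ".", a.msg), par(l2, r2)))
        if (a.src, a.dst) not in channels(right):   # channel private to the left side
            out.append((a, par(l2, right)))
    for b, r2 in steps(right):
        if (b.src, b.dst) not in channels(left):    # channel private to the right side
            out.append((b, par(left, r2)))
    return out


def traces(p):
    """traces(P) as in the CSP traces model: every finite prefix of behaviour."""
    result = {()}
    for a, p2 in steps(p):
        result |= {(a,) + t for t in traces(p2)}
    return result


def rename(p, morphism):
    """Apply a theory morphism (symbol -> object id) to the object names in a term."""
    if p[0] == "STOP":
        return p
    if p[0] == "PREFIX":
        a = p[1]
        renamed = Action(morphism.get(a.src, a.src), morphism.get(a.dst, a.dst), a.kind, a.msg)
        return prefix(renamed, rename(p[2], morphism))
    return par(rename(p[1], morphism), rename(p[2], morphism))


def satisfies(trace, p):
    """The trace axiom of a theory: trace in traces(P)."""
    return tuple(trace) in traces(p)


# Lifeline theories L1 (sender: self : C with link b : D) and L2 (receiver).
L1_TRACE = prefix(Action("self", "b", "!", "m"), STOP)
L2_TRACE = prefix(Action("a", "self", "?", "m"), STOP)

f = {"b": "ob2", "self": "ob1"}   # f : L1 -> L3
g = {"a": "ob1", "self": "ob2"}   # g : L2 -> L3
L3_TRACE = par(rename(L1_TRACE, f), rename(L2_TRACE, g))
```

Because f and g identify the channel as (ob1, ob2), `traces(L3_TRACE)` contains only the empty trace and the single communication `(ob1, ob2).m()`; a morphism that mapped `a` to some other object would leave two unrelated channels, and the send and receive would simply interleave.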

Proving Pattern Introductions as Re nements
One application of the semantics is to prove that the introduction of particular design patterns [3] are refinements. Here we will consider the Strategy pattern. Strategy can be used to transform a system of the form of the left hand side of Figure 5 to the form given on the right hand side.
The theory interpretation in the case of the Strategy pattern is given in Table 1 (Interpretation of Client into Client1). The typing axioms of the abstract system are therefore directly provable, in their interpreted versions, in the concrete system. For example, the constraint that $obj.aContext \in Context$ for $obj \in Client$ in the theory $\Gamma_{Client}$ is interpreted by the predicate $obj \in Client1 \Rightarrow obj.aContext \in Context1$ in $\Gamma_{Client1}$. But this is a theorem of $\Gamma_{Client1}$ from its own typing axiom for aContext, as required. The effect of $obj.aContext.set\_type1$ in Client is given by the axiom: $obj \in Client \wedge obj.aContext \in Context \Rightarrow (obj.aContext).set\_type1 \supseteq obj.aContext.strategy\_type := type1$. That is, calls of $(obj.aContext).set\_type1$ result in $obj.aContext.strategy\_type$ having the value type1 at their conclusion. But this is provable from the axiom for $obj.aContext.set\_type$ in Client1. Similar reasoning shows that the interpretation of the axiom for the effect of m in $\Gamma_{Client}$ is provable from the corresponding axiom for m in $\Gamma_{Client1}$.
We can now make precise the assumptions required for the transformation to be correct:
- $obj.aContext.strategy \in Strategy$ at the point where ContextInterface is called;
- $obj.aContext.strategy$ must remain in the same subclass of Strategy during the execution of ContextInterface.
Other applications of the semantics include proving that transformations such as source and target splitting on statecharts [1] are also refinements.

Conclusions
The definition of a precise semantics for the UML is an important aim if UML models are to be used for development of critical systems. The semantics we have given supports verification of refinement and a transformational approach to development which reduces the proof burden associated with traditional formal techniques [6]. The use of an axiomatic framework enables a direct relationship to be established between proof tools for the UML and the semantics. It is also more appropriate than a denotational approach in the case of a general specification notation such as the UML which has no specific executable interpretation.
Work is continuing to extend the semantics to other UML notations, and to develop tools to support veri ed transformations on UML models.
