A Formal Semantics of UML Sequence Diagram - UNU-IIST - United ...

and edges represent links and passing messages. Since asequence diagram is defined as a sequence of messages, weshould give formal definition of messages.Definition 1 A message is a tuple:wheremsg = (ob i : C i , ob j : C j , action, order)• ob i is the source object of the message with class typeC i , of course the source of message can also be anactor.• ob j is the target object of the message with class typeC j .• action is a guarded method call of the form g → act ,where g is a Boolean expression of attributes of sourceobject ob i , and possibly public variables, and actionis either a command without method calls (an internalaction) or a method call ob j .m().• order is the order number of the message in the correspondingsequence diagram structure tree. All the ordernumbers of messages in the sequence diagram constructa partial order. The order number of a messageis given according to its position in the tree. The rootnode is corresponding to the starting object or actor ofa sequence diagram. Then the first layer branches withorder number is 1, 2, , 3, · · · , n. From the u-th nodeob u of first layer object nodes, perhaps there are mnodes. The corresponding order numbers of branchesare u.1, u.2, · · · , u.m. The u.v is the v-th branchesfrom the node object ob u . Given the sequence diagramexample in Figure 2, the corresponding structure treewith ordered messages is shown in Figure 7.We now look at how composite diagrams can be constructedfrom basic diagrams by using programming language-likeconstructs.obi : Cig -> m()obj : Cjg -> m()Figure 3. Basic activation notationobi : Ciobj : Cj• The activation notation of a basic message in sequencediagram is shown in Figure 3.• The iterative notation of messages is shown in Figure4. The corresponding ordered tree can be constructedin the figure.• The special messages such as create object anddestroy are shown in Figure 5.• And the branching choice case of messages can bedealt as shown in Figure 6.obi : Cig -> m()u.v.1: * g1 -> n1()u.v : g -> m()obk : Ckobj : Cjobi : Ci* g1 -> n1()g2 -> n2()obj : Cjobk : Ckobk : Cku.v.2: g2 -> n2()Figure 4. Iteration notationA complicate sequence diagram can be constructed byabove basic notations. For sequence diagram of Figure 2,we can easily derive its corresponding message orderedstructure tree as shown in Figure 7.The ordered structure tree presents the hierarchical relationshipsamong the messages. And the execution of messages(i.e. execution of the method represented by the message)in the sequence diagram must follow the traversingrule of first root then son trees from left to right. For onethread sequence diagram, there is only one token to denotecontrol right of invoking message. In the beginning of anexecution of the sequence diagram, the token is in the actor’shand. When the source of message wants to invokea message, the source object or actor must hold the token.When the message is invoked, the token should be passedthe target of message. The source of message will wait untilthe target return the token, it can invoke another messageor return the token to the previous source which invoked itbefore. We consider that the execution of a sequence diagramfrom the start to termination is the process of the token4

obi : Ciobi : Ciobj : Cjobj=new Cj()obj : Cjb1 -> m()destroy()b2 -> n()obi : Ciobi : Ciu.v: obj=new Cj()u.v+1: destroy()u.v: b1 -> m()u.v+1: b2 -> n()obj : Cjobj : CjFigure 5. Create and destroy notationsobj : Cjobj : Cjtraversing from the root node of the hierarchical tree to subtreesfrom left to right, finally the token return back to theroot.If the order of the messages given in one thread sequencediagram is not conformed to a hierarchical structure tree,then the diagram is not well-formed. For example, the sequencediagram shown in Figure 8 is illegal because afterthe first message getName() finished, the thread controlpoint is returned the actor CampaignManager, the nextmessage ∗getCost() can be invoked by object : Campaignin the system.Figure 6. Branching choice notationCampaign Manager1: getName() 2: listCampaigns() 3: checkCapaingnBudget():Client2.1: *getCampaignDetails():Client:Campaign3.1: *getCost() 3.2: getOverheads()4 Computational Model:Campaign:Advert:CampaignWe use a notation similar to a transition or action system[13] to combine the models of class diagrams and themodel of sequence diagrams together to model a design ofa system. A system is defined by a tuple (α, Φ, Θ, P ) where• α denotes the set of program variables known to theprogram.• P is a set of operations, each of which is a predicatethat relates the initial values of program variables. Thepredicate is of the form p(x) ⊢ R(x, x ′ ) (called a designin [9]):p(x) ⊢ R(x, x ′ ) def= ok ∧ p(x) ⇒ ok ′ ∧ R(x, x ′ )where x and x ′ represent the initial and final valuesof x respectively; ok asserting that the operation isstarted well and ok ′ means that the operation terminated;p(x) is called the precondition, and R(x, x ′ ) thepost-condition or the transition relation.Figure 7. Sequence diagram structure tree• Θ is a predicate over α, called the initial condition anddefines the initial state(s) of the system.• Φ is a predicate over α, called the invariant. It must betrue in any initial state and preserved by each operationin P .An action only changes a subset of variables declared inα. The normal form of a design is thus a framed design ofthe form V : (p ⊢ R), that denotes p ⊢ R ∧ (w ′ = w),where V and w are subsets of α, and w = α − V . Whenthere is no confusion, we will omit the frame in a design byassuming that a variable x can be changed by a design onlyif its primed version x ′ occurs in the design.The above model has to take into account the followingOO aspects.1. A sequence diagram is composed from a number of5

¡CampaignManagergetName()¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡listCampaigns():ClientcheckCampaignBudget()* getCampaignDetails():Campaign* getCost()* getCost():AdvertgetOverheads()Figure 8. Illegal sequence diagramoperations, i.e. method calls, while a class diagramsdetermines the following variables on which sequencediagram operates:• for every class, a class variable that takes valuesof sets of objects of the concept;• for every object of a concept, a variable for eachattribute of the concept;• for every association, an association variablethat take values of sets of links (i.e. pairs) betweenobjects of the associated classes.2. Due to the inheritance mechanism, the effect of a usecase on a variable depends on its current type duringexecution, rather than its originally declared type.3. As in imperative languages, a state of a variable is itscurrent value. An object is represented as a finite tuplethat records its identity, current type, and the values ofits attributes.In summary, a model of an OO design is a system S =(α, Φ, Θ, P ) where• P consists of a set of operations obtained from a numberof sequence diagrams.• α identifies the variables on which the operations in Poperate and it is determined by the class diagram andthe input and output parameters of the methods in thesequence diagram.• The invariant Φ formally models the invariant constraint,such as multiplicities and business rules. Thepair (α, Φ) thus gives the formalization of the classmodel.• Θ is a condition to be established when starting up thesystem.5 Formal Semantics of Sequence DiagramWe consider both static and dynamic semantics of sequencediagrams. In an abstract syntactic form, a wellformedsequence diagram corresponds to an ordered hierarchicaltree structure. The static semantics of a sequencediagram is to check whether it is consistent with the classdiagram declaration. This means that the static semantics isalways dependent on a given class diagram ∆. Meanwhile,the dynamic semantics is defined as a sequence compositionof the first layer system messages of its ordered tree.When a message is executed, it must be consistent with systemstate, i.e., object diagram and the state diagrams of therelevant objects.5.1 Static semantics of sequence diagramGiven a class diagram ∆, let CN be the set of classnames in ∆, AN set of association names, Ass the set ofall associations each of which is represented in the form< C 1 , A, C 2 >, where C 1 , C 2 ∈ CN and A ∈ CN, andmethod(C) be the set of all the methods of class C in ∆.Obviously, for a given messagemsg = (ob i : C i , ob j : C j , g → m(), order)we can define its static semantics as follows.S s [smg]] def= C i ∈ CN ∧ C j ∈ CN∧∃A ∈ CN. < C i , A, C j >∈ Ass ∧ m ∈ Method(C j )The static semantics of a sequence diagram is defined asthe conjunction of all its messages in the structure tree.5.2 Dynamic Semantics of MessageExecution of a message makes system change from onestate s to another s ′ . Based on Hoare and He’s UnifyingTheories of Programming [9], we can define a message actionas first order logic formula on a pair of system states(s, s ′ ). Before giving the semantics of messages, we introducesome useful auxiliary functions: for states s and s ′ ,• s(C) : the set of objects of class C in state s.• s(ob): the corresponding state of object ob in systemstate s, i.e. the values of the attributes of ob.6

• s(g): a boolean value of guard condition g under systemstate s.• Enable(s, ob, m) : a boolean value. It equals tureif the method m of object ob is enabled under systemstate s.• pre s (ob.m): the precondition of method m of objectob under system state s.• post (s,s ′ )(ob.m): the postcondition of method m ofobject ob under system state pair (s, s ′ ).• Link(s, ob) : the object set which can be navigatedfrom object ob by its associations in the system state s.we can define the dynamic semantics of action execution(except create action) as follows:• A method invocation can only be executed when themethod is enabled in the current state:S d [[ob.m()]] def=Enable(s, ob, m)∧(pre s (ob.m) ⇒ post (s,s ′ )(ob.m))• A guarded message invocation can go ahead only whenthe guard is evaluated to be in the current state:S d [[g → ob.m()]] def= s(g) ∧ S d [[ob.m()]]• Branching provides a choice according to guards ornon-deterministically if both guards are true:S d [[b1 → ob 1 .m() ⊓ b2 → ob 2 .n()]] def=(s(b1) ∧ S d [[ob 1 .m()]]) ∨ (s(b2) ∧ S d [[ob 2 .n()]])• An iteration repeats the execution until the guard becomesfalse:S d [[∗ b → ob.m()]] def= (b ∗ S d [[ob.m()]])• To destroy an object is to remove the object from thesystem state:S d [[ob i .destroy()] def= s ′ (C i ) = s(C i ) − {ob i }where C i is the type class of ob i .When a message is executed, some consistent conditionsshould be checked under system state. The dynamic semanticsof a message: (ob j : C i , ob j : C j , act), can be definedon a pair system (s, s ′ ) as follows, where act is not createobject action.LetwhereP oss def=ob i ∈ s(C i ) ∧ ob j ∈ s(C j ) ∧ ob j ∈ Link(s, ob i )S d [[(ob i : C i , ob j : C j , act)]] def=S d [[act] ✁ P oss ✄ falseP ✁ b ✄ Q def= b ∧ P ∨ ¬b ∧ QAn object can create a new object only when it is already inthe state, the new object must not exist in the current state.The semantics of the action create as ob j = new C j () isdefined as follows:∃o ∉ s(C j ).(ob j = o) ∧ s ′ (C j ) = s(c j ) ∪ {ob}∧Link(s ′ , ob i ) = Link(s, ob i ) ∪ {ob j }✁ob i ∈ s(C i )✄false5.3 Dynamic semantics of sequence diagramThe dynamic semantics of a sequence diagram can bedefined as the sequence composition of the first layermessages in its corresponding ordered structure tree discussedin Section 3. For example, the message sequence< msg 1 , msg 2 , · · · , msg n > is the first layer messagesfrom left to right of a sequence diagram SD. The semanticsof SD can be defined as follows.S d [[SD]] def=c 1 ; S d [[msg 1 ]]; c 2 ; S d [[msg 2 ]]; · · · ; S d [[msg n ]]; c n+1where c 1 , c 2 , · · · , c n and c n+1 are small pieces of programor skip defined in the method, which are defined in softwareimplementation phase. If a group of neighbor messages arein choice or iterative relations rather than in sequence relation,we can handle the semantics similarly as the dynamicsemantics definition of above message.For a composite message msg i with a sequence message< msg i.1 , msg i.2 , · · · , msg i.m > at the layer below, its semanticscan be roughly defined as follows because someexecution information of the method is not provided in thesequence diagram.S d [[msg i ]] def=c 1 ; S d [[msg i.1 ]]; · · · ; c m ; S d [msg i.m ]]; c m+1However, a sequence diagram is generally invoked by anactor of the system [10]. In this case, the semantics can7

e simply defined as follows since there are not pieces programsbetween two system method calls.S d [[SD]] def= S d [[msg 1 ]]; S d [[msg 2 ]; · · · ; S d [[msg n ]]For example, the dynamic semantics of the sequence diagramin Figure 1 can be defined as follows.S d [[SD]] def= S d [[: Client.getName()] ;S d [[: Client.listCampaign()]] ;S d [[: Campaign.checkCampaignBudget()]]where the two messages : Client.listCampaing and :Campaign.checkCampaignBudget() must be executedas the following defined execution traces.S d [[: Client.listCampaign()]] = c 1 ;true ∗ S d [: Compaign.getCampaignDetails()]]; c 2S d [[: Campaign.checkCampaignBudget()]] =c 3 ; true ∗ S d [[: Advert.getCost()]]; c 4 ;S d [[: Campaign.getOverheads()]]; c 56 Conclusion and Future Work6.1 ConclusionThe most informal parts of UML are the descriptions ofuse cases and the links between different UML diagrams.Reports on teaching and using UML for software developmentshow that the majority of inconsistencies are causedby the lack of a precise understanding of these issues 1 . Forexample, a report at the UML 2003 Workshop on Consistencyof UML shows that more than 80 percent of studentson a project making mistakes in drawing sequence diagramswhich contain message passing between unlinked objects.This paper, together with our work presented in [12, 11],address exactly these issues. We define the semantics ofa sequence diagram in the context of a class diagram thatis also formalized. The formalization is based on a classiccomputational model of transition systems that are equivalentto UML state diagrams.1 The Second author attended the UML 2003 Workshop on Consistencyof UML. There were three talks of this kind.6.2 Related workRelated work There is now a large amount of work onformalization of UML, e.g. [14, 2, 3, 15]. It is not easyto give a full account of comparison. However, there aremainly two kind of publications. The first is the so calledtransformational approach in which certain UML diagramsare translated to an existing formalism, such as Z, B, VDM,CSP, Petri-Nets, etc. The advantage of this approach is thatthe tools exist for the well established for reasoning after thetranslation. The other approach is to directly provide formalsemantic models for the UML models and then provide thecombination of the different models for consistency checking.Our work belongs to the later. We believe that our workfocus on the most informal aspects of UML that are thoserelated to formalization of use cases [12] and the sematiccombination of different UML models. We want to ensurethat a conceptual class diagram is constructed to support therealization of a certain family of use cases, and a family ofinteraction diagrams is to describe of the interactions amongobjects of a class diagram, and a state diagram is only definedin the context of a class diagram. Also, our approachwill faithfully preserve the multi-view with multi-notationin UML, that we believe to be its most important advantagecompared to a single notational modelling framework suchas CSP, Z, VDM, etc., each of which is very natural whendealing with certain aspects of a system, but may not be thatnice for other aspects.Our work is not in the area of design algorithms forautomatic checking of consistency of UML models or foridentifying inconsistencies of UML models, e.g. [4], or developmentof tools for tool for consistency management inUML-based development, such as [6]. However, the semanticsprovided in this paper supports formal verificationof the correctness of such algorithms, and the developmentof such a tool.6.3 Future workIn this paper, we have not considered concurrent executionin the sequence diagram. That means the message passingis synchronous rather than asynchronous. For the asynchronousmessage passing in sequence diagram, the correspondingsemantics can be similarly defined as a concurrentprocesses of CSP. Meanwhile we can also add the timingconstraint mechanism into the sequence diagram. Thiswill be part of our future work. Future work also includesthe formal link between a UML model of requirements thatconsists of a conceptual class diagram and a use-case model[12] and a UML model of design is define in this paper thatconsists of a class diagram and a family of sequence diagrams.8

Acknowledgement: Many thanks to the referees’ valuablecomments on this paper.References[1] N. Aguirre and T. Maibaum. A temporal logic approach tocomponent-based system specification and verification. InProc. ICSE’02, 2002.[2] S. Bennett, S. McRobb, and R. Farmer. Object-OrientedSystems Analysis and Design using UML. Mc-Graw Hill,2000.[3] S. Bennett, J. Skelton, and K. Lunn. Schaum’s Outline ofUML. Mc-Graw Hill, 2001.[4] B.Litvak, S. Tyszberowicz, and A. Yehudai. Behaviouralconsistent validation of uml diagrams. In Proc. 1st IEEEInternational Conference on Software Engineering and FormalMethods (SEFM), pages 118–125. IEEE Computer Society,2003.[5] G. Booch, J. Rumbaugh, and I. Jacobson. The Unified ModellingLanguage User Guide. Addison-Wesley, 1999.[6] R. H. G. Engels and J. Kuster. The consistency workbench: atool for consistency management in uml-base development.In J. W. P. Stevens and G.Booch, editors, The Proceedings ofUML 2003 in LNCS 2865, pages 356–359. Springer-Verlag,October 2003.[7] J. He, Z. Liu, and X. Li. Towards a refinement calculus forobject-oriented systems. In Proc. ICCI02, Alberta, Canada.IEEE Computer Scociety, 2002.[8] J. He, Z. Liu, and X. Li. Modeling object-oriented programmingwith reference type and dynamic binding. TechnicalReport UNU/IIST Report No 279, UNU/IIST, P.O. Box3058, Macau, May 2003.[9] C. Hoare and J. He. Unifying theories of programming.Prentice-Hall International, 1998.[10] C. Larman. Applying UML and Patterns. Prentice-Hall International,2001.[11] Z. Liu, J. He, X. Li, and Y. Chen. A relational model for formalobject-oriented requirement analysis in uml. In J. Dongand J. Woodcock, editors, Formal Methods and SoftwareEngineering, 5th International Conference on Formal EngineeringMethods(ICFEM2003), in LNCS 2885, pages 640–664, Singapore.[12] Z. Liu, X. Li, and J. He. Using transition systems to unifyuml models. In C. George, editor, The Proceedings of 4thInternational Conference on Formal Engineering Methods(ICFEM2002), in LNCS 2495, pages 535–547, Shanghai,China, October 2002. Springer-Verlag.[13] Z. Mana and A. Pnueli. The temporal framework for concurrentprograms. In R. Boyer and J. Moore, editors, TheCorrectness Problem in Computer Science, pages 215–274.Academic Press, 1981.[14] R. Paige, J. Ostroff, and P. Brooke. Checking the consistencyof collaboration and class diagram using pvs. In Procof Fourth Workshop on Rigorous Object-Oriented Methods(ROOM4),London, England. British Computer Society,2002.[15] A. Tsiolakis. Integrating model information in uml sequencediagrams. In Electronic Notes in Theoretical Computer Science.9