Sylvan: multi-core framework for decision diagrams

Decision diagrams, such as binary decision diagrams, multi-terminal binary decision diagrams and multi-valued decision diagrams, play an important role in various fields. They are especially useful to represent the characteristic function of sets of states and transitions in symbolic model checking. Most implementations of decision diagrams do not parallelize the decision diagram operations. As performance gains in the current era now mostly come from parallel processing, an ongoing challenge is to develop datastructures and algorithms for modern multi-core architectures. The decision diagram package Sylvan provides a contribution by implementing parallelized decision diagram operations and thus allowing sequential algorithms that use decision diagrams to exploit the power of multi-core machines. This paper discusses the design and implementation of Sylvan, especially an improvement to the lock-free unique table that uses bit arrays, the concurrent operation cache and the implementation of parallel garbage collection. We extend Sylvan with multi-terminal binary decision diagrams for integers, real numbers and rational numbers. This extension also allows for custom MTBDD leaves and operations and we provide an example implementation of GMP rational numbers. Furthermore, we show how the provided framework can be integrated in existing tools to provide out-of-the-box parallel BDD algorithms, as well as support for the parallelization of higher-level algorithms. As a case study, we parallelize on-the-fly symbolic reachability in the model checking toolset LTSmin. We experimentally demonstrate that the parallelization of symbolic model checking for explicit-state modeling languages, as supported by LTSmin, scales well. We also show that improvements in the design of the unique table result in faster execution of on-the-fly symbolic reachability.     

Defining and validating metrics for assessing the understandability of entity–relationship diagrams

Database and data model evolution cause significant problems in the highly dynamic business environment that we experience these days. To support the rapidly changing data requirements of agile companies, conceptual data models, which constitute the foundation of database design, should be sufficiently flexible to be able to incorporate changes easily and smoothly. In order to understand what factors drive the maintainability of conceptual data models and to improve conceptual modelling processes, we need to be able to assess conceptual data model properties and qualities in an objective and cost-efficient manner. The scarcity of early available and thoroughly validated maintainability measurement instruments motivated us to define a set of metrics for Entity–Relationship (ER) diagrams. In this paper we show that these easily calculated and objective metrics, measuring structural properties of ER diagrams, can be used as indicators of the understandability of the diagrams. Understandability is a key factor in determining maintainability as model modifications must be preceded by a thorough understanding of the model. The validation of the metrics as early understandability indicators opens up the way for an in-depth study of how structural properties determine conceptual data model understandability. It also allows building maintenance-related prediction models that can be used in conceptual data modelling practice.     

Shimba—an environment for reverse engineering Java software systems

Shimba is a reverse engineering environment to support the understanding of Java software systems. Shimba integrates the Rigi and SCED tools to analyze and visualize the static and dynamic aspects of a subject system. The static software artifacts and their dependencies are extracted from Java byte code and viewed as directed graphs using the Rigi reverse engineering environment. The run‐time information is generated by running the target software under a customized SDK debugger. The generated information is viewed as sequence diagrams using the SCED tool. In SCED, statechart diagrams can be synthesized automatically from sequence diagrams, allowing the user to investigate the overall run‐time behavior of objects in the target system. Shimba provides facilities to manage the different diagrams and to trace artifacts and relations across views. In Shimba, SCED sequence diagrams are used to slice the static dependency graphs produced by Rigi. In turn, Rigi graphs are used to guide the generation of SCED sequence diagrams and to raise their level of abstraction. We show how the information exchange among the views enables goal‐driven reverse engineering tasks and aids the overall understanding of the target software system. The FUJABA software system serves as a case study to illustrate and validate the Shimba reverse engineering environment. Copyright © 2001 John Wiley & Sons, Ltd.     

Semantic Translation of Simulink Diagrams to Input/Output Extended Finite Automata

We develop a semantic translation approach for Simulink diagrams. Simulink is a graphical tool for representing and simulating dynamical systems. We propose a recursive approach for translating a class of Simulink diagrams to input/output-extended finite automata (I/O-EFA). An I/O-EFA model of a Simulink diagram can be used for further analysis such as test generation and formal verification. We show that the translation approach is sound and complete: The input-state-output behavior of an I/O-EFA model, as defined in terms of a step-trajectory, preserves the input-state-output behavior of the corresponding Simulink diagram at each sample time (assuming the same integration method for any of the continuous blocks with dynamics).     

一种基于故障扩展SysML活动图的安全性验证框架研究

随着嵌入式系统在能源、交通等安全关键领域的广泛应用,针对嵌入式软件的安全性分析与验证方法一直是学术界和工业界的研究热点之一。使用扩展了故障树语义信息的SysML活动图来统一系统的功能模型与安全需求分析模型,并在保留故障树和SysML活动图两种模型语义描述的基础上,提出了一种基于故障扩展SysML活动图的安全性验证框架,包括:首先利用故障树最小割集提取故障信息并给出故障树逻辑门的转换规则;然后给出故障扩展SysML活动图的构建步骤;最后使用Promela对故障扩展SysML活动图进行建模,并使用模型检测工具SPIN对其进行分析验证。通过一个燃气灶控制系统验证了此方法的有效性。     

Numeric semantics of class diagrams with multiplicity and uniqueness constraints

We translate class diagrams with multiplicity constraints and uniqueness attributes to inequalities over non-negative integers. Based on this numeric semantics we check the satisfiability and consistency of class diagrams and compute minimal models. We show that this approach is efficient and provides succinct user feedback in the case of errors. In an experimental section we demonstrate that general off-the-shelf solvers for integer linear programming perform as well on real-world and synthetic benchmarks as specialised algorithms do, facilitating the extension of the formal model by further numeric constraints like cost functions. Our results are embedded in a research programme on reasoning about class diagrams and are motivated by applications in configuration management. Compared to other (for instance logic-based) approaches our aim is to hide the complexity of formal methods behind familiar user interfaces like class diagrams and to concentrate on problems that can be solved efficiently in order to be able to provide immediate feedback to users.     

A formal framework for modeling and validating Simulink diagrams

Simulink has been widely used in industry to model and simulate embedded systems. With the increasing usage of embedded systems in real-time safety-critical situations, Simulink becomes deficient to analyze (timing) requirements with high-level assurance. In this article, we apply Timed Interval Calculus (TIC), a real-time specification language, to complement Simulink with TIC formal verification capability. We elaborately construct TIC library functions to model Simulink library blocks which are used to compose Simulink diagrams. Next, Simulink diagrams are automatically transformed into TIC models which preserve functional and timing aspects. Important requirements such as timing bounded liveness can be precisely specified in TIC for whole diagrams or some components. Lastly, validation of TIC models can be rigorously conducted with a high degree of automation using a generic theorem prover. Our framework can enlarge the design space by representing environment properties to open systems, and handle complex diagrams as the analysis of continuous and discrete behavior is supported.     

Automated transformations from UML behavior models to contracts

In model driven architecture （MDA）, system requirements are first captured by UML （unified mod- eling language） use cases with sequence diagrams to describe their intended use and implemented by classes of objected-oriented languages in the subsequent design stages. It is important that the dynamic behavior specified by the sequence diagrams is in full compliance with the implementation classes. This paper proposes an auto- matic approach and tool support for generating class contracts, which define a precondition and a postcondition for each operation of the class. The former serves as a guard to ensure invocations of the operations respect the semantics introduced by the sequence diagrams, and the latter places the system in a legal state to facilitate the succeeding operation calls. The contracts can be easily mapped to code of an object-oriented language such as Java. Thus, the approach helps to bridge the gap between the requirements and design stages of system development process. We use our model transformation tool to first generate a UML protocol state machine from the sequence diagrams, and then derive the contracts for a controller class. The transformations take into account the concurrency and critical constructs of the respective UML diagrams.     

Using the BCD model for risk analysis: An influence diagram based approach

In this paper, we are interested in addressing risk analysis. We propose an influence diagram-based approach that focuses on a Benefit, Cost, Deficit (BCD) model. The BCD model is proposed for studying the intentional deviant behaviors of human operators in a system. In this model, the consequences of human actions are analyzed with respect to three parameters: benefit, cost and deficit. Our approach aims to expand the BCD model by integrating factors, such as those related to the organization of the system in question, that influence human operator actions. In addition, the approach considers multiple criteria that are related, for example, to safety and productivity. To build a model that evaluates the risk induced by human actions in a system and analyzes the impact of the different factors, we use influence diagrams. Influence diagrams are probabilistic graphical models that can deal with uncertainty and with incomplete and imprecise information. Influence diagrams also represent the interdependencies between the different variables of the studied problem. In addition, contrary to Bayesian networks, influence diagrams can rank a set of actions by providing information on which action carries the greatest risk or the most benefits. We applied this approach to a case study of an industrial rotary press, but it can also be used in other problems and sectors.     

Interactive 3D Force‐Directed Edge Bundling

Interactive analysis of 3D relational data is challenging. A common way of representing such data are node‐link diagrams as they support analysts in achieving a mental model of the data. However, naïve 3D depictions of complex graphs tend to be visually cluttered, even more than in a 2D layout. This makes graph exploration and data analysis less efficient. This problem can be addressed by edge bundling. We introduce a 3D cluster‐based edge bundling algorithm that is inspired by the force‐directed edge bundling (FDEB) algorithm [ HvW09b ] and fulfills the requirements to be embedded in an interactive framework for spatial data analysis. It is parallelized and scales with the size of the graph regarding the runtime. Furthermore, it maintains the edge's model and thus supports rendering the graph in different structural styles. We demonstrate this with a graph originating from a simulation of the function of a macaque brain.     

Decision-diagram-based techniques for bounded reachability checking of asynchronous systems

Bounded reachability analysis and bounded model checking are widely believed to perform poorly when using decision diagrams instead of SAT procedures. Recent research suggests this to be untrue with regards to synchronous systems and, in particular, digital circuits. This article shows that the belief is also a myth for asynchronous systems, such as models specified by Petri nets. We propose several Bounded Saturation approaches to compute bounded state spaces using decision diagrams. These approaches are based on the established Saturation algorithm, which benefits from a non-standard search strategy that is very different from breadth-first search, but employ different flavors of decision diagrams: multi-valued decision diagrams, edge-valued decision diagrams, and algebraic decision diagrams. We apply our approaches to studying deadlock as a safety property. Our extensive benchmarking shows that our algorithms often, but not always, compare favorably against two SAT-based approaches that are advocated in the literature. Research supported by the NSF under grants CNS-0501747 and CNS-0501748 and by the EPSRC under grant GR/S86211/01. An extended abstract of this article appeared in the proceedings of the 13th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS), LNCS~4424, pp.~648–663, 2007, Springer.     

Polyline‐sourced Geodesic Voronoi Diagrams on Triangle Meshes

This paper studies the Voronoi diagrams on 2‐manifold meshes based on geodesic metric (a.k.a. geodesic Voronoi diagrams or GVDs), which have polyline generators. We show that our general setting leads to situations more complicated than conventional 2D Euclidean Voronoi diagrams as well as point‐source based GVDs, since a typical bisector contains line segments, hyperbolic segments and parabolic segments. To tackle this challenge, we introduce a new concept, called local Voronoi diagram (LVD), which is a combination of additively weighted Voronoi diagram and line‐segment Voronoi diagram on a mesh triangle. We show that when restricting on a single mesh triangle, the GVD is a subset of the LVD and only two types of mesh triangles can contain GVD edges. Based on these results, we propose an efficient algorithm for constructing the GVD with polyline generators. Our algorithm runs in O(nNlogN) time and takes O(nN) space on an n‐face mesh with m generators, where N = max{m, n}. Computational results on real‐world models demonstrate the efficiency of our algorithm.     

Meta-modelling and graph grammars for multi-paradigm modelling in AToM<Superscript>3</Superscript>

This paper presents the combined use of meta-modelling and graph grammars for the generation of visual modelling tools for simulation formalisms. In meta-modelling, formalisms are described at a meta-level. This information is used by a meta-model processor to generate modelling tools for the described formalisms. We combine meta-modelling with graph grammars to extend the model manipulation capabilities of the generated modelling tools: edit, simulate, transform into another formalism, optimize and generate code. We store all (meta-)models as graphs, and thus, express model manipulations as graph grammars.We present the design and implementation of these concepts in AToM³ (A_To_ol for M_ulti-formalism, M_eta-M_odelling). AToM³ supports modelling of complex systems using different formalisms, all meta-modelled in their own right. Models in different formalisms may be transformed into a single common formalism for further processing. These transformations are specified by graph grammars. Mosterman and Vangheluwe [18] introduced the term multi-paradigm modelling to denote the combination of multiple formalisms, multiple abstraction levels, and meta-modelling. As an example of multi-paradigm modelling we present a meta-model for the Object-Oriented Continuous Simulation Language OOCSMP, in which we combine ideas from UML class diagrams (to express the OOCSMP model structure), Causal Block Diagrams (CBDs), and Statecharts (to specify the methods of the OOCSMP classes). A graph grammar is able to generate OOCSMP code, and then a compiler for this language (C-OOL) generates Java applets for the simulation execution.     

On modelling recursive calls and callbacks with two variants of Unified Modelling Language state diagrams

An important use of the Unified Modelling Language (UML) is modelling synchronous object-oriented software systems. State diagrams are used to model interesting object behaviour, including method invocation. However, almost all previous work formalising state diagrams has assumed asynchronous communication. We show that UML’s “run to completion” semantics leads to anomalous behaviour in the synchronous case, and in particular that it is not possible to model recursive calls, in which an object receives a second synchronous message whilst still in the process of reacting to the first. We propose a solution using state diagrams in two complementary ways.     

Dynamic Meta Modeling with time: Specifying the semantics of multimedia sequence diagrams

The Unified Modeling Langugage (UML) offers different diagram types to model the behavior of software systems. In some domains like embedded real-time systems or multimedia systems, it is necessary to include specifications of time in behavioral models since the correctness of these applications depends on the fulfillment of temporal requirements in addition to functional requirements. UML thus already incorporates language features to model time and temporal constraints. Such model elements must have an equivalent in the semantic domain.We have proposed Dynamic Meta Modeling (DMM), an approach based on graph transformation, as a means for specifying operational semantics of dynamic UML diagrams. In this article, we extend this approach to also account for time by extending the semantic domain to timed graph transformation. This enables us to define the operational semantics of UML diagrams with time specifications. As an example, we provide semantics for special sequence diagrams from the domain of multimedia application modeling.     

Reasoning on temporal class diagrams: Undecidability results

This paper introduces a temporal class diagram language useful to model temporal varying data. The atemporal portion of the language contains the core constructors available in both EER diagrams and UML class diagrams. The temporal part of the language is able to distinguish between temporal and atemporal constructs, and it has the ability to represent dynamic constraints between classes. The language is characterized by a model-theoretic (temporal) semantics. Reasoning services as logical implication and satisfiability are also defined. We show that reasoning on finite models is different from reasoning on unrestricted ones. Then, we prove that reasoning on temporal class diagrams is an undecidable problem on both unrestricted models and on finite ones.     

An experimental comparison of ER and UML class diagrams for data modelling

We present the results of three sets of controlled experiments aimed at analysing whether UML class diagrams are more comprehensible than ER diagrams during data models maintenance. In particular, we considered the support given by the two notations in the comprehension and interpretation of data models, comprehension of the change to perform to meet a change request, and detection of defects contained in a data model. The experiments involved university students with different levels of ability and experience. The results demonstrate that using UML class diagrams subjects achieved better comprehension levels. With regard to the support given by the two notations during maintenance activities the results demonstrate that the two notations give the same support, while in general UML class diagrams provide a better support with respect to ER diagrams during verification activities.