A dependability profile within MARTE

The importance of assessing software non-functional properties (NFP) beside the functional ones is well accepted in the software engineering community. In particular, dependability is a NFP that should be assessed early in the software life-cycle by evaluating the system behaviour under different fault assumptions. Dependability-specific modeling and analysis techniques include for example Failure Mode and Effect Analysis for qualitative evaluation, stochastic Petri nets for quantitative evaluation, and fault trees for both forms of evaluation. Unified Modeling Language (UML) may be specialized for different domains by using the profile mechanism. For example, the MARTE profile extends UML with concepts for modeling and quantitative analysis of real-time and embedded systems (more specifically, for schedulability and performance analysis). This paper proposes to add to MARTE a profile for dependability analysis and modeling (DAM). A case study of an intrusion-tolerant message service will offer insight on how the MARTE-DAM profile can be used to derive a stochastic Petri net model for performance and dependability assessment.     

Generating heterogeneous executable specifications in SystemC from UML/MARTE models

Modeling and analysis of real-time embedded system is becoming an important area of research nowadays. In this context, the UML/MARTE profile has been introduced to support the specification, design, and verification stages in the development process. It provides a wide set of facilities to capture the information required in the refinement steps throughout the design flow. To carry out the actions involved in these design steps, MARTE-based tools and methodologies are required. This paper presents a methodology to automatically generate SystemC heterogeneous executable specifications from generic MARTE models. To generate these specifications, the information included in the MARTE models is extracted to discover the system structure and hierarchy. A subset of the concurrency and communication features of the MARTE profile is used for this purpose. Then, automatic generation of the executable specification is possible. The code implementing the corresponding behavior can be easily integrated into the executable model. This design methodology proposes a refinement flow in order to perform the design steps before deciding the final system implementation.     

Clock constraint specification language: specifying clock constraints with UML/MARTE

The Object Management Group (OMG) unified modeling language (UML) profile for modeling and analysis of real-time and embedded systems (MARTE) aims at using the general-purpose modeling language UML in the domain of real-time and embedded (RTE) systems. To achieve this goal, it is absolutely required to introduce inside the mainly untimed UML an unambiguous time structure which MARTE model elements can rely on to build precise models amenable to formal analysis. The MARTE Time model has defined such a structure. We have also defined a non-normative concrete syntax called the clock constraint specification language (CCSL) to demonstrate what can be done based on this structure. This paper gives a brief overview of this syntax and its formal semantics, and shows how existing UML model elements can be used to apply this syntax in a graphical way and benefit from the semantics.     

Development of the open system for the automation of scientific research in image understanding Black Square, Version 1.2

The automated software system Black Square, Version 1.2 is described. The system is intended for the automation of image processing, analysis, and recognition. It is an open system for generating new knowledge: objects, algorithms of image processing, recognition procedures originally not intended for image processing, and methods for solving applied problems. The system combines the features of information retrieval, reference, training, and computing systems. This work was partially supported by the Russian Foundation for Basic Research, project nos. 04-07-90187 and 05-07-08000; by the INTAS grant no. 04-77-7067; by the Cooperative grant “Image Analysis and Synthesis: Theoretical Foundations and Prototypical Applications in Medical Imaging” within agreement between Italian National Research Council and Russian Academy of Sciences (RAS); by the RAS Program “Fundamental Science to Medicine”; and by the Program of Scientific Research of the Presidium of RAS “Mathematical Modeling and Intellectual Systems.”     

The meaning of multiplicity of n-ary associations in UML

The concept of multiplicity in UML derives from that of cardinality in entity-relationship modeling techniques. The UML documentation defines this concept but at the same time acknowledges some lack of obviousness in the specification of multiplicities for n-ary associations. This paper shows an ambiguity in the definition given by UML documentation and proposes a clarification to this definition, as well as the use of outer and inner multiplicities as a simple extension to the current notation to represent other multiplicity constraints, such as participation constraints, that are equally valuable in understanding n-ary associations. Initial submission: 16 January 2002 / Revised submission: 17 October 2002 Published online: 2 December 2002 RID="*" ID="*"A previous shorter version of this paper was presented under the title “Semantics of the Minimum Multiplicity in Ternary Associations in UML” at The 4th International Conference on the Unified Modeling Language-UML’2001, October 1–5 2001, Toronto, Ontario, Canada, Springer Verlag, LNCS 2185, pp. 329–341.     

基于MARTE模型的系统可靠性预测

系统的可靠性是系统的重要非功能属性之一。传统的可靠性分析在系统开发结束后进行,可能会发现由于系统开发早期的架构设计不合理而导致的问题,这时再修改系统架构并重做后继开发步骤,将会浪费大量人力和物力。如果能在开发的早期阶段,在系统模型层面进行分析并预测,则可以尽早地发现系统可靠性方面的问题并将其修复。UML是一种通用的、标准化的建模语言,MARTE是UML在嵌入式实时系统领域的扩展。提出了基于MARTE模型的系统可靠性预测方法,该方法考虑的MARTE模型包括用例图、活动图、部署图。先将MARTE模型转换为马尔可夫决策过程网络模型,再利用概率模型检测工具PRISM进行分析,得到系统可靠性的预测结果。实例研究表明,所提方法不仅能够预测系统可靠性的最大值和最小值,还能通过调整各个资源的可靠性值,考察其对系统可靠性的影响,为设计人员的进一步工作提供参考。     

Improving the accuracy of UML metamodel extensions by introducing induced associations

In the process of extending the UML metamodel for a specific domain, the metamodel specifier introduces frequently some metaassociations at MOF level M2 with the aim that they induce some specific associations at MOF level M1. For instance, if a metamodel for software process modelling states that a “Role” is responsible for an “Artifact”, we can interpret that its specifier intended to model two aspects: (1) the implications of this metaassociation at level M1 (e.g., the specific instance of Role “TestEngineer” is responsible for the specific instance of Artifact “TestPlans”); and (2) the implications of this metaassociation at level M0 (e.g., “John Doe” is the responsible test engineer for elaborating the test plans for the package “Foo”). Unfortunately, the second aspect is often not enforced by the metamodel and, as a result, the models which are defined as its instances may not incorporate it. This problem, consequence of the so-called “shallow instantiation” in Atkinson and Kühne (Procs. UML’01, LNCS 2185, Springer, 2001), prevents these models from being accurate enough in the sense that they do not express all the information intended by the metamodel specifier and consequently do not distinguish metaassociations that induce associations at M1 from those that do not. In this article we introduce the concept of induced association that may come up when an extension of the UML metamodel is developed. The implications that this concept has both in the extended metamodel and in its instances are discussed. We also present a methodology to enforce that M1 models incorporate the associations induced by the metamodel which they are instances from. Next, as an example of application we present a quality metamodel for software artifacts which makes intensive use of induced associations. Finally, we introduce a software tool to assist the development of quality models as correct instantiations of the metamodel, assuring the proper application of the induced associations as required by the metamodel.     

Transformation challenges: from software models to performance models

A software model can be analysed for non-functional requirements by extending it with suitable annotations and transforming it into analysis models for the corresponding non-functional properties. For quantitative performance evaluation, suitable annotations are standardized in the “UML Profile for Modeling and Analysis of Real-Time Embedded systems” (MARTE) and its predecessor, the “UML Profile for Schedulability, Performance and Time”. A range of different performance model types (such as queueing networks, Petri nets, stochastic process algebra) may be used for analysis. In this work, an intermediate “Core Scenario Model” (CSM) is used in the transformation from the source software model to the target performance model. CSM focuses on how the system behaviour uses the system resources. The semantic gap between the software model and the performance model must be bridged by (1) information supplied in the performance annotations, (2) in interpretation of the global behaviour expressed in the CSM and (3) in the process of constructing the performance model. Flexibility is required for specifying sets of alternative cases, for choosing where this bridging information is supplied, and for overriding values. It is also essential to be able to trace the source of values used in a particular performance estimate. The performance model in turn can be used to verify responsiveness and scalability of a software system, to discover architectural limitations at an early stage of development, and to develop efficient performance tests. This paper describes how the semantic gap between software models in UML+MARTE and performance models (based on queueing or Petri nets) can be bridged using transformations based on CSMs, and how the transformation challenges are addressed.     

The HybridUML profile for UML 2.0

In this article, a new UML extension for the specification of hybrid systems, where observables may consist of both discrete and time-continuous parameters, is presented. Whereas hybrid modeling constructs are not available in standard UML, several specification formalisms for this type of system have been elaborated and discussed, among them the CHARON language of Alur et al. which possesses already several attractive features for modeling embedded real-time systems with hybrid characteristics. Adopting this as a basis, the profile inherits formal semantics based on CHARON, so it offers the possibility for formal reasoning about hybrid UML specifications. Conversely, the CHARON framework is associated with a new syntactic representation within the UML 2.0 world, allowing to develop hybrid specifications with arbitrary CASE tools supporting UML 2.0 and its profiling mechanism. The “look-and-feel” of the profile is illustrated by means of a case study of an embedded system controlling the cabin illumination in an aircraft. The benefits and weaknesses of the constructed hybrid UML profile are discussed, resulting in feed-back for the improvement of both UML 2.0 and the CHARON formalism. The work presented in this article has been investigated by the authors in the context of the HYBRIS (Efficient Specification of Hybrid Systems) project supported by the Deutsche Forschungsgemeinschaft DFG as part of the priority programme on Software Specification - Integration of Software Specification Techniques for Applications in Engineering.     

Performance analysis of aspect-oriented UML models

Aspect-Oriented Modeling (AOM) techniques allow software designers to isolate and address separately solutions for crosscutting concerns (such as security, reliability, new functional features, etc.). Current AOM research is concerned not only with the separate expression of concerns and their composition into a complete system model, but also with the analysis of different properties of such models. This paper proposes an approach for analyzing the performance effects of a given aspect on the overall system performance, after the composition of the aspect model with the system’s primary model. Performance analysis of UML models is enabled by the “UML Performance Profile for Schedulability, Performance and Time” (SPT) standardized by OMG, which defines a set of quantitative performance annotations to be added to a UML model. The first step of the proposed approach is to add performance annotations to both the primary and the aspect models. An aspect model is generic at first, and therefore its performance annotations must be parameterized. A generic model is converted into a context-specific aspect model with concrete values assigned to its performance annotations. The latter is composed with the primary model, generating a complete annotated UML model. The composition is performed in both structural and behavioural views. A novel approach for composing activity diagrams based on graph-rewriting concepts is proposed in the paper. The next step is to transform automatically the composed model into a Layered Queueing Network (LQN) performance model, by using techniques developed in previous work. The proposed approach is illustrated with a case study system, whose primary model is enhanced with some security features by using AOM. The performance effects of the security aspect under consideration are analyzed in two design alternatives, by solving and analyzing the LQN model of the composed system.     

Repetitive model refactoring strategy for the design space exploration of intensive signal processing applications

The efficient design of computation intensive multidimensional signal processing applications requires dealing with three kinds of constraints: those implied by the data dependencies, the non-functional requirements (real-time, power consumption) and resources availability of the execution platform. Modeling and Analysis of Real-time and Embedded systems (MARTE) UML profile through its repetitive structure modeling (RSM) package is well suited to model the inherent parallelism within these applications, a compact representation of parallel execution platforms and the distributive mapping of one on another. The execution of such a specification respects the whole set of constraints defined upon, while the quality of the scheduling is directly linked to the quality of the mapping of the multidimensional structures (data arrays or parallel loop nests) into time and space. We propose here a strategy to use a refactoring tool dedicated to this kind of application that allows to find good trade-offs in the usage of storage and computation resources and in parallelism (both task and data parallelism) exploitation. This strategy is illustrated on an industrial radar application.     

Timing consistency checking for UML/MARTE behavioral models

UML/MARTE model-driven development approaches are gaining attention in developing real-time embedded software (RTES). UML behavioral models with MARTE annotations are used to describe timing behaviors and timing characteristics of RTES. Particularly, state machine, sequence, and timing diagrams with MARTE annotations are appropriate to understand and analyze timing behaviors of RTES. However, to guarantee software correctness and safety, timing inconsistencies in UML/MARTE should be identified in the design phase of RTES. UML/MARTE timing inconsistencies are related to modeling errors and can be hazards throughout the lifecycle of RTES. We propose a systematic approach to check timing consistency of state machine, sequence, and timing diagrams with MARTE annotations for RTES. First, we present how state machine, sequence, and timing diagrams with MARTE annotations specify the behaviors of RTES. To overcome informal semantics of UML/MARTE models, we provide formal definitions of state machine, sequence, and timing diagrams with MARTE annotations. Second, we present the timing consistency checking approach that consists of a rule-based and a model checking-based timing consistency checking. In the rule-based timing consistency checking, we validate well formedness of UML/MARTE behavioral models in timing aspects. In the model checking-based timing consistency checking, we verify whether timing behaviors of sequence and timing diagrams with MARTE annotations are consistent with the timing behaviors of state machine diagrams with MARTE annotations. We support an automated timing consistency checking tool UML/MARTE timing Consistency Analyzer for a seamless approach. We demonstrate the effectiveness and the practicality of the proposed approach by two case studies using cruise control system software and guidance and control unit software.     

Successfully detecting and correcting false friends using channel profiles

The detection and correction of false friends—also called real-word errors—is a notoriously difficult problem. On realistic data, the break-even point for automatic correction so far could not be reached: the number of additional infelicitous corrections outnumbered the useful corrections. We present a new approach where we first compute a profile of the error channel for the given text. During the correction process, the profile (1) helps to restrict attention to a small set of “suspicious” lexical tokens of the input text where it is “plausible” to assume that the token represents a false friend. In this way, recognition of false friends is improved. Furthermore, the profile (2) helps to isolate the “most promising” correction suggestion for “suspicious” tokens. Using a conventional word trigram statistics for disambiguation we obtain a correction method that can be successfully applied to unrestricted text. In experiments for OCR documents, we show significant accuracy gains by fully automatic correction of false friends.     

Special section on testing and security of Web systems

This special section is devoted to a selection of papers that have been originally published in the Proceedings of the International Workshop on Web Quality, Verification and Validation (WQVV) held in Como, Italy, in July 2007. The workshop was part of the Seventh International Conference on Web Engineering (ICWE 2007). These papers investigate different issues of two fundamental “aspects” of quality and dependability of modern Web systems: testing and security. The main contribution of this special section consists in trying to bring the gap between research and “industrial” practice in Web systems. The use of new technologies, tools and methodologies is increasing in the Web and it makes the systems more and more interactive and responsive than in the past. Therefore, limits and problems related to specific aspects of systems quality and dependability are investigated, and new approaches and ideas are proposed to overcome such limitations.     

The COMPLEX methodology for UML/MARTE Modeling and design space exploration of embedded systems

The design of embedded systems is being challenged by their growing complexity and tight performance requirements. This paper presents the COMPLEX UML/MARTE Design Space Exploration methodology, an approach based on a novel combination of Model Driven Engineering (MDE), Electronic System Level (ESL) and design exploration technologies. The proposed framework enables capturing the set of possible design solutions, that is, the design space, in an abstract, standard and graphical way by relying on UML and the standard MARTE profile. From that UML/MARTE based model, the automated generation framework proposed produces an executable, configurable and fast performance model which includes functional code of the application components. This generated model integrates an XML-based interface for communication with the tool which steers the exploration. This way, the DSE loop iterations are efficiently performed, without user intervention, avoiding slow manual editions, or regeneration of the performance model. The novel DSE suited modelling features of the methodology are shown in detail. The paper also presents the performance model generation framework, including the enhancements with regard the previous simulation and estimation technology, and the exploration technology. The paper uses an EFR vocoder system example for showing the methodology and for demonstrative results.     

Towards a “Synchronous Reactive” UML profile?

The domain of Real-Time Embedded (RTE) systems was ackowledged as being largely influential on many feature additions to the recent UML2.0 standard [Björkander, M., FDL'03 Keynote address, 2003]. Work on UML1.4 Scheduling, Performance &; Time (SPT) profile also goes in that direction. Still, the paradigms underlying these modeling efforts are that of software components, running on a real-time OSs with physical time constraints and middleware (e.g., RT-Corba) concerns. In other areas of Embedded System Design other paradigms are at work, owing to codesign techniques at the border between software and hardware, or discrete time mathematical engineering (MATLAB/Simulink) and digital signal processing algorithms, etc. The paradigm of Synchronous Reactive (S/R) systems [Benveniste, A., Berry, G.: The synchronous approach to reactive and real-time systems. Proc. IEEE 79(9), 1270–1282 (1991); Benveniste, A., Caspi, P., Edwards, S., Halbwachs, N., Guernic, P.L., de Simone, R.: Synchronous languages twelve years later. Proc. IEEE 91(1), 64–83 (2003)], with discrete logical time and behavior decomposition into instantaneous reactions, proved quite natural in such areas to model mixed hardware/software System-Level Design (SLD). We describe here some of the modeling paradigms needed for a true S/R model framework, and corresponding diagrammatic interpretations. The synchronous reactive domain described here should be dealt with and included in the forthcoming UML profile for “Modeling and Analysis of Real-Time and Embedded systems” (MARTE), whose request for proposal was recently voted at OMG.     

Using UML/MARTE to support performance tuning and stress testing in real-time systems

Real-time embedded systems (RTESs) operating in safety-critical domains have to satisfy strict performance requirements in terms of task deadlines, response time, and CPU usage. Two of the main factors affecting the satisfaction of these requirements are the configuration parameters regulating how the system interacts with hardware devices, and the external events triggering the system tasks. In particular, it is necessary to carefully tune the parameters in order to ensure a satisfactory trade-off between responsiveness and usage of computational resources, and also to stress test the system with worst-case inputs likely to violate the requirements. Performance tuning and stress testing are usually manual, time-consuming, and error-prone processes, because the system parameters and input values range in a large domain, and their impact over performance is hard to predict without executing the system. In this paper, we provide an approach, based on UML/MARTE, to support the generation of system configurations predicted to achieve a satisfactory trade-off between response time and CPU usage, and stress test cases that push the system tasks to violate their deadlines. First, we devise a conceptual model that specifies the abstractions required for analyzing task deadlines, response time, and CPU usage, and provide a mapping between these abstractions and UML/MARTE. Then, we prune the UML/MARTE metamodel to only contain a purpose-specific subset of entities needed to support performance tuning and stress testing. The pruned version is a supertype of UML/MARTE, which ensures that all instances of the pruned metamodel are also instances of UML/MARTE. Finally, we cast the generation of configurations and stress test cases as two constrained optimization problems (COPs) over our conceptual model. The input data for these COPs in automatically generated via a model-to-text (M2T) transformation from models specified in the pruned UML/MARTE metamodel to the Optimization Programming Language. We validate our approach in a safety-critical RTES from the maritime and energy domain, showing that (1) our conceptual model can be applied in an industrial setting with reasonable effort, and (2) the optimization problems effectively identify configurations predicted to minimize response time and CPU usage, and stress test cases that maximize deadline misses. Based on our experience, we highlight challenges and potential issues to be aware of when using UML/MARTE to support performance tuning and stress testing in an industrial context.