1 Introduction
###### Abstract

Guidelines and consistency rules of UML are used to control the degrees of freedom provided by the language to prevent faults. Guidelines are used in specific domains (e.g., avionics) to recommend the proper use of technologies. Consistency rules are used to deal with inconsistencies in models. However, guidelines and consistency rules use informal restrictions on the uses of languages, which makes checking difficult. In this paper, we consider these problems from a language-theoretic view. We propose the formalism of C-Systems, short for “formal language control systems”. A C-System consists of a controlled grammar and a controlling grammar. Guidelines and consistency rules are formalized as controlling grammars that control the uses of UML, i.e. the derivations using the grammar of UML. This approach can be implemented as a parser, which can automatically verify the rules on a UML user model in XMI format. A comparison to related work shows our contribution: a generic top-down and syntax-based approach that checks language level constraints at compile-time.

A Language-theoretic View on Guidelines and Consistency Rules of UML

## 1 Introduction

The UML (Unified Modeling Language) is a graphic modeling language developed by OMG (Object Management Group), and defined by the specifications [1] and [2]. UML has emerged as the software industry’s dominant modeling language for specifying, designing and documenting the artifacts of systems [3][4].

Evolving descriptions of software artifacts are frequently inconsistent, and tolerating this inconsistency is important [5][6]. Different developers construct and update these descriptions at different times during development [7], thus resulting in inconsistencies. They develop multiple views on a system providing pieces of information which are redundant or complementary. Constraints exist on these pieces of information whose violation leads to inconsistent models. Inconsistency problems of UML models have attracted great attention from both academic and industrial communities [8][9][10]. A list of 635 consistency rules are identified by [11][12].

Guidelines, which also contain a set of rules, are often required on models which are specific to a given context. For instance, OOTiA (Object-Oriented Technology in Aviation) demands that “the length of an inheritance should be less than 6” [13]. This context is domain specific. If these constraints are not respected, the presence of faults is not sure but its risk is high. The context can also be technology specific. For instance, “multiple inheritance should be avoided in safety critical, certified systems” (IL #38 of [13]), if the UML models are implemented by Java code, as this language does not provide the multiple inheritance mechanism.

It seems that consistency rules and guidelines are irrelevant at first glance. However, in fact, they have the same origin from a language-theoretical view. We noticed that both of the two types of potential faults in models come from the degrees of freedom offered by languages. These degrees of freedom cannot be eliminated without reducing the language capabilities [14]. For instance, the multiple diagrams in UML are useful, as they describe various viewpoints on one system, even if they are at the origin of numerous inconsistencies. In the same way, multiple inheritance can be implemented in the C++ language.

To prevent these risks of faults, the use of languages must be controlled. To do it, guidelines are old and popular means in industry. However, their expression is informal and their checking is difficult. For instance, 6 months were needed to check 350 consistency rules on an avionics UML model including 116 class diagrams.

This paper aims at formalizing the acceptable use of languages and proposing a way to check the use correctness, by considering guidelines and consistency rules from a language-theoretical view. To achieve this goal, acceptable uses of a language are defined as a grammar handling the productions of the grammar of the language. To support this idea, UML must be specified by a formal language, or at least a language with precisely defined syntax, e.g., XMI in this paper. Thus, a graphic model can be serialized. This formalism also provides a deeper view on the origin of inconsistencies in models.

This paper is organized as follows. First, we introduce the grammar of UML in XMI in Section 2. Then in Section 3, we define the C-System, i.e. a formalism containing controlling grammars that restrict the use of the grammar of UML. We illustrate the formalism using examples in Section 4. Related work and implementation of this approach are discussed in Sections 5 and 6. Section 7 concludes the paper.

## 2 The Grammar of UML in XMI

XMI (XML Metadata Interchange) [15] is used to facilitate interchanging UML models between different modeling tools in XML format. Many tools implement the conversion, e.g., Altova UModel can export UML models as XMI files.

A UML model in XMI is an XMI-compliant XML document that conforms to its XML schema, and is a derivative of the XMI document productions which is defined as a grammar. The XML schema is a derivative of the XMI schema productions. The XMI specification defines both the XMI schema productions and the XMI document productions in [15].

XMI provides a mapping between a UML user model and an XML document, and a mapping between UML (also MOF) and an XML Schema. XMI generates an XML file using the XMI document productions, and generates an XML schema using the XMI schema productions. Each of the two sets of productions composes a context-free grammar in EBNF [16]. A UML user model can be expressed using an XMI-compliant XML document that conforms to the corresponding XML Schema, and is a derivative of the XMI document grammar.

The grammar and its productions for deriving XMI-compliant XML documents of UML models are defined in [15]. The main part of the grammar is given here after. To make our presentation more concise, we omit declaration and version information of XML files (and the related productions whose names start with “1”).

To make later reasoning easier, we modified some representations of the productions, but without changing the generative power of the grammar.

1. The choice operator “” is used to compose several productions with the same left-hand side into a single line in [15]. We decomposed some of these productions into several productions without the choice operator. An original production having choices might be divided into a set of productions . For example, the original production 2 with three choices was divided into the productions 2_1, 2_2 and 2_3.

2. The closure operator “*” is used to simplify the representation of the grammar in [15], but it also would make the representation of reasoning confusing. Thus, the productions whose names start with “3” were added to replace the productions with closure operators.

The grammar of UML in XMI includes the following productions (each production is labeled by a name starting with a digit):

 3_1:  XMIElements ::= 2:XMIElement
3_2:  XMIElements ::= 2:XMIElement 3:XMIElements

2_1:  XMIElement ::= 2a:XMIObjectElement
2_2:  XMIElement ::= 2b:XMIValueElement
2_3:  XMIElement ::= 2c:XMIReferenceElement

2a_1: XMIObjectElement ::= "<" 2k:QName 2d:XMIAttributes "/>"
2a_2: XMIObjectElement ::= "<" 2k:QName 2d:XMIAttributes ">"
3:XMIElements "</" 2k:QName ">"

2b_1: XMIValueElement ::= "<" xmiName ">" value "</" xmiName ">"
2b_2: XMIValueElement ::= "<" xmiName "nil=‘true’/>"

2c_1: XMIReferenceElement::= "<" xmiName 2l:LinkAttribs "/>"
2c_2: XMIReferenceElement::= "<" xmiName 2g:TypeAttrib

2d_1: XMIAttributes ::= 2g:TypeAttrib  2e:IdentityAttribs
3h:FeatureAttribs
2d_2: XMIAttributes ::= 2e:IdentityAttribs  3h:FeatureAttribs

2e:   IdentityAttribs ::= 2f:IdAttribName "=‘" id "’"

2f_1: IdAttribName ::= "xmi:id"
2f_2: IdAttribName ::= xmiIdAttribName

2g:   TypeAttrib ::= "xmi:type=‘" 2k:QName "’"

3h_1: FeatureAttribs ::= 2h:FeatureAttrib
3h_2: FeatureAttribs ::= 2h:FeatureAttrib  3h:FeatureAttribs

2h_1: FeatureAttrib ::= 2i:XMIValueAttribute
2h_2: FeatureAttrib ::= 2j:XMIReferenceAttribute

2i:   XMIValueAttribute ::= xmiName "=‘" value "’"

2j:   XMIReferenceAttribute ::= xmiName "=‘" (refId | 2n:URIref)+"’"

2k:   QName ::= "uml:" xmiName  |  xmiName

2m:   Link ::= "href=‘" 2n:URIref "’"

2n:   URIref ::= (2k:QName)? uriReference



In the grammar, the symbol “::=” stands for the conventional rewriting symbol “” in formal languages theory [17]. Each nonterminal starts with a capital letter, prefixing a label of the related production, e.g., “2:XMIElement” is a nonterminal with possible productions “2_1, 2_2, 2_3”. Each terminal starts with a lowercase letter or is quoted.

As an example to illustrate the use of the grammar, Figure 2 represents a package Root which includes three classes, where the class FaxMachine is derived from Scanner and Printer. The core part of the exported XMI 2.1 compliant file (using Altova UModel) is as follows:

 <uml:Package xmi:id="U00000001-7510-11d9-86f2-000476a22f44"
name="Root">
<packagedElement xmi:type="uml:Class"
name="Scanner" visibility="public">
<ownedAttribute xmi:type="uml:Property"
xmi:id="U46ec6e01-5510-43a2-80e9-89d9b780a60b"
name="sid" visibility="protected"/>
</packagedElement>
<packagedElement xmi:type="uml:Class"
xmi:id="Ua9bd8252-0742-4b3e-9b4b-07a95f7d242e"
name="Printer" visibility="public">
<ownedAttribute xmi:type="uml:Property"
xmi:id="U2ce0e4c8-88ee-445b-8169-f4c483ab9160"
name="pid" visibility="protected"/>
</packagedElement>
<packagedElement xmi:type="uml:Class"
xmi:id="U6dea1ea0-81d2-4b9c-aab7-a830765169f0"
name="FaxMachine" visibility="public">
<generalization xmi:type="uml:Generalization"
<generalization xmi:type="uml:Generalization"
xmi:id="U86a6818b-f7e7-42d9-a21b-c0e639a4f716"
general="Ua9bd8252-0742-4b3e-9b4b-07a95f7d242e"/>
</packagedElement>
</uml:Package>


This text is a derivative of the XMI document productions, c.f. the previous grammar . We may use the sequence of productions “2a_2, 2k(Package), 2d_2, 2e, 2f_1, 3h_1, 2h_1, 2i” to derive the following sentential form:

 <uml:Package xmi:id="U00000001-7510-11d9-86f2-000476a22f44"
name="Root">
3:XMIElements "</" 2k:QName ">"


Note that the production 2k has a parameter xmiName, i.e. the value of the terminal when apply the production. In a derivation, we specify a value of the parameter as “2k(value)”. For example, “2k(Package)” is a derivation using 2k with xmiName = “Package”. For simplicity, we consider “2k(value)” as a terminal as a whole. We continue to apply productions, and finally derive the XMI file previously presented.

Notice that the model of Fig. 2 (both in UML and XML) does not conform to the guidelines in OOTiA about multiple inheritance, since it uses multi-inheritance. The model of Fig. 2 has an inconsistency: “the number of outgoing edges of is not the same as the number of incoming edges of ”. In particular, joins two edges from the same , This join transition will never be activated, since only one of the two edges will be fired.

We will define a formal model to check the conformance to these rules by controlling the use of the grammar of UML.

## 3 The C-System: A Formal Language Control System

In this section, we propose the formal model for controlling the use of grammars based on classical language theory [17].

Let be a grammar, where is the set of nonterminals, is the set of terminals, is the set of productions of the form where is the name of the production, , , and is the start symbol. A derivation using a specified production is denoted by , and multiple derivations are denoted by .

###### Definition 1

A controlling grammar over a controlled grammar (or simply grammar) is a quadruple , where . The language is called a controlling language.

The symbol is read “control ” or “ hat”. For making reading easier, we assume that . means that the terminals of are exactly the productions of .

If we use an automaton to process the input string, such that , then we can also use a controlling automaton to represent the controlling language.

As we know, each string has at least one leftmost derivation (denoted by “”) using a sequence of productions from , e.g. . The controlling grammar restricts the derivation in the sense that the sequences of applied productions should be in the language it specifies, i.e., . Formally, we have the following definition.

###### Definition 2

Given a grammar , the language of the grammar with a controlling grammar is:

, and

We say that and constitute a C-System , short for formal language control system. The language is called a global system language.

The symbol is called “meta composition”. Its left operand is controlled by the right operand, which is a meta level grammar. If we use automata-based notations, a string if and only if accepts , and accepts the sequence of the labels of the transitions used.

A regular C-System is a C-System of which the controlled grammar is a regular grammar (or is a finite automaton). Some variants of regular C-Systems are proposed for ensuring system safety requirements, e.g. Input/Output C-Systems [18], Interface C-Systems [19][20]. We denote by the family of regular C-Systems.

A context-free C-System is a C-System of which the controlled grammar is a context-free grammar (or is a pushdown automaton). We denote by the family of context-free C-Systems.

Generally, we denote by the family of C-Systems that consist of -type controlled grammar and -type controlling grammar, where . Although could be also other types in Chomsky hierarchy, e.g. context-sensitive, this is beyond the scope of this paper.

Obviously, the set of accepted inputs is a subset of the controlled language, such that the sequence of the applied productions belongs to the controlling language. Consider a simple example as follows.

###### Example 1

Given a regular grammar and a regular controlling grammar :

 G⎧⎨⎩p1:S→aSp2:S→bSp3:S→ϵ    ^G{^S→p1^S|p3^S|p2AA→p2A|p3A|ϵ

accepts the language , e.g., , . accepts the language . The trivial grammar is considered to provide a simple illustration of the introduced principles.

The grammars and constitute a regular C-System .

Given the string , we conclude that , because we have the leftmost derivations , where as . On the contrary, we have . Although we have the leftmost derivation , .

In fact, the language is equivalent to the language , which is the subset of satisfying the constraints: “every should appear before ” and “at least one ”.

We remark here that our model is different from regularly controlled grammars [21][22], in the sense that we restrict derivations to be leftmost and allow context-free controlling grammars. These differences result in different theoretical results, which are beyond the scope of this paper.

## 4 Examples

In this section we use some practical examples to illustrate the idea of the previous section. We denote the grammar of UML by , where is the set of productions listed in Section 2, and each production is labeled by a name starting with a digit.

###### Example 2

Consider two rules on class diagrams:

Rule 1: Each class can have at most one generalization. This rule is a guideline, as we mentioned in Section 1 and at the end of Section 2. This rule is also a consistency rule in the context of Java, since Java does not allow multiple inheritance. However we may derive a class from multiple classes in the context of C++.

Rule 2: Each class can have at most 30 attributes. This rule may be adopted by software authorities as a guideline in avionics, in order to increase the safety of software systems by minimizing the complexity of classes.

Note that these rules cannot be explicitly integrated into the grammar of UML, but only recommended as guidelines or consistency rules. We cannot put rule 1 into the standard of UML, since UML models can be implemented with both C++ and Java programming languages. Rule 2 is a restriction for a specific domain, and we should not require all programmers to use limited attributes by specifying the UML language.

We aim to specify the rules from the meta-language level, thus control the use of the language. Consider the example of Fig. 2, to obtain the associated XMI text, the sequence of applied productions of in the leftmost derivation is as follow (“…” stands for some omitted productions, to save space):

 2a_2, 2k(Package), 2d_2, 2e, 2f_1, 3h_1, 2h_1, 2i,
..., 2k(packagedElement), ..., 2k(Class),
..., 2k(ownedAttribute), ..., 2k(Property),
..., 2k(packagedElement),
..., 2k(packagedElement), ..., 2k(Class),
..., 2k(ownedAttribute), ..., 2k(Property),
..., 2k(packagedElement),
..., 2k(packagedElement), ..., 2k(Class),
..., 2k(generalization), ..., 2k(Generalization),
..., 2k(generalization), ..., 2k(Generalization),
..., 2k(packagedElement),
..., 2k(Package)


Let stand for , respectively. Note that the occurrence of two after the third violates Rule 1. In fact, all the sequences of productions in the pattern “” are not allowed by the rule (there is no between the two ), indicating that the class has two generalizations.

Thus, we propose the following controlling grammar to restrict the use of the language to satisfy Rule 1:

 ^Gc⎧⎪ ⎪ ⎪ ⎪⎨⎪ ⎪ ⎪ ⎪⎩S→c  Qc | D S | DQc→c  Qc | g  Qg | D Qc | DQg→c  Qc | D Qg | DD→{p | p∈P ∧ p∉{c,g}} (1)

where are nonterminals, includes all productions except . accepts the sequences of productions satisfying Rule 1.

Implicitly, the controlling grammar specifies an automaton in Fig. 3, where is an implicit error state (the dashed circle). Strings of the pattern will lead to the error state.

If the sequence of productions applied to derive a model is accepted by the language , then the model conforms to Rule 1. In Fig. 2, the derivation of the class uses the pattern , which leads to of the automaton, thus it violates Rule 1. On the contrary, the derivations of and are accepted by , thus satisfy Rule 1.

Now consider Rule 2. Let stand for , ,
, respectively. Note that the occurrence of more than 30 after a violates Rule 2. In fact, all the sequences of productions in the pattern “” are not allowed by the rule (there is no between any two ), indicating that the class has more than 30 attributes.

To satisfy Rule 2, we propose the following controlling grammar to restrict the use of the language:

 ^Gp⎧⎪ ⎪ ⎪ ⎪ ⎪ ⎪⎨⎪ ⎪ ⎪ ⎪ ⎪ ⎪⎩S→pe  S | c  Qc | D S | DQc→pe S | c  Qc | pr  Q1 | D Qc | DQi→pe S | c  Qc | pr  Qi+1 | D Qi | D  (1≤i<30)Q30→pe  S | c  Qc | D Q30 | DD→{p | p∈P ∧ p∉{c,pr,pe}} (2)

where are nonterminals, includes all productions except . accepts the sequences of productions satisfying Rule 2.

Implicitly, the controlling grammar specifies an automaton in Fig. 4. Strings of the pattern “” will lead to the error state.

If the sequence of productions applied to derive a model is accepted by the language , then the model conforms to Rule 2. In Fig. 2, the derivations of the classes and use the pattern , thus satisfy Rule 2.

Thanks to the controlling grammars, when a model violates required rules, the controlling language will reject the model (an implicit error state will be activated). Some error handling method may be called to process the error, e.g., printing an error message indicating the position and the cause.

We can also use controlling grammar to handle a consistency rule concerning activity diagrams.

###### Example 3

In an activity diagram, the number of outgoing edges of should be the same as the number of incoming edges of its pairwise .

Let stand for , , , , , respectively. We propose the following controlling grammar to restrict the use of the language to satisfy the rule:

 ^Ga⎧⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪⎨⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪⎩S→N  F  I∗  Q  O∗  N | N  I∗  O∗  N | D∗Q→O  Q  I | N  S  N  JN→n  D∗F→f  D∗J→j  D∗I→i  D∗O→o  D∗D→{p | p∈P ∧ p∉{n,f,j,i,o}} (3)

accepts all the sequences of productions of the pattern
, which leads to models respecting the rule. This context-free grammar implicitly specifies a PDA (Pushdown Automaton [17]), which is more complex than the automata in Figures 3 and 4.

Globally, any UML user model derived from the C-System , i.e. , conforms to the rule in Example 3.

As a more concrete instance, we consider the model in Fig. 2. The XMI-compliant document of the model in Fig. 2 is the follows:

 <packagedElement xmi:type="uml:Activity"
xmi:id="U937506ed-af64-44c6-9b4c-e735bb6d8cc6"
name="Activity1" visibility="public">
<node xmi:type="uml:InitialNode" xmi:id="U16aa15e8-0e5d-
4fd1-930a-725073ece9f0">
<outgoing xmi:idref="Ue9366b93-a45b-43f1-a201-2038b0bd0b30"/>
</node>
<node xmi:type="uml:ForkNode" xmi:id="U26768518-a40c-
4713-b35e-c267cc660508" name="ForkNode">
<incoming xmi:idref="Ue9366b93-a45b-43f1-a201-2038b0bd0b30"/>
<outgoing xmi:idref="Ua800ba9b-e167-4a7c-a9a9-80e6a77edeb7"/>
</node>
<node xmi:type="uml:DecisionNode" xmi:id="Uc9e4f0de-8da6-
4c98-9b95-b4cde30ccfc0" name="DecisionNode">
<incoming xmi:idref="Ua800ba9b-e167-4a7c-a9a9-80e6a77edeb7"/>
<outgoing xmi:idref="Ua4a2b313-13d6-4d69-9617-4803560731ef"/>
<outgoing xmi:idref="U6eede33f-98ac-4654-bb17-dbe6aa7e46be"/>
</node>
<node xmi:type="uml:JoinNode" xmi:id="Ud304ce3c-ebe4-
4b06-b75a-fa2321f8a151" name="JoinNode">
<incoming xmi:idref="Ua4a2b313-13d6-4d69-9617-4803560731ef"/>
<incoming xmi:idref="U6eede33f-98ac-4654-bb17-dbe6aa7e46be"/>
</node>
<edge xmi:type="uml:ControlFlow"
xmi:id="Ua4a2b313-13d6-4d69-9617-4803560731ef"
source="Uc9e4f0de-8da6-4c98-9b95-b4cde30ccfc0"
target="Ud304ce3c-ebe4-4b06-b75a-fa2321f8a151">
<guard xmi:type="uml:LiteralString"
xmi:id="U6872f3b3-680c-430e-bdb3-21c0a317d290"
visibility="public" value="x>10"/>
</edge>
<edge xmi:type="uml:ControlFlow"
xmi:id="U6eede33f-98ac-4654-bb17-dbe6aa7e46be"
source="Uc9e4f0de-8da6-4c98-9b95-b4cde30ccfc0"
target="Ud304ce3c-ebe4-4b06-b75a-fa2321f8a151">
<guard xmi:type="uml:LiteralString"
xmi:id="Ub853080d-481c-46ff-9f7c-92a31ac24349"
visibility="public" value="else"/>
</edge>
<edge xmi:type="uml:ControlFlow"
xmi:id="Ua800ba9b-e167-4a7c-a9a9-80e6a77edeb7"
source="U26768518-a40c-4713-b35e-c267cc660508"
target="Uc9e4f0de-8da6-4c98-9b95-b4cde30ccfc0"/>
<edge
xmi:type="uml:ControlFlow"
xmi:id="Ue9366b93-a45b-43f1-a201-2038b0bd0b30"
source="U16aa15e8-0e5d-4fd1-930a-725073ece9f0"
target="U26768518-a40c-4713-b35e-c267cc660508"/>
</packagedElement>


It is easy to detect that the sequence of applied productions
” is not accepted by (one follows , while two follow ), thus there is an inconsistency.

We remark here that there are two preconditions of using the controlling grammar concerning the sequences of the model elements in the XML document: 1. must appear before its pairwise ; 2. edges must appear before edges in a node. The two conditions are trivial, since it is easy to control their positions in the exporting XMI documents in implementing such a transformation.

## 5 Related Work

The most popular technique for verifying software correctness is model checking [23]. In this framework, we have three steps in verifying a system. First, we formalize system behavior as a model (e.g., a transition system, a Kripke model [24]). Second, we specify the properties that we aim at validating using temporal logics. Third, we use a certain checking algorithm to search for a counterexample which is an execution trace violating the specified properties. If the algorithm finds such a counterexample, we have to correct the original design.

Most checking tools use specific semantics of UML diagrams. They have the flavor of model checking, e.g., Egyed’s UML/Analyzer [25][26] and OCL (Object Constraint Language) [27]. At first, developers design UML diagrams as a model. Then, we specify the consistency rules as OCL or similar expressions. Certain algorithms are executed to detect counterexamples that violate the rules [28]. Note that these techniques do not discriminate the rules on the model level and those concerning the language level features.

Unlike these techniques, our framework takes another way of ensuring correctness. It consists of the following steps:

1. Specifying the grammar of a language. It specifies an operational semantics, which defines what a language is able to model. Developing the grammar is mainly performed by language designers.

2. Modeling correctness rules of the use of languages as a controlling grammar . It specifies a correctness semantics, which defines what a language is authorized to derive. This process is the duty of safety engineers whose responsibility is to assure the correct use of the language.

3. The two grammars constitute a consistent language as a whole, that is, any derivations of the global system language is a correct and consistent use of the language.

In particular, our work differs from model checking in the following aspects:

1. Our work has different objectives, and uses different approaches to those of model checking. As we show in Fig. 5, model checking techniques use a bottom-up approach — they verify execution traces at the lower level to prove the correct use of the grammar at the middle level . Whereas our proposal uses a top-down approach — we model correctness rules as acceptable sequences of productions () at the higher level to ensure the correct use of . Then any derivatives (at ) that conform to the C-System are definitely a correct use. So the two techniques are complementary.

2. Our work and model checking express language-level and model-level constraints, respectively. Language-level constraints are more effective, because they implicitly have reusability. That is, we only need to develop one language-level constraint and apply it to all the models in the language. However, using model checking, we need to replicate model-level constraints for each model. Additionally, model checking can process model-specific constraints.

3. Our work and model checking use syntax-based and semantics-based approaches (or static and dynamic analysis), respectively. As a result, our approach is generic and metamodel-independent, and concerns little about semantics. So it can be applied to all MOF-compliant languages, not only to UML. However, model checking techniques depends on the semantics of a language, thus specific algorithms should be developed for different models.

4. Our work and model checking catch errors at compile-time and runtime, respectively. As a result, our approach implements membership checking of context-free languages, which is decidable. That is, it searches in a limited space, which is defined by grammars. Model checking may search in a larger, even infinite space, so we have to limit the space of computing, and introduce the risk of missing solutions.

## 6 Discussion

In this section, we would like to shortly discuss some issues which are beyond the scope of this paper.

The first issue concerns the implementation of controlling grammars. The controlled and controlling grammars can be implemented using two parsers separately. The technique for constructing a parser from a context-free grammar is rather mature [29][30]. Some tools provide automated generation of parsers from a grammar specification, such as Yacc, Bison.

Notice that the inputs of controlling parsers are the sequences of productions applied in the parsing of . So there are communications between the two parsers. Once module uses a production , then the name of the production is sent to as an input. If accepts the sequence of productions and accepts the model, then accepts the model.

The second issue deals with multiple rules. If we have multiple guidelines or consistency rules, each rule is formalized using a grammar. We can develop an automated tool that converts the grammars into automata, and then combine these automata to compute an intersection, i.e., an automaton [17]. The intersection can be used as a controlling automaton, which specifies a controlling language that includes all the semantics of the rules.

The third issue is about the tradeoff between cost and benefits of applying the proposed approach. It seems that writing a controlling grammar is expensive, because it involves formal methods. However, it is probably not the case. As we mentioned, a controlling grammar specify language-level constraints, and can be reused by all the models derived from the controlled grammar. Thus the controlling grammar can be identified and formalized by the organizations who define the language or its authorized usage, e.g., OMG and FAA (Federal Aviation Administration), respectively. Developers and software companies can use the published standard controlling grammar for checking inconsistencies in their models. By contraries, if every user writes their own checking algorithms and codes, e.g., in OCL or other programming languages, the codes will be hard to be reused by other users who have different models to check. Thus the total cost of all the users may be higher. Of course, more empirical results on the tradeoff is a good direction for future work.

## 7 Conclusion

We provided a language-theoretic view on guidelines and consistency rules of UML. We proposed the formalism of C-Systems, short for “formal language control systems”. To the best of our knowledge, none related work proposed similar methodologies. Rules are considered as controlling grammars which control the use of modeling languages. This methodology is generic, syntax-based and metamodel-independent. It provides a top-down approach that checks and reports violations of language level constraints at compile-time. It can be also applied to all MOF-compliant languages, not only to UML, since it does not depend on the specific semantics of languages.

Since we focused on the methodological foundation, one of the future work is to develop an automated checking tool implementing the presented principles. We will also examine instant checking techniques of our method. One feature of UML/Analyzer is instant checking, which only verifies the small portion where the model changes, in order to save the cost of checking [31]. Intuitively, our approach is also easy to be extended to instant checking. We only need to generate the XMI document of the changed part of diagrams (e.g. a class in a class diagram), and verify it. However, this calls for more works in detail.

## References

• [1] OMG: Unified Modeling Language: Infrastructure, version 2.1.1 (07-02-06). Object Management Group (2007)
• [2] OMG: Unified Modeling Language: Superstructure, version 2.1.1 (07-02-05). Object Management Group (2007)
• [3] Medvidovic, N., Rosenblum, D.S., Redmiles, D.F., Robbins, J.E.: Modeling software architectures in the unified modeling language. ACM Trans. Softw. Eng. Methodol. 11(1) (2002) 2–57
• [4] Booch, G., Rumbaugh, J., Jacobson, I.: The Unified Modeling Language User Guide (2nd Edition). Addison-Wesley (2005)
• [5] Balzer, R.: Tolerating inconsistency. In: Proceedings of the 13th International Conference on Software Engineering (ICSE 1991), IEEE Computer Society (1991) 158–165
• [6] Easterbrook, S.M., Chechik, M.: 2nd international workshop on living with inconsistency. In: Proceedings of the 23rd International Conference on Software Engineering (ICSE 2001), IEEE Computer Society (2001) 749–750
• [7] Nuseibeh, B., Easterbrook, S.M., Russo, A.: Leveraging inconsistency in software development. IEEE Computer 33(4) (2000) 24–29
• [8] Kuzniarz, L., Reggio, G., Sourrouille, J.L., Huzar, Z., eds.: Workshop on consistency problems in UML-based software development I, co-located with UML’02. (2002) Available from http://www.ipd.bth.se/consistencyUML/.
• [9] Kuzniarz, L., Huzar, Z., Reggio, G., Sourrouille, J.L., eds.: Workshop on consistency problems in UML-based software development II, co-located with UML’03. (2003) Available from http://www.ipd.bth.se/consistencyUML/.
• [10] Huzar, Z., Kuzniarz, L., Reggio, G., Sourrouille, J.L., eds.: Workshop on consistency problems in UML-based software development III, co-located with UML’04. (2004) Available from http://www.ipd.bth.se/consistencyUML/.
• [11] Vidal, J.P.S., Malgouyres, H., Motet, G.: UML 2.0 Consistency Rules. Available on Internet (2005) URL: http://www.lattis.univ-toulouse.fr/UML/.
• [12] Vidal, J.P.S., Malgouyres, H., Motet, G.: UML 2.0 consistency rules identification. In: Proceedings of the 2005 International Conference on Software Engineering Research and Practice (SERP’05), CSREA Press (2005)
• [13] Federal Aviation Administration: Handbook for Object-Oriented Technology in Aviation (OOTiA), vol. 2.1, Considerations and issues. U.S. Department of Transportation (October 2004)
• [14] Motet, G.: Risks of faults intrinsic to software languages: Trade-off between design performance and application safety. Safety Science (2009)
• [15] OMG: MOF 2.0 / XMI Mapping, version 2.1.1 (07-12-01). Object Management Group (2007)
• [16] ISO/IEC: ISO/IEC 14977:1996(E): Extended BNF. (1996)
• [17] Hopcroft, J.E., Ullman, J.D.: Introduction to Automata Theory, Languages, and Computation. Addison-Wesley (1979)
• [18] Chen, Z., Motet, G.: Modeling system safety requirements using input/output constraint meta-automata. In: Proceedings of the 4th International Conference on Systems (ICONS’09), IEEE Computer Society (2009) 228–233
• [19] Chen, Z., Motet, G.: System safety requirements as control structures. In: Proceedings of the 33rd Annual IEEE International Computer Software and Applications Conference (COMPSAC 2009), IEEE Computer Society (2009)
• [20] Chen, Z., Motet, G.: Formalizing safety requirements using controlling automata. In: Proceedings of the Second International Conference on Dependability (DEPEND’09), IEEE Computer Society (2009)
• [21] Ginsburg, S., Spanier, E.H.: Control sets on grammars. Mathematical Systems Theory 2(2) (1968) 159–177
• [22] Dassow, J., Paun, G., Salomaa, A.: Grammars with controlled derivations. In Rozenberg, G., Salomaa, A., eds.: Handbook of Formal Languages, Springer (1997) 101–154
• [23] Clarke, E.M., Grumberg, O., Peled, D.A.: Model Checking. The MIT Press (2000)
• [24] Huth, M., Ryan, M.: Logic in Computer Science: Modelling and Reasoning about Systems, Second Edition. Cambridge University Press (2004)
• [25] Egyed, A.: Fixing inconsistencies in UML design models. In: Proceedings of the 29th International Conference on Software Engineering (ICSE 2007), IEEE Computer Society (2007) 292–301
• [26] Egyed, A.: UML/Analyzer: A tool for the instant consistency checking of UML models. In: Proceedings of the 29th International Conference on Software Engineering (ICSE 2007), IEEE Computer Society (2007) 793–796
• [27] OMG: Object Constraint Language, version 2.0 (06-05-01). Object Management Group (2006)
• [28] Chiorean, D., Pasca, M., Cârcu, A., Botiza, C., Moldovan, S.: Ensuring UML models consistency using the OCL environment. Electr. Notes Theor. Comput. Sci. 102 (2004) 99–110
• [29] Earley, J.: An efficient context-free parsing algorithm. Commun. ACM 13(2) (1970) 94–102
• [30] Aho, A.V., Sethi, R., Ullman, J.D.: Compilers: Principles, Techniques, and Tools. Addison-Wesley, Reading MA (1986)
• [31] Egyed, A.: Instant consistency checking for the UML. In Osterweil, L.J., Rombach, H.D., Soffa, M.L., eds.: Proceedings of the 28th International Conference on Software Engineering (ICSE 2006), ACM (2006) 381–390
You are adding the first comment!
How to quickly get a good reply:
• Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
• Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
• Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
The feedback must be of minimum 40 characters and the title a minimum of 5 characters