Formal Aspects of Computing

, Volume 20, Issue 2, pp 161–204 | Cite as

Integrating a formal method into a software engineering process with UML and Java

  • Michael Möller
  • Ernst-Rüdiger Olderog
  • Holger Rasch
  • Heike Wehrheim
Original Article


We describe how CSP-OZ, a formal method combining the process algebra CSP with the specification language Object-Z, can be integrated into an object-oriented software engineering process employing the UML as a modelling and Java as an implementation language. The benefit of this integration lies in the rigour of the formal method, which improves the precision of the constructed models and opens up the possibility of (1) verifying properties of models in the early design phases, and (2) checking adherence of implementations to models.

The envisaged application area of our approach is the design of distributed reactive systems. To this end, we propose a specific UML profile for reactive systems. The profile contains facilities for modelling components, their interfaces and interconnections via synchronous/broadcast communication, and the overall architecture of a system. The integration with the formal method proceeds by generating a significant part of the CSP-OZ specification from the initially developed UML model. The formal specification is on the one hand the starting point for verifying properties of the model, for instance by using the FDR model checker. On the other hand, it is the basis for generating contracts for the final implementation. Contracts are written in the Java Modeling Language (JML) complemented by CSPjassda, an assertion language for specifying orderings between method invocations. A set of tools for runtime checking can be used to supervise the adherence of the final Java implementation to the generated contracts.


Modelling Formal specification CSP Object-Z UML Java Contracts Model checking Runtime checking 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. ÁBRS02.
    Ábrahám-Mumm E, de Boer FS, de Roever W-P, Steffen M (2002) Verification for Java’s reentrant multithreading concept. In: FoSSACS 2002, Vol 2303 of LNCS, Springer, Heidelberg, pp 4–20Google Scholar
  2. BD02.
    Bolton Ch, Davies J (2002) Refinement in Object-Z and CSP. In: Butler M, Petre L, Sere K (eds) IFM 2002: integrated formal methods, number 2335 in LNCS, pp 225–244Google Scholar
  3. BFMW01.
    Bartetzko D, Fischer C, Möller M, Wehrheim H (2001) Jass—Java with Assertions. In: Havelund K, Roşu G (eds) ENTCS, Vol 55. Elsevier Scholar
  4. BHR84.
    Brookes SD, Hoare CAR, Roscoe AW (1984) A theory of communicating sequential processes. J ACM 31: 560–599zbMATHCrossRefMathSciNetGoogle Scholar
  5. BM02.
    Brörkens M, Möller M (2002) Dynamic event generation for runtime checking using the JDI. In: Havelund K, Rosu G (eds) ENTCS, Vol 70. Elsevier Scholar
  6. Brö02.
    Brörkens M (2002) Trace- und Zeit-Zusicherungen beim Programmieren mit Vertrag. Master’s thesis, University of Oldenburg, Department of Computing Science, January 2002Google Scholar
  7. CS02.
    Cavalcanti A, Sampaio A (2002) From CSP-OZ to Java with processes. In: Workshop on formal methods for parallel programming, held in conjunction with international parallel and distributed processing symposium. IEEE CS Press, 2002. Contained in IPDPS collected proceedings CD-ROMGoogle Scholar
  8. CSW03.
    Cavalcanti A, Sampaio A, Woodcock J (2003) A refinement strategy for circus. Formal Aspects Comput 15(2-3): 146–181zbMATHCrossRefGoogle Scholar
  9. DB03.
    Derrick J, Boiten EA (2003) Relational concurrent refinement. Formal Aspects Comput 15(2-3): 182–214zbMATHCrossRefGoogle Scholar
  10. DC03.
    Davies J, Crichton Ch (2003) Concurrency and refinement in the unified modeling language. Formal Aspects Comput 15(2-3): 118–145zbMATHCrossRefGoogle Scholar
  11. DH01.
    Damm W, Harel D (2001) LSCs: Breathing life into message sequence charts. Formal Methods Syst Des 19(1): 45–80zbMATHCrossRefGoogle Scholar
  12. DJPV05.
    Damm W, Josko B, Pnueli A, Votintseva A (2005) A discrete-time UML semantics for concurrency and communication in safety-critical applications. Sci Comput Program 55(1-3)Google Scholar
  13. DLCP00.
    Dupuy S, Ledru Y, Chabre-Peccoud M (2000) An overview of RoZ - a tool for integrating UML and Z specifications. In: 12th conference on advanced information systems engineering (CAiSE’2000)Google Scholar
  14. DRS95.
    Duke R, Rose G, Smith G (1995) Object-Z: A specification language advocated for the description of standards. Comput Stand Interfaces 17: 511–533CrossRefGoogle Scholar
  15. Dru00.
    Drusinsky D (2000) The Temporal Rover and the ATG Rover. In: SPIN Modelchecking and Software Verification, volume 1885 of LNCS, Springer, Heidelberg, pp 323–330Google Scholar
  16. EKHG01.
    Engels G, Küster J, Heckel R, Groenewegen L (2001) A methodology for specifying and analyzing consistency of object-oriented behavioral models. In: 9th ACM SigSoft symposium on foundations of software engineering, Vol 26 of ACM Software Engineering NotesGoogle Scholar
  17. FDR03.
    Formal Systems (Europe) Ltd. (2003) Failures-divergence refinement: FDR2 user manual, May 2003Google Scholar
  18. Fis97.
    Fischer C (1997) CSP-OZ: a combination of Object-Z and CSP. In: Bowman H, Derrick J (eds) Formal methods for open object-based distributed systems (FMOODS ’97), Vol 2. Chapman & Hall, London, pp 423–438Google Scholar
  19. Fis00.
    Fischer C (2000) Combination and implementation of processes and data: from CSP-OZ to Java. PhD thesis, Bericht Nr. 2/2000, University of Oldenburg, April 2000Google Scholar
  20. FOW01.
    Fischer C, Olderog E-R, Wehrheim H (2001) A CSP view on UML-RT structure diagrams. In: Hussmann H (ed) Fundamental approaches to software engineering (FASE’01), Vol 2029 of LNCS. Springer, Heidelberg, 2001, pp 91–108Google Scholar
  21. FSKdR05.
    Fecher H, Schönborn J, Kyas M, de Roever WP (2005) 29 new unclarities in the semantics of UML 2.0 state machines. In: ICFEM, Vol 3785 of LNCS. Springer, Heidelberg, 2005, pp 52–65Google Scholar
  22. FW99.
    Fischer C, Wehrheim H (1999) Model-checking CSP-OZ specifications with FDR. In: Araki K, Galloway A, Taguchi K (eds) Proceedings of the first international conference on integrated formal methods (IFM). Springer, pp 315–334Google Scholar
  23. GJSB00.
    Gosling J, Joy B, Steele G, Bracha G (2000) The Java language specification, second edition. Addison-Wesley, ReadingGoogle Scholar
  24. Gul00.
    Gullekson G (2000) Designing for concurrency and distribution with Rational Rose RealTime. Technical report, Rational SoftwareGoogle Scholar
  25. HD01.
    Hatcliff J, Dwyer M (2001) Using the Bandera tool set to model-check properties of concurrent Java software. In: Larsen KG (ed) CONCUR 2001, LNCS. Springer, HeidelbergGoogle Scholar
  26. HJ00.
    Huisman M, Jacobs B (2000) Java program verification via a Hoare Logic with abrupt termination. In: Maibaum T (ed) Fundamental approaches to software engineering (FASE 2000), Vol 1783 of LNCS. Springer, Heidelberg, pp 284–303Google Scholar
  27. Hoa85.
    Hoare CAR (1985) Communicating sequential processes. Prentice-Hall, Englewood CliffsGoogle Scholar
  28. HR04a.
    Havelund K, Rosu G (2004) Efficient monitoring of safety properties. Softw Tools Technol Transf 6(2): 158–173CrossRefGoogle Scholar
  29. HR04b.
    Havelund K, Rosu G (2004) An overview of the runtime verification tool java pathexplorer. Formal Methods Syst Des 24(2): 189–215zbMATHCrossRefGoogle Scholar
  30. JBH+98.
    Jacobs B, van den Berg J, Huisman M, van Berkum M, Hensel U, Tews H (1998) Reasoning about Java classes (preliminary report). In: Proceedings OOPSLA 98, Vol 33 of ACM SIGPLAN notices, pp 329–340, Oct. 1998Google Scholar
  31. JML.
    The Java Modeling Language (JML) home page. Scholar
  32. Kra98.
    Kramer R (1998) iContract—the Java Design by Contract tool. Technical report, Reliable SystemsGoogle Scholar
  33. LBR03.
    Leavens GT, Baker AL, Ruby C (2003) Preliminary design of JML: a behavioral interface specification language for Java. Technical Report 98-06v, Iowa State Univ., Dept. of Computer Science, May 2003. See http://www.jmlspecs.orgGoogle Scholar
  34. LCC+03.
    Leavens GT, Cheon Y, Clifton C, Ruby C, Cok DR (2003) How the design of JML accomodates both runtime assertion checking and formal verification. In: FMCO’02, Vol 2852 of LNCS. Springer, HeidelbergGoogle Scholar
  35. Lei01.
    Leino KRM (2001) Extended static checking: a ten-year perspective. In: Wilhelm R (eds) Informatics—10 years back, 10 years ahead, Vol 2000 of LNCS. Springer, Heidelberg, pp 157–175Google Scholar
  36. LMC01.
    Leuschel M, Massart T, Currie A (2001) How to make FDR spin: LTL model checking of CSP by refinement. In: FME 2001: international symposium of formal methods Europe, Vol 2021 of LNCS. Springer, HeidelbergGoogle Scholar
  37. LMM99.
    Latella D, Majzik I, Massink M (1999) Automatic verification of a behavioural subset of UML statechart diagrams using the SPIN model-checker. Formal Aspects Comput 11: 430–445CrossRefGoogle Scholar
  38. MDA.
    OMG model driven architecture. Object Management Group. Scholar
  39. Mey97.
    Meyer B (1997) Object-oriented software construction, 2nd edn. Prentice-Hall, Englewood CliffsGoogle Scholar
  40. Möl02.
    Möller M (2002) Specifying and checking Java using CSP. In: Workshop on formal techniques for java-like programs—FTfJP’2002. Computing Science Department, University of Nijmegen, June 2002. Technical Report NIII-R0204Google Scholar
  41. OC04.
    Oliveira M, Cavalcanti A (2004) From Circus to JCSP. In: Davies J, Schulte W, Barnett M (eds) ICFEM 2004, Vol 3308 of LNCS. Springer, Heidelberg, October 2004, pp 320–340Google Scholar
  42. OH86.
    Olderog E-R, Hoare CAR (1986) Specification-oriented semantics for communicating processes. Acta Inform 23: 9–66zbMATHCrossRefMathSciNetGoogle Scholar
  43. OW05.
    Olderog E-R, Wehrheim H (2005) Specification and (property) inheritance in CSP-OZ. Sci Comput Program 55: 227–257zbMATHCrossRefMathSciNetGoogle Scholar
  44. PHM99.
    Poetzsch-Heffter A, Meyer J (1999) Interactive verification environments for object-oriented languages. J Univ Comput Sci 5(3): 208–225Google Scholar
  45. RACH00.
    Reggio G, Astesiano E, Choppy C, Hussmann H (2000) Analysing UML active classes and associated state machines—a lightweight formal approach. In: Maibaum T (ed) Fundamental approaches to software engineering (FASE 2000), Vol 1783 of LNCS. Springer, HeidelbergGoogle Scholar
  46. RJB99.
    Rumbaugh J, Jacobson I, Booch G (1999) The unified modeling language reference manual. Object Technology Series. Addison-Wesley, ReadingGoogle Scholar
  47. Ros94.
    Roscoe AW (1994) Model-checking CSP. In: Roscoe AW (eds) A classical mind—essays in honour of C.A.R. Hoare. Prentice-Hall, Englewood Cliffs, pp 353–378Google Scholar
  48. Ros98.
    Roscoe AW (1998) The theory and practice of concurrency. Prentice-Hall, Englewood Cliffs.Google Scholar
  49. RW03.
    Rasch H, Wehrheim H (2003) Checking consistency in UML diagrams: classes and state machines. In: Najm E, Nestmann U, Stevens P (eds) Formal methods for open object-based distributed systems (FMOODS’03), Vol 2884 of LNCS. Springer, Heidelberg, pp 229–243Google Scholar
  50. RW05.
    Rasch H, Wehrheim H (2005) Checking the validity of scenarios in UML models. In: Steffen M, Zavatarro G (eds) FMOODS 2005: formal methods for open, object-based distributed systems, Vol 3535 of LNCS. Springer, Heidelberg, pp 67–82Google Scholar
  51. SB05.
    Snook C, Butler M (2005) UML-B: formal modelling and design aided by UML. ACM Trans Softw Eng MethodolGoogle Scholar
  52. Sca98.
    Scattergood JB (1998) The semantics and implementation of machine-readable CSP. PhD thesis, University of OxfordGoogle Scholar
  53. SD97.
    Smith G, Derrick J (1997) Refinement and verification of concurrent systems specified in Object-Z and CSP. In: Hinchey M, Liu S (eds) International conference of formal engineering methods (ICFEM). IEEE, pp 293–302Google Scholar
  54. SGW94.
    Selic B, Gullekson G, Ward PT (1994) Real-time object-oriented modeling. Wiley, New York.zbMATHGoogle Scholar
  55. SH05.
    Stoerrle H, Hausmann JH (2005) Towards a formal semantics of UML 2.0 activities. In: Software engineering 2005, Vol P-64 of LNI. Gesellschaft fuer Informatik, pp 117–128Google Scholar
  56. SKM01.
    Schäfer T, Knapp A, Merz S (2001) Model checking UML state machines and collaborations. In: Stoller SD, Visser W (eds) ENTCS, Vol 55. Elsevier, AmsterdamGoogle Scholar
  57. Smi92.
    Smith G (1992) An object-oriented approach to formal specification. PhD thesis, Department of Computer Science, University of Queensland, St.Lucia 4072, Australia, October 1992Google Scholar
  58. Smi00.
    Smith G (2000) The object-Z specification language. Kluwer, Dordrecht.zbMATHGoogle Scholar
  59. Spi98.
    Spivey JM (1998) The Z notation: a reference manual, 2nd edn. Prentice-Hall, Oxford.Google Scholar
  60. SR98.
    Selic B, Rumbaugh J (1998) Using UML for modeling complex real-time systems. Technical report, ObjecTimeGoogle Scholar
  61. TS02.
    Treharne H, Schneider SA (2002) Communicating B machines. In: ZB2002: international conference of Z and B Users, Vol 2272 of LNCS. Springer, HeidelbergGoogle Scholar
  62. UML03a.
    OMG Unified Modeling Language specification, version 1.5, March 2003. http://www.omg.orgGoogle Scholar
  63. UML03b.
    OMG Unified Modeling Language: Superstructure, version 2.0—final adopted specification, August 2003 http://www.omg.orgGoogle Scholar
  64. Weh00a.
    Wehrheim H (2000) Data abstraction techniques in the validation of CSP-OZ specifications. Formal Aspects Comput 12: 147–164zbMATHCrossRefGoogle Scholar
  65. Weh00b.
    Wehrheim H (2000) Specification of an automatic manufacturing system – a case study in using integrated formal methods. In: Maibaum T (eds) Fundamental approaches of software engineering (FASE 2000), Vol 1783 of LNCS. Springer, Heidelberg, pp 334–348CrossRefGoogle Scholar
  66. Wel02.
    Welch PH (2002) Process oriented design for Java: concurrency for all. In: Computational science—ICCS 2002, Vol 2330 of LNCS. Springer, Heidelberg, April 2002. Keynote Tutorial, pp 687–687Google Scholar
  67. Z02.
    International Organisation for Standardization (2002) Information technology—Z formal specification notation—Syntax, type system and semantics, 1st edn, July 2002. ISO/IEC 13568:2002 (E) International StandardGoogle Scholar

Copyright information

© British Computer Society 2007

Authors and Affiliations

  • Michael Möller
    • 1
  • Ernst-Rüdiger Olderog
    • 1
  • Holger Rasch
    • 2
  • Heike Wehrheim
    • 2
  1. 1.Department of Computing ScienceUniversity of OldenburgOldenburgGermany
  2. 2.Department of Computer ScienceUniversity of PaderbornPaderbornGermany

Personalised recommendations