Post on 17-Dec-2015

Job No/ 1

© British Crown Copyright 2008/MOD

Developing a High Integrity Code Generator Using iUML/iCCG

Sam Moody

AWE plc, Aldermaston, Berkshire,

United Kingdom

Job No/ 2

Outline

Motivation

Building a code generator with iUML/iCCG

Application Development with iUML

Current Results

Other work exploring xUML

Job No/ 3

Motivation

Historically, development has been based on bespoke processes

Research advances in software engineering in academia and industry

Links AWE formal methods research to commercial toolsets

Explore code generation

Combined with tried and trusted high integrity tools such as the SPARK toolset

Job No/ 4

Challenging Requirements

We must demonstrate 100% freedom from anomalous behaviour

30 year working life cycle

Not to be maintained

Process and design must be understood over life

Job No/ 5

Tool Selection – Why xUML

UML is the prevalent modelling technology in use by the software industry at large

UML suffers semantic weaknesses

Precise Executable profile of the Unified Modelling Language (xUML)

Adds Action Semantics to Standard UML Diagrams

Supports Model Driven Architecture

Job No/ 6

Tool Selection – Why Kennedy-Carter

Interested in the application of static techniques

A business model which encourages technology transfer

Code generators built using the xUML formalism

Models are platform independent with full behavioural specification defined in ASL

No need to embed target code (i.e. SPARK, Ada or C)

Job No/ 7

Outline

Motivation

Building a code generator with iUML/iCCG

Application Development with iUML

Current Results

Other work exploring xUML

Job No/ 8

Building a code generator with iCCG

Implementation

Definition of Mapping Rules

Requirements of software platform

Code Generator

Job No/ 9

Code Generator Development with iUML

iCCG is a meta-model of the entire xUML profile itself in xUML

The classes in the iCCG are instantiated by the model for which code is to be generated

Operations added in ASL to target code generation to the desired language, i.e. SPARK

Existing xUML code generators include targets such as C, C++, Java and Ada

Job No/ 10

Extract of the iCCG Meta-model

[Figure: meta-model extract showing the Class, Attribute and Operation classes]

© Copyright Kennedy Carter Ltd 2008. Reproduced with permission

Job No/ 11

Building a code generator with iCCG

Job No/ 12

Building a code generator with iCCG

Job No/ 13

Building a code generator with iCCG

Precise xUML model of xUML

The same formalism used for application and code generator development

The code generator design will have longevity

Transformation rules are readily understandable

Allows different implementations to be targeted

Job No/ 14

Outline

Motivation

Building a code generator with iUML/iCCG

Application Development with iUML

Current Results

Other work exploring xUML

Job No/ 15

Application Development

[Figure: development process flow]

Skeleton class diagram

Write annotations in the description field

Write ASL in the method field

Executable model

Generate SPARK code and analyse with the SPARK toolset

Examiner report

Job No/ 16

Development Process – Model Annotation

Code generator provides ‘low-level’ embedded annotations

“Inherits”, “Owns” and operations supporting the formalism

Analyst provides annotations for the design on xUML active elements

i.e. State Actions and Operations
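To make the division of labour on this slide concrete (and the meta-model idea of slides 9, 10 and 13), here is an added example. It is not Kennedy-Carter's iCCG and the rules are not written in ASL: the meta-model classes (XClass, Attribute, Operation), their fields, the sample Limits/Counter model and the mapping rules are all assumptions chosen for illustration. The generator supplies the low-level SPARK annotations (inherit, own, initializes, global, derives) from the model, while the pre/post annotations the analyst typed into the description field and the text of the method field are carried through into the generated package.

```python
# Added illustration: a toy meta-model-driven SPARK generator. This is NOT the
# Kennedy-Carter iCCG and the rules are not ASL; the meta-model classes, their
# fields and the mapping rules are assumptions used to show the idea from the
# slides: the generator owns the low-level annotations, the analyst owns
# pre/post and the method text, and both end up in the generated SPARK.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Attribute:
    name: str
    spark_type: str
    initial: str                        # initial value emitted into the package body


@dataclass
class Operation:
    name: str
    params: List[Tuple[str, str, str]]  # (name, mode, type), e.g. ("Step", "in", "Integer")
    reads: List[str]                    # attributes the method reads (may be qualified, e.g. "Limits.Max")
    writes: List[str]                   # attributes the method updates
    description: str                    # analyst annotations, one per line, without the "--#" prefix
    method: str                         # body statements (SPARK text here; ASL in the real tool)


@dataclass
class XClass:
    name: str
    inherits: List[str] = field(default_factory=list)        # packages whose state this class uses
    attributes: List[Attribute] = field(default_factory=list)
    operations: List[Operation] = field(default_factory=list)


def _params(op: Operation) -> str:
    if not op.params:
        return ""
    return " (" + "; ".join(f"{n} : {m} {t}" for n, m, t in op.params) + ")"


def operation_spec(op: Operation) -> List[str]:
    """Declaration plus annotations. Assumed mapping rule: written attributes are
    'in out', read-only ones 'in', and every written attribute derives from all
    inputs (written + read attributes + non-out parameters)."""
    lines = [f"   procedure {op.name}{_params(op)};"]
    read_only = [a for a in op.reads if a not in op.writes]
    modes = [f"in out {a}" for a in op.writes] + [f"in {a}" for a in read_only]
    if modes:
        lines.append("   --# global " + "; ".join(modes) + ";")
    inputs = op.writes + read_only + [n for n, m, _ in op.params if m != "out"]
    if op.writes:
        clauses = [f"{a} from {', '.join(inputs)}" for a in op.writes]
        lines.append("   --# derives " + " & ".join(clauses) + ";")
    # Analyst-supplied pre/post from the description field, carried through verbatim.
    for text in op.description.strip().splitlines():
        lines.append("   --# " + text.strip())
    return lines


def generate_spec(cls: XClass) -> str:
    own = ", ".join(a.name for a in cls.attributes)
    out = [f"package {cls.name}"]
    if cls.inherits:
        out.append("--# inherit " + ", ".join(cls.inherits) + ";")
    if own:
        out.append(f"--# own {own};")
        out.append(f"--# initializes {own};")
    out.append("is")
    for op in cls.operations:
        out.extend(operation_spec(op))
    out.append(f"end {cls.name};")
    return "\n".join(out) + "\n"


def generate_body(cls: XClass) -> str:
    out = [f"with {dep};" for dep in cls.inherits]
    out.append(f"package body {cls.name} is")
    for a in cls.attributes:
        out.append(f"   {a.name} : {a.spark_type} := {a.initial};")
    for op in cls.operations:
        out += ["", f"   procedure {op.name}{_params(op)} is", "   begin"]
        out += ["      " + s for s in op.method.splitlines()]   # method field, verbatim
        out.append(f"   end {op.name};")
    out.append(f"end {cls.name};")
    return "\n".join(out) + "\n"


# Constructed sample model: a Limits package owning a bound, and a Counter that
# reads it. `description` is what the analyst types into the description field,
# `method` what goes into the method field.
LIMITS = XClass("Limits", attributes=[Attribute("Max", "Integer", "100")])
COUNTER = XClass(
    "Counter",
    inherits=["Limits"],
    attributes=[Attribute("Count", "Integer", "0")],
    operations=[Operation(
        name="Increment",
        params=[("Step", "in", "Integer")],
        reads=["Limits.Max"],
        writes=["Count"],
        description="pre Step > 0 and Count + Step <= Limits.Max;\npost Count = Count~ + Step;",
        method="if Count + Step <= Limits.Max then\n   Count := Count + Step;\nend if;",
    )],
)

if __name__ == "__main__":
    for cls in (LIMITS, COUNTER):
        print(generate_spec(cls))
        print(generate_body(cls))
```

The derives rule above is deliberately coarse (every written attribute from every input); the SPARK Examiner's flow analysis on the generated package is where a mismatch between that rule and the method text shows up, which is the check the deck's process relies on.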

Job No/ 17

xUML Skeleton Design

Job No/ 18

xUML Annotated Design

Job No/ 19

xUML Annotated Design

Job No/ 20

xUML Executable Design

Job No/ 21

Multi-Domain

[Figure: multi-domain diagram with bridge BridgeCPR1]

Job No/ 22

Multi Domain

Supports complete analysis on a domain-by-domain basis

Domains can be implemented and tested in isolation

Bridges analysed in context of relevant domain

Minor constraints on xUML bridges

Job No/ 23

Outline

Motivation

Building a code generator with iUML/iCCG

Application Development with iUML

Current Results

Other work exploring xUML

Job No/ 24

Current Status

Successfully analysed a representative model using SPARK Examiner

Generation of SPARK from multi domain xUML models

Process defined to allow complete system analysis

Supports all SPARK ‘core’ Annotations

Only minor restrictions on xUML

Job No/ 25

Outline

Motivation

Building a code generator with iUML/iCCG

Application Development with iUML/iCCG

Current Results

Other work exploring xUML

Job No/ 26

SystemB Project

Automatic generation of CSP||B specifications from xUML models

Generator built using Kennedy Carter tools

Generator based on model-text transformations

Verification of CSP||B specifications using ProB and FDR

Provides greater assurance in UML models than is possible within Kennedy Carter tools

[Figure: xUML MetaModel, xUML Model, CSP Model, CSP||B Model, SystemB CCG]

Job No/ 27

Summary

Code generator is itself captured in a precise, industrially accepted format

The resulting code is produced from a precisely defined, traceable process

Generated code can be statically checked for correctness

Provides additional rigour to development cycle

Development can begin earlier, before hardware is available or known

Knowledge captured is likely to have longevity

Job No/ 28

Questions

?