Ontology-Based Verification of UML Class Model XOR Constraint and Dependency Relationship Constraints

Unified Modeling Language (UML) models are considered important artifacts of model-driven engineering (MDE). This can automatically transform models to other paradigms and programming languages. If a model has bugs, then MDE can transfer these to a new code. The class model is a key component of UML that is used in analysis and design. Without a formal foundation, UML can create only graphical diagrams, making it impossible to verify properties such as satisfiability, consistency and consequences. Different techniques have been used to verify UML class models, but these do not support some important components. This paper transforms and verifies unsupported components such as XOR association constraints and dependency relationships of a UML class model through ontology. We use various UML class models to validate the proposed ontology-based method, easy and efficient transformation and verification of unsupported elements. The results show this approach can verify large and complex models.


Introduction
In today's world, there is an extensive use of software in high-end television sets, mobile phones, cars and other devices. With it being used so commonly, software failure understandably may lead to human and economic losses. For example, in 2017 [1], a software bug caused the Cloudflare network to leak sensitive customer data such as passwords and cookies. Again, due to software errors, some 3200 prison inmates were released early in the United States between 2003 and 2015 [2]. In 1991, a missile-defense system in Saudi Arabia failed to identify an attack due to inaccurate tracking software, at a cost of 28 lives. The above examples illustrate the importance of software development and verification [3]. In the development phase, it is important to check for the absence of errors. This can be done in later stages after coding of development. Error correction is much more expensive in the later than in the earlier stages of development [4].
The software industry seeks high-level quality assurance at a low cost in a short time. For competitive reasons, software should be of moderate quality when delivered. Developers rely on the end-user to discover bugs. However, a modest level of quality is essential. Software quality can be significantly improved by using model verification [5], in which Unified Modeling Language (UML) models are created at an early phase. Proper verification of UML models may serve to solve several problems that might occur in later stages of software development [6]. A UML model can verify software for correctness and violations of constraints. Models are considered the most important elements in software development, especially in model-driven engineering (MDE) [7,8].
The automatic transformation provides systematic reuse of existing artifacts. However, this can cause problems, such as models with errors that are implicitly passed on to the code. Hence model verification is necessary [9,10]. This ensures that a model is bug free, correct and consistent. Consistency is the most fundamental element of property correctness [11]. It verifies that model elements are consistent with the declaration. In UML class model verification, a model is considered consistent when it has a valid nonempty instance [12].
UML offers various models to address different aspects of software [4,13]. The class model is the most important. It uses simple diagrammatic notation to specify static aspects of a system [14]. The main elements of a class diagram are their classes and relationships, i.e., dependency, association and generalization [15][16][17]. These are the relational building blocks of UML and the most important elements of object-oriented modeling [18]. Current UML class model verification methods are sufficient to check for correctness. However, they do not focus on some fundamental elements of the class model. A comparison of class model verification methods [19] indicate that dependency relationships are not supported. The XOR constraint is another graphical element that is not supported by any verification method. In some Object Constraint Language (OCL)-supported verification methods, XOR constraints can be presented through OCL constraints and indirectly verified, but OCL has some limitations. For example, the UML specification does not restrict constraint language, and accordingly, constraints can be defined through formal languages, informal languages (JAVA, C#) and natural languages [20,21]. Most computer-aided software engineering (CASE) tools do not support OCL, nor do they provide limited support because commercial CASE providers do not see a large OCL market [22,23]. Indeed, the use of OCL in software development is of little significance [22,24]. It may be hard to understand because several equivalent implementations are possible for a constraint [25]. Hence, designers may have difficulties when it is combined with a diagrammatic paradigm, and even heavy users of UML barely employ OCL [22,[24][25][26][27]. Moreover, current UML/OCL model verification methods do not deal with the consequences and do not formalize through OCL, which is essential in verification because it may cause a model to become inconsistent.
Ontology is a metaphysical discipline practiced by researchers since the 16 th century for real-world representation and categorization. Computational ontology provides a formal model of a system which is currently used as a computational artifact for computer-based decisions on domain knowledge [28]. There are five types of components. (1) Concepts represent values that may be abstract or concrete, such as a task description, function, reasoning process, or action. They are like the classes of a UML class model. (2) Taxonomies organize concepts into generalization and specialization relationships. An example is the generalization relationship of a UML class model. Verification methods use many formal and semi-formal methods to validate UML class models. They are hard to understand, use much mathematical notation and are different from UML class models. Ontology and UML class models have related features such as classes, generalization and relationships. Ontology has a powerful reasoner that can be quickly and easily applied on complex problem spaces and draw inferences from thousands of ontological items [29]. Consequently, the reliability and consistency of MDE can be improved using an ontology-based verification method.
This work focuses on the design and development of a rigorous method based on an ontology that facilitates transformation and verification of UML class model elements. The results show that the proposed method can significantly reduce verification time. For evaluation, we transform a UML class model to Protégé ontology.
To develop the model, the top-level elements of ontology are first developed, e.g., UML classes are transformed to ontology concepts and association relationships into object properties. Following this, classes and object properties are associated through domain and range. Proposed constraints are implemented in Protégé and the model's consistency is checked through the pellet reasoner in Protégé.
The rest of this paper is structured as follows. Section 2 presents related work. Section 3 focuses on an example and Section 4 explores the transformation and verification of XOR constraints. Section 5 presents the transformation and verification of dependency relationships. Section 6 describes the experimental results, which illustrate the proposed approach efficiently and effectively verifying UML model elements. Section 7 provides conclusions and future directions.

Related Work
Many researchers have worked on UML model verifications and discussed correctness properties such as consistency, satisfiability and constraint redundancy according to various aspects, such as the intra/intermodel and static/dynamic models [30]. The verification of the static model concerns only with structural parts such as attributes, associations, aggregation/composition and generalization, while that of the dynamic model considers behavioral elements such as operations. Consistency between models is checked by inter-model verification and consistency of a model against its graphical and textual constraints is subject to intramodel verification. In initial research work, many researchers use the B method, Z notation and description logic (DL) for transformation rules and the meta-model [31][32][33]. However, current research focuses more on consistency and satisfiability [30,31,[34][35][36]19].
France et al. have presented a formal representation of a core meta-model in Z notation [32]. They have shown that this offers benefits such as consistency checking, clarity, refinement and proof chaining. This also specifies the core meta-model by a compositional schema that contains sub-schemas. Object-Z, which is an object-oriented flavor of Z notation, has been used to define the abstract syntax of a UML meta-model [37,38]. Furthermore, the authors argue that the formal specification of the UML meta-model is the most common method to describe language semantics. They propose an integrated framework whose formalism varies according to the verification task. The B formal method has been used to formalize UML models [33,39]. This work verifies UML class model consistency against the well-formedness rules by B prover [39]. They present OCL constraint transformation [33] and transform OCL basic data types to B method basic types and OCL operators to those of the B method.
Researchers have used semi-formal methods such as constraint satisfaction programming (CSP) and Alloy to verify UML class models. A method of UML class model verification was proposed by Cadoli et al. [13], using CSP to represent and solve linear inequalities that worked on satisfiability and full satisfiability. In satisfiability, they verify whether a finite non-empty instance of a class model can be constructed without violating any constraints. In full satisfiability, they ascertain whether an instance model can be constructed in which all classes can be populated without violating constraints. A constraint logic programming-based framework has been presented in a previous study [40], which translates and provides reasoning on UML models through CSP. In the proposed framework, reasoning on the model is done through the model-finding formula and the framework supports the satisfiability checking of OCL fragments. In this connection, the authors have also developed an Eclipse plug-in for the proposed framework.
Cabot et al. [41] proposed a set of techniques to facilitate the efficient integrity checking of UML-based software specifications. They worked on events only responsible for constraint violations, which they called potential structure events (PSEs). PSEs were recorded for each constraint and only those entities and relationships relating to PSEs were verified. A method based on linear inequalities was used to verify generalization relationships, qualified associations and association classes [36,42,43]. This work presented a redundancy elimination method for universal and existential quantifier constraints for aggregation/ composition, association, generalization and qualified association. The authors proposed incremental verification methods for internal consistency of UML/OCL class models. These methods decrease cost of re-verification of the class model. For example, if a new OCL invariant was added to the model, then only that invariant was checked [44].
The semi-formal method Alloy has been used to verify UML class models. Bordbar et al. [35] transformed a UML class model into the signature of an Alloy model as a meta-model instance to facilitate the analysis of the system via Alloy. Maoz et al. [45] formalized the advanced elements of a UML model, such as interfaces and multiple inheritances, to Alloy. They performed different types of reasoning on the class model, such as model intersection and refinement analysis. Berardi et al. [31] used DL to check for redundancies and inconsistencies in a UML class model and argued that a DL-based approach can support reasoning on a large and complex UML class model. This work checked satisfiability and class equivalence.
Ontology has been used to verify UML class models. Xu et al. [46] compared UML and Web Ontology Language (OWL), and found similarities such as classes, relationships and attributes. They also found dissimilarities. For example, OWL has only object property to make relationships among classes, while UML has relationships such as association, aggregation and composition. Belghiat et al. [47] proposed an ontology graph-based specification of a UML meta-model. Parreiras et al. [29] integrated OWL and UML to represent a UML model and incorporated the Meta-Object Facility (MOF) model in ontology as the backbone for OWL and UML.
A model slicing technique was used to verify a complex UML model. Shaikh et al. [19] proposed a technique to reduce the complexity of verification by decreasing the verification time of a large model and a feedback technique for an unsatisfiable UML/OCL class model [48]. Current UML class model verification methods are sound, and they efficiently verify the correctness of models. However, they can consume substantial computational resources and may not generate results, especially for large and complex models. Furthermore, they do not support some essential elements of the UML class model.

Running Example
Throughout this paper, we use an example of an office task distribution system to demonstrate our approach. The model has five classes, four associations marked as XOR and one dependency relationship. In the given example, the Task class is connected with the Outsource and Employee class through the Award association. This specifies that the instance of the Task class can be connected with the instance of the Employee class or, the Outsource class. The Employee class relates to the Committee class through two associations, Member and Chair. These specify that the instance of the Employee class can relate to the instance of the Committee class through either a Member or Chair relationship. The Employee class also has a Uses dependency relationship with the Tool class.

Transformation and Verification of XOR Constraints
The UML class model has two types of XOR constraints: (1) Two classes are connected through different associations, which are marked as XOR in Fig. 1, where Employee is connected to the Committee class either through Member or Chair; and (2) The XOR constraint is attached to three classes. For example, a class connected to two classes with the same association. The Award association is connected to three classes and specifies that a task can be either outsourced to a company or awarded to an employee. In the proposed solution, the first type of XOR semantic can be achieved in the ontology by making the XOR-annotated associations with two disjoint object properties. For example, the Member and Chair associations among Employee and Committee are declared as disjoint to one another. The second type of XOR semantic can be achieved by declaring the OWL sub-class restriction. For example, the Award association constraint is transformed to the following sub-class constraint: Task v 9 award:Employee [ award:Oursource ð Þ \ : 9 award:Employee \ award:Outsource ð Þ ð Þ

Satisfiability of Case 1 XOR Constraint
Consider a fragment of the class model shown in Fig. 1, where an Employee class connects to the Committee class through XOR associations, Member and Chair. According to the proposed approach, Member and Chair are declared disjoint object properties. An instance of the class Employee can be linked to the Committee class either through Member or Chair, as shown in Fig. 2. Otherwise, an Employee class instance makes a connection with an instance of Committee through both object properties and the model is unsatisfied, as shown in Fig. 3. Suppose we have the following instances of classes: The ontology graph connectivities satisfying the restrictions are as follows:

Satisfiability of Case 2 XOR Constraint
Consider the class model in Fig. 1, where a Task class connects to the Employee and Outsource classes through XOR association Award. According to the proposed approach, an instance of the Task class can be connected to either the Employee or Outsource instance through association Award, as shown in Fig. 4. Otherwise, the model will be unsatisfied, as shown in Fig. 5.
The ontology graph connectivities satisfying the restrictions are:

Satisfiability Verification Example of an Inconsistent XOR Constraint
Consider the inconsistent class diagram shown in Fig. 6, where the Salesman class is connected to Vehicle and Commercial Vehicle class through travel by the XOR association. In the first instance, it is difficult to see that the model is inconsistent because it does not satisfy the correctness property. i.e., "satisfiability,". An instance of a Salesman connects to an instance of either Vehicle or Commercial Vehicle through travel by association. When this happens, the model is unsatisfied due to the generalization relationship between Vehicle and Commercial Vehicle. The instance of Commercial Vehicle is also considered an instance of Vehicle, which violates the XOR constraints. The model formalized in the ontology using Protégé, and the reasoning outcome, is summarized in Fig. 7, which shows that the ontology is inconsistent.

Transformation and Verification of Dependency Relationships
Dependency relationships are semantic relationships between UML classes. They state that a change in a class can affect another class. They are used in different UML diagrams, such as packages components and uses. Here, only dependency relationships related to the class model that can impact its correctness are considered. Hence, the focus on the dependency relationships of create, drive, call and use. Consequently, the relationships to the object property with some restrictions are transformed. For example, the call and use dependencies are declared transitive, while the create and drive dependencies are transitive and asymmetric.

Satisfiability
Sometimes a model can be unsatisfied due to its implicit properties. For example, Fig. 8 shows a UML class model in which an instance of class A creates an instance of class B, an instance of class B creates an instance of class C, and an instance of class D creates an instance of class A. The class C is a subclass of class D. Fig. 9 shows the ontology graph before the inference of the UML class model. The graph after this inference is presented in Fig. 10. The result of the inference shows that the model is cyclic and will not be finitely satisfiable due to the generalization relationship between classes C and D. The instance of C will be considered an instance of D; consequently, C will create an instance of A, as shown in Fig. 10.  The inference model also shows that an instance of class A creates its own class instance due to transitivity, which makes the model unsatisfiable. To detect an unsatisfiable model due to cyclic dependency, an additional restriction is inserted to prevent a class from connecting to itself. This can be achieved by making the Create object property irreflexive. However, OWL-DL does not support reasoning over a property that is marked as both transitive and irreflexive.
The proposed method realizes the irreflexive constraint by inserting an additional restriction on the class level. For example, the dependency relationship between classes A and B is restricted, as A : create9A ð Þ\ createT 9B ð Þ\ createA9B ð Þ : Semantically, the first part of the restriction specifies that class A is irreflexive, and the remaining part specifies that an instance of class A can be connected to an instance of class B through createT and createA.

Consequences
Consequences are an important part of verification, where new knowledge is inferred from existing knowledge. Sometimes properties of a model are not explicitly defined [49]. Fig. 11 shows a class model   Fig. 8 with three classes connected through dependency. Syntactically, the model specifies that when the Booking class instance is created, it creates an instance of the Payment class, which creates an instance of the Transaction class, as shown in Fig. 12. However, semantically, the model specifies that the Booking class instance indirectly creates an instance of the Transaction class due to the transitive characteristic of the create dependency. Fig. 13 shows that a link has been established between the Booking and Transaction classes by the create dependency after performing inference. Fig. 14 shows the outcome in the ontology editor Protégé.

Experiments and Results
In order to check the efficiency of the proposed method when the number of classes and constraints increase, experiments are performed on different UML class models through the proposed approach. The total verification time is measured for every model and compared to the UMLtoCSP and Alloy tools. The correlation between model size/complexity and execution time is examined. UMLtoCSP does not support 64-bit architecture, so all experiments are performed on a 32-bit core2Duo 1.34 processor with 2 GB RAM. The results show that the proposed method is efficient and can verify a large and complex model within a few seconds. Tab. 1 shows the verification times of different XOR models. For the first model "tasks distribution", the proposed method verified an average 0.056 seconds with six classes and three XOR associations. For the "sale management" model, it took on average 0.106 seconds with nine classes and four XOR association constraints. For the "school management" system, it took an average 0.167 seconds with 15 classes and 6 XOR associations. For the "hotel" model, it took on average 0.199 seconds. To check the performance of the method on a large model, an experiment on "Programmed 4" with 100 classes, 200 associations and 100 XOR constraints was performed. This took an average of 0.547 seconds.  The comparative results of verification methods with the proposed method are shown in Fig. 15, where the x-axis indicates UML class models and the y-axis is the total verification time in seconds. The results illustrate the proposed method is marginally more efficient than UMLtoCSP and Alloy and has additional benefits: 1. XOR constraints are automatically formalized in the ontology for verification. UMLtoCSP and Alloy do not support XOR constraints, and these were input manually by the designers in OCL.
2. UMLtoCSP and Alloy support bounded model checking within the limited search space, whereas our proposed approach supports unbounded model checking.
Tab. 2 shows the average execution time required to check the satisfiability and consequences of dependency relationships. For the first model "order management", the proposed method took an average 0.087 seconds with 10 classes and 3 dependency relationships. For the "learning management" system, it took on average 0.198 seconds with 15 classes and 5 dependency relationships. For "car manufacturing", it took an average 0.209 seconds with 20 classes and 8 dependency relationships. For "Programmed 5", it took an average 0.473 seconds with 100 classes and 100 dependency relationships. UML class models with hundreds of dependency relationships and XOR associations are difficult to verify, because in real life, it is rare that a class diagram has as many constraints as "Programmed 4" and "Programmed 5" which demonstrate the efficiency and scalability of the proposed method.

Conclusions and Future Work
Model verification is involved in many software methodologies, such as Agile, MDA, and Rational Unified Process (RUP). These check the model for bugs. The most important UML model, the UML class model, is used in analysis as well as design. In previous work, several elements of the UML class model were checked by various methods, while some important elements, such as XOR constraints and dependency relationships, were never checked. In this paper, we have proposed an ontology-based transformation and verification of the UML class model for unsupported elements such as XOR constraints and dependency relationships. These transformations map XOR constraints and dependency relationships to an ontology so as to analyze various correctness properties such as satisfiability, consistency and consequences. The proposed method has the benefit of various efficient reasoners that work on large ontology models in an acceptable time. Our future work will incorporate the transformation of OCL constraints and support to other UML class model elements.
Funding Statement: The authors express their gratitude to the ministry of education and the deanship of scientific research of Najran University, Kingdom of Saudi Arabia, for financial and technical support under code number NU/ESCI/17/098.

Conflicts of Interest:
The authors declare that they have no conflicts of interest to report regarding the present study.