A Tridimensional Approach for Studying the Formal Verification of Model Transformations

A Tridimensional Approach for Studying the Formal Verification of

Model Transformations

Moussa AMRANI, Levi LUCIO, Gehan SELIM,Benoît COMBEMALE, Jürgen DINGEL, Hans VANGHELUWE, Yves LE TRAON AND James R. CORDY

2

Taxonomy Overview

Property (kind)

Transformation

Formal Verification (Fv) Technique

TRANSFORMATIONS

Property (kind)

Transformation


LanguageHow to express a transformation?

DefinitionWhat is a transformation?

ClassificationHow to categorise transformations?

5

What is Model Transformation (MT)?

Source model(s) Target

model(s)Transformation

execution

Transformationspecification

Source meta-model

Targetmeta-model

TransformationLanguage

Meta-metamodelco

nform

s to

conforms to

conf

orm

s to conform

s to

conf

orm

s to

refers to refers to

inputs outputs

exec

utes

6

MT Definitions in the Literature

• « the process of converting one model to another model of the same system » [1]

• « a model transformation is the automatic generation of a target model from a source model, according to a transformation definition » [2]

• « a program that mutates one model into another » [3]• « the automatic generation of one or multiple target models from one

or multiple source models, according to a transformation description » [4]

• « the automatic manipulation of a model with a specific intention » [5]

[1] Object Management Group (2003) MDA Guide (version 1.0.1). Technical Report.[2] KLEPPE, A.G. and WARMER, J. and BAST, W. (2003). Domain-specific Mda Explained – The Model-Driven Architecture: Practice and

Promises. Addison-Wesley.[3] TRATT, L. (2005). Model Transformation And Tool Integration, SOSYM, 4(2), pp. 112–122.[4] MENS, T. and VAN GORP, P. (2006). A Taxonomy Of Model Transformation, ENTCS 152, pp. 125–142.[5] SYRIANI, E. (2011) A Multi-Paradigm Foundation for Model Transformation Language Engineering. Ph.D. dissertation, McGill University,

(Canada).

Directly inspired from the MDA approach specific to systems;

• Transformations are a computation;

• Transformations subsume intentions

• Shift from system-centric to general models;

• Transformations are directed;• Transformations are automatic.

• Transformations operate on multiple models;

• Transformations obey to descriptions (a.k.a., specifications)

7

A Broader Definition for MTs« the automatic manipulation, conform to a description, of (a) source model(s) to produce (a) target model(s) according to a specific intention »

1. Dual nature– Transformations are computations;– Transformations manipulate models.

2. Clear distinction between– the specification level (refers to src. / tgt. metamodels);– the execution level (inputs / outputs src. / tgt. models)

3. Intention at the core

Transformation

LanguageHow to express a transformation?

DefinitionWhat is a transformation?

ClassificationHow to categorise transformations? Property (kind)


12

Classification

• Czarnecki & Helsen (2006)– Hierarchical classification of MTs;– Mostly dedicated to GBTs.

• Mens & Van Gorp (2006)Heterogeneity Are the source & target models the same?

endogeneous / exogeneousAbstraction level Do we change it?

horizontal / verticalSrc. Conservation Do we keep the original source model?

in-place / out-placeArity How many models are involved?

one / multiple[1] CZARNECKI, K. and HELSEN, S. (2006). Feature-Based Survey of Model Transformation Approaches. IBM Systems , 45(3), pp. 621–645.[2] MENS, T. and VAN GORP, P. (2006). A Taxonomy Of Model Transformation, ENTCS, LNCS 152, pp. 125–142.

13

Variations on DSL Semantics1. Write a transformation for expressing the semantics of my DSL2. Check the semantics’ correctness

DSL metamodel Semantic Domain

Translational Semantics

Behavioural Semantics• Out-place;• Exogeneous;• Vertical;• 1:1

• In-place;• Endogeneous;• Horizontal;• 1:1

14

Towards a semantical classification

• Previous classifications are syntactical– Classify the transformation’s form;– Sensitive to the chosen approach for expressing transformations

• However, properties are semantics-related– Independent of the style; but rather– Dependent of the transformation’s intention;

• Semantical Classification– Relates properties of interest with transformation’s intention– The properties formulation depends on the approach

15

Conclusion

• A broder definition for the transformation concept– Intention at the core

• Several Transformation Languages paradigms– Influence on the FV techniques

• Need of a more semantical classification– Next part partially relates intention with properties

PROPERTIES

Property (kind)

Transformation


Transformation – Related Property

Language – Related Property

• Termination• Determinism• Typing

18

Termination

[1] PLUMP, D. (1998) Termination of Graph Rewriting is Undecidable. Fundamenta Informaticæ, 33(2), pp. 201–209.[2] EHRIG, H. & K., TAENTZER, G., DE LARA, J., VARRÓ, D. and VARRÓ-GYAPAI, S. (2005). Termination Criteria for Model Transformation. In FASE,

2005.[3] VARRÓ, D., VARRÓ-GYAPAI, S., EHRIG, H., PRANGE, U., TAENTZER, G. (2006) Termination Analysis of Model Transformations by Petri Nets. In

ICGT, LNCS 4178, pp. 260–274.[4] BRUGGINK, H. S. (2008). Towards a Systematic Method for Proving Termination of Graph Transformation Systems. ENTCS, 213(1).[5] KÜSTER, J. M. (2006). Definition and Validation of Model Transformations. SOSYM, 5(3), pp. 233–259.[6] SPOTO, F., HILL, P. M., PAYET, E. (2006). Path-Length Analysis of Object-Oriented Programs. In International Workshop on Emerging

Applications of Abstract Interpretation.[7] BERDINE, J., COOK, B., DI STEFANO, D., O’HEARN, P. W. (2006). “Automatic Termination Proofs for Programs with Shape-Shifting Heaps. In

Computer-Aided Verification (CAV), LNCS 4144, pp. 386–400.[8] BARROCA, B., LÚCIO, L., AMARAL, V., FÉLIX, R. and SOUSA, V. (2010) DSLTrans: A Turing-Incomplete Transformation Language. In Conference

on Software and Language Engineering (SLE), pp. 296–305.

Graph-Based Transformations [1]

Meta-Programming Languages

Sufficient Criteria

• Reduction of the rules’ form [2]

• Reduction to another technical space [3]

• Detection of possible sources of infinite computations [4,5]

Abstract Interpretation on top of low-level artifacts:• Finiteness of variable

pointers length [6]• Effective progress within

loops [7]

Expressiveness Reduction

• Layered and in-place transformations [8]

22

DeterminismGraph-Based Transformations [1]

(critical pairs) MPLs

Sufficient Criteria

• Local confluence (in terminating systems [1])• For TAGG [2]• For GBTs with control conditions [3]

• Critical Pairs detections• Injective matches, without deleting

rules pairs [4]• EMF containment preserving [5]

• Confluence for aspect weaving [6]

Deterministic by

nature…

Expressiveness Reduction

• Layered and in-place transformations, with layer amalgamation [7]

[1] PLUMP, D. (2005). Confluence of Graph Transformation Revisited. In Processes, Terms and Cycles: Steps on the Road to Infinity, vol. 3838, pp. 280–308

[2] HECKEL, R., KÜSTER, J. M., TAENTZER, G. (2002). Confluence of Typed Attributed Graph Transformation Systems. In ICGT, pp. 161–176.[3] KÜSTER, J. M. (2006). Definition and Validation of Model Transformations. SOSYM, 5(3), pp. 233–259.[4] LAMBERS, L., EHRIG, H., OREJAS, F. (2006). Efficient Detection of Conflicts in Graph-based Model Transformation. In ENTCS 152, pp. 97–

109.[5] BIERMANN, E. (2011). Local Confluence Analysis of Consistent EMF Transformations. In ECEASST 38, pp. 68–84.[6] GRØNMO, R., RUNDE, R., MØLLER-PEDERSEN, B. (2011). Confluence of Aspects For Sequence Diagrams. SOSYM, pp. 1–36, Sep. 2011.[7] BARROCA, B., LÚCIO, L., AMARAL, V., FÉLIX, R. and SOUSA, V. (2010) DSLTrans: A Turing-Incomplete Transformation Language. In

Conference on Software and Language Engineering (SLE), pp. 296–305.

Property (kind)Transformation – Related

PropertyLanguage – Related

Property

• On the source / target model(s)• On the model’s syntax relations• On the model’s semantic relations

Transformation


30

Model Syntax Relations

[1] D. AKEHURST, S. KENT, and O. PATRASCOIU, “A Relational Approach to Defining and Implementing Transformations in Metamodels,” SOSYM, vol. 2(4), pp. 215–239, 2003.

[2] A. NARAYANAN and G. KARSAI, “Verifying Model Transformation By Structural Correspondence,” ECEASST, vol. 10, pp. 15–29, 2008.[3] A. SCHÜRR and F. KLAR, “15 Years of Triple Graph Grammars,” in ICGT, 2008, pp. 411–425.[4] L. LÚCIO, B. BARROCA, and V. AMARAL, “A Technique for Automatic Validation of Model Transformations,” in MODELS, 2010.

The fact that certain relations exist between the elements of the source (meta)models and their counterparts in the target (meta)models implies a correct transformation

31

Model Semantics Relations

[1] A. NARAYANAN and G. KARSAI, “Towards Verifying Model Transformations,” ENTCS, vol. 211, pp. 191–200, April 2008.[2] D. VARRO and A. ́ PATARICZA, “Automated Formal Verification of Model Transformations,” in CSDUML, 2003, pp. 63–78.[3] B.BECKER, D.BEYER, H.GIESE, F.KLEIN and D.SCHILLING, “Symbolic Invariant Verification For Systems With Dynamic Structural Adaptation,”

in ICSE, 2006.[4] J.PADBERG,M.GAJEWSKY andC.ERMEL,“Refinement versus Verification: Compatibility of Net Invariants and Stepwise Development of

High-Level Petri Nets,” Technische Universita t Berlin, Tech. Rep., 1997. ̈[5] T.MASSONI,R.GHEYI,andP.BORBA,“Formal Refactoring for UMLClass Diagrams,” in BSSE, 2005, pp. 152–167.

If certain relations can be established between the semantic domainsof the source and target (meta)models, then the transformation is correct

32


If certain relations can be established between the semantic domainsof the source and target (meta)models, then the transformation is correct


• Bisimulation / simulation [1]• Preservation of temporal logic formulas [2]• (in particular) preservation of safety properties [3,4]• Preservation of structural semantics [5]

[1] A. NARAYANAN and G. KARSAI, “Towards Verifying Model Transformations,” ENTCS, vol. 211, pp. 191–200, April 2008.[2] D. VARRO and A. ́ PATARICZA, “Automated Formal Verification of Model Transformations,” in CSDUML, 2003, pp. 63–78.[3] B.BECKER, D.BEYER, H.GIESE, F.KLEIN and D.SCHILLING, “Symbolic Invariant Verification For Systems With Dynamic Structural Adaptation,”

in ICSE, 2006.[4] J.PADBERG,M.GAJEWSKY andC.ERMEL,“Refinement versus Verification: Compatibility of Net Invariants and Stepwise Development of

High-Level Petri Nets,” Technische Universita t Berlin, Tech. Rep., 1997. ̈[5] T.MASSONI,R.GHEYI,andP.BORBA,“Formal Refactoring for UMLClass Diagrams,” in BSSE, 2005, pp. 152–167.

FORMAL VERIFICATION

Type I:Transformation Independent / Input Independent

Property (kind)

Transformation


Type II:Transformation Dependent / Input Independent

Type II:Transformation Dependent / Input Dependent

36

Verification Techniques

[1] BARROCA, B., LÚCIO, L., AMARAL, V., FÉLIX, R. and SOUSA, V. (2010) DSLTrans: A Turing-Incomplete Transformation Language. In Conference on Software and Language Engineering (SLE), pp. 296–305.

[2] EHRIG, H. & K., TAENTZER, G., DE LARA, J., VARRÓ, D. and VARRÓ-GYAPAI, S. (2005). Termination Criteria for Model Transformation. In FASE, 2005.[3] VARRÓ, D., VARRÓ-GYAPAI, S., EHRIG, H., PRANGE, U., TAENTZER, G. (2006) Termination Analysis of Model Transformations by Petri Nets. In ICGT,

LNCS 4178, pp. 260–274.[4] BRUGGINK, H. S. (2008). Towards a Systematic Method for Proving Termination of Graph Transformation Systems. ENTCS, 213(1).[5] KÜSTER, J. M. (2006). Definition and Validation of Model Transformations. SOSYM, 5(3), pp. 233–259.[6] LÚCIO, L., BARROCA, B., AMARAL, V. (2010). A Technique for Automatic Validation of Model Transformations, In MODELS, pp. .[7] RENSINK, A., SCHMIDT, A., VARRO, D. (2004). Model Checking Graph Transformations: A Comparison of Two Approaches, ICGT.[8] B. BECKER, D. BEYER, H. GIESE, F. KLEIN, AND D. SCHILLING, (2006). Symbolic Invariant Verification For Systems With Dynamic Structural

Adaptation,ICSE.[9] M. ASZTALOS, L. LENGYEL, AND T. LEVENDOVSZKY (2010). Towards Automated, Formal Verification of Model Transformations, ICST.[10] R. F. PAIGE, P. J. BROOKE, AND J. S. OSTROFF (2007).Metamodel-Based Model Conformance and Multi-View Consistency Checking, ACM

TOSEM, 16(3), pp. 1–48.[11] A. NARAYANAN AND G. KARSAI (2008). Verifying Model Transformation By Structural Correspondence, ECEASST, vol. 10, pp. 15–29.[12] A. NARAYANAN AND G. KARSAI (2008) “Towards Verifying Model Transformations,” ENTCS, VOL. 211, PP. 191–200.[13] J. DE LARA AND H. VANGHELUWE, (2010). Automating the Transformation-Based Analysis of Visual Languages, FAC, VOL. 22(3-4), PP. 297–

326.[14] K. ANASTASAKIS, B. BORDBAR, AND J. M. KUSTER, (2007). Analysis of Model Transformations via Alloy, MoDeVVA,, pp. 47–56.

Transformation Independent Transformation Dependent

Input Independent Type I: [1], [2], [3], [4], [5]

Type II: [6], [7], [8], [9], [10]

Input Dependent ?Type III: [11], [12], [13], [14]

37

Verification Techniques: Type IType I

Proposing (Proving a property) a theorem (e.g. Church-Rosser Theorem) & realizing the theorem in

a language [1] or an approach [2,3,4,5]

By construction of the TL:E.g., DSLTrans guarantees termination

& confluence [1]

By construction of the transformation:

- e.g., critical pair analysis in AGG [2];- e.g., termination criteria [2, 3, 4, 5].



LNCS 4178, pp. 260–274.[4] BRUGGINK, H. S. (2008). Towards a Systematic Method for Proving Termination of Graph Transformation Systems. ENTCS, 213(1).[5] KÜSTER, J. M. (2006). Definition and Validation of Model Transformations. SOSYM, 5(3), pp. 233–259.

38










Type II: [6], [7], [8], [9], [10]


39

Verification Techniques: Type IIType II

Model Checking

E.g. DSLTrans Model Checker[6], Spin & Groove [7]

Static Analysis

E.g. Backward application of rules

to forbidden patterns [8]

Theorem Proving

E.g. Deduction rules [9], using

theorem provers [10]

[6]L. L´UCIO, B. BARROCA, AND V. AMARAL (2010). A Technique for Automatic Validation of Model Transformations, MODELS. [7] A. RENSINK, A` . SCHMIDT, AND D. VARRO´(2004). Model Checking Graph Transformations: A Comparison of Two Approaches, ICGT.[8] B. BECKER, D. BEYER, H. GIESE, F. KLEIN, AND D. SCHILLING, (2006). Symbolic Invariant Verification For Systems With Dynamic Structural Adaptation,ICSE.[9] M. ASZTALOS, L. LENGYEL, AND T. LEVENDOVSZKY (2010). Towards Automated, Formal Verification of Model Transformations, ICST.[10] R. F. PAIGE, P. J. BROOKE, AND J. S. OSTROFF (2007).Metamodel-Based Model Conformance and Multi-View Consistency Checking, ACM TOSEM, vol. 16, no. 3, pp. 1–48,.

40










Type II: [6], [7], [8], [9], [10]


41

Verification Techniques: Type IIIType III

Traceability links

E.g. Verifying structural

correspondence [11], & state reachability

[12]

Petri Net Analysis

E.g. Transformation & manipulated models

transformed into Petri Nets for analysis[13]

Constraint Solvers

E.g. Alloy for simulation &

assertion checking [14]

[11] A. NARAYANAN AND G. KARSAI (2008). Verifying Model Transformation By Structural Correspondence, ECEASST, vol. 10, pp. 15–29. [12] A. NARAYANAN AND G. KARSAI (2008) “Towards Verifying Model Transformations,” ENTCS, VOL. 211, PP. 191–200.[13] J. DE LARA AND H. VANGHELUWE, (2010). Automating the Transformation-Based Analysis of Visual Languages, FAC, VOL. 22(3-4), PP. 297–326.[14] K. ANASTASAKIS, B. BORDBAR, AND J. M. K¨USTER, (2007). Analysis of Model Transformations via Alloy, MODEVVA,, pp. 47–56.

42

Verification TechniquesTransformation

Independent Transformation Dependent


Type II: [6], [7], [8], [9], [10]








Property (kind)

Transformation


Impact of the transformation’s intention on the properties of interest

Impact of the transformation’s paradigm and form on the FV technique used

Conclusion & Future Work

A Tridimensional Approach for Studying the Formal Verification of Model Transformations

Documents

Transcript of A Tridimensional Approach for Studying the Formal Verification of Model Transformations