Automated Verification of Model Transformations in the Automotive Industry
Transcript of Automated Verification of Model Transformations in the Automotive Industry
AUTOMATED VERIFICATION OF MODEL TRANSFORMATIONS IN THE AUTOMOTIVE INDUSTRY
GEHAN M. K. SELIM, FABIAN BÜTTNER, JAMES R. CORDY, JUERGEN DINGEL, SHIGE WANG
AGENDA
- Motivation
- Objective
- The Model Transformation Problem
- The Verification Methodology
- Case Study: Automatically Verifying the GM-2-AUTOSAR Transformation
- Results
  - Verifying the 18 OCL Constraints
  - Performance of the Verification Approach
- Discussion
  - Strengths of the Verification Approach
  - Weaknesses of the Verification Approach
- Conclusion & Future Work
MOTIVATION
- MDD
- Model Transformations
- Verification
Are those concepts practical to use in industry?
MOTIVATION
- Industrial experiences in adopting MDD…
  - T. Cottenier, A. Van Den Berg, T. Elrad “The Motorola WEAVR: Model Weaving in a Large Industrial Context” AOSD 2007.
  - P. Mohagheghi, V. Dehlen “Where is the Proof? - A Review of Experiences from Applying MDE in Industry” ECMDA-FA 2008.
- Few studies on industrial model transformations…
  - A. Daghsen, K. Chaaban, S. Saudrais, P. Leserf “Applying Holistic Distributed Scheduling to AUTOSAR Methodology” ERTSS 2010.
  - H. Giese, S. Hildebrandt, S. Neumann “Model Synchronization at Work: Keeping SysML and AUTOSAR Models Consistent” Graph Transformations & Model-Driven Engineering 2010.
  - G. Selim, S. Wang, J. Cordy, J. Dingel “Model Transformations for Migrating Legacy Models: An Industrial Case Study” ECMFA 2012.
- Verifying industrial model transformations ??
OBJECTIVE
What? • Validate an industrial model transformation [1]
How? • Using an automated verification prototype [2]
Why?
• Report on the practicality of using automated verification in industry
• Discuss any issues that need to be addressed for the industry to readily adopt such prototypes
[1] G. Selim, S. Wang, J. Cordy, J. Dingel "Model Transformations for Migrating Legacy Models: An Industrial Case Study", ECMFA 2012
[2] F. Büttner, M. Egea, J. Cabot, M. Gogolla “Verification of ATL Transformations Using Transformation Models and Model Finders”, ICFEM 2012
THE MODEL TRANSFORMATION PROBLEM
[Figure: GM Models (conforming to the GM Metamodel) --GM-2-AUTOSAR Transformation--> AUTOSAR Models (conforming to the AUTOSAR Metamodel)]
[1] G. Selim, S. Wang, J. Cordy, J. Dingel "Model Transformations for Migrating Legacy Models: An Industrial Case Study", ECMFA 2012
THE VERIFICATION METHODOLOGY
Transformation Model:
- Elements representing: T, MM_src, MM_tar
- OCL Constraint sets: SEM, PRE, POST
[Figure: the ATL Transformation T, the Source Metamodel (MM_src) and the Target Metamodel (MM_tar) are transformed into a Transformation Model (OCL)]
[1] F. Büttner, M. Egea, J. Cabot, M. Gogolla “Verification of ATL Transformations Using Transformation Models and Model Finders”, ICFEM 2012
THE VERIFICATION METHODOLOGY
For each property Post_i, the transformation model together with the negation of Post_i must be unsatisfiable.
What • Check partial correctness of the transformation model w.r.t. properties (OCL Constraints)
How
• Check if there is a counterexample in a specific scope (i.e. a maximum number of objects per class)
• Use satisfiability checkers or model finders, e.g., the USE Validator [1][2]
[1] M. Kuhlmann, L. Hamann, M. Gogolla “Extensive Validation of OCL Models by Integrating SAT Solving into USE” TOOLS 2011
[2] The USE Validator, available online: http://sourceforge.net/projects/useocl/files/Plugins/ModelValidator/
THE VERIFICATION METHODOLOGY
- Run the prototype to generate the USE specification & the search configuration
- Add the constraints to the USE specification & negate the constraint in the search configuration
- Run the tool once for each of the postconditions
[Figure: translation chain ATL + Ecore + OCL → Ecore + OCL → Relational Logic → Propositional Logic]
CASE STUDY: AUTOMATICALLY VERIFYING THE GM-2-AUTOSAR TRANSFORMATION
Old Implementation
• 2 ATL Matched Rules
• 9 Functional Helpers
• 6 Attribute Helpers
New Implementation
• 3 Matched Rules
• 2 Lazy Rules
CASE STUDY: AUTOMATICALLY VERIFYING THE GM-2-AUTOSAR TRANSFORMATION
18 OCL Postconditions
- Target Invariants
  - 6 Multiplicity Invariants
  - 1 Security Invariant
- Transformation Contracts
  - 9 Uniqueness Contracts
  - 2 Pattern Contracts
[Figure labels: “Automatically Generated by the Prototype”, “Manually Formulated”]
OCL Preconditions … ?
CASE STUDY: AUTOMATICALLY VERIFYING THE GM-2-AUTOSAR TRANSFORMATION
-- target multiplicity invariant: every CompositionType must reference at least one component
context CompositionType inv CompositionType_component: self.component->size() >= 1
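The bounded check from the methodology slides, applied to the CompositionType_component invariant above, as an added Python example that is not part of the original slides or the authors' prototype. The source and target classes and the transformation rule are constructed toy stand-ins (not the GM or AUTOSAR metamodels, nor the real GM-2-AUTOSAR rules), and brute-force enumeration of source models up to a scope replaces the SAT-based model finder.

```python
from dataclasses import dataclass, field
from itertools import product

@dataclass
class SrcComponent:        # constructed toy source class: a component owning zero or more parts
    name: str
    parts: list = field(default_factory=list)

@dataclass
class CompositionType:     # constructed toy target class: a composition referencing components
    name: str
    component: list = field(default_factory=list)

def transform(src):
    """Hypothetical matched rule T: each SrcComponent yields one CompositionType whose
    'component' list holds its transformed parts; nothing forces that list to be non-empty."""
    return [CompositionType(c.name, [f"{c.name}.{p}" for p in c.parts]) for c in src]

# Target multiplicity invariant from the slides, as a predicate over target models:
#   context CompositionType inv CompositionType_component: self.component->size() >= 1
def post_composition_type_component(tgt):
    return all(len(t.component) >= 1 for t in tgt)

# A candidate precondition (PRE set): every source component owns at least one part.
def pre_has_parts(src):
    return all(len(c.parts) >= 1 for c in src)

def find_counterexample(post, scope, pre=lambda src: True):
    """Bounded check of one postcondition: enumerate every source model with 1..scope
    components owning 0..scope parts each, keep those satisfying PRE, and return the first
    whose image under T violates post (a witness that T, PRE and not-post are jointly
    satisfiable within the scope). Enumeration stands in for the SAT-based model finder."""
    for n in range(1, scope + 1):
        for sizes in product(range(scope + 1), repeat=n):
            src = [SrcComponent(f"c{i}", [f"p{j}" for j in range(k)]) for i, k in enumerate(sizes)]
            if not pre(src):
                continue
            tgt = transform(src)
            if not post(tgt):
                return src, tgt
    return None

def verify(post, max_scope, pre=lambda src: True):
    """Repeat the check for scopes 1..max_scope (the slides went up to 12); return
    (scope, (src, tgt)) for the smallest violating scope, or None if none is found."""
    for scope in range(1, max_scope + 1):
        found = find_counterexample(post, scope, pre)
        if found is not None:
            return scope, found
    return None
```

Without a precondition the invariant is refuted already at scope 1 (a source component with no parts); adding pre_has_parts to the PRE set removes the counterexample, which is the kind of question the "OCL Preconditions … ?" slide raises.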
RESULTS: VERIFYING THE 18 OCL CONSTRAINTS
- 2 Multiplicity Invariants of the 18 constraints are violated:
  - CompositionType_component
  - SwcToEcuMapping_component
RESULTS: VERIFYING THE 18 OCL CONSTRAINTS
[Figure: CompositionType_component (violated invariant)]
RESULTS: PERFORMANCE OF THE VERIFICATION APPROACH
- Standard laptop (2.50 GHz, 16GB of memory)
- Ran the verification prototype:
  - once for each constraint
  - for scopes up to 12
- For each scope & constraint, 2 numbers were generated:
  - Translation Time: time taken to translate the relational logic representation of the transformation into propositional logic.
  - Constraint Solving Time: time taken by the SAT solver to solve the propositional representation of the transformation.
RESULTS: PERFORMANCE OF THE VERIFICATION APPROACH
DISCUSSION: STRENGTHS OF THE VERIFICATION APPROACH
Full Automation
• Translation from ATL & constrained metamodels to a constrained Ecore model & then to relational logic
• Verification of industrial transformation models up to a scope of 12!
Verifying a Substantial Subset of ATL
• Except for imperative blocks, recursive lazy rules, & recursive queries
• 83/131 transformations in the ATL Zoo are in this fragment… 24 of the remaining 48 transformations can be expressed declaratively… too!
DISCUSSION: WEAKNESSES OF THE VERIFICATION APPROACH
Correctness of the ATL-2-Relational-Logic Translation
• Testing & Inspection
• BUT cannot formally prove correctness: no formal semantics for ATL & OCL
Bounded Search Approach
• Scope too small to verify the transformation?
• Maximum scope to use is transformation-dependent
CONCLUSION & FUTURE WORK
- Demonstrated using an automated verification prototype [1] to verify an industrial transformation [2]
- Result: the used prototype uncovered 2 bugs!
- Performance: verifying the transformation up to a scope of 12 was possible!
Application of automated verification to a case study was successful & practical to use in an industrial context
[1] F. Büttner, M. Egea, J. Cabot, M. Gogolla “Verification of ATL Transformations Using Transformation Models and Model Finders”, ICFEM 2012
[2] G. Selim, S. Wang, J. Cordy, J. Dingel "Model Transformations for Migrating Legacy Models: An Industrial Case Study", ECMFA 2012
CONCLUSION & FUTURE WORK
- More industrial transformations in the case study
- Use incremental SAT solvers
- Pruning of the transformation model