formal analysis of model transformations

Sensoria016004Software Engineering for Service-Oriented Overlay Computers

www.sensoria-ist.eu

D7.1.b

Formal Analysis of Model Transformations

Lead contractor for deliverable: ULEICESAuthor(s): Denes Bisztray (ULEICES), Karsten Ehrig (ULEICES), Reiko Heckel (ULEICES),Paolo Torrini (ULEICES), Andrea Corradini (PISA), Barbara Konig (Duisburg-Essen),Paolo Baldan (Padova), Luciano Baresi (Milano)

Due date of deliverable: March 01, 2008Actual submission date: October 1, 2008Revision: FinalDissemination level: PU

Contract start date: September 1, 2005 Duration: 48 monthsProject coordinator: LMUPartners: LMU, UNITN, ULEICES, UWARSAW, DTU, PISA, DSIUF,

UNIBO, ISTI, FFCUL, UEDIN, ATX, TILab, FAST, BUTE,S&N, LSS-Imperial, LSS-UCL, MIP, ATXT, CIR

Integrated Project funded by theEuropean Community under the“Information Society Technologies”Programme (2002—2006)

D7.1.b Formal Analysis of Model Transformations (Final) October 1, 2008

Contents

1 Introduction 31.1 Concurrency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31.2 Denotational Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31.3 Operational Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2 Related Work 42.1 Termination and well-definedness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62.2 Preservation of semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62.3 Temporal properties and model checking . . . . . . . . . . . . . . . . . . . . . . . . . . 6

2.3.1 Unfolding and Augur . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72.3.2 Partitioning and GROOVE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72.3.3 CheckVML and SPIN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72.3.4 Other LTL-based approaches . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82.3.5 Stochastic methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

2.4 Automated verification of invariants . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82.5 Application of interactive theorem proving . . . . . . . . . . . . . . . . . . . . . . . . . 8

3 Contributions 83.1 Verification of Infinite State Graph Transformation Systems . . . . . . . . . . . . . . . . 9

3.1.1 Graph transformation systems . . . . . . . . . . . . . . . . . . . . . . . . . . . 93.1.2 Under-approximations (k-truncations). . . . . . . . . . . . . . . . . . . . . . . 93.1.3 Over-approximations (k-coverings). . . . . . . . . . . . . . . . . . . . . . . . . 9

3.2 Compositionality of Model Transformations . . . . . . . . . . . . . . . . . . . . . . . . 103.2.1 Formalising Compositionality . . . . . . . . . . . . . . . . . . . . . . . . . . . 113.2.2 Conditions for Compositional Mapping . . . . . . . . . . . . . . . . . . . . . . 123.2.3 Application to the Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . 123.2.4 CSP as Semantic Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133.2.5 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

3.3 Executable Business Processes as Activity Diagrams . . . . . . . . . . . . . . . . . . . 133.3.1 Transformations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143.3.2 Meta-model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153.3.3 Operational Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163.3.4 Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

4 Relevant SENSORIA Publications and Reports 18

5 Conclusion 19

016004 (Sensoria) 2


1 Introduction

Transformations of models are the key technology of Model-driven Development (MDD), an approachto software development where graphical models (rather than programs) are the focus and primary tech-nical artefact. Transformations between development artefact like models, programs, or formal specifi-cations are also at the heart of the SENSORIA methodology [EHV06]. This includes mappings betweenhigh-level models of services as developed by WP1 and specifications in the core calculi proposed byWP2 and WP5, but also mappings into languages used for formal verification in WP3 and WP4 andfor implementation in WP6. In order to maintain a high quality throughout the development process,it is important that such mappings are performed in a systematic, controlled manner and that they arethemselves open to verification of well-definedness and termination of transformations, the preservationof structural properties of models or behavioural properties expressed by temporal logics, but also thecompatibility of transformations with the semantics of models.

Model transformations in SENSORIA are specified by graph transformations [Roz97] which providea powerful specification formalism combining a visual appearance with a formal semantics and facilitiesfor verification. Given the body of existing work (reviewed in Section 2 below) and the specific re-quirements of the project, where most modelling and specification languages are equipped with a formalsemantics, we are particularly interested in the last aspect of verification, addressing model semantics.

Therefore, this deliverable, after giving a general survey of verification techniques for graph andmodel transformations, discusses three contributions addressing the operational or denotational seman-tics of models as well as the compatibility of model transformations with these semantics.

1.1 Concurrency

Graph Transformations Systems are particularly suited for the specification of concurrent, distributedand mobile systems [EKMR99], generalising another classical model of concurrency, namely Petrinets [Rei85].

For instance, graphs can be used to represent the logical and topological relations among the com-ponents of a distributed system, the connectivity in a network, the rights that system entities have overresources, the structure of the heap for a program with dynamic pointer structures. For highly dynamicsystems, where, e.g., changes in the connectivity or in the structure of the network are part of the normalbehaviour, the dynamics of the system can be naturally expressed by means of graph rewriting rules.

Given the semantical relationship between nets and graph transformation systems, the followingquestion may arise: is it possible to devise automated verification techniques for GTSs which exploittheir concurrent semantics? One of the contributions presented in this deliverable, in presenting thefoundations of a methodology for verifying infinite-state graph transformation systems, and by elabo-rating and generalising the work presented in [BCK01, BK02], may indeed be regarded as a positiveanswer.

1.2 Denotational Semantics

Denotational semantics of programming languages are by definition compositional. In order to enjoy asimilar property in the case of model transformations, every component of the source model should bedistinguishable in the target model and the mapping compatible with syntactic and semantic composition.As a first step, we propose a formal definition of compositionality for mappings from typed graphs to se-mantic domains. Moreover, in order to verify compositionality, a semantic criterion has been establishedfor the implementation of the mappings relying on graph transformations with negative application con-ditions. As an example of compositional transformation we present one that maps architectural modelsdescribed in UML component diagrams to CSP.

016004 (Sensoria) 3


1.3 Operational Semantics

With respect to semantic compatibility in operational semantics, we draw an example from the transfor-mation of executable business processes inspired by BPEL4WS, the Business Process Execution Lan-guage for Web Services [IBM03], and presented using the notation of UML activity diagrams.

In order to formalise a notion of semantic compatibility between the distributed and the originalprocess, taking into account that not all features of one may exist in the other, operational semantics ofcentralised and distributed processes need to be defined. To this end, it is introduced a notion of meta-model that captures the abstract syntax of executable processes, extended by information about theirexecution state. This meta model, formally represented as a type graph with inheritance, is the basis ofa set of operational semantics rules. This approach allows us to specify the operational semantics andtransformations in the same formalism, thus simplifying the analysis. The semantic relation is estab-lished by associating observations with operational rules, generating the labelled transition systems ofprocesses, and applying the standard notion of bisimilarity modulo a suitable projection of transitionsonto common labels.

The proof that the semantic relation holds for all the processes that are obtained from each otherby application of transformation rules realising the distribution is based on the idea of mixed conflu-ence [EE05]: If transformation rules are exchangeable with operational rules, the application of a trans-formation does not reduce the operational semantics. Mixed confluence is shown by critical pair analysis[EEPT06] of model transformation vs. semantic rules. This allows us to establish a simulation relationbetween the given and the derived process. Since graph transformation rules are invertible, the sametechnique can be used to show bisimilarity.

2 Related Work

Graph transformation systems (GTSs) have been given different mathematical foundations. Apart fromthose broadly based on set theory, there are two algebraic approaches based on category theory (referredto as double and single pushout, respectively) and a logical one based on monadic second-order logic[Roz97]. In the double pushout approach (DPA) each production rule is defined as a pair of injectivetotal morphisms from a common interface graph, a match is a total morphism that satisfies two gluingconditions, and rule application results into a double pushout diagram. In the single pushout approach(SPA) each rule is given as a partial morphism, a match is a total morphism, and application results intoa pushout diagram. In contrast with DPA, SPA requires an ad-hoc policy to solve conflicts.

The intuitive character of graph representations, quite independently of their mathematical charac-terisation, makes their use in system modelling useful both at the high, architectural level (e.g. UML,category theory) and at the low, semantical one (e.g. statecharts, finite state machines, Petri nets, Kripkemodels). On the other hand, similarity with rewrite systems makes modelling syntactic transformation asGTSs a natural extension of textual methods such as process calculi. It is perhaps a combination of thesetwo elements that makes the use of GTSs particularly attractive in the semantic modelling of complexsystems, such as concurrent and mobile ones, where dynamic aspects associated to internal evolution andarchitectural interaction is essential, as well as in the representation of model transformations associatedto syntactic rules. In other words, GTSs can be useful for building a system model from its semanticcomponents, as well as for giving a semantics to its formal representation.

Articulating more a distinction already introduced in [EHV06], we can draw three main lines ofapplications for GTSs — operational semantics, model refactoring and model translation, as follows:

• operational semantics

– small step semantics, e.g. when the system is represented as a state machine where states aregraphs and transitions are production rules

016004 (Sensoria) 4


– large-step semantics, e.g. when the system is represented in terms of process calculus andoperational rules are associated to production rules

• model transformation

– as model refactoring

– as system reconfiguration

• model translation

– between different representation of a system, where production rules represent translationrules

– as parallel development of systems, where production rules associate parallel developmentsteps

The formal verification of GTS can take different forms, depending on the general approach that isused to represent models, to express properties, and to carry out proofs. Each form can be more or lessconvenient depending on what needs to be verified. We can essentially distinguish between three mainapproaches [AGM93, Bun86]:

• mathematical approach: relying on set-theoretic or algebraic characterisations of GTSs in order toprove that certain systems have a property

• model checking approach: translating GTSs to Kripke-style models and carrying out proofs bymodel checking in a decidable logic — typically a temporal, modal or domain-specific one

• formal approach: relying on the logical characterisation of GTSs and of the properties to be veri-fied, carrying out proofs, typically interactive ones, in a fragment of higher-order logic

The mathematical approach has the advantage of expressiveness, domain specificity and mathemati-cal intuitiveness, but it has the drawback of being difficult to deal with in a mechanised way. The formalapproach still offers great expressiveness and is easier to deal with from the point of view of mechanisa-tion, though at the expenses of intuition. The model checking approach offers the most from the point ofview of automation, though at the expenses of expressiveness.

In most cases, the mathematical approach involves manual proofs of general results, and is typi-cally directed to foundational aspects, such as termination, confluence, semantic equivalence. The modelchecking approach, probably the more interesting from the industrial point of view, can be used to dealwith temporal properties expressible in logics such as LTL and CTL, as well as with architectural prop-erties that can be captured in terms of modalities. The formal approach, also oriented toward the mech-anisation of proofs, can cope with properties that involve quantification, allowing for greater generalitythan model checking. However this can lead to proofs that typically may require interaction. Alterna-tively, less expressive formal systems may be automated using resolution-like or tableaux-based theoremproving.

A trendlike distinction between different problems can be drawn here depending on the character ofthe property to be verified, which may be a structural property of a GTS, e.g. confluence and termination,a relation between different GTSs, i.e. some form of semantic equivalence or compatibility, a propertyof a GTS with respect to given states, e.g. a reachability property, or a property of all states of a GTS,i.e. an invariant. We can give a brief summary of different problems, GTS applications and verificationmethodologies that have been considered:

• termination and confluence: associated to the similarity of GTSs with rewriting systems

• semantic equivalence or compatibility: particularly useful in translation and refactoring

016004 (Sensoria) 5


• temporal properties: typically reachability ones, e.g. safety and liveliness; important for opera-tional semantics and reconfiguration; often expressed in a temporal logic to be model checked

• architectural properties: e.g. invariants, reachability properties; often expressible in 2nd-orderlogic; e.g. topological and spatial properties, properties associated to similarity in shape; some no-tions can be modelled in modal logic and model checked, other ones may require more expressivepower

2.1 Termination and well-definedness

The concept of confluence and critical pair analysis presented in [HKT02] can be used to ensure globaldeterminism in the locally non-deterministic application of graph production rules, and to provide uniqueresults for isomorphic source models. A working implementation for checking critical pairs [BTS00] canbe found in AGG [AGG07]. Criteria for termination — the other important ingredient for nondeterminis-tic graph transformations — were introduced in [EEdL+05, LPE07]. An implementation for terminationchecking is also built into AGG [BKPPT05]. These definitions are applied to graph transformations withbasic control conditions in [Kus06], relying on the introduction of transformation units.

Bidirectional transformations can be used to express the semantic relation between models and theirsemantic domain. As far as this kind of transformations are concerned, there are two notable approaches:Triple Graph Grammars (TGGs) [Sch94] and QVT [QVT05] from OMG. TGGs have a reliable toolsupport in [Fuj07]. Compositionality in bidirectional transformations is discussed in [Ste07].

2.2 Preservation of semantics

The most well-known example of behaviour-preserving transformations are refactorings. The term wasintroduced by Fowler [FBB+99] to stand for the restructuring of OO programmes, and since then sev-eral proposals for formalisation and verification based on first-order logics and invariants have beenmade [SPTJ01, LM04, MGB06].

The first formal approach to refactoring based on graph transformations is due to Mens [MDJ02],focussing on the analysis of conflicts and dependencies between rules. Refactoring of architectural mod-els has been studied formally in architectural description languages (ADLs) like WRIGHT [ADG98] orDarwin [MK96], using process calculi like CSP or π-calculus for expressing formal semantics.

The denotational approach reported on in Section 3 follows the outline of [EKGH01, EHK01], whichuse a mapping of UML-RT [Sel98] to CSP as semantic foundation.

2.3 Temporal properties and model checking

The verification of a system with respect to temporal properties is often based on the translation of thesystem to a formal model that can be checked against a logic formula by an automatic tool (i.e. model-checker). Alternatively, systems can be formalised in a logic and verified by carrying out formal proofs,either automatically or interactively, using a theorem prover.

Automated verification, for all the crucial role it may play in the formal analysis of dynamicallyevolving systems, appears to have been covered until recently by a comparatively small section of theotherwise very rich literature on GTSs. A few early major contributions in the static analysis of suchsystems are [Koc00, GHK98, Hec98a]. In [Hec98b] the author introduced an abstract theory of over-approximations (system views) based on graph transformations, aiming at the verification of reactivesystems, relying on the interpretation of a branching time logic into models models built as DPO GTSs.

Since then, several approaches based on model-checking have been introduced. On one hand, GTS-specific model-checking tools have been implemented. GROOVE [Ren04b] is a graph analysis tool thatprovides model checking based on GTS state space models. Augur [KK05, KK08b] is a graph analysistool based on the translation of GTSs to Petri nets and on the application of Petri net analysis techniques.On the other hand, generic model checkers have been used. This is particularly true for SPIN [Hol03],

016004 (Sensoria) 6


an on-the-fly model checker that has a CSP-based input language — Promela. In contrast with statespace-based approaches, on-the-fly model checking can work without generating full Kripke model.Another generic tool that has been used in this context is Bogor [RDH03], an extensible model-checkingframework.

Interesting comparisons between some of the main trends can be found in [BKR05] — between theunfolding approach implemented in Augur and the partitioning approach, and [RSV04] — between theGROOVE-based and the SPIN-based approach. Research has mainly focused on abstraction techniquesto cover large and infinite models [BK02, BCK08, KK06, Ren04a, Ren04c, BBER08, Ren08], on allow-ing for more expressive systems (e.g. with types and attributes) [KK08a, Kas05, Var04, HLM06], and onmaking state-of-the-art generic model-checking techniques available for GTS verification [SV03, Var04,DLRdS03, DMdS05, FFR07].

2.3.1 Unfolding and Augur

The concurrent behaviour of GTSs has been studied in depth, leading to a theory of concurrency whichgeneralises the corresponding semantics of Petri nets, including the semantics of processes and unfolding(see, e.g., [CMR96, Rib96, BCM98, BCMR07]). Several methods have been successfully proposed forthe analysis of Petri nets, ranging from the calculus of invariants [Rei85] to model checking based onfinite complete prefixes [McM93, Esp94]. Some of these methods, notably one originally proposedby McMillan in [McM93], are based on the concurrent semantics of nets, and more precisely on theirunfolding semantics, which may be used to help containing the combinatorial explosion often associatedwith an exploration of the interleavings of concurrent events.

The unfolding approach to GTS model-checking [BCM99, BK02, BKK03, BCK04, BCK08] [KK06,KK08a] relies on a translation of GTSs to models based on Petri nets and on the application of anunfolding strategy. It has been implemented in Augur [KK05, KK08b]. This is also the underlyingapproach in a counterexample-guided abstraction refinement technique implemented [KK06] and morerecently extended to support attributed graphs [KK08a].

2.3.2 Partitioning and GROOVE

The model-checking approach presented in [Ren03, KR06, Ren08] is based on graph transformationtechniques as they have been implemented in the GROOVE tool [Ren04b]. Given a GTS, GROOVEcan generate its state space and convert it to a Kripke model to be checked against temporal logic for-mulas [KR06]. Abstract interpretation techniques based on notions of abstract graph and abstract graphtransformation have been investigated, in order to deal with large systems. An abstraction approach (par-titioning) related to shape analysis and based on structural similarity between nodes of the state graphshas been developed in [Ren04a, Ren04c]. The aim of partitioning is to obtain tractable models basedon a logically intuitive notion of abstraction, in this is done by generating finite models, generic in thesize of data structures, from arbitrary ones. In a further development [BBER08], shape-based abstractionhas been joined with a form of topological abstraction, based on adjacency relations. The combinedabstractions have been shown to satisfy preservation and reflection with respect to a modal logic.

2.3.3 CheckVML and SPIN

Verification of GTSs can also be carried out relying on more standard model-checking techniques [SV03,Var04]. The CheckVML tool presented in [SV03] aims at the verification of arbitrary visual modellinglanguages, and it can be used to generate a model-level specification of a GTS in the form of a Promeladescription for the SPIN model checker. SPIN can be used to check models against LTL formulas. Incontrast with the GROOVE approach, the model translation is an optimised one — e.g. it tends to abstractstatic elements away, in order to avoid state explosion [Var04]. Another line of work based on translationto Promela and model-checking with SPIN can be found in [DLRdS03, DMdS05, FFR07].

016004 (Sensoria) 7


2.3.4 Other LTL-based approaches

The authors of [BGMM08] rely on standard SAT model-checking in order to carry out automaticallythe verification of behaviour models in which graph transformation is used to represent data abstraction.AGG is used to generate a GTS model that gets translated to a linear temporal logic model, and this canbe checked by a SAT-solver, relying on a bounded model-checking approach.

The proposal in [BRRS08] is to rely on Bogor, an extensible model-checking framework that can beused for generic as well as for domain-specific applications. AGG-like GTSs are translated to expressionsin BIR — the the input language of Bogor, and checked against LTL formulas. This approach can copewith typed and attributed graphs.

2.3.5 Stochastic methods

An alternative to methods based on abstract interpretation can be found in the stochastic approach pre-sented in [HLM06, Hec05]. According to the notions of stochastic GTS introduced in these paperstransitions can be associated to firing rate values. In [HLM06] the modelling of transformations is basedon DPO and attributed typed graph, whereas in [Hec05], where the prospected application is to mobilenetworks, it is based on SPO and typed graphs. A stochastic GTS can be translated to a continuous timeMarkov chain, using GROOVE, and then model checked against formulas in a stochastic logic (CSL).

2.4 Automated verification of invariants

The characterisation of GTS in terms of monadic 2nd-order logic [Cou97] has been used as a founda-tion for verification methods based on theorem proving, either automated or interactive. Representinggraphs and graph constraints in terms of formal logic can be used to verify that valid transformationsare constraint-preserving [OEP08, Pen08, BKK03], allowing for negative conditions, with possible ap-plications to visual software modelling [OEP08]. The authors of this paper define different classes ofconstraints and, correspondingly, proof rules that are sound and refutationally complete for each class.A refutational calculus based on a resolution-like rule for an undecidable class has been presented in[Pen08].

2.5 Application of interactive theorem proving

Interest in abstract high-level properties joint with the fact that these are often undecidable has led toapplications of interactive theorem proving, relying mostly on Isabelle-HOL [NPW02], an implementa-tion of higher-order logic with simple types and powerful automated tactics. The authors in [GGL+06]introduce a technique for parallel model and program development based on triple graph grammar trans-formations as implemented in the Fujaba tool [Fuj07]. They also introduce a method based on interactivetheorem proving, using Isabelle-HOL, in order to verify transformations in a general way, independentlyof model size. Another formalisation of graph transformations has been given in [Str08] and implementedas deep embedding in Isabelle-HOL. This formalisation is based on path expressions, defined as a subsetof first-order logic formulas. Determining whether a graph satisfies a path expression is decidable, butthe validity of the expressions is not in general, hence the need for interactive theorem proving. The au-thors of [dCR08] propose a formalisation of state transition models in monadic 2nd-order logic based onrecursive datatypes, allowing for the application of theorem proving techniques based on mathematicalinduction in order to reason about infinite-state models.

3 Contributions

In this section we discuss in more detail three approaches to verification to transformation. The firstis relevant if graph transformations are used directly to model operational semantics [BCK08]. The

016004 (Sensoria) 8


second discusses the verification transformations over models which are equipped with a denotationalsemantics, also specified by graph transformation [BH07]. The third addresses a similar question in thecase of operational semantics [BEH07].

3.1 Verification of Infinite State Graph Transformation Systems

3.1.1 Graph transformation systems

A common pattern used in the literature for verifying infinite-state systems, consists of considering anabstraction A of a concrete semantical model, providing a simpler description of the behaviour of theoriginal system. Such a description is approximative, but still useful to check some properties of interest.

In this paper we follow this pattern, by providing a characterisation of several finite approximationsof the full unfolding of GTSs, and showing how they can be used for verification. The approach isconstructive, and a prototypical tool for the construction of such approximations has been implemented.As in the case of Petri nets, the full unfolding of a GTS is a structure which fully describes the concurrentbehaviour of the system, including all possible rewriting steps and their mutual dependencies, as wellas all reachable states [Rib96, BCMR07]. Given a graph grammar, i.e., a GTS equipped with a starthypergraph, we show how to construct finite approximations of the full unfolding of the grammar, at anychosen level k of accuracy.

In more detail, we consider the following two kinds of approximations:

3.1.2 Under-approximations (k-truncations).

The unfolding of a graph grammar G can be defined as the union (categorically, the colimit) of its pre-fixes of finite causal depth. Hence “under-approximations” of the behaviour of G can be easily producedby stopping the construction of the unfolding at a finite causal depth k, thus obtaining the so-calledk-truncation T k(G) of the unfolding of G. In general, for infinite-state systems, any truncation of theunfolding will be just an under-approximation of the behaviour of the system, in the sense that anycomputation in the truncation can be executed in the original system as well, but not vice versa. Nev-ertheless, finite truncations can still be used to check interesting properties of the grammar, e.g., someliveness properties of the form “eventually A” for a predicate A.

3.1.3 Over-approximations (k-coverings).

A more challenging issue is to provide sensible over-approximations of the behaviour of a grammar G,i.e., finite approximations of the unfolding which “represent” all computations of the original system,but possibly more. To this aim, we propose an algorithm which, given a graph grammar G, produces afinite structure, called Petri graph, consisting of a hypergraph and of a P/T net (possibly not safe, andpotentially cyclic) over it, which can be seen as an (over-)approximation of the unfolding. The outcomeof the algorithm is not uniquely determined by the graph grammar, but changes according to the chosenlevel of accuracy: essentially one can require the approximation to be exact up to a certain causal depthk, thus obtaining the so-called k-covering Ck(G) of the unfolding of G.

The covering Ck(G) over-approximates the behaviour of G in the sense that every computation in Gis mapped to a valid computation in Ck(G) and every hypergraph reachable from the start graph can bemapped homomorphically to (the graphical component of) Ck(G), and its image is reachable in the Petrigraph. This allows us to identify a suitable class of graph properties (those reflected by graph morphisms)such that, if they hold for all graphs reachable in the covering Ck(G) then they also hold for all reachablegraphs in G. Important properties of this kind are the non-existence or non-adjacency of edges withspecific labels, the absence of certain paths (which could be used for checking security properties) orcycles (for checking deadlock-freedom). Temporal properties, such as several safety properties of theform “always A”, can be proved directly on the Petri net component of the coverings.

016004 (Sensoria) 9


The idea that finite under- and over-approximations can be used for checking properties of a graphgrammar G is enforced by identifying significant fragments of the µ-calculus for which the validity of aformula in some approximation implies the validity of the same formula in the original grammar.

Although some parts of the proposed methodology are fairly abstract and theoretical in nature,the application of our results to system verification is quite immediate. We have implemented thealgorithm computing the k-covering of a given graph transformation system. The tool—called AU-GUR—can be downloaded at http://www.ti.inf.uni-due.de/research/augur 1/ (seealso [KK05, KK08b]). The input and output of AUGUR is in GXL and GTXL, which are XML standardsfor the exchange of graphs and graph transformation systems, respectively. Suitable converters have beenadded in order to visualise rules and Petri graphs and to extract the Petri net component of a Petri graph,which can then be used as input for a Petri net analysis tool such as LoLA [Sch03] and other tools whichare included in the implementation. We have used this implementation in order to conduct case studies,analysing dynamic data structures such as red-black trees [BCE+05], properties of communication pro-tocols such as mutual exclusion [DKMdSR04] and absence of deadlocks. Furthermore we have studieda simplified network with a firewall [BCK02].

3.2 Compositionality of Model Transformations

As a consequence of the widespread use of visual languages, new applications for model transformationsarise presently. Model transformation techniques are not only used for code or platform specific modelgeneration, but also for software refactoring, definition of semantics, formal verification and even archi-tecture migration purposes [HCM+]. Most of these applications are assumed to preserve the structure ofthe participant models, i.e. they should be compositional.

Compositionality is a property of model transformations that may be interpreted in two differentways according to [Ste07]. Sequential compositionality is similar to function composition, i.e. giventwo transformations f : A → B and g : B → C, it is possible to compose them to a transformationg ◦ f : A → C. While sequential composition is obviously an essential property of any transformation,spatial composition is more intriguing.

Spatial composition is similar to the compositionality property of denotational semantics. As forsimple mathematical expressions, we assume that the the meaning of expression 2 + 5 is determined bythe meaning of 2, 5 and the semantics of the + operator, i.e. [[2 + 5]] = [[2]]

⊕[[5]].

Figure 1: Compositinal Semantic Mapping

In terms of model transformations, compositionality is presented in Figure 1. A system consisting ofcomponents A and B with a connector c is mapped to a semantic domain through transformation sem.The result is such a set of semantic expressions where sem(A), sem(B) and sem(c) are distinguishableand their composition represents the semantics of the whole system. We refer to spatial compositionalitywhenever compositionality is mentioned.

Compositionality is an important property for denotational semantics and thus for model transforma-tions that establish a mapping between existing modelling artifacts and denotational semantics. Withoutcompositionality the modular specification and verification of model transformations would be impossi-ble.

A typical semantic verification scenario is depicted in Figure 2. A modelling language (ML) ismapped to a semantic domain (SD) and as a usual application, programming language (PL) code isgenerated. To verify semantic consistency, a semantics of the programming language has to be defined

016004 (Sensoria) 10


BE ⊆))

##

ML //

��

=PL

||xxxxxxxx

SD

Figure 2: Semantic Verification

typically through a mapping PL → SD. The generated source code is semantically correct if thetriangle commutes. Although the different model instances are numerous, they are composed from thebasic elements (BE) of the modelling language. In case of compositional transformations the mappingcan be described in terms of the basic building blocks, enabling the modular verification of varioussemantic properties.

Models and denotational semantics can be represented as instances of metamodels. A mathemati-cal model is provided by type and instance graphs. Model transformations can be described by graphtransformations. In this paper we define a notion of compositionality for any total functions betweensets of graphs (representing models) defined by graph transformations. Conditions are also provided andproved that guarantee compositionality for simple graph transformations and graph transformations withnegative application conditions.

3.2.1 Formalising Compositionality

In this section the necessary definitions and the formal introduction of compositionality are presented.As the results proposed in this paper are generic with respect to semantic domain, we provide its formaldefinition. Intuitively the semantic domain is a set and the necessary partial map relation on it with anotion of context. The formal definition is the following.

Definition 3.1 (semantic domain) A semantic domain is a triple (D,v, C) where D is a set, v is apartial order on D, C is a set of total functions C[ ] ∈ C : D → D, called contexts, such that d v e =⇒C[d] v C[e] (v is closed under contexts).

The equivalence relation ≡ is the symmetric closure of v. Contexts C, D are equivalent if ∀d ∈ D,C[d] ≡ D[d].

As the concept of context is central in compositionality, a contextC in graphG is the set of surround-ing nodes and edges around an arbitrary subgraph D in G, i.e. C = G \D. Context C is not necessarilya graph due to the possible dangling edges.

Definition 3.2 (compositionality) A mapping sem : GraphsTG → (D,v, C) is compositional if foreach injective graph morphisms m : L → G there exists a context E such that sem(G) ≡ E[sem(L)].Moreover, this context is uniquely determined by the part ofG not in the image of L, i.e., given a pushoutdiagram as below with injective morphisms only, and a context F with sem(D) ≡ F [sem(K)], then Eand F are equivalent.

Kl //

d��

L

m

��D

g // G

Intuitively the concept of compositionality is depicted in Figure 3. The semantic expression gener-ated from G contains the one derived from L (through the inclusion morphism m). Also it is uniquelydetermined by the part of G not in the image of L.



Figure 3: Unique determination of the context

3.2.2 Conditions for Compositional Mapping

In this section we present conditions to show that a semantic mapping is compositional. The resultis interesting by itself because it holds for a large class of mappings described by triple graph gram-mars [Sch94]. The idea is that triple graph grammars describe model transformations by creating thetarget from the source model and linking both by a relation model. Hence it is not necessary to removethe source model, and rules can be designed in such a way that also on the relation and target model rulesare non-deleting.

For simple rules (without negative application conditions), compositionality follows directly fromthe fact that the transformations realising the semantic mapping can be embedded into larger contexts.

Theorem 3.1 Assume a mapping sem : G0∗⇒ Gn from typed graphs to semantic domain (D,v, C)

described by a graph transformation system GTS. If all rules of GTS are non-deleting and do notcontain negative application conditions, then sem is compositional.

Negative application conditions (NAC) restrict the applicability of rules by forbidden patterns, i.e.,structures which must not occur in the given graph in order for the transformation to be permitted. Thedefinition of our mapping, as many realistic transformation systems, make heavy use of this feature.In order to extend Theorem 3.1, we require the notions of created points and stable type. Intuitively,created points are those nodes and edges in a graph production rule that are only present in the right-hand side, and are thus created during its application. The stable type is the set of all nodes and edges inthe type graph (metamodel) that are never deleted during a transformation. Formal definitions are givenin [Bis08], as well as the proof of the theorem.

Theorem 3.2 A mapping sem : G0∗⇒ Gn from typed graphs to semantic domain (D,v, C) is compo-

sitional if

1. All rules of sem are non-deleting;

2. All NACs defined for rules in sem only contain elements of created types;

3. Source models do not contain any elements of created types.

Our mapping from UML architectural models to CSP satisfies these restrictions and is thus compo-sitional.

3.2.3 Application to the Case Study

Compositionality is an important property of typed graph transformations in the field of semantic verifi-cation. In this section we present an application of the presented theoretical concepts using the mappingmentioned in [BHE08].



In order to improve the internal structure, performance or scalability of a software system, behaviour-preserving changes are introduced known as refactorings [FBB+99]. As the applications of today tendto be service-oriented we deal with architectural refactorings with encapsulated behaviour.

We use UML component and composite structure diagrams for representing the type and instance-level architecture of our system in conjunction with activity diagrams specifying the workflows executedby component instances [OMG06]. The semantics of the relevant fragment of the UML is expressedin a denotational style, using CSP [Hoa85] as semantic domain and defining the mapping from UMLdiagrams to CSP processes by means of graph transformation rules. The semantic relation of behaviourpreservation can be expressed using one of the refinement and equivalence relations on CSP processes,and checked using FDR2 [FSEL05].

3.2.4 CSP as Semantic Domain

Formally, the UML models are instances of metamodels represented by attributed typed graphs. The ab-stract syntax of CSP can be also represented as a typed graph. The typed graph based metamodel for CSPis defined in [BH07]. This way, the semantic mapping can be defined as a typed graph transformation.

CSP is a semantic domain in the sense of Definition 3.1. D is the set of CSP expressions and vcan be trace, failure or divergence refinement as they are closed under context [Hoa85]. A context is aprocess expression E(X) with a single occurrence of a distinguished process variable X .

3.2.5 Implementation

Although the transformation mechanics was inspired by TGGs, the transformation was implemented inTiger EMF Transformer [Tig07] and thus it is unidirectional. It consists of 43 rules organised in 4 majorgroups (type-level, owned behaviour, instance-level, renaming).

Figure 4: Mapping of Component Definition

To present the definitions in practice, a simple pair of rules are introduced in the following. Figure 4shows their concrete syntax. The rule in Figure 5 is responsible for creating the component process. Theattribute values A and B denote variables that holds the same values in both sides of the rule.

The Component rule in Figure 5 creates the process definition for the corresponding component. TheNAC, defined on CSP expressions, checks the existence of a similar process definition. If none exist,the matched component definition has not been transformed yet. Thus it creates the CSP expressionsCtype = Cbehaviour and the empty Cbehaviour process definition.

The semantic mapping basically reads the architectural model and creates the corresponding set ofCSP expressions. Neither of the rules deleted or modified any element typed from the CSP metamodel.Thus, all elements of the CSP metamodel are stable types, since all instances of them are stable pointsin this semantic mapping. Also, both NACs were defined on CSP expressions only, and the LHS ofthe Component rule, which is always the first, contained no CSP elements. These three observationscorresponds to the three assumptions of Theorem 3.2. As these properties hold for the further 41 rules,the transformation is compositional. It is also important to note, that proving the compositionality of asemantic mapping is in fact simple and does not require complex mathematical knowledge.

3.3 Executable Business Processes as Activity Diagrams

In this paper, we use the BPEL [IBM03] language to describe business processes, ignoring some ofthe control constructs and features such as asynchronous communication , fault handlers, etc. For an



Figure 5: Implementation of Component Rule

in-depth presentation see [IBM03]. We illustrate the approach by means of the example in Figure 3.3,using UML activity diagrams to visualise a process that manages orders received from clients in cooper-ation between an office and a warehouse. We assume that the Office receives the order through a receiveactivity and implicitly validates it. If it is acceptable, the Warehouse invokes shipment, otherwisethe Office proceeds with a basic (local) undo operation. The two orchestrators are distinguished byso-called swimlanes.

Example

<<receive>>order

<<basic>>undo

<<invoke>>shipment

Warehouse Office

<<receive>>order

<<basic>>undo

<<invoke>>delegate

Warehouse Office

<<receive>>delegate

<<reply>>delegate

monolithic process transformed sub-processes

<<invoke>>shipment

Figure 6: Example BPEL Processes

3.3.1 Transformations

This section demonstrates the use of transformation rules to partition a process into a main process anda set of independent sub-processes. The presentation starts from a simple meta-model introducing thetypes of nodes and edges required to represent processes. Then, we introduce a sample transformationrule.

The presentation is based on the algebraic double-pushout approach to the transformation of typedand attributed graphs [EEPT06]. For a more compact presentation of metamodel and rules we use sub-typing as well as negative application conditions.



3.3.2 Meta-model

The meta-model of Figure 3.3.2, which borrows some concepts from the work proposed in [Ga03], onlycomprises elements that are used by the example in this paper.

Edge Nodeid: String

Basicop: String

Structured

Orchname: Stringid: String

Msgop: Stringid: String

Flowdegree: Nat

Switch Pick Invoke Receive

srctar

to/infrom

partner

request

Reply

response

Elem

corresp

current

resp

Figure 7: Our BPEL metamodel

A business process comprises Elements, which are distinguished into Nodes and Edges, linkedby means of associations source (src) and target (tar). Moreover, Nodes are further classified into

• Basic nodes corresponding to Invoke, Reply, and Receive activities 1.

• Structured nodes corresponding to the typical constructs of workflow languages, likeSwitch, Flow, and Pick.

Each structured activity is presented by two Structured nodes —related by associationcorresponding— to identify the start and the end of the composed activity. The same associationis also used to relate the first and last nodes of a sequence of basic action nodes.

Each Node is characterised by the Orchestrator that is responsible for it (that shall execute it).Before starting the application of partitioning rules, the designer must decide how to split the process byassigning the responsibilities for the different nodes to available orchestrators.

Each Orchestrator has an element (currently) under execution, which is rendered using associa-tion current in Figure 3.3.2. By partner links we point to Orchestrator intended as recipientsof invoke messages. Messages (Msg) specify their sender (from), recipient (to), whether they arealready received but not yet fully processed (in), or if they are the (response) to an earlier invocationmessage.

The meta-model of Figure 3.3.2 is incomplete, missing both a number of constraints and furthertypes, but sufficient to represent the example process in Figure 3.3.

1In this paper, we do not consider Assign activities since the propagation of data values is not addressed here.



3.3.3 Operational Semantics

Graphical operational semantics has been introduced as an extension of meta modelling (the specificationof abstract syntax and/or static semantic by means of class diagrams) to deal with the dynamic aspectof modelling languages [EHS99]. In this section we are using the approach to model the operationalsemantics of executable business processes, based on their graphical representation from their previoussection. We focus on the rules needed for explaining the behaviour of the example (represented by themeta model instance in Fig. 3.3), briefly sketching the remaining rules. Then we define observations andderive a labelled transition system.

Operational Rules Fig. 3.3.3 shows the operational rule for executing the 1:Invoke action, sendingmessage :Msg. The operation mentioned by the message is the same of the action node i, as describedby the condition op = i.op in the :Msg node. A new unique identifier is supplied by getid().As specified be the partner edge from the invoke node, the message is created by the orchestrator3:Orch for the orchestrator 4:Orch.

Semantic Rule: invoke

5:tar 1: Invokeop=i.op

3: Orch

2: Edge

7:current


3: Orch

2: Edge

7:current

4: Orch

6:partner

4: Orch

6:partner

:Msgop=i.opid=getid()

:from :to

:request

Figure 8: Operational rule invoke

The rule switch in Fig. 3.3.3 represent an example of how the semantics of control structures aredescribed. The rule implements both the split operation, moving the :current edge to one of severalbranches outgoing from the 1:Switch node, and the joining of several alternative branches. Notice thatsplit is non-deterministic because, due to the lack of data types in our model, we do not specify anyguards. In practice we can expect that switches are deterministic.

Semantic Rule: invoke


3: Orch

2: Edge

7:current


3: Orch

2: Edge

7:current

4: Orch

6:partner

4: Orch

6:partner

:Msgop=i.opid=getid()

:from :to

:request

Figure 9: Operational rule switch

Labels and Transition System Observations on rules define the labels of the transition system rep-resenting the operational semantics of processes. They contain the name of the rule and list the idattributes of some key elements. For example, inv(i.id, m.id) refers to the application of therule invoke and observes the identity of the invoke action i executed and the message m created.Similarly, the remaining labels include



• rec(r.id, m.id) performing receive action r on message m;

• reply(r.id, m1.id, m2.id) replying to m1 with m2;

• resp(i.id, m2.id) receiving response message m2 for invocation i;

Control flow rules like switch represent internal steps and are uniformly labelled with the silent actionτ .

In transformations, formal parameters from the rules are replaced by identities of the actual nodes inthe graphs representing system states.

Given a graph transformation system G = (TG,P ) with start graph G0, we derive a labelled tran-sition system LTS(G, G0) = (S,L,→) with all graphs reachable from G0 by applications of rules asstates S, observations on rules as labels L, and transformations as transitions.

3.3.4 Verification

Based on the definitions in the previous section we are now able to define a relation of semantic compat-ibility between processes. The idea is to require weak bisimilarity after hiding all labels that are not inthe intersection of the alphabets of the two processes. On a labelled transition system, the operation ofhiding replaces all occurrences of a given label by a silent action τ .

Definition 3.3 (semantic compatibility) Given a graph transformation system GOP = 〈TG,OP 〉(specifying operational semantics), two graphs G1 and G2 (representing processes) are semanticallycompatible if they are weakly bisimilar after hiding all labels not in alph(G1) ∩ alph(G2).

In our case O1, the set of observations produced by a centralised process, will be a subset of O2, theobservations of the distributed process. This is because of the additional communication actions requiredto coordinate the different local processes. The following theorem establishes a condition for semanticcompatibility. For a regular expression r, by s r−→ t we denote a sequence of transitions s l1−→ · · · ln−→ tsuch that l1 . . . ln is in the language described by r.

Theorem 3.3 (semantic compatibility of transformations) Assume graph transformation systemsGOP = 〈TG,OP 〉 (operational semantics) and GT = 〈TG, T 〉 (model transformations) such that for all

operational steps P1l−→ Q1 and transformation steps P1 =⇒ P2

1. l ∈ alph(P2) implies that there exist P2τ∗lτ∗−→ Q2 and Q1 =⇒ Q2;

2. l 6∈ alph(P2) implies that there exist P2τ∗−→ Q2 and Q1 =⇒ Q2;

and the same is true for the inverse of GT , obtained by reversing all productions.

P1//

��

Q1

��P2

// Q2

Then, whenever there exists a transformationG1 =⇒ G2 in GT , typed graphsG1 andG2 are seman-tically compatible.

Notice that Theorem 3.3 is based on a notion of local confluence, restricted by assumptions on thelabels of derived transitions. Such a property, called mixed confluence in [EE05], can be verified staticallyby critical pair analysis and search: First we check if all pairs consisting of a model transformation ruleand a semantic rule are parallel independent, i.e. there are no critical pairs between them. If this fails, we



have to demonstrate confluence for all critical pairs, searching for compatible transformation sequenceswith the right labels that lead to a common successor state.

For our case study, this means that we have to analyse the critical pairs between delegate andthe operational semantic rules: Critical pair analysis is supported by the attributed graph grammar toolenvironment AGG [Tae04, Tec06]. Critical pairs formalise the idea of a minimal example of a conflictingsituation. From the set of all overlapping graphs the objects and links are extracted which cause conflictsor dependencies. Critical Pair Analysis

Figure 10: Critical Pair Analysis in AGG

Fig. 3.3.4 shows the critical pair analysis in AGG where the model transformation rule delegateis indeed independent of all operational semantics rules (last row). The opposite is not true since we havecritical pairs in the last column which are all caused by a delete-use-conflict between 10:current indelegate and the semantic rules.

According to [LEO06] two direct graph transformations G(p1,m1)=⇒ H1 and G

(p2,m2)=⇒ H2 are in

delete-use-conflict (resp. use-delete-conflict) if rule p1 (resp. p2) deletes part of the graph G, which isused by rule p2 (resp. p2) in the second (resp. first) direct transformation.

As a result we obtain mixed confluence, consequently, the compatibility of distributed process withthe centralised ones they have been obtained from using rule delegate.

4 Relevant SENSORIA Publications and Reports

This deliverable is based on the following SENSORIA publications and deliverables:

• [BCK08] Paolo Baldan, Andrea Corradini, and Barbara Konig. A framework for the verificationof infinite-state graph transformation systems. In Information and Computation, 2008

• [BH07] Denes Bisztray and Reiko Heckel. Rule-Level Verification of Business Process Transfor-mations using CSP. In Proc. of the 6th International Workshop on Graph Transformations andVisual Modeling Techniques (GTVMT’07), 2007



• [BEH07] Luciano Baresi, Karsten Ehrig, and Reiko Heckel. Verification of model transformations:a case study with BPEL. In Trustworthy Global Computing, pages 183–199, Springer LNCS 4661,2007

• [EHV06] Karsten Ehrig, Reiko Heckel, and Daniel Varro. SENSORIA deliverable D7.1.a: Graphtransformation-based methods for services and calculi. EU IST Programme, 2006

5 Conclusion

Model transformation plays a major role in the SENSORIA methodology [EHV06]. Formal analysis ofgraph transformation systems is essential from the point of view of the definition of validation techniquesthat can be applied to this methodology. Such applications may include

• verification of system models with respect to abstract properties, typically expressed in terms of alogic, such as temporal and topological ones

• verification of properties concerning the relationship between models, such as compatibility andequivalence with respect to a given semantics

• verification of system properties such as confluence and termination

The first point is usually associated with the automatic or semi-automatic verification of propertiessuch as safety and liveliness. The second tend to arise in refactoring and refinement.

We have presented three relevant contributions that can be representative of each of these differentdirections. [BCK08] introduces a framework for the verification of graph transformation systems throughmodel-checking with respect to properties including liveliness and safety. [BH07] presents an approachto model refactoring based on translation to CSP. [BEH07] uses graph transformation theory to verifyformal properties of an operational semantics of business processes. The choice of approach will dependon semantics given (i.e., operational or denotational) and the verification problem at hand (checking forequivalence / refinement between different versions or verifying dynamic properties of systems).

References

[ADG98] Robert Allen, Remi Douence, and David Garlan. Specifying and analyzing dynamicsoftware architectures. Lecture Notes in Computer Science, 1382, 1998.

[AGG07] AGG - Attributed Graph Grammar System Environment. http://tfs.cs.tu-berlin.de/agg, 2007.

[AGM93] S. Abramski, M. D. Gabbay, and T. S. E. Maibaum, editors. Handbook of Logic inComputer Science, vol. 2. Oxfor University Press, 1993.

[BBER08] J. Bauer, I. Boneva, Kurban M. E., and A. Rensink. A modal-logic based graph abstrac-tion. In ICGT 2008, 2008.

[BCE+05] P. Baldan, A. Corradini, J. Esparza, T. Heindel, B. Konig, and V. Kozioura. Verifyingred-black trees. In Proceedings of COSMICAH ’05, 2005. Proceedings available as reportRR-05-04 (Queen Mary, University of London).

[BCK01] P. Baldan, A. Corradini, and B. Konig. A static analysis technique for graph transfor-mation systems. In K.G. Larsen and M. Nielsen, editors, Proceedings of CONCUR ’01,volume 2154 of Lecture Notes in Computer Science, pages 381–395. Springer Verlag,2001.


http://tfs.cs.tu-berlin.de/agg



[BCK02] P. Baldan, A. Corradini, and B. Konig. Static analysis of distributed systems with mo-bility specified by graph grammars—a case study. In H. Ehrig, B. Kramer, and A. Ertas,editors, Proceedings of IDPT ’02 (Sixth International Conference on Integrated Design& Process Technology). Society for Design and Process Science, 2002.

[BCK04] P. Baldan, A. Corradini, and B. Konig. Verifying finite-state graph tranformation gram-mars: an unfolding-based approach. In Proceedings of CONCUR ’04, number 3170 inLNCS, pages 83–98. Springer, 2004.

[BCK08] P. Baldan, A. Corradini, and B. Konig. A framework for the verification of infinite-stategraph transformation systems. Information and Computation, 2008. to appear.

[BCM98] P. Baldan, A. Corradini, and U. Montanari. Concatenable graph processes: relating pro-cesses and derivation traces. In S. Larsen, K. Skyum and G. Winskel, editors, Proceed-ings of ICALP’98, volume 1443 of Lecture Notes in Computer Science, pages 283–295.Springer Verlag, 1998.

[BCM99] P. Baldan, A. Corradini, and U.. Montanari. Unfolding and event structure semantics forgraph grammars. In W. Thomas, editor, Proceedings of FoSSaCS ’99, number 1578 inLNCS, pages 73–89. Springer, 1999.

[BCMR07] P. Baldan, A. Corradini, U. Montanari, and L. Ribeiro. Unfolding Semantics of GraphTransformation. Information and Computation, 205:733–782, 2007.

[BEH07] L. Baresi, K. Ehrig, and R. Heckel. Verification of model transformations: a case studywith BPEL. In Trustworthy Global Computing, number 4661 in LNCS, pages 183–199.Springer, 2007.

[BGMM08] L. Baresi, C. Ghezzi, A. Mocci, and M. Monga. Using graph transformation systems tospecify and verify data abstractions. In Claudia Ermel, Reiko Heckel, and Juan de Lara,editors, Proceedings of the Seventh International Workshop on Graph Transformationand Visual Modeling Techniques (GT-VMT 2008), volume X, pages 277–290, Budapest,Hungary, March 2008. EASST.

[BH07] Denes Bisztray and Reiko Heckel. Rule-level verification of business process transfor-mations using CSP. In Proc of 6th International Workshop on Graph Transformationsand Visual Modeling Techniques (GTVMT’07), 2007.

[BHE08] Denes Bisztray, Reiko Heckel, and Hartmut Ehrig. Verification of architectural refactor-ings by rule extraction. In Fundamental Approaches to Software Engineering, volume4961 of Lecture Notes in Computer Science, pages 347–361. Springer Berlin / Heidel-berg, 2008.

[Bis08] Denes Bisztray. Verification of architectural refactoring rules. Technical report, Depart-ment of Computer Science, University of Leicester, 2008. http://www.cs.le.ac.uk/people/dab24/refactoring-techrep.pdf.

[BK02] P. Baldan and B. Konig. Approximating the behaviour of graph transformation systems.In A. Corradini, H. Ehrig, H.-J. Kreowski, and G. Rozenberg, editors, Proceedings ofICGT’02, volume 2505 of Lecture Notes in Computer Science, pages 14–30. SpringerVerlag, 2002.

[BKK03] P. Baldan, B. Konig, and B. Konig. A logic for analysing abstractions of graph transfor-mation systems. In R. Cousot, editor, Proceedings of SAS ’03, number 2694 in LNCS,pages 255–272. Springer, 2003.


http://www.cs.le.ac.uk/people/dab24/refactoring-techrep.pdf

http://www.cs.le.ac.uk/people/dab24/refactoring-techrep.pdf


[BKPPT05] Paolo Bottoni, Manuel Koch, Francesco Parisi-Presicce, and Gabriele Taentzer. Termi-nation of high-level replacement units with application to model transformation. Electr.Notes Theor. Comput. Sci., 127(4):71–86, 2005.

[BKR05] P. Baldan, B. Konig, and A. Rensink. Graph grammar verification through abstraction. InGraph transforamtion and process algebras for modeling distributed and mobile systems,volume 04241 of Dagstuhl Seminar, 2005.

[BRRS08] L. Baresi, V. Rafe, A. T. Rahmani, and P. Spoletini. Towards automated software modelchecking using graph transforamtion systems and Bogor. Journal of Zhejiang, 2008.

[BTS00] Paolo Bottoni, Gabriele Taentzer, and Andy Schurr. Efficient parsing of visual languagesbased on critical pair analysis and contextual layered graph transformation. In VL ’00:Proceedings of the 2000 IEEE International Symposium on Visual Languages (VL’00),page 59, Washington, DC, USA, 2000. IEEE Computer Society.

[Bun86] A. Bundy. The computer modelling of mathematical reasoning. Academic Press, 1986.

[CMR96] A. Corradini, U. Montanari, and F. Rossi. Graph processes. Fundamenta Informaticae,26:241–265, 1996.

[Cou97] B. Courcelle. The expression of graph properties and graph transformation in monadicsecond-order logic. In G. Rozenberg, editor, Handbook of Graph Grammars and Com-puting by Graph Transformation, volume 1, pages 313–400. World Scientific, 1997.

[dCR08] S. A. da Costa and L. Ribeiro. Formal verification of graph grammars using mathematicalinduction. In ICGT 2008, 2008.

[DKMdSR04] F.L. Dotti, B. Konig, O. Marchi dos Santos, and L. Ribeiro. A case study: Verifyinga mutual exclusion protocol with process creation using graph transformation systems.Technical Report 08/2004, Universitat Stuttgart, 2004.

[DLRdS03] F. L. Dotti, Foss L., L. Ribeiro, and O. M. dos Santos. Verification of distributed object-based systems. In FMOODS ’03, pages 261–275, 2003.

[DMdS05] F. L. Dotti, O. M. Mendizabal, and O. M. dos Santos. Verifying fault-tolerant distributedsystems using object-based graph grammars. In LADC ’05, pages 80–100, 2005.

[EE05] Hartmut Ehrig and Karsten Ehrig. Overview of Formal Concepts for Model Transforma-tions based on Typed Attributed Graph Transformation. In Proc. International Workshopon Graph and Model Transformation (GraMoT’05), ENTCS, Estonia, Tallinn, Septem-ber 2005. Elsevier Science.

[EEdL+05] Hartmut Ehrig, Karsten Ehrig, Juan de Lara, Gabriele Taentzer, Daniel Varro, and SzilviaVarro-Gyapay. Termination criteria for model transformation. In Maura Cerioli, edi-tor, Proc. FASE 2005: Internation Conference on Fundamental Approaches to SoftwareEngineering, volume 3442 of LNCS, pages 49–63, Edinburgh, UK,, April 2005. Springer.

[EEPT06] H. Ehrig, K. Ehrig, U. Prange, and G. Taentzer. Fundamentals of Algebraic Graph Trans-formation. EATCS Monographs in Theoretical Computer Science. Springer, 2006.

[EHK01] G. Engels, R. Heckel, and J.M. Kuster. Rule-based specification of behavioral consis-tency based on the UML meta model. In M. Gogolla and C. Kobryn, editors, Proc. UML2001, Toronto, Kanada, volume 2185. Springer-Verlag, 2001.



[EHS99] G. Engels, R. Heckel, and St. Sauer. Dynamic meta modeling: A graphical approachto operational semantics. In Proc. OOPSLA’99 Workshop on Rigorous Modeling andAnalysis with the UML: Challenges and Limitations, Denver, CO, USA, November 21999.

[EHV06] K. Ehrig, R. Heckel, and D. Varro. Deliverable D7.1.a: Graph transformation-basedmethods for services and calculi. Technical report, IST Programme, 2006.

[EKGH01] G. Engels, J.M. Kuster, L. Groenewegen, and R. Heckel. A methodology for specify-ing and analyzing consistency of object-oriented behavioral models. In V. Gruhn, editor,Proc. European Software Engineering Conference (ESEC/FSE 01), Vienna, Austria, vol-ume 1301, pages 327–343. Springer Verlag, 2001.

[EKMR99] H. Ehrig, H.-J. Kreowski, U. Montanari, and G. Rozenberg, editors. Handbook of GraphGrammars and Computing by Graph Transformation, Vol.3: Concurrency, Parallellism,and Distribution. World Scientific, 1999.

[Esp94] J. Esparza. Model checking using net unfoldings. Science of Computer Programming,23(2–3):151–195, 1994.

[FBB+99] Martin Fowler, Kent Beck, John Brant, William Opdyke, and Don Roberts. Refactoring:Improving the Design of Existing Code. Addison-Wesley Professional, 1st edition edition,1999.

[FFR07] A. P. L. Ferreira, L. Foss, and L. Ribeiro. Formal verification of object-oriented graphgrammars specifications. Electron. Notes Theor. Comput. Sci., 175(4):101–114, 2007.

[FSEL05] Formal Systems Europe Ltd. FDR2 User Manual, 2005. http://www.fsel.com/documentation/fdr2/html/index.html.

[Fuj07] Fujaba Tool Suite. http://wwwcs.uni-paderborn.de/cs/fujaba, 2007.

[Ga03] T. Gardner and al. Draft UML 1.4 profile for automated business processes with a map-ping to the BPEL 1.0. IBM alphaWorks, 2003.

[GGL+06] H. Giese, S. Glesner, J. Leitner, W. Schafer, and R. Wagner. Towards verified modeltransformations. In MoDELS ’06 — MoDeVa Workshop, pages 78–93, 2006.

[GHK98] F. Gadducci, R. Heckel, and M. Koch. A fully abstract model for graph-intepreted tem-poral logic. In H. Ehrig, G. Engels, H.-J. Kreowski, and G. Rozenberg, editors, 6thInternational Workshop on Theory and Application of Graph Transformations, volume1764 of Lecture Notes in Computer Science. Springer Verlag, 1998.

[HCM+] Reiko Heckel, Rui Correia, Carlos Matos, Mohammad El-Ramly, Georgios Koutsoukos,and Luis Andrade. Architectural Transformations: From Legacy to Three-tier and Ser-vices, chapter Architectural Transformations: From Legacy to Three-tier and Services.Springer. To appear.

[Hec98a] R. Heckel. Compositional verification of reactive systems specified by graph transforma-tion. In E. Astesiano, editor, Proceedings of FASE’98, volume 1382 of Lecture Notes inComputer Science, pages 138–153. Springer Verlag, 1998.

[Hec98b] R. Heckel. Compositional verification of reactive systems specified by graph transforma-tion. In FASE ’98, volume 1382 of LNCS, pages 138–153. Springer-Verlag, 1998.


http://www.fsel.com/documentation/fdr2/html/index.html

http://www.fsel.com/documentation/fdr2/html/index.html

http://wwwcs.uni-paderborn.de/cs/fujaba


[Hec05] Reiko Heckel. Stochastic Analysis of Graph Transformation Systems: A Case Studyin P2P Networks. In H. Dan Van and M. Wirsing, editors, Proc. Intl. Colloquium onTheoretical Aspects of Computing (ICTAC’05), Hanoi, Vietnam, volume 3722 of LNCS.Springer-Verlag, October 2005. Invited paper.

[HKT02] Reiko Heckel, Jochen Malte Kuster, and Gabriele Taentzer. Confluence of typed at-tributed graph transformation systems. In ICGT ’02: Proceedings of the First Inter-national Conference on Graph Transformation, pages 161–176, London, UK, 2002.Springer-Verlag.

[HLM06] Reiko Heckel, Georgios Lajios, and Sebastian Menge. Stochastic graph transformationsystems. Fundamenta Informaticae, 72:1–22, 2006. To appear.

[Hoa85] Charles Antony Richard Hoare. Communicating Sequential Processes. Prentice HallInternational Series in Computer Science. Prentice Hall, April 1985.

[Hol03] G. J. Holzmann. The SPIN Model Checker. Addison-Wesley, 2003.

[IBM03] IBM, BEA Systems, Microsoft, SAP AG, Siebel Systems. Business Process Execu-tion Language for Web Services version 1.1, May 2003. http://www.ibm.com/developerworks/library/ws-bpel/.

[Kas05] H. Kastenberg. Towards attributed graphs in groove. In GT-VC ’05, Electronic Notes inComputer Science. Elseviee, 2005.

[KK05] B. Konig and V. Kozioura. AUGUR—a tool for the analysis of graph transformationsystems. EATCS Bulletin, 87:125–137, November 2005. Appeared in The Formal Spec-ification Column.

[KK06] B. Koenig and V. Kozioura. Counterexample-guided abstraction refinement for the anal-ysis of graph transformation systems. In TACAS 2006, volume 3920 of LNCS, pages197–211. Springer, 2006.

[KK08a] B. Koenig and V. Kozioura. Towards the verification of attributed graph transformationsystems. In ICGT 2008, 2008.

[KK08b] B. Konig and V. Kozioura. AUGUR 2—a new version of a tool for the analysis of graphtransformation systems. In Proceedings of GT-VMT ’06 (Workshop on Graph Trans-formation and Visual Modeling Techniques), Electronic Notes in Theoretical ComputerScience. Elsevier Science, 2008.

[Koc00] M. Koch. Integration of Graph Transformation and Temporal Logic for the Specificationof Distributed Systems. PhD thesis, Technische Universitat Berlin, 2000.

[KR06] H. Kastenberg and A. Rensink. Model checking dynamic states in groove. In A. Valmari,editor, SPIN ’06, number 3925 in LNCS, pages 229–305, 2006.

[Kus06] Jochen M. Kuster. Definition and validation of model transformations. Software andSystems Modeling, 5(3):233–259, September 2006.

[LEO06] Leen Lambers, Hartmut Ehrig, and Fernando Orejas. Conflict Detection for Graph Trans-formation with Negative Application Conditions. In A. Corradini et al. (Eds.): Proceed-ings of the Third International Conference on Graph Transformation (ICGT 2006), vol-ume 4178 of Lecture Notes in Computer Science, pages 61–76. Springer-Verlag, 2006.


http://www.ibm.com/developerworks/library/ws-bpel/

http://www.ibm.com/developerworks/library/ws-bpel/


[LM04] K. R. M. Leino and P. Muller. Object invariants in dynamic contexts. In M. Odersky,editor, European Conference on Object-Oriented Programming (ECOOP), volume 3086of Lecture Notes in Computer Science, pages 491–516. Springer-Verlag, 2004.

[LPE07] Tihamer Levendovszky, Ulrike Prange, and Hartmut Ehrig. Termination criteria for dpotransformations with injective matches. Electron. Notes Theor. Comput. Sci., 175(4):87–100, 2007.

[McM93] K.L. McMillan. Symbolic Model Checking. Kluwer, 1993.

[MDJ02] Tom Mens, Serge Demeyer, and Dirk Janssens. Formalising behaviour preserving pro-gram transformations. In ICGT ’02: Proceedings of the First International Conferenceon Graph Transformation, pages 286–301, London, UK, 2002. Springer-Verlag.

[MGB06] Tiago Massoni, Rohit Gheyi, and Paulo Borba. An approach to invariant-based programrefactoring. In Software Evolution through Transformations 2006. Electronic Communi-cations of the EASST, 2006.

[MK96] Jeff Magee and Jeff Kramer. Dynamic structure in software architectures. In SIGSOFT’96: Proceedings of the 4th ACM SIGSOFT symposium on Foundations of software en-gineering, pages 3–14, New York, NY, USA, 1996. ACM Press.

[NPW02] T. Nipkow, L. C. Paulson, and M. Wenzel. A proof-assistant for higher-order logic.Springer, 2002.

[OEP08] F. Orejas, H. Ehrig, and U. Prange. A logic of graph constraints. In FASE ’08, volume4961 of LNCS, pages 179–198. Springer, 2008.

[OMG06] OMG. Unified Modeling Language, version 2.1.1, 2006. http://www.omg.org/technology/documents/formal/uml.htm.

[Pen08] K.H. Pennemann. Resolution-like theorem proving for high-level conditions. In ICGT2008, 2008.

[QVT05] MOF Query/View/Transformation (QVT) Final Adopted Specification. http://www.omg.org/docs/ptc/05-11-01.pdf, 2005.

[RDH03] Robby, M. B. Dwyer, and J. Hatcliff. Bogor: An extensible and highly-modular modelchecking framework. In Proceedings of the Fourth Joint Meeting of the European Soft-ware Engineering Conference and ACM SIGSOFT Symposium on the Foundations ofSoftware Engineering (ESEC/FSE 2003), 2003.

[Rei85] W. Reisig. Petri Nets: An Introduction. EACTS Monographs on Theoretical ComputerScience. Springer Verlag, 1985.

[Ren03] A. Rensink. Towards model checking graph grammars. In M. Leuschel, S. Gruner, andS. Lo Presti, editors, Workshop on Automated Verification of Critical Systems (AVoCS),Technical Report DSSE–TR–2003–2, pages 150–160. University of Southampton, 2003.

[Ren04a] Arend Rensink. Canonical graph shapes. In D. A. Schmidt, editor, Programming Lan-guages and Systems — European Symposium on Programming (ESOP), volume 2986 ofLecture Notes in Computer Science, pages 401–415. Springer-Verlag, 2004.

[Ren04b] Arend Rensink. The GROOVE simulator: A tool for state space generation. In J. Pfalz,M. Nagl, and B. Bohlen, editors, Applications of Graph Transformations with IndustrialRelevance (AGTIVE), volume 3062 of Lecture Notes in Computer Science, pages 479–485. Springer-Verlag, 2004.


http://www.omg.org/technology/documents/formal/uml.htm

http://www.omg.org/technology/documents/formal/uml.htm

http://www.omg.org/docs/ptc/05-11-01.pdf

http://www.omg.org/docs/ptc/05-11-01.pdf


[Ren04c] Arend Rensink. State space abstraction using shape graphs. In Automatic Verification ofInfinite-State Systems (AVIS), Electronic Notes in Theoretical Computer Science. Else-vier, 2004.

[Ren08] A. Rensink. Explicit state model checking for graph grammars. In P. Degano,R. De Nicola, and J. Meseguer, editors, Concurrency, Graphs and Models. Essays Dedi-cated to Ugo Montanari on the Occasion of His 65th Birthday, volume 5065 of LectureNotes in Computer Science. Springer Verlag, 2008.

[Rib96] L. Ribeiro. Parallel Composition and Unfolding Semantics of Graph Grammars. PhDthesis, Technische Universitat Berlin, 1996.

[Roz97] G. Rozenberg, editor. Handbook of Graph Grammars and Computing by Graph Trans-formation, Vol. 1: Foundations. World Scientific, 1997.

[RSV04] A. Rensink, A. Schmidt, and D. Varro. Model checking graph transformations: a compar-ison of two approaches. In ICGT ’04, number 3256 in LNCS, pages 226–241. Springer,2004.

[Sch94] Andy Schurr. Specification of graph translators with triple graph grammars. In Tinhofer,editor, Proc. WG’94 Int. Workshop on Graph-Theoretic Concepts in Computer Science,number 903 in LNCS, pages 151–163. Springer-Verlag, 1994.

[Sch03] K. Schmidt. Distributed verification with LoLA. Fundamenta Informaticae, 54(2–3):253–262, 2003.

[Sel98] Bran Selic. Using uml for modeling complex real-time systems. In LCTES ’98: Proceed-ings of the ACM SIGPLAN Workshop on Languages, Compilers, and Tools for EmbeddedSystems, pages 250–260, London, UK, 1998. Springer-Verlag.

[SPTJ01] Gerson Suny, D. Pollet, Y. Le Traon, and J.-M. Jzquel. Refactoring uml models. InProceedings of UML 2001, LNCS, pages 134–148. Springer Verlag, 2001.

[Ste07] Perdita Stevens. Bidirectional model transformations in qvt: Semantic issues and openquestions. In Proceedings of 10th International Conference on Model Driven Engineer-ing Languages and Systems (MODELS 2007), volume 4735, pages 1–15. Springer LNCS,October 2007.

[Str08] M. Strecker. Modeling and verifying graph transformations in proof assistants. ElectronicNotes in Theoretical Computer Science, 203:135–148, 2008.

[SV03] A. Schmidt and D. Varro. CheckVML: a tool for model checking visual modeling lan-guages. In UML ’03, volume 2863 of LNCS, pages 92–95. Springer-Verlag, 2003.

[Tae04] G. Taentzer. AGG: A Graph Transformation Environment for Modeling and Validationof So ftware. In J. Pfaltz, M. Nagl, and B. Boehlen, editors, Application of Graph Trans-formations with Industrial Relevance (AGTIVE’03), volume 3062 of Lecture Notes inComputer Science, pages 446 – 456. Springer, 2004.

[Tec06] Technical University of Berlin, Department of Computer Science. AGG Version 1.4.1 -http://tfs.cs.tu-berlin.de/agg, 2006.

[Tig07] Tiger Developer Team. Tiger EMF Transformer, 2007. http://www.tfs.cs.tu-berlin.de/emftrans.

[Var04] D. Varro. Automated formal verification of visual modelign languages. Software andSystem Modeling, 3(2):85–113, 2004.



http://www.tfs.cs.tu-berlin.de/emftrans

http://www.tfs.cs.tu-berlin.de/emftrans

formal analysis of model transformations

Documents