model transformation verification: some theory and some practice levi lúcio msdl lab / necsis...
TRANSCRIPT
![Page 1: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/1.jpg)
Model Transformation Verification: some theory and some practice
Levi LúcioMSDL Lab / NECSIS project
McGill University
![Page 2: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/2.jpg)
2
Dr. Levi Lúcio
• Model Based Testing (SMV, U. Geneva)
• Model Transformation Verification(SOLAR, U. Nova Lisboa)
• Model Evolution in MDE(LASSY, U. Luxembourg)
![Page 3: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/3.jpg)
3
Main interests
• Formal modeling• Verification• Formal languages and their semantics• DSL and MDE fundaments– Precise definition of a DSL (is Turing incompleteness
a usable definition?)– Precise definition of the MDE process
• Globally intersection between software engineering and formal methods
![Page 4: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/4.jpg)
4
Presentation Overview
• Preliminary state of the art in Model Transformation Verification
• Introduction to the Power Window case study• Which MT verification techniques can we use
and for what?
![Page 5: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/5.jpg)
5
Presentation Overview
• Preliminary state of the art in Model Transformation Verification
• Introduction to the Power Window case study• Which MT verification techniques can we use
and for what?
![Page 6: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/6.jpg)
6
Why is MT verification different from typical program verification?
• MT are programs with complex inputs, typically MOF/EMF based models;
• Unlike reactive systems, in MT typically only input and output is interesting. Intermediate states are most of the time disregarded;
• Most of the current verification technology is built for reactive systems…
![Page 7: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/7.jpg)
7
Testing vs. Proving
• Testing Model Transformation challenges:– Input model generation– Oracle production and usage– Test qualification
• Proving Model Transformation challenges:– Most transformation languages are Turing complete,
nondeterministic and have an infinite amount of input models;
– Proving syntax is hard, proving semantics is harder…
![Page 8: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/8.jpg)
8
Testing vs. Proving
• Testing Model Transformation challenges:– Input model generation– Oracle production and usage– Test qualification
• Proving Model Transformation challenges:– Most transformation languages are Turing complete,
nondeterministic and have an infinite amount of input models;
– Proving syntax is hard, proving semantics is harder…
![Page 9: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/9.jpg)
9
Input model generation
• Input model generation from analysis of metamodels and of transformation rules:– [Küster,Razik:06] on production of input models based
on coverage criteria for metamodels, OCL constraints and critical pairs analysis;
– [Baudry:09] on black box domain partitioning (metamodel based) and combinatorial interaction;
– [McQuillan,Power:09] on white box transformation rule coverage;
– [Mottu,Baudry,Traon:09] on model transformation fault models;
![Page 10: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/10.jpg)
10
Oracle production and usage
• Means of comparison of MT output model and a reference model:– [Lin,Zhang,Grey:05] on an algorithm for output
model comparison for oracle implementation;– [Mottu,Baudry,Traon:09] on oracle classification,
e.g. manual, reference transformation, contracts and assertions;
![Page 11: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/11.jpg)
11
Input model qualification
• Criteria to evaluate and improve the quality of generated input models:– [Mottu,Baudry,Traon:06] on model transformation
mutation operators for input model mutation analysis;
– [Fleurey,Baudry,etal:07] on the classification of coverage criteria for input model qualification;
![Page 12: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/12.jpg)
12
Testing vs. Proving
• Testing Model Transformation challenges:– Input model generation– Oracle production and usage– Test qualification
• Proving Model Transformation challenges:– Most transformation languages are Turing complete,
nonconfluent (nondeterministic) and have an infinite amount of input models;
– Proving syntax is hard, proving semantics is harder…
![Page 13: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/13.jpg)
13
Termination
• Termination of graph rewriting is undecidable [Plump98]:– [Ehrig,Ehrig,etal:05] on a set of termination criteria
transformation rules must satisfy;– [Varró,Varró,etal:06] on transforming into Petri Nets for
deciding on transformation termination;– [Lara,Vangheluwe:09] on transforming into Timed Petri
Nets for deciding on transformation termination;– [Barroca,Lúcio, etal:10] on a transformation language
insuring termination and confluence of all transformations by construction;
![Page 14: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/14.jpg)
14
Confluence
• Rule execution order matters: – [Heckel,Küster,Taentzer:02] on the definition of
confluent critical pairs of rules;– [Barroca,Lúcio, etal:10] on a transformation
language insuring termination and confluence of all transformations by construction;
![Page 15: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/15.jpg)
15
Infinite amount of Input Models (1)
• Input models are typically infinite instances of MOF/EMF metamodels. Approaches dependent on a given input model:– [Anastasakis,etal:06] on using Alloy for proving the
transformation can run for one input model;– [Narayan,Karsai:08] on proving a structural
correspondence will exist between an input model and the transformation’s output;
– [Lara,Vangheluwe:09] on transforming one input model for a transformation into a Petri Net for analysis;
![Page 16: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/16.jpg)
16
Infinite amount of Input Models (2)
• Approaches valid for all inputs, independent of any input model:– [Asztalos,etal:10] on proving properties of model
transformations based on assertions and deduction rules;
– [Lúcio,Barroca,etal:10] on proving structural relations between source and target model based on rule symbolic execution;
![Page 17: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/17.jpg)
17
Proving syntactic relations between input and output models
• Show that certain elements or patterns of an input model will always produce other elements or patterns of the output model– [Akehurst:02] on defining relations that hold between
the input and output models by construction;– [Narayan,Karsai:08a] on proving a structural
correspondence will exist between an input model and the transformation’s output;
– [Lúcio,Barroca,etal:10] on proving structural relations between source and target metamodels hold on all transformations;
![Page 18: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/18.jpg)
18
Proving semantic preservation between input and output models
• The semantics of the original model is preserved after the transformation:– [Padberg, etal:97] on Petri Nets safety property
preserving morphisms (applicable to statecharts);– [Varró,Pataricza:03] on preservation of a given
property by model checking it on the input model and its transformed version on the output model;
– [Narayanan,Karsai:08b] on the verification of preservation of statechart semantics;
![Page 19: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/19.jpg)
19
Preliminary classification axis for MT Verification Techniques
Testing Proving
Input model generation Termination
Oracle production and usage Confluence
Test qualification Infinite input models
Syntactic relations
Semantic preservation
![Page 20: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/20.jpg)
20
Other classification axis
• Proof techniques– Model checkers (e.g. GROOVE)– Constraint solvers (e.g. Alloy)
• Applicable to which transformation languages?
![Page 21: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/21.jpg)
21
Presentation Overview
• Preliminary state of the art in Model Transformation Verification
• Introduction to the Power Window case study
• Which MT verification techniques can we use and for what?
![Page 22: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/22.jpg)
22
MDD control software development for a Power Window
Identify– Modeling languages
and artifacts– Software development
activities– Model transformations
![Page 23: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/23.jpg)
23
Modeling artifacts for describing a Power Window
Control PlantEnvironment
![Page 24: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/24.jpg)
24
Plant Description Language
![Page 25: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/25.jpg)
25
Control Description Language
![Page 26: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/26.jpg)
26
Environment Description Language
Inspired from Dhaussy and Roger, “Spécification du langage CDL v.1 : Syntaxe et sémantique”, 2011
![Page 27: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/27.jpg)
27
Software development activities
• Simulation• Verification– Model checking– Model based testing
• Code generation
![Page 28: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/28.jpg)
28
Simulation
Control PlantEnvironment + +
Causal Block Diagram
![Page 29: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/29.jpg)
29
Model Checking
Control PlantEnvironment + +
Petri Nets
![Page 30: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/30.jpg)
30
Model Based Testing
Control PlantEnvironment +
Test Cases Oracle
![Page 31: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/31.jpg)
31
Code Generation
Control PlantEnvironment +
Autosar
![Page 32: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/32.jpg)
32
Identified transformation types
• Composition– Environment + Control + Plant
• Same abstraction– Environment + Control + Plant -> Causal Block D.
• Abstract (lose detail)– Environment + Control + Plant -> Petri Nets
• Refine (add detail)– Control + Plant -> Autosar
![Page 33: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/33.jpg)
33
Presentation Overview
• Preliminary state of the art in Model Transformation Verification
• Introduction to the Power Window case study• Which MT verification techniques can we use
and for what?
![Page 34: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/34.jpg)
34
Which MT verification techniques can we use and for what?
?
![Page 35: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/35.jpg)
35
Which MT verification techniques to use and for what?
It depends…• On the type of the transformation
(composition, abstraction, refinement…)• On the purpose of the transformation
(verification, simulation, composition…)• On the domain of application (automotive
software development, control systems…)
![Page 36: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/36.jpg)
36
Most likely direction
• Use either proofs of:– Syntactic relations hold between input and output
models;– Semantics is preserved during transformation
• Challenge: using these two general types of proofs and the available techniques understand which specific properties are important to prove in the Power Window case study.
![Page 37: Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University](https://reader035.vdocuments.mx/reader035/viewer/2022081602/5517e2dc550346d5568b45ba/html5/thumbnails/37.jpg)
37
Bibliography• [Plump98] D.Plump “Termination of graph rewriting is undecidable”,
Fundamenta Informaticae 33(2), 1998.• [Ehrig,Ehrig,etal:05] H.Ehrig, K.Ehrig, J.Lara, G.Taentzer, D. Varró and S.Varró-
Gyapay “Termination Criteria for Model Transformation”, LNCS 3442, 2005.• [Varró,Varró,etal:06]