model transformation verification some theory and some practice n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Model Transformation Verification: some theory and some practice PowerPoint Presentation
Download Presentation
Model Transformation Verification: some theory and some practice

Loading in 2 Seconds...

play fullscreen
1 / 37

Model Transformation Verification: some theory and some practice - PowerPoint PPT Presentation


  • 134 Views
  • Uploaded on

Model Transformation Verification: some theory and some practice. Levi Lúcio MSDL Lab / NECSIS project. McGill University. Dr. Levi Lúcio. Model Based Testing (SMV, U. Geneva) Model Transformation Verification (SOLAR, U. Nova Lisboa ) Model Evolution in MDE (LASSY, U. Luxembourg).

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Model Transformation Verification: some theory and some practice' - jon


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
model transformation verification some theory and some practice

Model Transformation Verification: some theory and some practice

Levi Lúcio

MSDL Lab / NECSIS project

McGill University

dr levi l cio
Dr. Levi Lúcio
  • Model Based Testing

(SMV, U. Geneva)

  • Model Transformation Verification

(SOLAR, U. Nova Lisboa)

  • Model Evolution in MDE

(LASSY, U. Luxembourg)

main interests
Main interests
  • Formal modeling
  • Verification
  • Formal languages and their semantics
  • DSL and MDE fundaments
    • Precise definition of a DSL (is Turing incompleteness a usable definition?)
    • Precise definition of the MDE process
  • Globally intersection between software engineering and formal methods
presentation overview
Presentation Overview
  • Preliminary state of the art in Model Transformation Verification
  • Introduction to the Power Window case study
  • Which MT verification techniques can we use and for what?
presentation overview1
Presentation Overview
  • Preliminary state of the art in Model Transformation Verification
  • Introduction to the Power Window case study
  • Which MT verification techniques can we use and for what?
why is mt verification different from typical program verification
Why is MT verification different from typical program verification?
  • MT are programs with complex inputs, typically MOF/EMF based models;
  • Unlike reactive systems, in MT typically only input and output is interesting. Intermediate states are most of the time disregarded;
  • Most of the current verification technology is built for reactive systems…
testing vs proving
Testing vs. Proving
  • Testing Model Transformation challenges:
    • Input model generation
    • Oracle production and usage
    • Test qualification
  • Proving Model Transformation challenges:
    • Most transformation languages are Turing complete, nondeterministic and have an infinite amount of input models;
    • Proving syntax is hard, proving semantics is harder…
testing vs proving1
Testing vs. Proving
  • Testing Model Transformation challenges:
    • Input model generation
    • Oracle production and usage
    • Test qualification
  • Proving Model Transformation challenges:
    • Most transformation languages are Turing complete, nondeterministic and have an infinite amount of input models;
    • Proving syntax is hard, proving semantics is harder…
input model generation
Input model generation
  • Input model generation from analysis of metamodels and of transformation rules:
    • [Küster,Razik:06] on production of input models based on coverage criteria for metamodels, OCL constraints and critical pairs analysis;
    • [Baudry:09] on black box domain partitioning (metamodel based) and combinatorial interaction;
    • [McQuillan,Power:09] on white box transformation rule coverage;
    • [Mottu,Baudry,Traon:09] on model transformation fault models;
oracle production and usage
Oracle production and usage
  • Means of comparison of MT output model and a reference model:
    • [Lin,Zhang,Grey:05] on an algorithm for output model comparison for oracle implementation;
    • [Mottu,Baudry,Traon:09] on oracle classification, e.g. manual, reference transformation, contracts and assertions;
input model qualification
Input model qualification
  • Criteria to evaluate and improve the quality of generated input models:
    • [Mottu,Baudry,Traon:06] on model transformation mutation operators for input model mutation analysis;
    • [Fleurey,Baudry,etal:07] on the classification of coverage criteria for input model qualification;
testing vs proving2
Testing vs. Proving
  • Testing Model Transformation challenges:
    • Input model generation
    • Oracle production and usage
    • Test qualification
  • Proving Model Transformation challenges:
    • Most transformation languages are Turing complete, nonconfluent (nondeterministic) and have an infinite amount of input models;
    • Proving syntax is hard, proving semantics is harder…
termination
Termination
  • Termination of graph rewriting is undecidable [Plump98]:
    • [Ehrig,Ehrig,etal:05] on a set of termination criteria transformation rules must satisfy;
    • [Varró,Varró,etal:06] on transforming into Petri Nets for deciding on transformation termination;
    • [Lara,Vangheluwe:09] on transforming into Timed Petri Nets for deciding on transformation termination;
    • [Barroca,Lúcio, etal:10] on a transformation language insuring termination and confluence of all transformations by construction;
confluence
Confluence
  • Rule execution order matters:
    • [Heckel,Küster,Taentzer:02] on the definition of confluent critical pairs of rules;
    • [Barroca,Lúcio, etal:10] on a transformation language insuring termination and confluence of all transformations by construction;
infinite amount of input models 1
Infinite amount of Input Models (1)
  • Input models are typically infinite instances of MOF/EMF metamodels. Approaches dependenton a given input model:
    • [Anastasakis,etal:06] on using Alloy for proving the transformation can run for oneinput model;
    • [Narayan,Karsai:08] on proving a structural correspondence will exist between an input model and the transformation’s output;
    • [Lara,Vangheluwe:09] on transforming one input model for a transformation into a Petri Net for analysis;
infinite amount of input models 2
Infinite amount of Input Models (2)
  • Approaches valid for all inputs, independentof any input model:
    • [Asztalos,etal:10] on proving properties of model transformations based on assertions and deduction rules;
    • [Lúcio,Barroca,etal:10] on proving structural relations between source and target model based on rule symbolic execution;
proving syntactic relations between input and output models
Proving syntactic relations between input and output models
  • Show that certain elements or patterns of an input model will always produce other elements or patterns of the output model
    • [Akehurst:02] on defining relations that hold between the input and output models by construction;
    • [Narayan,Karsai:08a] on proving a structural correspondence will exist between an input model and the transformation’s output;
    • [Lúcio,Barroca,etal:10] on proving structural relations between source and target metamodels hold on all transformations;
proving semantic preservation between input and output models
Proving semantic preservation between input and output models
  • The semantics of the original model is preserved after the transformation:
    • [Padberg, etal:97] on Petri Nets safety property preserving morphisms (applicable to statecharts);
    • [Varró,Pataricza:03] on preservation of a given property by model checking it on the input model and its transformed version on the output model;
    • [Narayanan,Karsai:08b] on the verification of preservation of statechartsemantics;
other classification axis
Other classification axis
  • Proof techniques
    • Model checkers (e.g. GROOVE)
    • Constraint solvers (e.g. Alloy)
  • Applicable to which transformation languages?
presentation overview2
Presentation Overview
  • Preliminary state of the art in Model Transformation Verification
  • Introduction to the Power Window case study
  • Which MT verification techniques can we use and for what?
mdd control software development for a power window
MDD control software development for a Power Window

Identify

  • Modeling languages and artifacts
  • Software development activities
  • Model transformations
environment description language
Environment Description Language

Inspired from Dhaussy and Roger, “Spécification du langage CDL v.1 : Syntaxe et sémantique”, 2011

software development activities
Software development activities
  • Simulation
  • Verification
    • Model checking
    • Model based testing
  • Code generation
simulation
Simulation

Environment

Control

Plant

+

+

Causal Block Diagram

model checking
Model Checking

Environment

Control

Plant

+

+

Petri Nets

model based testing
Model Based Testing

Environment

Control

Plant

+

Test Cases

Oracle

code generation
Code Generation

Environment

Control

Plant

+

Autosar

identified transformation types
Identified transformation types
  • Composition
    • Environment + Control + Plant
  • Same abstraction
    • Environment + Control + Plant -> Causal Block D.
  • Abstract (lose detail)
    • Environment + Control + Plant -> Petri Nets
  • Refine (add detail)
    • Control + Plant ->Autosar
presentation overview3
Presentation Overview
  • Preliminary state of the art in Model Transformation Verification
  • Introduction to the Power Window case study
  • Which MT verification techniques can we use and for what?
which mt verification techniques to use and for what
Which MT verification techniques to use and for what?

It depends…

  • On the type of the transformation (composition, abstraction, refinement…)
  • On the purpose of the transformation (verification, simulation, composition…)
  • On the domain of application (automotive software development, control systems…)
most likely direction
Most likely direction
  • Use either proofs of:
    • Syntactic relations hold between input and output models;
    • Semantics is preserved during transformation
  • Challenge: using these two general types of proofs and the available techniques understand which specific properties are important to prove in the Power Window case study.
bibliography
Bibliography
  • [Plump98] D.Plump “Termination of graph rewriting is undecidable”, FundamentaInformaticae 33(2), 1998.
  • [Ehrig,Ehrig,etal:05] H.Ehrig, K.Ehrig, J.Lara, G.Taentzer, D. Varró and S.Varró-Gyapay “Termination Criteria for Model Transformation”, LNCS 3442, 2005.
  • [Varró,Varró,etal:06]