Verifying Model Transformations for Real. Levi Lúcio; work done jointly with Bentley James Oakes, McGill.

Presentation transcript:

Verifying Model Transformations for Real (slide 1)
Levi Lúcio, School of Computer Science, McGill University, Montreal, Canada. May 13, 2015.
Work done jointly with: Bentley James Oakes, McGill University; Gehan Selim, Queen's University; Cláudio Gomes, University of Antwerp.

Outlook (slide 2)
- Theory: properties of DSLTrans model transformations and their proof
- Practice: implementing a fully automatic property prover
- Case studies: proving properties of large transformations
- Going mainstream: proving properties of ATL transformations

Problem Statement (slide 3)
We want to prove structural pre-/post-condition properties (contracts) of a translation model transformation, for all its executions. Because there are infinitely many transformation executions, the proof must be carried out on a finite abstraction of those executions.

Problem Statement (slide 4)
- How can we build this abstraction mechanically and use it to prove properties?
- Does the technique scale?
- Can it be used in practice?

VCS to AUTOSAR Transformation [1] (slide 5)
Figure: VCS Metamodel (obfuscated fragment); AUTOSAR Metamodel (fragment).
[1] G. Selim, S. Wang, J. R. Cordy, J. Dingel. "Model Transformations for Migrating Legacy Models: An Industrial Case Study". ECMFA 2012, Lyngby, Denmark (LNCS).

Migrating Legacy Models from VCS to AUTOSAR in DSLTrans [2] (slide 6)
Figure: Layer 1; Layer 2; Layer 3.
[2] B. Barroca, L. Lúcio, V. Amaral, R. Félix, V. Sousa. "DSLTrans: A Turing Incomplete Transformation Language". Proceedings of SLE 2010, Eindhoven, Netherlands (LNCS).

DSLTrans Rule Detail (slide 7)

Requirements [3] for the migration transformation from General Motors (slide 8)
[3] G. Selim, S. Wang, J. R. Cordy, J. Dingel. "Model Transformations for Migrating Legacy Models: An Industrial Case Study". ECMFA 2012, Lyngby, Denmark (LNCS).

Example property [4] (slide 9)
P1: "If a PhysicalNode is connected to a Service through the provided association (in the input), then the corresponding CompositionType will be connected to a PPortPrototype (in the output)."
[4] G. Selim, L. Lúcio, J. R. Cordy, J. Dingel, B. Oakes. "Specification and Verification of Graph-Based Model Transformation Properties". ICGT 2014, York, UK (LNCS).

Path Condition Generation of DSLTrans Model Transformations [5,6] (slide 10)
Figure: Process Layer 1; Process Layer 2; Process Layer 3; Unfeasible Control Path; ...; Path Conditions.
[5] L. Lúcio, B. Barroca, V. Amaral. "A Technique for the Verification of Model Transformations". Proceedings of MoDELS.
[6] L. Lúcio, B. Oakes, H. Vangheluwe. "A Technique for Symbolically Verifying Properties of Graph-Based Model Transformations". Technical Report SOCS-TR, McGill University.

Case 1: Rule has no Dependencies (slide 11)

Case 2: Rule's Dependencies are not Satisfied by the Path Condition (slide 12)

Case 3: Totally- and Partially-Satisfied Dependencies (slides 13, 14 and 15)

(slide 16: no text in transcript)

Symbolic Execution of Rules with Conditions on Attributes (slide 17)
- Symbolic conditions on attributes are equations on string values and are represented as graphs
- Equations are solved using a purposely-built Python string constraint solver
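The feasibility check such a solver performs, as an added Python example (not the slides' own code nor the prover's solver): symbolic attributes are names starting with `$`, literals are plain strings, equalities are merged with union-find and inequalities are then checked against the merged classes. The attribute names and the sample equations are constructed for illustration.

```python
class StringSolver:
    """Decides whether a set of '=' / '!=' equations over symbolic string
    attributes and string literals is satisfiable (path condition feasibility)."""

    def __init__(self):
        self.parent = {}   # union-find parent links over nodes
        self.value = {}    # class representative -> literal bound to that class

    def _node(self, term):
        """Map a term to a union-find node; a literal node carries its own value."""
        node = term if term.startswith("$") else ("lit", term)
        if node not in self.parent:
            self.parent[node] = node
            if node != term:
                self.value[node] = term
        return node

    def _find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def _union(self, a, b):
        """Merge two classes; fail if that forces two different literals equal."""
        ra, rb = self._find(a), self._find(b)
        if ra == rb:
            return True
        va, vb = self.value.get(ra), self.value.get(rb)
        if va is not None and vb is not None and va != vb:
            return False
        self.parent[ra] = rb
        if vb is None and va is not None:
            self.value[rb] = va            # carry the literal to the new representative
        return True

    def solve(self, equations):
        """equations: iterable of (lhs, op, rhs), op in {'=', '!='}.
        Returns (feasible, binding) with binding mapping symbols to literals."""
        for lhs, op, rhs in equations:
            if op == "=" and not self._union(self._node(lhs), self._node(rhs)):
                return False, {}
        for lhs, op, rhs in equations:
            if op == "!=":
                ra, rb = self._find(self._node(lhs)), self._find(self._node(rhs))
                if ra == rb:               # forced equal earlier: contradiction
                    return False, {}
        binding = {n: self.value[self._find(n)] for n in self.parent
                   if isinstance(n, str) and self._find(n) in self.value}
        return True, binding


def feasible(equations):
    """Solve a fresh system; returns the (feasible, binding) pair."""
    return StringSolver().solve(equations)


# Constructed conditions collected along one path condition: a rule copies a
# Service name into a PPortPrototype name, a later rule fixes that name to
# "diag", and an extra inequality then makes the path condition unfeasible.
FEASIBLE = [("$Service.name", "=", "$PPortPrototype.name"),
            ("$PPortPrototype.name", "=", "diag"),
            ("$Service.name", "!=", "alarm")]
UNFEASIBLE = FEASIBLE + [("$Service.name", "!=", "diag")]
```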

Symbolic Execution of Rules with Conditions on Attributes (slide 18)

Proving Properties (slide 19)
A property does not hold for a path condition pc whenever its pre-condition is isomorphically found on pc but its post-condition is not. Otherwise we say the property holds for pc. A property holds for a transformation whenever it holds for all of the transformation's path conditions.
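The proof rule on this slide, as an added Python example (not code from the slides or from the DSLTrans prover): a backtracking subgraph-embedding search stands in for the isomorphic match, path conditions are constructed graphs holding both their input and output side, and property P1 from slide 9 is encoded with an assumed edge label `port` on the output side. It simplifies the real check by ignoring traceability links between the pre-condition match and the post-condition.

```python
class Graph:
    """Typed nodes ({name: type}) and labelled edges ({(src, label, dst)})."""
    def __init__(self, nodes, edges):
        self.nodes, self.edges = dict(nodes), set(edges)


def find_embedding(pattern, host):
    """Backtracking search for an injective, type- and edge-preserving map of
    `pattern` into `host`. Returns the node mapping, or None if none exists."""
    pnodes = list(pattern.nodes)

    def consistent(mapping):
        # every pattern edge whose endpoints are both mapped must be in host
        return all((mapping[s], lbl, mapping[t]) in host.edges
                   for s, lbl, t in pattern.edges
                   if s in mapping and t in mapping)

    def extend(i, mapping):
        if i == len(pnodes):
            return dict(mapping)
        p = pnodes[i]
        for h, htype in host.nodes.items():
            if htype != pattern.nodes[p] or h in mapping.values():
                continue
            mapping[p] = h
            if consistent(mapping):
                found = extend(i + 1, mapping)
                if found is not None:
                    return found
            del mapping[p]
        return None

    return extend(0, {})


def holds_for_pc(pc, prop):
    """Slide 19: the property fails on pc iff its pre-condition is found in pc
    but its post-condition is not. Simplification: the post-condition is
    searched anywhere in pc, ignoring traceability links to the pre match."""
    pre, post = prop
    if find_embedding(pre, pc) is None:
        return True                     # pre-condition absent: holds trivially
    return find_embedding(post, pc) is not None


def prove(path_conditions, prop):
    """Holds for the transformation iff it holds for every path condition;
    otherwise report the first counter-example path condition."""
    for name, pc in path_conditions.items():
        if not holds_for_pc(pc, prop):
            return False, name
    return True, None


# Property P1 (slide 9); edge label 'provided' is from the slide, 'port' is assumed
P1 = (Graph({"pn": "PhysicalNode", "s": "Service"}, {("pn", "provided", "s")}),
      Graph({"ct": "CompositionType", "pp": "PPortPrototype"}, {("ct", "port", "pp")}))

# Constructed path conditions: complete, vacuous (no 'provided' edge), violating
PATH_CONDITIONS = {
    "pc_complete": Graph({"n1": "PhysicalNode", "s1": "Service", "c1": "CompositionType",
                          "p1": "PPortPrototype"},
                         {("n1", "provided", "s1"), ("c1", "port", "p1")}),
    "pc_no_service": Graph({"n1": "PhysicalNode", "c1": "CompositionType"}, set()),
    "pc_missing_port": Graph({"n1": "PhysicalNode", "s1": "Service", "c1": "CompositionType"},
                             {("n1", "provided", "s1")}),
}
```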

Properties of Property Proving [7] (slide 20)
- Validity Theorem: proving a property over all path conditions generated for a transformation gives the same result as proving it over all executions of that transformation
- Completeness Theorem: properties of a transformation can be shown to either hold for all transformation executions, or not hold for at least one transformation execution
[7] L. Lúcio, B. Oakes, H. Vangheluwe. "A Technique for Symbolically Verifying Properties of Graph-Based Model Transformations". Technical Report SOCS-TR, McGill University, 2014.

Implementation (slide 21)
Principle: development of the tool should be model-driven (as much as possible).
First-class citizens:
- Metamodels
- Models
- (Higher-Order) Model Transformations
"Eat your own dog food!"

Tooling and developers (slide 22)
Tooling: igraph / Himesis; T-Core.
Developers: Levi Lúcio (McGill U.), Bentley Oakes (McGill U.), Gehan Selim (Queen's U.), Cláudio Gomes (Antwerp U.).

Tool Architecture (slide 23)

Model-Driven Development: Challenges (slide 24)
- Insufficient higher-order model transformation technology
- (AToM3) models are not built for memory-intensive applications
- Transformations and code have to be developed together in an interleaved fashion

Model-Driven Development: Advantages (slide 25)
- (Surprisingly) speed!
- Adapted to the domain
- Models simplify the usage of complex data types

Model-Driven Development: Ambivalent (slide 26)
- Right level of abstraction through the usage of metamodels and model transformations
- Visual editing and debugging of metamodels, models and model transformations

Case Studies (slide 27)
- Case study 1: GM to AUTOSAR. Partial migration transformation from the proprietary VCS architecture language for automotive hardware and software deployment into AUTOSAR. Small subset of the complete metamodel, for experimentation.
- Case study 2: UML-RT to Kiltera (Gehan Selim's PhD). Gives semantics to UML-RT in terms of the CSP-like language Kiltera, for simulation. Functionally, half of the UML-RT metamodel is transformed.
- Case study 3: mbeddr to C. Gives semantics to specifications in the mbeddr language as C code, for execution. Complete subset of the mbeddr metamodel required for the transformation of connectors between mbeddr components into C function calls. The property to prove: "for every invocation of a function on an instance of a component by an instance of another component, via a connector, the correct C function generated by the transformation is called".

Case study 1: GM to AUTOSAR (slide 28)
- Number of rules: 8
- Number of layers: 4
- Symbolic execution time: 0.6 s
- Number of path conditions: 3
- Property proving times: 0.02 s on average

Case study 2: UML-RT to Kiltera (slide 29)
- Number of rules: 17
- Number of layers: 7
- Symbolic execution time: 80 s
- Number of path conditions: 330
- Property proving times: tens of seconds
- Required implementation of the symbolic execution of conditions on object attributes!

UML-RT to Kiltera: rules vs path conditions (slide 30)

UML-RT to Kiltera: rules vs time (slide 31)

UML-RT to Kiltera: rules vs space (slide 32)

Case study 3: mbeddr to C (slide 33)
- Number of rules: 49
- Number of layers: 7
- Symbolic execution time: 1264 s (23 rules)
- Number of path conditions: ?
- Property proving times: ?

mbeddr to C: rules vs path conditions (slide 34; figure, y-axis: number of path conditions)

mbeddr to C: rules vs time (slide 35)

mbeddr to C: rules vs space (slide 36)

Going Mainstream: Proving Properties of ATL Transformations [9] (slide 37)
- Transforming ATL transformations into DSLTrans
- Properties of ATL transformations
- DSLTrans transformation slicing
- Results
[9] B. Oakes, J. Troya, L. Lúcio, M. Wimmer. "Fully Verifying Transformation Contracts for Declarative ATL". Submitted to MoDELS 2015.

Transforming ATL into DSLTrans (slides 38 to 45; figure labels R1, R2, B2, B11)

Treated ATL Subset (declarative) (slide 46)

Properties of ATL Transformations (slide 47)
"A family with a mother and a daughter will always produce a community with a man."

Properties of ATL Transformations (slide 48)
"The produced Person has been correctly created from the last name of the Family and the first name of the Member."

Properties of ATL Transformations (slide 49)
"A Community is connected to one and only one Person element."

DSLTrans Transformation Slicing (slide 50)
- Select only rules from a DSLTrans transformation which contribute to the proof of a property
- Very conservative rule selection algorithm:
  - rules containing input elements
  - rules containing output elements
  - rules containing dependencies for rules where input or output elements occur
- Extremely effective for not-too-large properties
- Tradeoff between verification time and property size (for example, does not work for the mbeddr transformation)
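The conservative selection algorithm on this slide, as an added Python example (not the slides' own code nor the prover's implementation): the rule set, its layers and the metamodel types are constructed and loosely modelled on the Families-to-Persons example, and a rule in a later layer is assumed to depend on every earlier rule producing an output type it matches through backward links. The two calls in the comments show the slice shrinking for one property and degenerating to the whole transformation for another, which is the conservativeness the slide mentions.

```python
# Constructed DSLTrans-style rules. For each rule: layer, input-metamodel types
# it matches, output-metamodel types it matches via backward links, and output
# types it produces. Member roles (father, mother, ...) are assumed to be matched
# through associations, so the layer-2 rules match only the Member type.
RULES = {
    "Family2Community": dict(layer=1, match_in={"Family"}, match_out=set(),
                             produce={"Community"}),
    "Member2Person":    dict(layer=1, match_in={"Member"}, match_out=set(),
                             produce={"Person"}),
    "Father2Man":       dict(layer=2, match_in={"Member"}, match_out={"Person"},
                             produce={"Man"}),
    "Mother2Woman":     dict(layer=2, match_in={"Member"}, match_out={"Person"},
                             produce={"Woman"}),
    "Son2Man":          dict(layer=2, match_in={"Member"}, match_out={"Person"},
                             produce={"Man"}),
    "Daughter2Woman":   dict(layer=2, match_in={"Member"}, match_out={"Person"},
                             produce={"Woman"}),
    "LinkPersons":      dict(layer=3, match_in=set(),
                             match_out={"Community", "Person"}, produce=set()),
}


def dependencies(rules, name):
    """Rules in earlier layers that produce an output type `name` matches."""
    r = rules[name]
    return {q for q, rq in rules.items()
            if rq["layer"] < r["layer"] and rq["produce"] & r["match_out"]}


def slice_rules(rules, pre_types, post_types):
    """Select rules containing the property's input types or output types, then
    close the selection under dependencies. Returns rule names in layer order."""
    selected = {name for name, r in rules.items()
                if r["match_in"] & pre_types
                or (r["match_out"] | r["produce"]) & post_types}
    worklist = list(selected)
    while worklist:
        for dep in dependencies(rules, worklist.pop()):
            if dep not in selected:
                selected.add(dep)
                worklist.append(dep)
    return sorted(selected, key=lambda n: (rules[n]["layer"], n))


# Property about Community and Man (pre: Family; post: Community, Man) keeps
# 5 of the 7 rules; the slide-47 style property (pre: Family, Member) keeps all 7.
# slice_rules(RULES, {"Family"}, {"Community", "Man"})
# slice_rules(RULES, {"Family", "Member"}, {"Community", "Man"})
```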

Results (slide 51)
Transformation | ATL / DSLTrans rules | Path Conds. | Gen. Time (s) | Properties Proved | Time (s) | Memory (MB)
Families-to-Person | 5 / | | | | |
ER-Copier | 5 / | | | | |
Ecore-Copier | 11 / | | | | |
Sliced Ecore-copier (prop with 2 input types, 2 output types) | 15 / 63 | > | | | |
Sliced Ecore-copier (prop with 2 input types, 2 output types) | 15 / 63 | > | | | |
GM to Autosar | 5 / | | | | |
(Cells other than the rule counts are missing from the transcript.)

Properties used to Slice the Ecore-Copier (slide 52)
- "All bi-directional associations (represented by two inverse EReference instances) between EClass instances should have the same end points, i.e., the EClass instances should have the same names."
- "If there is an EStructuralFeature instance in the target model, it must have the equivalent EClass instance as a container as the corresponding source model EStructuralFeature instance has in the source model."

Conclusion (slide 53)
- We built a theoretically sound property prover for syntactic pre-/post-condition contracts of model transformations
- Based on a transformation language of reduced expressiveness
- We experimentally validated that the technique is applicable to a large class of out-place transformations
- Experiments indicate the technique scales well
- We validated that properties are expressive and intuitive to use
- We have evidence that properties about the preservation of the semantics of transformed models can also be proved
- Can be used for other model transformation languages than DSLTrans, as demonstrated by the easy "port" into ATL

Future Work (slide 54)
Tool:
- Finish Eclipse integration with DSLTrans and ATL editors (work with Manuel Wimmer, T.U. Wien)
- More experimentation with slicing
- Performance improvements (parallelization)
Theory:
- Right abstraction level to explain soundness and completeness (work with Bernhard Schaetz, fortiss)
- Including NACs in the theory of path condition construction