Presentation is loading. Please wait.

Presentation is loading. Please wait.

Verification of Model Transformations for Real Verifying Model Transformations for Real Levi Lúcio work done jointly with: Bentley James Oakes, McGill.

Published byDamon Payne Modified over 9 years ago

Similar presentations

Presentation on theme: "Verification of Model Transformations for Real Verifying Model Transformations for Real Levi Lúcio work done jointly with: Bentley James Oakes, McGill."— Presentation transcript:

1 Verification of Model Transformations for Real Verifying Model Transformations for Real Levi Lúcio work done jointly with: Bentley James Oakes, McGill University Gehan Selim, Queen’s University Cláudio Gomes, University of Antwerp School of Computer Science, McGill University, Montreal, Canada May 13, 2015

2 Verification of Model Transformations for Real Outlook Theory: properties of DSLTrans model transformations and their proof Practice: implementing a fully automatic property prover Case studies: proving properties of large transformations Going mainstream: proving properties of ATL transformations 2

3 Verification of Model Transformations for Real Problem Statement We want to prove pre- / post- condition structural, properties (contracts) of a translation model transformation, for all its executions. The infinite amount of transformation executions implies the proof needs to be done on a finite abstraction of the transformation’s executions. 3

4 Verification of Model Transformations for Real Problem Statement How can we build this abstraction mechanically and use it to prove properties? Does the technique scale? Can it be used in practice? 4

5 Verification of Model Transformations for Real VCS to AUTOSAR Transformation [1] 5 VCS Metamodel (obfuscated fragment) AUTOSAR Metamodel (fragment) [1] G. Selim, S. Wang, J. R. Cordy, J. Dingel. “Model Transformations for Migrating Legacy Models: An Industrial Case Study”. ECMFA 2012, Lyngby, Denmark (LNCS)

6 Verification of Model Transformations for Real Migrating Legacy Models from VCS to AUTOSAR in DSLTrans [2] Layer 1 Layer 2 Layer 3 [2] DSLTrans: A Turing Incomplete Transformation Language, B. Barroca, L. Lúcio, V. Amaral R. Félix, V. Sousa. Proceedings of SLE 2010, Eindhoven, Netherlands, 2010. (LNCS)

7 Verification of Model Transformations for Real DSLTrans Rule Detail

8 Verification of Model Transformations for Real Requirements [3] for the migration transformation from General Motors 8 [3] G. Selim, S. Wang, J. R. Cordy, J. Dingel. “Model Transformations for Migrating Legacy Models: An Industrial Case Study”. ECMFA 2012, Lyngby, Denmark (LNCS)

9 Verification of Model Transformations for Real Example property [4] 9 P1: “If a PhysicalNode is connected to a Service through the provided association (in the input), then the corresponding CompositionType will be connected to a PPortPrototype (in the output).” [4] G. Selim, L. Lúcio, J. R. Cordy, J. Dingel and B. Oakes. ” Specification and Verification of Graph-Based Model Transformation Properties” ICGT 2014, York, UK. (LNCS)

10 Verification of Model Transformations for Real Path Condition Generation of DSLTrans Model Transformations [5,6]1 2121 3131 12122 2323 2323 10 [5] L. Lúcio, B. Barroca, V. Amaral “A Technique for the Verification of Model Transformations” Proceedings of MoDELS, 2010. [6] A Technique for Symbolically Verifying Properties of Graph-Based Model Transformations, L. Lúcio, B. Oakes and H. Vangheluwe. Technical Report SOCS-TR-2014.1, McGill University, 2014. Process Layer 1 Process Layer 2 Process Layer 3 Unfeasible Control Path …… Path Conditions

11 Verification of Model Transformations for Real Case 1: Rule has no Dependencies 11

12 Verification of Model Transformations for Real Case 2: Rule’s Dependencies are not Satisfied by the Path Condition 12

13 Verification of Model Transformations for Real Case 3: Totally- and Partially- Satisfied Dependencies 13

14 Verification of Model Transformations for Real 14 Case 3: Totally- and Partially- Satisfied Dependencies

15 Verification of Model Transformations for Real Case 3: Totally- and Partially- Satisfied Dependencies 15

16 Verification of Model Transformations for Real 16

17 Verification of Model Transformations for Real Symbolic Execution of Rules with Conditions on Attributes 17 Symbolic conditions on attributes are equations on string values and are represented as graphs Equations are solved using a purposely-built Python String constraint solver

18 Verification of Model Transformations for Real Symbolic Execution of Rules with Conditions on Attributes 18

19 Verification of Model Transformations for Real Proving Properties A property is does not hold for a path condition pc whenever its pre-condition is isomorphically found on pc, but its post-condition is not. Otherwise we say the property holds for pc. A property is holds for a transformation whenever it holds for all of the transformation’s path conditions. 19

20 Verification of Model Transformations for Real Properties of Property Proving [7] Validity Theorem: the result of proving a property for all path conditions generated for a transformation or an all executions of that transformation is the same Completeness Theorem: properties of a transformation can be shown to either hold for all transformation executions, or not hold for at least one transformation execution 20 [7] L. Lúcio, B. Oakes, H. Vangheluwe “A Technique for Symbolically Verifying Properties of Graph-Based Model Transformations”. Technical Report SOCS-TR-2014.1, McGill University, 2014.

21 Verification of Model Transformations for Real Implementation 21 Principle: Development of the tool should be model-driven (as much as as possible) First class citizens: Metamodels Models (Higher-Order) Model Transformations “Eat your own dog food!”

22 Verification of Model Transformations for Real Tooling and developers 22 igraph / Himesis Levi Lúcio McGill U. Bentley Oakes McGill U. Gehan Selim Queen’s U. Cláudio Gomes Antwerp U. T-Core

23 Verification of Model Transformations for Real Tool Architecture 23

24 Verification of Model Transformations for Real Model-Driven Development: Challenges 24 Challenges Insufficient higher-order model transformation technology (AToM3) models are not built for memory-intensive applications Transformations and code have to be developed together in an interleaved fashion

25 Verification of Model Transformations for Real Model-Driven Development: Advantages 25 Advantages (Surprisingly) speed! Adapted to the domain Models simplify the usage of complex data types

26 Verification of Model Transformations for Real Model-Driven Development: Ambivalent 26 Ambivalent Right level of abstraction through the usage of metamodels and model transformations Visual edition and debugging of metamodels, models and model transformations

27 Verification of Model Transformations for Real Case Studies Case study 1: GM To Autosar Partial migration transformation from the proprietary VCS architecture language for automotive hardware and software deployment into AUTOSAR. Small subset of the complete metamodel, for experimentation. Case study 2: UML-RT To Kiltera (Gehan Selim’s PhD) Give semantics to UML-RT in terms of the CSP-like language Kiltera, for simulation. Functional half the UML-RT metamodel is transformed. Case study 3: mbeddr to C Give semantics to specifications in the mbeddr language as C code, for execution. Complete subset of the mbeddr metamodel required for the transformation of connectors between mbeddr components into C function calls. To prove the property: “for every invocation of a function on an instance of a component by an instance of a another component, via a connector, the correct C function generated by the transformation is called”. 27

28 Verification of Model Transformations for Real Case study 1: GM To Autosar 28 Number of rules: 8 Number of layers: 4 Symbolic execution time: 0.6 s Number of path conditions: 3 Property proving times: 0.02 s on average

29 Verification of Model Transformations for Real Case study 2: UML-RT to Kiltera 29 Number of rules: 17 Number of layers: 7 Symbolic execution time: 80 s Number of path conditions: 330 Property proving times: tens of seconds Required implementation of the symbolic execution of conditions on object attributes!

30 Verification of Model Transformations for Real UML-RT to Kiltera: rules vs path conditions 30

31 Verification of Model Transformations for Real UML-RT to Kiltera: rules vs time 31

32 Verification of Model Transformations for Real UML-RT to Kiltera: rules vs space 32

33 Verification of Model Transformations for Real Case study 3: mbeddr to C 33 Number of rules: 49 Number of layers: 7 Symbolic execution time: 1264 s (23 rules) Number of path conditions: ? Property proving times: ?

34 Verification of Model Transformations for Real mbeddr to C: rules vs path conditions 34 number of path conditions

35 Verification of Model Transformations for Real mbeddr to C: rules vs time 35

36 Verification of Model Transformations for Real mbeddr to C: rules vs space 36

37 Verification of Model Transformations for Real Going Mainstream: Proving Properties of ATL Transformations [9] Transforming ATL transformation into DSLTrans Properties of ATL transformations DSLTrans transformation slicing Results 37 [9] B. Oakes, J. Troya, L. Lúcio, M. Wimmer. “Fully Verifying Transformation Contracts for Declarative ATL”. Submitted to MoDELS 2015

38 Verification of Model Transformations for Real Transforming ATL into DSLTrans 38

39 Verification of Model Transformations for Real Transforming ATL into DSLTrans 39

40 Verification of Model Transformations for Real Transforming ATL into DSLTrans 40

41 Verification of Model Transformations for Real Transforming ATL into DSLTrans 41 R1

42 Verification of Model Transformations for Real Transforming ATL into DSLTrans 42

43 Verification of Model Transformations for Real Transforming ATL into DSLTrans 43 R2 B2

44 Verification of Model Transformations for Real Transforming ATL into DSLTrans 44

45 Verification of Model Transformations for Real Transforming ATL into DSLTrans 45 B11

46 Verification of Model Transformations for Real Treated ATL Subset (declarative) 46

47 Verification of Model Transformations for Real Properties of ATL Transformations 47 ‘A family with a mother and a daughter will always produce a community with a man.’

48 Verification of Model Transformations for Real Properties of ATL Transformations 48 ‘The produced Person has been correctly created from the last name of the Family and the first name of the Member.‘

49 Verification of Model Transformations for Real Properties of ATL Transformations 49 ‘A Community is connected to one and only one Person element’.

50 Verification of Model Transformations for Real DSLTrans Transformation Slicing Select only rules from a DSLTrans transformation which contribute to the proof of a property Very conservative rule selection algorithm: rules containing input elements rules containing output elements rules containing dependencies for rules where input or output elements occur Extremely effective for not-too-large properties Tradeoff between verification time and property size (for example, does not work for the mbeddr transformation) 50

51 Verification of Model Transformations for Real Results 51 TransformationATL / DSLTrans rules Path Conds. Gen. Time (s)Properties Proved Time (s)Memory (MB) Families-to-Person5 / 9521.54431.4545 ER-Copier5 / 9700.4811.7043 Ecore-Copier11 / 24578902894.4411401.457800 Sliced Ecore-copier (prop with 2 input types, 2 output types) 15 / 63 > 13733.5019.1172 Sliced Ecore-copier (prop with 2 input types, 2 output types) 15 / 63 > 17280.9510.4671 GM to Autosar5 / 930.1790.2648

52 Verification of Model Transformations for Real Properties used to Slice the Ecore-Copier 52 “All bi-directional associations (represented by two inverse EReferences instances) between EClass instances should have the same end points, i.e., the EClass Instances should have the same names.” “If there is an EStructuralFeature instance in the target model, it must have the equivalent EClass instance as a container as the corresponding source model EStructuralFeature instance has in the source model.”

53 Verification of Model Transformations for Real Conclusion We built a theoretically sound property prover for model for syntactic pre- / post-condition contracts Based on a transformation language of reduced expressiveness We experimentally validated that technique is applicable to a large class of out-place transformations Experiments indicate the technique scales well We validated that properties are expressive and intuitive to use We have evidence that properties about the preservation of the semantics of transformed models can also be proved Can be used for other model transformation languages than DSLTrans as demonstrated by the easy “port” into ATL 53

54 Verification of Model Transformations for Real Future Work Tool Finish Eclipse integration with DSLTrans and ATL editors (work with Manuel Wimmer, T.U. Wien) More experimentation with slicing Performance improvements (parallelization) Theory Right abstraction level to explain soundness and completeness (work with Bernhard Schaetz, fortiss) Including NACs in the theory of path condition construction 54

Download ppt "Verification of Model Transformations for Real Verifying Model Transformations for Real Levi Lúcio work done jointly with: Bentley James Oakes, McGill."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University.

Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University.
Copyright W. Howden1 Programming by Contract CSE 111 6/4/2014.

Copyright W. Howden1 Programming by Contract CSE 111 6/4/2014.
Model Checking for an Executable Subset of UML Fei Xie 1, Vladimir Levin 2, and James C. Browne 1 1 Dept. of Computer Sciences, UT at Austin 2 Bell Laboratories,

Model Checking for an Executable Subset of UML Fei Xie 1, Vladimir Levin 2, and James C. Browne 1 1 Dept. of Computer Sciences, UT at Austin 2 Bell Laboratories,
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.

Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
1 PROPERTIES OF A TYPE ABSTRACT INTERPRETATER. 2 MOTIVATION OF THE EXPERIMENT § a well understood case l type inference in functional programming à la.

1 PROPERTIES OF A TYPE ABSTRACT INTERPRETATER. 2 MOTIVATION OF THE EXPERIMENT § a well understood case l type inference in functional programming à la.
Technology of Test Case Generation Levi Lúcio University of Geneva Marko Samer Vienna University of Technology.

Technology of Test Case Generation Levi Lúcio University of Geneva Marko Samer Vienna University of Technology.
1 Regression-Verification Benny Godlin Ofer Strichman Technion.

1 Regression-Verification Benny Godlin Ofer Strichman Technion.
A Technique for Automatic Validation of Model Transformations Levi Lúcio and Bruno Barroca Universidade Nova de Lisboa.

A Technique for Automatic Validation of Model Transformations Levi Lúcio and Bruno Barroca Universidade Nova de Lisboa.
Hüseyin Ergin University of Alabama Software Modeling Lab Software Engineering Group Department of Computer Science College of Engineering.

Hüseyin Ergin University of Alabama Software Modeling Lab Software Engineering Group Department of Computer Science College of Engineering.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.

Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.
Fall 20021 Semantics Juan Carlos Guzmán CS 3123 Programming Languages Concepts Southern Polytechnic State University.

Fall Semantics Juan Carlos Guzmán CS 3123 Programming Languages Concepts Southern Polytechnic State University.
CS 355 – Programming Languages

CS 355 – Programming Languages
Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.

Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.
McGill University School of Computer Science Ph.D. Candidate in the Modelling, Simulation and Design Lab MPM’09 Explicit Transformation Modelling Thomas.

McGill University School of Computer Science Ph.D. Candidate in the Modelling, Simulation and Design Lab MPM’09 Explicit Transformation Modelling Thomas.

Similar presentations

Ads by Google