On the Correctness of Model Transformations. Matthew Nizol CSE 814, Fall 2014 Thursday, December 11, 2014

Transcription

1 On the Correctness of Model Transformations Matthew Nizol CSE 814, Fall 2014 Thursday, December 11, 2014

2 Agenda Context: Model-driven development Background on verification techniques Presentation of each technique Comparison of techniques

3 Context: What do we mean by Model? An abstraction of a software system Many types of models in software development: Dimension Formal vs. informal Static vs. dynamic High- vs. low-level Visual vs. textual Examples Alloy spec vs. whiteboard sketch Class diagram vs. state chart Ontology vs. XML schema UML vs. program code

4 Context: Model-driven Development Problem: Complex software hard to develop Related artifacts hard to keep synchronized Solution: Models increase the abstraction level of development Transformations formalize relationships between models

5 Model Transformations Convert source model to target model Composed of transformation rules Rules may be imperative or declarative Example applications: Exogenous Code generation Reverse engineering Language migration Endogenous Refactoring Optimization Refinement

6 Transformation Properties Category Syntax Semantics Execution of the transformation Examples Type correctness Well-formedness Correspondence Preservation Confluence Termination

7 Verification Approaches Informal: Testing Inspection Formal: Model Checking Theorem Proving Graph-theoretic

8 Verification Approaches Informal: Testing Inspection Formal: Model Checking Theorem Proving Graph-theoretic Source Model Transformation Target Direct Indirect

9 Approach 1: Indirect, Model Checking Figure adapted from Varro et al.

10 Example: Source Model

11 Example: Target Model (Petri Net) Tool: pneditor.org

12 Example: Target Model (Petri Net) Tool: pneditor.org

13 Example: Target Model (Petri Net) Tool: pneditor.org

14 Example: Target Model (Petri Net) Tool: pneditor.org

15 Example: Target Model (Petri Net) Tool: pneditor.org

16 Example: Target Model (Petri Net) Tool: pneditor.org

17 Example: Source to NuSMV (Partial) MODULE sensor(resumemsg) VAR state : {imagecapture, processimage, computedist, waiting}; transition : {captured, clear, obstacle, closeobs, resume}; ASSIGN init(state) := imagecapture; next(state) := case state = imagecapture & transition = captured : processimage; state = waiting & transition = resume : imagecapture; TRUE : state; esac; next(transition) := case state = imagecapture : captured; state = processimage : {clear, obstacle}; state = computedist : {clear, closeobs}; state = waiting & resumemsg : resume; TRUE : transition; esac;

18 Example: Source to NuSMV (Partial) MODULE sensor(resumemsg) VAR state : {imagecapture, processimage, computedist, waiting}; transition : {captured, clear, obstacle, closeobs, resume}; ASSIGN init(state) := imagecapture; next(state) := case Define states and transitions state = imagecapture & transition = captured : processimage; state = waiting & transition = resume : imagecapture; TRUE : state; esac; next(transition) := case state = imagecapture : captured; state = processimage : {clear, obstacle}; state = computedist : {clear, closeobs}; state = waiting & resumemsg : resume; TRUE : transition; esac;

19 Example: Source to NuSMV (Partial) MODULE sensor(resumemsg) VAR state : {imagecapture, processimage, computedist, waiting}; transition : {captured, clear, obstacle, closeobs, resume}; ASSIGN init(state) := imagecapture; next(state) := case Define initial state state = imagecapture & transition = captured : processimage; state = waiting & transition = resume : imagecapture; TRUE : state; esac; next(transition) := case state = imagecapture : captured; state = processimage : {clear, obstacle}; state = computedist : {clear, closeobs}; state = waiting & resumemsg : resume; TRUE : transition; esac;

20 Example: Source to NuSMV (Partial) MODULE sensor(resumemsg) VAR state : {imagecapture, processimage, computedist, waiting}; transition : {captured, clear, obstacle, closeobs, resume}; ASSIGN init(state) := imagecapture; next(state) := case state = imagecapture & transition = captured : processimage; state = waiting & transition = resume : imagecapture; TRUE : state; esac; next(transition) := Define next state given a case state = imagecapture : transition captured; state = processimage : {clear, obstacle}; state = computedist : {clear, closeobs}; state = waiting & resumemsg : resume; TRUE : transition; esac;

21 Example: Source to NuSMV (Partial) MODULE sensor(resumemsg) VAR state : {imagecapture, processimage, computedist, waiting}; transition : {captured, clear, obstacle, closeobs, resume}; ASSIGN init(state) := imagecapture; next(state) := case state = imagecapture & transition = captured : processimage; state = waiting & transition = resume : imagecapture; TRUE : state; esac; next(transition) := Define legal transitions from a state case state = imagecapture : captured; state = processimage : {clear, obstacle}; state = computedist : {clear, closeobs}; state = waiting & resumemsg : resume; TRUE : transition; esac;

22 Example: Some properties we can prove UML G (s.state = closeobs -> Petri Net G (closeobs -> F turning) F a.state = turning) G (a.state = turning -> G (turning -> waiting) s.state = waiting) G ((s.state = imagecapture s.state = processimage) -> a.state = moving) G ((imgcap procimg) -> moving)

23 Approach 2: Direct, Deductive Reasoning A model transformation can be represented as a series of rules in a control graph Rule 1 Rule 2 Rule 4 Rule 3 ADL (Assertion Description Language) permits reasoning on such transformations

24 Assertion Description Language (ADL) An ADL sentence is of the form: <location> : <assertion> A location is relative to a node in the control graph, e.g. before(rule 1) or after(rule 1) An assertion has the form: <operator> <pattern>

25 ADL Operators Operator None P Exists P Any P1 P2 ForOne P1 P2 ForEach P1 P2 Terminates Semantics Pattern P is not in the model Pattern P is in the model If Pattern P1 is present, so is P2 P2 replaces one instance of P1 P2 replaces every instance of P1 The rule terminates

26 Example: Flattening a model Example adapted from Asztalos et al.

27 Example: Transformation rules Rule 1 Rule 2 Rule 3

28 Example: Property and Precondition If a path exists before deleting the composite node, the path exists afterwards: Before(rule 3): None P1 Before(rule 3): None P2 Preconditions: Before(rule 1): Any P1 LHS1 Before(rule 1): Any P2 LHS1

29 Example: Proof Deduction Before(r1): Any P2 LHS1 After(r1): None LHS1 After(r1): None P2 After(r2): Exists P2 Before(r2): Exists P2 Before(r2): None P2 After(r2): None P2 After(r2): None P2 Justification Precondition Application of rule 1 (1), (2) + P2 is a subgraph of LHS1 Rule 2 only removes composite edges Contrapositive of (4) Modus Ponens with (3), (5) Note: Control graph is linear so Before(n) is equivalent to After(n)

30 Discussion Verification coverage Transformation considered Generality Indirect, Model Chk Single source model Transient process Everything a black box Direct, Deductive All source models Persistent artifact Requires use of ADL, graph transformations

31 Discussion Expressivity Effort Scalability Indirect, Model Chk Language of chosen tool Transformation to tool formalism and of properties State explosion. Can be alleviated during translation to tool. Direct, Deductive Pattern-based properties Manual proof required. Unclear how theoretical deduction rules can be efficiently decided.

32 References [1] L. Ab. Rahim and J. Whittle. A survey of approaches for verifying model transformations. Software & Systems Modeling, pages 1-26, [2] K. Anastasakis, B. Bordbar, and J. M. Kuster. Analysis of model transformations via Alloy. In Proceedings of the 4th MoDeVVa workshop, Model-Driven Engineering, Verification and Validation, pages 47-56, [3] M. Asztalos, L. Lengyel, and T. Levendovszky. Towards automated, formal verification of model transformations. In Software Testing, Verification and Validation (ICST), 2010 Third International Conference on, pages 15-24, April [4] E. M. Clarke, O. Grumberg, and D. A. Peled. Model Checking. The MIT Press, [5] H. Ehrig. Fundamentals of algebraic graph transformation, chapter General Introduction, pages Springer Verlag, 2006.

33 References [6] B. Hailpern and P. Tarr. Model-driven development: The good, the bad, and the ugly. IBM Syst. J., 45(3): , July [7] R. Heckel. Graph transformation in a nutshell. Electronic Notes in Theoretical Computer Science, 148(1): , Proceedings of the School of SegraVis Research Training Network on Foundations of Visual Modelling Techniques (FoVMT 2004). [8] T. Mens and P. V. Gorp. A taxonomy of model transformation. Electronic Notes in Theoretical Computer Science, 152(0): , Proceedings of the International Workshop on Graph and Model Transformation (GraMoT 2005). [9] T. Murata. Petri nets: Properties, analysis and applications. Proceedings of the IEEE, 77(4): , Apr [10] D. C. Schmidt. Guest editor's introduction: Model-driven engineering. Computer, 39(2):25-31, [11] D. Varro and A. Pataricza. Automated formal verification of model transformations. In CSDUML 2003: Critical Systems Development in UML; Proceedings of the UML'03 Workshop, pages 63-78, September 2003.