Presentation is loading. Please wait.

Presentation is loading. Please wait.

Verification of Translation Model Transformations Levi Lúcio †, Bentley James Oakes, and Hans Vangheluwe †,‡ † School of Computer Science, McGill University,

Published byDarrell Johns Modified over 8 years ago

Similar presentations

Presentation on theme: "Verification of Translation Model Transformations Levi Lúcio †, Bentley James Oakes, and Hans Vangheluwe †,‡ † School of Computer Science, McGill University,"— Presentation transcript:

1 Verification of Translation Model Transformations Levi Lúcio †, Bentley James Oakes, and Hans Vangheluwe †,‡ † School of Computer Science, McGill University, Montreal, Canada ‡ Department of Mathematics and Computer Science, University of Antwerp, Belgium {levi,hv}@cs.mcgill.ca, bentley.oakes@mail.mcgill.ca March 2, 2015

2 Verification of Translation Model Transformations Problem Statement We want to prove pre- post- condition structural, properties of a translation model transformation, for all its executions. The infinite amount of transformation executions implies the proof needs to be done on a finite abstraction of the transformation’s executions. 2

3 Verification of Translation Model Transformations Problem Statement How can we build this abstraction mechanically and use it to prove properties? Does the technique scale? 3

4 Verification of Translation Model Transformations VCS to AUTOSAR Transformation [1] 4 VCS Metamodel (obfuscated fragment) AUTOSAR Metamodel (fragment) [1] G. Selim, S. Wang, J. R. Cordy, J. Dingel. “Model Transformations for Migrating Legacy Models: An Industrial Case Study”. ECMFA 2012, Lyngby, Denmark (LNCS)

5 Verification of Translation Model Transformations Migrating Legacy Models from VCS to AUTOSAR in DSLTrans [2] Layer 1 Layer 2 Layer 3 [2] DSLTrans: A Turing Incomplete Transformation Language, B. Barroca, L. Lúcio, V. Amaral R. Félix, V. Sousa. Proceedings of SLE 2010, Eindhoven, Netherlands, 2010.

6 Verification of Translation Model Transformations DSLTrans Rule Detail

7 Verification of Translation Model Transformations Requirements [3] for the migration transformation from General Motors 7 [3] G. Selim, S. Wang, J. R. Cordy, J. Dingel. “Model Transformations for Migrating Legacy Models: An Industrial Case Study”. ECMFA 2012, Lyngby, Denmark (LNCS)

8 Verification of Translation Model Transformations Example property [4] 8 P1: “If a PhysicalNode is connected to a Service through the provided association (in the input), then the corresponding CompositionType will be connected to a PPortPrototype (in the output).” [4] G. Selim, L. Lúcio, J. R. Cordy, J. Dingel and B. Oakes. ” Specification and Verification of Graph-Based Model Transformation Properties” ICGT 2014, York, UK. (LNCS)

9 Verification of Translation Model Transformations Path Condition Generation of DSLTrans Model Transformations [5,6]1 2121 3131 12122 2323 2323 9 [5] L. Lúcio, B. Barroca, V. Amaral “A Technique for the Verification of Model Transformations” Proceedings of MoDELS, 2010. [6] A Technique for Symbolically Verifying Properties of Graph-Based Model Transformations, L. Lúcio, B. Oakes and H. Vangheluwe. Technical Report SOCS-TR-2014.1, McGill University, 2014. Process Layer 1 Process Layer 2 Process Layer 3 Unfeasible Control Path …… Path Conditions

10 Verification of Translation Model Transformations Case 1: Rule has no Dependencies 10

11 Verification of Translation Model Transformations Case 2: Rule’s Dependencies are not Satisfied by the Path Condition 11

12 Verification of Translation Model Transformations Case 3: Totally- and Partially- Satisfied Dependencies 12

13 Verification of Translation Model Transformations 13 Case 3: Totally- and Partially- Satisfied Dependencies

14 Verification of Translation Model Transformations Case 3: Totally- and Partially- Satisfied Dependencies 14

15 Verification of Translation Model Transformations 15

16 Verification of Translation Model Transformations Proving Properties A property is does not hold for a path condition pc whenever its pre-condition is found on pc, but its post-condition is not. Otherwise we say the property holds for pc. A property is holds for a transformation whenever it holds for all of the transformation’s path conditions. 16

17 Verification of Translation Model Transformations Properties of Property Proving [7] Validity Theorem: the result of proving a property for all path conditions generated for a transformation or an all executions of that transformation is the same Completeness Theorem: properties of a transformation can be shown to either hold for all transformation executions, or not hold for at least one transformation execution 17 [7] L. Lúcio, B. Oakes, H. Vangheluwe “A Technique for Symbolically Verifying Properties of Graph-Based Model Transformations”. Technical Report SOCS-TR-2014.1, McGill University, 2014.

18 Verification of Translation Model Transformations Implementation 18 Principle: Development of the tool should be model-driven (as much as as possible) First class citizens: Metamodels Models (Higher-Order) Model Transformations “Eat your own dog food!”

19 Verification of Translation Model Transformations Tooling and developers 19 igraph / Himesis Levi Lucio McGill U. Bentley Oakes McGill U. Gehan Selim Queen’s U. Cláudio Gomes Antwerp U. T-Core

20 Verification of Translation Model Transformations Tool Architecture 20

21 Verification of Translation Model Transformations Model-Driven Development: Challenges 21 Challenges Insufficient higher-order model transformation technology (AToM3) models are not built for memory-intensive applications Transformations and code have to be developed together in an interleaved fashion

22 Verification of Translation Model Transformations Model-Driven Development: Advantages 22 Advantages (Surprisingly) speed! Adapted to the domain Models simplify the usage of complex data types

23 Verification of Translation Model Transformations Model-Driven Development: Ambivalent 23 Ambivalent Right level of abstraction through the usage of metamodels and model transformations Visual edition and debugging of metamodels, models and model transformations

24 Verification of Translation Model Transformations Case Studies Case study 1: GM To Autosar Partial migration transformation from the proprietary VCS architecture language for automotive hardware and software deployment into AUTOSAR. Small subset of the complete metamodel, for experimentation. Case study 2: UML-RT To Kiltera Give semantics to UML-RT in terms of the CSP-like language Kiltera, for simulation. Functional half the UML-RT metamodel is transformed. Case study 3: mbeddr to C Give semantics to specifications in the mbeddr language as C code, for execution. Complete subset of the mbeddr metamodel required for the transformation of connectors between mbeddr components into C function calls. To prove the property: “for every invocation of a function on an instance of a component by an instance of a another component, via a connector, the correct C function generated by the transformation is called”. 24

25 Verification of Translation Model Transformations Case study 1: GM To Autosar 25 Number of rules: 8 Number of layers: 4 Symbolic execution time: 0.6 s Number of path conditions: 3 Property proving times: 0.02 s on average

26 Verification of Translation Model Transformations Case study 2: UML-RT to Kiltera 26 Number of rules: 17 Number of layers: 7 Symbolic execution time: 80 s Number of path conditions: 330 Property proving times: tens of seconds Required implementation of the symbolic execution of conditions on object attributes!

27 Verification of Translation Model Transformations Demo 27 If a Listen object is created, it must have at least one ListenBranch object. A Listen object represents a Listener process that awaits input on one or more channels. If we have a Listen object, then we are awaiting input on at least one channel (ListenBranch).

28 Verification of Translation Model Transformations UML-RT to Kiltera: rules vs path conditions 28

29 Verification of Translation Model Transformations UML-RT to Kiltera: rules vs time 29

30 Verification of Translation Model Transformations UML-RT to Kiltera: rules vs space 30

31 Verification of Translation Model Transformations Case study 3: mbeddr to C 31 Number of rules: 49 Number of layers: 7 Symbolic execution time: 1264 s (23 rules) Number of path conditions: ? Property proving times: ?

32 Verification of Translation Model Transformations mbeddr to C: rules vs path conditions 32

33 Verification of Translation Model Transformations mbeddr to C: rules vs time 33

34 Verification of Translation Model Transformations mbeddr to C: rules vs space 34

35 Verification of Translation Model Transformations Challenges Scalability of the tool Memory is the current limitation What is the best solution for trading speed for memory? Theory Right abstraction level to explain soundness and completeness Including NACs in the theory 35

Download ppt "Verification of Translation Model Transformations Levi Lúcio †, Bentley James Oakes, and Hans Vangheluwe †,‡ † School of Computer Science, McGill University,"

Similar presentations

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University.

Model Transformation Verification: some theory and some practice Levi Lúcio MSDL Lab / NECSIS project McGill University.
Copyright W. Howden1 Programming by Contract CSE 111 6/4/2014.

Copyright W. Howden1 Programming by Contract CSE 111 6/4/2014.
Model Checking for an Executable Subset of UML Fei Xie 1, Vladimir Levin 2, and James C. Browne 1 1 Dept. of Computer Sciences, UT at Austin 2 Bell Laboratories,

Model Checking for an Executable Subset of UML Fei Xie 1, Vladimir Levin 2, and James C. Browne 1 1 Dept. of Computer Sciences, UT at Austin 2 Bell Laboratories,
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.

Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
A Technique for Automatic Validation of Model Transformations Levi Lúcio and Bruno Barroca Universidade Nova de Lisboa.

A Technique for Automatic Validation of Model Transformations Levi Lúcio and Bruno Barroca Universidade Nova de Lisboa.
LIFE CYCLE MODELS FORMAL TRANSFORMATION

LIFE CYCLE MODELS FORMAL TRANSFORMATION
Higher-Order Transformation Eugene SyrianiandHans Vangheluwe.

Higher-Order Transformation Eugene SyrianiandHans Vangheluwe.
Hüseyin Ergin University of Alabama Software Modeling Lab Software Engineering Group Department of Computer Science College of Engineering.

Hüseyin Ergin University of Alabama Software Modeling Lab Software Engineering Group Department of Computer Science College of Engineering.
Introduction Complex Engineered Systems

Introduction Complex Engineered Systems
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.

Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.
Predicate Transformers

Predicate Transformers
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

Similar presentations

Ads by Google