Consistency of model transformation contracts

Model-driven development is a generative software development process with increasing relevance both in industry and academia. Model transformations are the generative components in a model-driven development process. As such, their analysis is an important task. We have been developing a technique to specify, validate and implement model transformations. Our technique is based on the concept of transformation contracts, a specification that relates two modeling languages and declares properties that must be fulfilled in such a relation. Since a transformation contract is a model, the verification and validation of a transformation contract use the same techniques that are used to verify and validate any given model. This paper describes our technique, discusses consistency of model transformations and reports on its application to a non-trivial model transformation from access control models to Java security.     

Automatic generation of built-in contract test drivers

Automatic generation of platform-independent and -dependent built-in contract test drivers that check pairwise interactions between client and server components is presented, focusing on the built-in contract testing (BIT) method and the model-driven testing approach. Components are specified by UML diagrams that define the contract between client and server, independent of a specific platform. MDA approaches are applied to formalize and perform automatic transformations from a platform-independent model to a platform-independent test architecture according to a BIT profile. The test architecture is mapped to Java platform models and then to test code. All these transformations are specified by a set of transformation rules written in the Atlas Transformation Language (ATL) that are automatically performed by the ATL engine. The solution named the MoBIT tool is applied to case studies in order to investigate the expected benefits and challenges to be faced.     

Slicing ATL model transformations for scalable deductive verification and fault localization

Model-driven engineering (MDE) is increasingly accepted in industry as an effective approach for managing the full life cycle of software development. In MDE, software models are manipulated, evolved and translated by model transformations (MT), up to code generation. Automatic deductive verification techniques have been proposed to guarantee that transformations satisfy correctness requirements (encoded as transformation contracts). However, to be transferable to industry, these techniques need to be scalable and provide the user with easily accessible feedback. In MT-specific languages like ATL, we are able to infer static trace information (i.e., mappings among types of generated elements and rules that potentially generate these types). In this paper, we show that this information can be used to decompose the MT contract and, for each sub-contract, slice the MT to the only rules that may be responsible for fulfilling it. Based on this contribution, we design a fault localization approach for MT, and a technique to significantly enhance scalability when verifying large MTs against a large number of contracts. We implement both these algorithms as extensions of the VeriATL verification system, and we show by experimentation that they increase its industry readiness.     

Verification and validation of declarative model-to-model transformations through invariants

In this paper we propose a method to derive OCL invariants from declarative model-to-model transformations in order to enable their verification and analysis. For this purpose we have defined a number of invariant-based verification properties which provide increasing degrees of confidence about transformation correctness, such as whether a rule (or the whole transformation) is satisfiable by some model, executable or total. We also provide some heuristics for generating meaningful scenarios that can be used to semi-automatically validate the transformations.As a proof of concept, the method is instantiated for two prominent model-to-model transformation languages: Triple Graph Grammars and QVT.     

From model transformation to incremental bidirectional model synchronization

The model-driven software development paradigm requires that appropriate model transformations are applicable in different stages of the development process. The transformations have to consistently propagate changes between the different involved models and thus ensure a proper model synchronization. However, most approaches today do not fully support the requirements for model synchronization and focus only on classical one-way batch-oriented transformations. In this paper, we present our approach for an incremental model transformation which supports model synchronization. Our approach employs the visual, formal, and bidirectional transformation technique of triple graph grammars. Using this declarative specification formalism, we focus on the efficient execution of the transformation rules and how to achieve an incremental model transformation for synchronization purposes. We present an evaluation of our approach and demonstrate that due to the speedup for the incremental processing in the average case even larger models can be tackled.

一种结合MDA的高阶模型转换方法

模型转换是MDA的关键技术,也是MDA的研究热点。目前,不同的MDA开发平台都有一套相对独立的开发技术和转换框架,这使平台之间缺乏兼容性,模型转换代码重用困难。究其原因是缺少一种与具体转换语言相对应,且与平台无关的转换规则模型。为了解决以上问题,将高阶模型转换的思想与模型驱动软件开发相结合,提出了一种构造模型转换规则的高阶转换元模型,并以ATL语言为例展示了高阶转换元模型的使用方法;最后通过一个实例验证了该方法的可行性和可用性。该方法提高了模型转换语言的抽象层次,降低了模型转换语言的重用难度,在一定程度上解决了模型转换技术不兼容的问题。     

Inductively Verifying Invariant Properties of Parameterized Systems

Verification of distributed algorithms can be naturally cast as verifying parameterized systems, the parameter being the number of processes. In general, a parameterized concurrent system represents an infinite family (of finite state systems) parameterized by a recursively defined type such as chains, trees. It is therefore natural to verify parameterized systems by inducting over this type. However, construction of such proofs require combination of model checking with deductive capability. In this paper, we develop a logic program transformation based proof methodology which achieves this combination. One of our transformations (unfolding) represents a single resolution step. Thus model checking can be achieved by repeated application of unfolding. Other transformations (such as folding) represent deductive reasoning and help recognize the induction hypothesis in an inductive proof. Moreover the unfolding and folding transformations can be arbitrarily interleaved in a proof, resulting in a tight integration of decision procedures (such as model checking) with deductive verification.Based on this technique, we have designed and implemented an invariant prover for parameterized systems. Our proof technique is geared to automate nested induction proofs which do not involve strengthening of induction hypothesis. The prover has been used to automatically verify invariant properties of parameterized cache coherence protocols, including broadcast protocols and protocols with global conditions. Furthermore, we have employed the prover for automatic verification of mutual exclusion in the Java Meta-Locking Algorithm. Meta-Locking is a distributed algorithm developed recently by designers in Sun Microsystems for ensuring secure access of Java objects by an arbitrary number of Java threads.     

Module superimposition: a composition technique for rule-based model transformation languages

As the application of model transformation becomes increasingly commonplace, the focus is shifting from model transformation languages to the model transformations themselves. The properties of model transformations, such as scalability, maintainability and reusability, have become important. Composition of model transformations allows for the creation of smaller, maintainable and reusable transformation definitions that together perform a larger transformation. This paper focuses on composition for two rule-based model transformation languages: the ATLAS Transformation Language (ATL) and the QVT Relations language. We propose a composition technique called module superimposition that allows for extending and overriding rules in transformation modules. We provide executable semantics as well as a concise and scalable implementation of module superimposition based on ATL.     

Automated verification of model transformations based on visual contracts

Model-Driven Engineering promotes the use of models to conduct the different phases of the software development. In this way, models are transformed between different languages and notations until code is generated for the final application. Hence, the construction of correct Model-to-Model (M2M) transformations becomes a crucial aspect in this approach. Even though many languages and tools have been proposed to build and execute M2M transformations, there is scarce support to specify correctness requirements for such transformations in an implementation-independent way, i.e., irrespective of the actual transformation language used. In this paper we fill this gap by proposing a declarative language for the specification of visual contracts, enabling the verification of transformations defined with any transformation language. The verification is performed by compiling the contracts into QVT to detect disconformities of transformation results with respect to the contracts. As a proof of concept, we also report on a graphical modeling environment for the specification of contracts, and on its use for the verification of transformations in several case studies.     

Formal foundation of consistent EMF model transformations by algebraic graph transformation

Model transformation is one of the key activities in model-driven software development. An increasingly popular technology to define modeling languages is provided by the Eclipse Modeling Framework (EMF). Several EMF model transformation approaches have been developed, focusing on different transformation aspects. To validate model transformations with respect to functional behavior and correctness, a formal foundation is needed. In this paper, we define consistent EMF model transformations as a restricted class of typed graph transformations using node type inheritance. Containment constraints of EMF model transformations are translated to a special kind of graph transformation rules such that their application leads to consistent transformation results only. Thus, consistent EMF model transformations behave like algebraic graph transformations and the rich theory of algebraic graph transformation can be applied to these EMF model transformations to show functional behavior and correctness. Furthermore, we propose parallel graph transformation as a suitable framework for modeling EMF model transformations with multi-object structures. Rules extended by multi-object structures can specify a flexible number of recurring structures. The actual number of recurring structures is dependent on the application context of such a rule. We illustrate our approach by selected refactorings of simplified statechart models. Finally, we discuss the implementation of our concepts in a tool environment for EMF model transformations.     

Contrasting dedicated model transformation languages versus general purpose languages: a historical perspective on ATL versus Java based on complexity and size

Model transformations are among the key concepts of model-driven engineering (MDE), and dedicated model transformation languages (MTLs) emerged with the popularity of the MDE pssaradigm about 15 to 20 years ago. MTLs claim to increase the ease of development of model transformations by abstracting from recurring transformation aspects and hiding complex semantics behind a simple and intuitive syntax. Nonetheless, MTLs are rarely adopted in practice, there is still no empirical evidence for the claim of easier development, and the argument of abstraction deserves a fresh look in the light of modern general purpose languages (GPLs) which have undergone a significant evolution in the last two decades. In this paper, we report about a study in which we compare the complexity and size of model transformations written in three different languages, namely (i) the Atlas Transformation Language (ATL), (ii) Java SE5 (2004–2009), and (iii) Java SE14 (2020); the Java transformations are derived from an ATL specification using a translation schema we developed for our study. In a nutshell, we found that some of the new features in Java SE14 compared to Java SE5 help to significantly reduce the complexity of transformations written in Java by as much as 45%. At the same time, however, the relative amount of complexity that stems from aspects that ATL can hide from the developer, which is about 40% of the total complexity, stays about the same. Furthermore we discovered that while transformation code in Java SE14 requires up to 25% less lines of code, the number of words written in both versions stays about the same. And while the written number of words stays about the same their distribution throughout the code changes significantly. Based on these results, we discuss the concrete advancements in newer Java versions. We also discuss to which extent new language advancements justify writing transformations in a general purpose language rather than a dedicated transformation language. We further indicate potential avenues for future research on the comparison of MTLs and GPLs in a model transformation context.

     

Scheduling model‐to‐model transformations with continuations

Model transformations are at the heart of model‐driven engineering because they allow the automation of diverse kinds of model manipulations. Transformation scheduling is a key issue in the design and implementation of many transformation languages. This paper reports our results using continuations as the underlying technique for building a scheduling mechanism implicitly driven by data dependence among transformation rules. To support our experiments, we have built a proof‐of‐concept model transformation language, which is also reported here. First, we motivate the problem by analyzing the scheduling mechanism of current model transformation languages. Then, we introduce the notion of continuation, showing its applicability to model transformations. Afterwards, we present our approach, notably explaining how dependence is specified and giving the scheduling algorithm. We also analyze the lazy resolution of rules and how to deal with collection operations. The approach is validated by an implementation that targets the Java Virtual Machine and by running of the performance benchmarks that show its efficiency and scalability. Besides, we discuss how it can be applied to other existing transformation languages and present several applicability scenarios. Copyright © 2013 John Wiley & Sons, Ltd.     

Comparative Evaluation of Model Transformation Specification Approaches

Model transformations have become a key element of model-driven software development, being used to transform platform-independent models to platform-specific models, to improve model quality, to introduce design patterns and refactorings, and to map models from one language to another. A large number of model transformation notations and tools exist. However, there are no guidelines on how to select appropriate notations for particular model transformation tasks, and no comprehensive comparisons of the relative merits of particular approaches. In this paper we provide a unified semantic treatment of model transformations, and show how correctness properties of model transformations can be defined using this semantics. We evaluate several approaches which have been developed for model transformation specification, with respect to their expressivity, complexity and support for verification, and make recommendations for resolving the outstanding problems concerning model transformation specification.     

Specification-driven model transformation testing

Testing model transformations poses several challenges, among them the automatic generation of appropriate input test models and the specification of oracle functions. Most approaches for the generation of input models ensure a certain coverage of the source meta-model or the transformation implementation code, whereas oracle functions are frequently defined using query or graph languages. However, these two tasks are usually performed independently regardless of their common purpose, and sometimes, there is a gap between the properties exhibited by the generated input models and those considered by the transformations. Recently, we proposed a formal specification language for the declarative formulation of transformation properties (by means of invariants, pre-, and postconditions) from which we generated partial oracle functions used for transformation testing. Here, we extend the usage of our specification language for the automated generation of input test models by SAT solving. The testing process becomes more intentional because the generated models ensure a certain coverage of the transformation requirements. Moreover, we use the same specification to consistently derive both the input test models and the oracle functions. A set of experiments is presented, aimed at measuring the efficacy of our technique.     

From UML/SPT models to schedulability analysis: approach and a prototype implementation using ATL

Model Driven Architecture (MDA) is a software development approach promoted by the OMG. MDA is based on two key concepts, models and model transformations. Several kinds of models are generally used throughout the development process to specify a software system and to support its analysis and validation. UML and its extensions, such as the UML profile for real-time systems (UML/SPT), are commonly used to define the structure and the behavior of software systems while other models, such as performance models or schedulability models, are more suitable for performance or schedulability analysis, respectively. In this paper we discuss a model transformation enabling the derivation of schedulability analysis models from UML/SPT models. As a proof of concepts, we present a prototype implementation of this model transformation using ATL. We provide a definition of the source and target metamodels using the metamodel specification language KM3 and we specify the transformation in an ATL module. We discuss the merits and limitations of our approach and of its implementation.     

Verification of clocked and hybrid systems

This paper presents a new computational model for real-time systems, called the clocked transition system (CTS) model. The CTS model is a development of our previous timed transition model, where some of the changes are inspired by the model of timed automata. The new model leads to a simpler style of temporal specification and verification, requiring no extension of the temporal language. We present verification rules for proving safety a nd liveness properties of clocked transition systems. All rules are associated with verification diagrams. The verification of response properties requires adjustments of the proof rules developed for untimed systems, reflecting the fact that progress in the real time systems is ensured by the progress of time and not by fairness. The style of the verification rules is very close to the verification style of untimed systems which allows the (re)use of verification methods and tools, developed for u ntimed reactive systems, for proving all interesting properties of real-time systems. We conclude with the presentation of a branching-time based approach for verifying that an arbitrary given CTS isnon-zeno. Finally, we present an extension of the model and the invariance proof rule for hybrid systems. Received: 23 September 1998 / 7 June 1999     

Model checking temporal knowledge and commitments in multi-agent systems using reduction

Though modeling and verifying Multi-Agent Systems (MASs) have long been under study, there are still challenges when many different aspects need to be considered simultaneously. In fact, various frameworks have been carried out for modeling and verifying MASs with respect to knowledge and social commitments independently. However, considering them under the same framework still needs further investigation, particularly from the verification perspective. In this article, we present a new technique for model checking the logic of knowledge and commitments (CTLKC⁺). The proposed technique is fully-automatic and reduction-based in which we transform the problem of model checking CTLKC⁺ into the problem of model checking an existing logic of action called ARCTL. Concretely, we construct a set of transformation rules to formally reduce the CTLKC⁺ model into an ARCTL model and CTLKC⁺ formulae into ARCTL formulae to get benefit from the extended version of NuSMV symbolic model checker of ARCTL. Compared to a recent approach that reduces the problem of model checking CTLKC⁺ to another logic of action called GCTL¹, our technique has better scalability and efficiency. We also analyze the complexity of the proposed model checking technique. The results of this analysis reveal that the complexity of our reduction-based procedure is PSPACE-complete for local concurrent programs with respect to the size of these programs and the length of the formula being checked. From the time perspective, we prove that the complexity of the proposed approach is P-complete with regard to the size of the model and length of the formula, which makes it efficient. Finally, we implement our model checking approach on top of extended NuSMV and report verification results for the verification of the NetBill protocol, taken from business domain, against some desirable properties. The obtained results show the effectiveness of our model checking approach when the system scales up.     

Towards the systematic measurement of ATL transformation models

The Model‐Driven Engineering paradigm is aimed at raising the abstraction level of Software Engineering approaches through the systematic use of models as primary artifacts, not only in software design and development, but also to understand, interact, configure, and modify the runtime behavior of software. It tries to overcome the wall between the documentation and the real state of the implementation. For that matter, our long‐term goal seeks to reach a higher degree of interoperability among available meta‐modeling technologies through bridges among technological spaces (TS bridges). The proposed system provides several ATL (ATLAS Transformation Language) transformations that enable the application of measuring operations over ATL transformation models and rules, and the generation of different complementary end‐user models, such as SVG charts and (X)HTML reports. For this work, we have evaluated a set of meta‐modeling TS bridges among UML, MOF, Ecore, KM3, and Microsoft DSL Tools. These results provide quantitative measurements of the declarative and imperative constructs of these transformations and relative quality factors as well. In addition to this, all the top‐level results extracted from the measurement of these TS bridges are merged into one unique model in order to assist in performing a comparative study among them. This comparative study suggests that it is feasible to apply automatic transformations over transformation models, i.e. meta‐transformations. In this regard, there are many open research trends towards complete management, validation, optimization, and inference of TS bridges between complementary meta‐modeling technologies. Copyright © 2010 John Wiley & Sons, Ltd.     

Model-driven development of reactive information systems: from graph transformation rules to JML contracts

The model-driven architecture focuses on the evolution and integration of applications across heterogeneous platforms by means of generating implementations from platform-independent models. Most of the existing realizations of this idea are limited to static models. We propose a model-driven approach to the development of reactive information systems, like dynamic Web pages or Web services, modeling their typical request-query-update-response pattern by means of graph transformation rules. Rather than generating executable code from these models we focus on the verification of the consistency between different sub-models and an implementation that may have been produced manually. The main technical tool for achieving this goal is a mapping of graph transformation rules to contracts expressed in the Java Modeling Language.