pragmatic integration of model driven engineering and
play

Pragmatic integration of model driven engineering and formal methods - PowerPoint PPT Presentation

Mar 16, 2024 •472 likes •1.58k views

Pragmatic integration of model driven engineering and formal methods for safety critical systems design Marc Pantel and many others IRIT - ACADIE ENSEEIHT - INPT - Universit de Toulouse Institute of Cybernetics Institute Tallinn

  1. Certification and Qualification DO-178B/ED-12B standards: Certification Software in aeronautics: Design Assurance Level (A down to E) Most constraining standards up to now accepted by other standards (automotive, space, . . . ) Main concern: Safety of passengers Main purpose: Provide confidence in the system and its development Key issue: Choose the strategy and technologies that will minimize risks (no restriction) Process and test-centered approach Definition of a precise process (development/verification) MCDC test coverage truth-table lines of sub-expressions in conditions Asymmetry with independence argument: several implementation by different teams, with different tools, . . . Marc Pantel Pragmatic integration of MDE and FM 11/78

  2. Certification and Qualification DO-178B/ED-12B standards: Qualification Development tools: Tools whose output is part of airborne software and thus can introduce errors (same constraints as the developed system). Verification tools: Tools that cannot introduce errors, but may fail to detect them (much softer constraints: black box V & V). No proof of error absence category Marc Pantel Pragmatic integration of MDE and FM 12/78

  3. Certification and Qualification DO-178C/ED-12C standards: Qualification Introduce detailed Tool Qualification Level (1 downto 5) Criteria 1: A tool whose output is part of the resulting software and thus could insert an error (TQL-1 for DAL A). Criteria 2: A tool that automates verification process(es) and thus could fail to detect an error, and whose output is used to justify the elimination or reduction of: verification process(es) other than that automated by the tool (TQL-4 for DAL A), or development process(es) which could have an impact on the resulting software (TQL-4 for DAL A) Criteria 3: A tool that, within the scope of its intended use, could fail to detect an error (TQL-5 for DAL A). Still no proof of error absence category (might be TQL-2 for DAL A). Marc Pantel Pragmatic integration of MDE and FM 13/78

  4. Certification and Qualification DO-178C/ED-12C standards: Qualification Introduce detailed Tool Qualification Level (1 downto 5) Criteria 1: A tool whose output is part of the resulting software and thus could insert an error (TQL-1 for DAL A). Criteria 2: A tool that automates verification process(es) and thus could fail to detect an error, and whose output is used to justify the elimination or reduction of: verification process(es) other than that automated by the tool (TQL-4 for DAL A), or development process(es) which could have an impact on the resulting software (TQL-4 for DAL A) Criteria 3: A tool that, within the scope of its intended use, could fail to detect an error (TQL-5 for DAL A). Still no proof of error absence category (might be TQL-2 for DAL A). Marc Pantel Pragmatic integration of MDE and FM 13/78

  5. Certification and Qualification DO-178C/ED-12C standards: Qualification Introduce detailed Tool Qualification Level (1 downto 5) Criteria 1: A tool whose output is part of the resulting software and thus could insert an error (TQL-1 for DAL A). Criteria 2: A tool that automates verification process(es) and thus could fail to detect an error, and whose output is used to justify the elimination or reduction of: verification process(es) other than that automated by the tool (TQL-4 for DAL A), or development process(es) which could have an impact on the resulting software (TQL-4 for DAL A) Criteria 3: A tool that, within the scope of its intended use, could fail to detect an error (TQL-5 for DAL A). Still no proof of error absence category (might be TQL-2 for DAL A). Marc Pantel Pragmatic integration of MDE and FM 13/78

  6. Certification and Qualification DO-178C/ED-12C standards: Qualification Introduce detailed Tool Qualification Level (1 downto 5) Criteria 1: A tool whose output is part of the resulting software and thus could insert an error (TQL-1 for DAL A). Criteria 2: A tool that automates verification process(es) and thus could fail to detect an error, and whose output is used to justify the elimination or reduction of: verification process(es) other than that automated by the tool (TQL-4 for DAL A), or development process(es) which could have an impact on the resulting software (TQL-4 for DAL A) Criteria 3: A tool that, within the scope of its intended use, could fail to detect an error (TQL-5 for DAL A). Still no proof of error absence category (might be TQL-2 for DAL A). Marc Pantel Pragmatic integration of MDE and FM 13/78

  7. Certification and Qualification Common documents Phase 1: Cooperative process definition: Plan for software aspects of certification (PSAC) Development plan (SDP) Verification plan (SVP) Configuration management plan (SCMP) Quality assurance plan (SQAP) Tool qualification plan Marc Pantel Pragmatic integration of MDE and FM 14/78

  8. Certification and Qualification Common documents (qualification case) Phase 2: Process application verification User requirements Tool architecture (elementary tools and their assembly) Tool requirements: Can be refined user requirements or derived requirements (linked to technology choices, should be avoided or strongly justified) Development and verification results (each elementary tools) Traceability links Verification results (user level) Marc Pantel Pragmatic integration of MDE and FM 15/78

  9. Certification and Qualification Some comments Standards were designed for systems not tools: Adaptation required MCDC not mandatory for tools, but similar arguments might be required Traceability of all artefacts in the development, relate requirements, design and implementation choices Purpose is to provide confidence Both cooperative and coercive approach Any verification technology can be used, from proofreading to automatic proof if confidence is given Choose the strategy and technologies that will best reduce risks Marc Pantel Pragmatic integration of MDE and FM 16/78

  10. Certification and Qualification Some comments Standards were designed for systems not tools: Adaptation required MCDC not mandatory for tools, but similar arguments might be required Traceability of all artefacts in the development, relate requirements, design and implementation choices Purpose is to provide confidence Both cooperative and coercive approach Any verification technology can be used, from proofreading to automatic proof if confidence is given Choose the strategy and technologies that will best reduce risks Marc Pantel Pragmatic integration of MDE and FM 16/78

  11. Certification and Qualification Some comments II Must be applied as soon as possible (cost reduction) Small is beautiful (simplicity is the key) Certification authorities need to understand the technologies Cross-experiments are mandatory (classical w.r.t. formal methods) Marc Pantel Pragmatic integration of MDE and FM 17/78

  12. Certification and Qualification Some comments II Must be applied as soon as possible (cost reduction) Small is beautiful (simplicity is the key) Certification authorities need to understand the technologies Cross-experiments are mandatory (classical w.r.t. formal methods) Marc Pantel Pragmatic integration of MDE and FM 17/78

  13. Application to Code generation tools Plan Safe MDE concerns 1 2 Certification and Qualification Application to Code generation tools 3 4 Application to Static analysis tools The Executable DSML metamodeling pattern 5 Marc Pantel Pragmatic integration of MDE and FM 18/78

  14. Application to Code generation tools Transformation verification technologies Verification subject: Transformation: done once, no verification at use, white box, very high cost Transformation application: done at each use, black box, easier, complex error management Classical technologies: Document independant proofreading (requirements, specification, implementation) Test Unit, Integration, Functional, Deployment level Requirement based test coverage Source code test coverage Structural coverage, Decision coverage, Multiple Condition Decision Coverage (MCDC) Marc Pantel Pragmatic integration of MDE and FM 19/78

  15. Application to Code generation tools Transformation verification technologies II Formal technologies (require formal specification): Automated test generation Model checking (abstraction of the system) Static analysis (abstraction of the language) Automated proof Assisted (human in the loop) proof Transformation case Transformation specification: Structural/Behavioral Proof of transformation correctness Links with certification/qualification Marc Pantel Pragmatic integration of MDE and FM 20/78

  16. Application to Code generation tools Classical development and verification process Tool development, verification and qualification plans User requirements Tool requirements (human proofreading) Test plan (requirements based coverage, code coverage verification) Implementation and test application Marc Pantel Pragmatic integration of MDE and FM 21/78

  17. Application to Code generation tools GeneAuto experiment: Proof assistant based Derived from the classical process, validated by french certification bodies Formal specification using Coq of tool requirements, implementation and correctness Proofreading verification of requirements specification Automated verification of specification correctness Extraction of OCaML source implementation Proofreading verification of extracted OCaML source Integration of OCaML implementation with Java/XML implementation (communication through simple text files with regular grammars) Proofreading verification of OCaML/Java wrappers (simple regular grammar parsing) Test-based verification of user requirements conformance Marc Pantel Pragmatic integration of MDE and FM 22/78

  18. Application to Code generation tools GeneAuto Code Generator Architecture Split into independent modules (easier V & V and qualification) Marc Pantel Pragmatic integration of MDE and FM 23/78

  19. Application to Code generation tools Integration Elementary Tool XML Inputs Elementary Tool Specification Inputs Elementary Tool Java Front-end Ocaml Wrapper Ocaml Automatic Theorems Code Extraction & Proofs Outputs Logs Design & proof XML Outputs Elementary Tool Marc Pantel Pragmatic integration of MDE and FM 24/78

  20. Application to Code generation tools An example: User requirements R-CG-040 F6 – Determine execution order of functional model blocks The execution order generated by the ACG must be as close as possible to that in Simulink and it shall be possible to visualise the execution order Same scheduling as Simulink is required to ensure that generated code conforms to Simulink simulations. Refinement F6.1 Sort blocks based on data-flow constraints F6.2 Refine the order according to control flow constraints F6.3 Sort blocks with partial ordering according to priority from the input model. F6.4 Sort blocks that are still partially ordered according to their graphical position in the input model Marc Pantel Pragmatic integration of MDE and FM 25/78

  21. Application to Code generation tools The same one in Coq Marc Pantel Pragmatic integration of MDE and FM 26/78

  22. Application to Code generation tools Open questions ? What are: User requirement for a transformation/verification ? Tool requirement for a transformation/verification ? Formal specification for a transformation/verification ? Test coverage for a transformation/verification ? Test oracle for a transformation/verification ? Qualification constraint for transformation/verification languages ? Best strategy for tool verification (once vs at each use) ? Marc Pantel Pragmatic integration of MDE and FM 27/78

  23. Application to Code generation tools GeneAuto feedbacks From the certification perspective: Very good but... Still some work on qualification of the proof assistant tools Proof verifier Program extractor Complex management of input/output From the developer perspective: High dependence to the technologies Very high cost to use the technology Not easy to subcontract Scalability not ensured Bad separation between semantics-based verification and requirements-based specification Hard to assess development time On the use of Java: How to provide confidence in the libraries ? Marc Pantel Pragmatic integration of MDE and FM 28/78

  24. Application to Code generation tools Going further: CompCert use experiment CompCert: C to PowerPC optimising code generator developed at INRIA by Xavier Leroy Ricardo Bedin-França PhD thesis with Airbus (advisor Marc Pantel): Improve certified code efficiency Metrics: WCET, Code and memory size, Cache and memory accesses Improvements of the various phases from models to embedded binary code New verification process using formal methods First CompCert experiments: -12% WCET, -25% code size, -72% cache read, -65% cadre write Design of a CompCert dedicated verification process Feed static analysis results (Astrée, frama-C) from C to binary through CompCert (improve WCET precision) Improve SCADE block scheduling to reduce memory accesses (signal liveness) Design of a whole development cycle verification process with tools qualification Marc Pantel Pragmatic integration of MDE and FM 29/78

  25. Application to Code generation tools Going further: CompCert use experiment CompCert: C to PowerPC optimising code generator developed at INRIA by Xavier Leroy Ricardo Bedin-França PhD thesis with Airbus (advisor Marc Pantel): Improve certified code efficiency Metrics: WCET, Code and memory size, Cache and memory accesses Improvements of the various phases from models to embedded binary code New verification process using formal methods First CompCert experiments: -12% WCET, -25% code size, -72% cache read, -65% cadre write Design of a CompCert dedicated verification process Feed static analysis results (Astrée, frama-C) from C to binary through CompCert (improve WCET precision) Improve SCADE block scheduling to reduce memory accesses (signal liveness) Design of a whole development cycle verification process with tools qualification Marc Pantel Pragmatic integration of MDE and FM 29/78

  26. Application to Code generation tools Proposal: Mixed approach Separate specification verification from implementation verification Define explicitly semantics link metamodel (relation between source and target) Specify transformation as properties of the links Implementation verification (mostly syntactic/static semantics) Implementation must generate both target and links Implementation verification checks properties on generated links links Specification verification: Prove the dynamic semantics equivalence between source and target in a trace link Rely on the specific of the operational semantics of the source and target languages Andres Toom PhD work (advisors : Tarmo Uustalu and Marc Pantel) Marc Pantel Pragmatic integration of MDE and FM 30/78

  27. Application to Code generation tools Proposal: Deductive approach Another kind of separation between specification and implementation verification Rely on Hoare logic kind of axiomatic semantics Specify the different construct of the language using pre/post conditions, invariants and variants Generate the code and the corresponding assertions Use deductive static analysers like frama-C to prove the correctness Use different kind of logics depending on the correction criteria Verify the correctness of the Hoare specification with respect to the operational semantics Might also rely on the previous links to ease the proof Soon to be started Arnaud Dieumegard PhD work with Airbus (advisor : Marc Pantel) Marc Pantel Pragmatic integration of MDE and FM 31/78

  28. Application to Code generation tools Early feedbacks Separation of concerns: Industrial partners: Specification, Implementation, Implementation verification (mainly syntactic) Academic partners: Specification verification (semantics) Very good subcontracting capabilities Almost no technology constraints on the industrial partner (classical technologies) Good scalability Easy to analyse syntactic error reports Enables to modify generated code and links Parallel work between syntactic and semantics concerns Marc Pantel Pragmatic integration of MDE and FM 32/78

  29. Application to Code generation tools Work in progress Positive first experiments on simple use cases from GeneAuto But requires some grayboxing (expose parts of the internals) Flattening of statecharts Either very complex specification (doing the flattening) Or express the fixpoint nature of implementation (in the specification) Require full scale experiments Require exchange with certification authorities Require qualified syntactic verification tool (OCL-like, but simpler) Require explicit relations between syntactic and semantics work Require explicit description of semantics in metamodels Marc Pantel Pragmatic integration of MDE and FM 33/78

  30. Application to Static analysis tools Plan Safe MDE concerns 1 2 Certification and Qualification Application to Code generation tools 3 4 Application to Static analysis tools The Executable DSML metamodeling pattern 5 Marc Pantel Pragmatic integration of MDE and FM 34/78

  31. Application to Static analysis tools Static analysis tools Several kind of tools Qualitative and quantitative properties Fixed or user defined properties Semantic abstraction or Proof technologies Common aspects: Common pre-qualification Product (source of binary code) reader: fully common ? Configuration (properties, . . . ) reader: partly common Result writer and browser: partly common ? Split the verification tool in a sequence of elementary activities Common ones (pre-qualification could be shared) Technology specific ones Easier to specify, to validate and to verify Can be physical or virtual (produce intermediate results even in a single tool) Marc Pantel Pragmatic integration of MDE and FM 35/78

  32. Application to Static analysis tools Required activities Specify user requirements Specify tool architecture (elementary tools and their assembly) Specify tool level requirements (elementary tools and their assembly) Specify functional test cases and results Choose verification strategy: Tool verification or Result verification Integration and unit tests (eventually with test generators and oracles) Proof reading of tool source or test results Formal verification of the verification tool itself (i.e. Coq in Coq, Compcert in Coq, . . . ) Marc Pantel Pragmatic integration of MDE and FM 36/78

  33. Application to Static analysis tools Abstraction kind Translate to non standard semantics Compute recursive equations Compute fixpoint of equations Fixpoint algorithm Abstract domains and operators Widening, narrowing Check that properties are satisfied on the abstract values Produce user friendly feedback (related to product and its standard semantics) Marc Pantel Pragmatic integration of MDE and FM 37/78

  34. Application to Static analysis tools Deductive kind Produce proof obligations (weakest precondition, verification condition, . . . ) Check the satisfaction of proof obligations Proof term rewriting to simpler language Split to different sub-languages (pure logic, arithmetic, . . . ) Apply heuristics to produce a proof term Check the correctness of the proof term Produce failure feedback or proof certificate (related to product and its standard semantics) Produce user friendly feedback Marc Pantel Pragmatic integration of MDE and FM 38/78

  35. Application to Static analysis tools Potential strategy: Common parts Build “semantics”-related trace links during transformations Helps in verification of results w.r.t. parameters Reader and writer: Cross-reading Introduce dual reader/writer: check composition is identity Asymmetric implementation: Several independent implementations and results comparison Code generation and transformation can be formally specified and verified: Formal tool requirements: foreach source construct, what are the generated targets and the links with the source Syntactic verification: properties of the trace links given as tool requirements Semantic verification: validation of the technology User-friendly feedback: Code generation based on trace links Marc Pantel Pragmatic integration of MDE and FM 39/78

  36. Application to Static analysis tools Potential strategy: Common parts Build “semantics”-related trace links during transformations Helps in verification of results w.r.t. parameters Reader and writer: Cross-reading Introduce dual reader/writer: check composition is identity Asymmetric implementation: Several independent implementations and results comparison Code generation and transformation can be formally specified and verified: Formal tool requirements: foreach source construct, what are the generated targets and the links with the source Syntactic verification: properties of the trace links given as tool requirements Semantic verification: validation of the technology User-friendly feedback: Code generation based on trace links Marc Pantel Pragmatic integration of MDE and FM 39/78

  37. Application to Static analysis tools Potential strategy: Common parts Build “semantics”-related trace links during transformations Helps in verification of results w.r.t. parameters Reader and writer: Cross-reading Introduce dual reader/writer: check composition is identity Asymmetric implementation: Several independent implementations and results comparison Code generation and transformation can be formally specified and verified: Formal tool requirements: foreach source construct, what are the generated targets and the links with the source Syntactic verification: properties of the trace links given as tool requirements Semantic verification: validation of the technology User-friendly feedback: Code generation based on trace links Marc Pantel Pragmatic integration of MDE and FM 39/78

  38. Application to Static analysis tools Potential strategy: Common parts Build “semantics”-related trace links during transformations Helps in verification of results w.r.t. parameters Reader and writer: Cross-reading Introduce dual reader/writer: check composition is identity Asymmetric implementation: Several independent implementations and results comparison Code generation and transformation can be formally specified and verified: Formal tool requirements: foreach source construct, what are the generated targets and the links with the source Syntactic verification: properties of the trace links given as tool requirements Semantic verification: validation of the technology User-friendly feedback: Code generation based on trace links Marc Pantel Pragmatic integration of MDE and FM 39/78

  39. Application to Static analysis tools Potential strategy: Abstraction kind Non-standard semantics and recursive equation production are similar to code generation Semantic verification: monotony at the equations-level Semantic verification: soundness of the abstraction No verification on the fixpoint computation Verification of the result (if least solution is not required) A qualified (much simpler) verification tool is then required Verification of the properties of the abstract domains (join, meet, operators, α ◦ γ , widening, narrowing, monotony, . . . ) Proof reading Automated test generation with oracles Formal specification and proof Property checks (based on abstract property generation) Related to code generation Semantic verification: soundness of the abstraction Marc Pantel Pragmatic integration of MDE and FM 40/78

  40. Application to Static analysis tools Potential strategy: Abstraction kind Non-standard semantics and recursive equation production are similar to code generation Semantic verification: monotony at the equations-level Semantic verification: soundness of the abstraction No verification on the fixpoint computation Verification of the result (if least solution is not required) A qualified (much simpler) verification tool is then required Verification of the properties of the abstract domains (join, meet, operators, α ◦ γ , widening, narrowing, monotony, . . . ) Proof reading Automated test generation with oracles Formal specification and proof Property checks (based on abstract property generation) Related to code generation Semantic verification: soundness of the abstraction Marc Pantel Pragmatic integration of MDE and FM 40/78

  41. Application to Static analysis tools Potential strategy: Abstraction kind Non-standard semantics and recursive equation production are similar to code generation Semantic verification: monotony at the equations-level Semantic verification: soundness of the abstraction No verification on the fixpoint computation Verification of the result (if least solution is not required) A qualified (much simpler) verification tool is then required Verification of the properties of the abstract domains (join, meet, operators, α ◦ γ , widening, narrowing, monotony, . . . ) Proof reading Automated test generation with oracles Formal specification and proof Property checks (based on abstract property generation) Related to code generation Semantic verification: soundness of the abstraction Marc Pantel Pragmatic integration of MDE and FM 40/78

  42. Application to Static analysis tools Potential strategy: Abstraction kind Non-standard semantics and recursive equation production are similar to code generation Semantic verification: monotony at the equations-level Semantic verification: soundness of the abstraction No verification on the fixpoint computation Verification of the result (if least solution is not required) A qualified (much simpler) verification tool is then required Verification of the properties of the abstract domains (join, meet, operators, α ◦ γ , widening, narrowing, monotony, . . . ) Proof reading Automated test generation with oracles Formal specification and proof Property checks (based on abstract property generation) Related to code generation Semantic verification: soundness of the abstraction Marc Pantel Pragmatic integration of MDE and FM 40/78

  43. Application to Static analysis tools Potential strategy: Deductive kind Proof obligation computation is a kind of code generation Semantic verification: correctness of the axiomatic semantics Satisfaction of the proof obligations: No verification on proof certificate generation Verification of the certificate itself (much simpler than some heuristic-based automatic prover) Term rewriting can be considered as code generation (endogenous) Curry-Howard type checking can be verified in a similar way Rely on Coq In Coq, Isabelle in Isabelle, . . . Marc Pantel Pragmatic integration of MDE and FM 41/78

  44. Application to Static analysis tools What about validation of the technologies ? Mainly scientific work and a lot of publications Brings confidence but paperwork is not enough Mechanized is better but still not enough Functional user level tests still mandatory currently Mixed system verification experiments (both tests and static analysis) Reverse analysis of existing systems Marc Pantel Pragmatic integration of MDE and FM 42/78

  45. Application to Static analysis tools Synthesis Technical exchange with certification authorities mandatory Cross experiments and reverse engineering experiments mandatory Verification strategy must be designed early to choose the right architecture and trace information Semi-formal (even formal) requirements must be written as soon as possible Marc Pantel Pragmatic integration of MDE and FM 43/78

  46. The Executable DSML metamodeling pattern Plan Safe MDE concerns 1 2 Certification and Qualification Application to Code generation tools 3 4 Application to Static analysis tools The Executable DSML metamodeling pattern 5 Marc Pantel Pragmatic integration of MDE and FM 44/78

  47. The Executable DSML metamodeling pattern Adding a new DSML to the TOPCASED platform Classical MDE technologies Process name: String workDefinitions workSequences 0..* 0..* linkToSuccessor 1 WorkDefinition WorkSequence predecessor 0..* 0..* name: String successor kind: WorkSequenceKind 1 linkToPredecessor <<enumeration>> 0..* guidances WorkSequenceKind finishToStart Guidance finishToFinish DSML definition content: String startToStart 0..* Editor guidances startToFinish Abstract SimplePDL metamodel Generator Syntax Concrete Syntax Semantics <<conformsTo>> Domain SimplePDL Editor Conception finishToFinish finishToStart startToStart startToStart RédactionDoc Développement RédactionTest finishToFinish SimplePDL model Marc Pantel Pragmatic integration of MDE and FM 45/78

  48. The Executable DSML metamodeling pattern Needs for an execution semantics What about the dynamic semantics of a DSML? Needs for model animation Does the model behave as expected? Needs for model verification Does some property hold on a model? Two main techniques to express behavioral semantics: exogenous transformation MyDSML MyDSML FormalDomain Metamodel Metamodel Data endogenous transformation Rules Rules Marc Pantel Pragmatic integration of MDE and FM 46/78

  49. The Executable DSML metamodeling pattern Metamodel Extensions Basic meta-model Marc Pantel Pragmatic integration of MDE and FM 47/78

  50. The Executable DSML metamodeling pattern Metamodel Extensions Capture execution state ExecutionContext 1 Process name: EString activities 0..* 0..* 1 Activity Precedes name: EString kind: PrecedenceKind progress: EInt 1 0..* Guidance detail: EString Marc Pantel Pragmatic integration of MDE and FM 48/78

  51. The Executable DSML metamodeling pattern Metamodel Extensions Scenario model definition ExecutionContext 1 Process name: EString 1 activities 0..* 0..* 1 Activity target Event Precedes name: EString kind: PrecedenceKind 1 progress: EInt 1 0..* Guidance Start Stop Progress detail: EString value: EInt Marc Pantel Pragmatic integration of MDE and FM 49/78

  52. The Executable DSML metamodeling pattern Metamodel Extensions Scenario model definition ExecutionContext 1 1 Scenario Process name: EString {ordered} activities 0..* 0..* events 0..* 1 Activity target Event Precedes name: EString kind: PrecedenceKind 1 progress: EInt 1 0..* Guidance Start Stop Progress detail: EString value: EInt Marc Pantel Pragmatic integration of MDE and FM 50/78

  53. The Executable DSML metamodeling pattern Architecture for an executable DSML TM3 Trace Management MetaModel <<import>> EDMM SDMM Events Definition <<merge>> States Definition MetaModel MetaModel <<merge>> <<merge>> DDMM Domain Definition MetaModel Composed of 4 metamodels Marc Pantel Pragmatic integration of MDE and FM 51/78

  54. The Executable DSML metamodeling pattern Architecture for an executable DSML TM3 Trace Management MetaModel <<import>> EDMM SDMM Events Definition <<merge>> States Definition MetaModel MetaModel <<merge>> <<merge>> DDMM Activity Domain Definition MetaModel Domain Definition MetaModel: “classical” metamodel Marc Pantel Pragmatic integration of MDE and FM 51/78

  55. The Executable DSML metamodeling pattern Architecture for an executable DSML TM3 Trace Management MetaModel Activity <<import>> state: ActivityState EDMM SDMM Events Definition <<merge>> States Definition MetaModel MetaModel <<merge>> <<merge>> DDMM Activity Domain Definition MetaModel States Definition MetaModel: runtime information Marc Pantel Pragmatic integration of MDE and FM 51/78

  56. The Executable DSML metamodeling pattern Architecture for an executable DSML Event TM3 ActivityEvent Trace Management Activity 1 MetaModel Activity <<import>> state: ActivityState EDMM SDMM <<merge>> Events Definition States Definition MetaModel MetaModel <<merge>> <<merge>> DDMM Activity Domain Definition MetaModel Events Definition MetaModel: events inducing changes on SDMM (might be virtual) Marc Pantel Pragmatic integration of MDE and FM 51/78

  57. The Executable DSML metamodeling pattern Architecture for an executable DSML Trace * {ordered} Event kind: EventKind Event TM3 ActivityEvent Trace Management Activity 1 MetaModel Activity <<import>> state: ActivityState EDMM SDMM <<merge>> Events Definition States Definition MetaModel MetaModel <<merge>> <<merge>> DDMM Activity Domain Definition MetaModel Trace Management MetaModel: DSML independent MM for scenarios and traces Marc Pantel Pragmatic integration of MDE and FM 51/78

  58. The Executable DSML metamodeling pattern Main principles for model simulation TM3 Trace Management MetaModel <<import>> EDMM SDMM Events Definition <<merge>> States Definition MetaModel MetaModel <<merge>> <<merge>> DDMM Domain Definition MetaModel Marc Pantel Pragmatic integration of MDE and FM 52/78

  59. The Executable DSML metamodeling pattern Main principles for model simulation TM3 Trace Management MetaModel <<import>> EDMM SDMM Events Definition <<merge>> States Definition MetaModel MetaModel Semantics <<merge>> <<merge>> reactionOnEv1() DDMM ... reactionOnEvN() Domain Definition MetaModel Semantics1 Semantics2 reactionOnEv1() reactionOnEv1() ... ... reactionOnEvN() reactionOnEvN() Marc Pantel Pragmatic integration of MDE and FM 52/78

  60. The Executable DSML metamodeling pattern Main principles for model simulation TM3 Trace Management MetaModel <<import>> EDMM SDMM Events Definition <<merge>> States Definition MetaModel MetaModel Semantics <<merge>> <<merge>> reactionOnEv1() DDMM ... Action Languages reactionOnEvN() Domain Definition MetaModel Semantics1 Semantics2 reactionOnEv1() reactionOnEv1() ... ... reactionOnEvN() reactionOnEvN() Marc Pantel Pragmatic integration of MDE and FM 52/78

  61. The Executable DSML metamodeling pattern Main principles for model simulation TM3 Trace Management MetaModel <<import>> EDMM SDMM Events Definition <<merge>> States Definition MetaModel MetaModel Semantics <<merge>> <<merge>> reactionOnEv1() DDMM ... Action Languages reactionOnEvN() Domain Definition MetaModel Semantics1 Semantics2 reactionOnEv1() reactionOnEv1() ... ... reactionOnEvN() reactionOnEvN() Marc Pantel Pragmatic integration of MDE and FM 52/78

  62. The Executable DSML metamodeling pattern Main principles for model simulation TM3 Trace Management MetaModel <<import>> EDMM SDMM Events Definition <<merge>> States Definition MetaModel MetaModel Semantics <<merge>> <<merge>> reactionOnEv1() DDMM ... Action Languages reactionOnEvN() Domain Definition MetaModel Semantics1 Semantics2 reactionOnEv1() reactionOnEv1() ... ... reactionOnEvN() reactionOnEvN() Marc Pantel Pragmatic integration of MDE and FM 52/78

  63. The Executable DSML metamodeling pattern Main principles for model simulation Simulation Engine & Control Panel TM3 Scenario Trace Management MetaModel Builder <<import>> Animator EDMM SDMM <<merge>> Events Definition States Definition MetaModel MetaModel Semantics <<merge>> <<merge>> Editor reactionOnEv1() DDMM ... Action Languages reactionOnEvN() Domain Definition MetaModel Semantics1 Semantics2 reactionOnEv1() reactionOnEv1() ... ... reactionOnEvN() reactionOnEvN() Marc Pantel Pragmatic integration of MDE and FM 52/78

  64. The Executable DSML metamodeling pattern Architecture of T OP C ASED Animators <<enumeration>> context Scenario inv : RuntimeEventKind self.runtimeEvent->forAll(re | re.kind = #exogenous) endogenous exogenous * Driver Trace 1 Scenario * (from TM3) (from TM3) step() SimplePDL-free execution 1 semantics Agenda 1 {ordered} {ordered} * * add(e:Event) 1 cause currentEvent():Event * RuntimeEvent {ordered} (from TM3) 0..1 <<interface>> Interpreter date: Integer kind: RuntimeEventKind run(re : RuntimeEvent) : Event[*] SimplePDL-specific SimplePDL RuntimeEvent execution SimplePDL Interpreter semantics event() : Event (from DDMM) Marc Pantel Pragmatic integration of MDE and FM 53/78

  65. The Executable DSML metamodeling pattern S IMPLE PDL Simulator Marc Pantel Pragmatic integration of MDE and FM 54/78

  66. The Executable DSML metamodeling pattern UML2 StateChart Simulator (TOPCASED 2) Topcased UML State Machines Graphical Animator Scenario Builder as dialog boxes Eclipse Editor when right clicking Explorer Palette Outline fireable transition current state Ecore Graphical Concrete Syntax Tree View with decorations from SDMM Execution Engine Control Panel Marc Pantel Pragmatic integration of MDE and FM 55/78

  67. The Executable DSML metamodeling pattern Multiple Semantics Definition Defining a model animator implies to: implement the Interpreter interface and define the run method. test the Event argument to run the right reaction ⇒ error prone (events may be missed) = Solution: Apply the Visitor pattern Visitor interface and a dispatch method are generated from the EDMM Benefits: eases the definition a related semantics Commonalities may be grouped in an abstract superclass. A new semantics may be defined as a specialization of an existing one. Visitor pattern would also be useful for the SDMM. But transformation languages such as ATL, SmartQVT or Kermeta achieve the same purpose through aspects. Marc Pantel Pragmatic integration of MDE and FM 56/78

  68. The Executable DSML metamodeling pattern Architecture of the generated code Marc Pantel Pragmatic integration of MDE and FM 57/78

  69. The Executable DSML metamodeling pattern Architecture of the generated code Marc Pantel Pragmatic integration of MDE and FM 58/78

  70. The Executable DSML metamodeling pattern Improvement of the Model Graphical Visualization definition of GMF decorations on the editor graphical elements relying on EMF notifications to update graphical decorations Marc Pantel Pragmatic integration of MDE and FM 59/78

  71. The Executable DSML metamodeling pattern Controllers for Event Creation automatic generation based on EDMM Marc Pantel Pragmatic integration of MDE and FM 60/78

  72. The Executable DSML metamodeling pattern Refactoring of existing T OP C ASED Animators The UML State Machines Animator Half a day has been enough to existing T OP C ASED animators (UML and SAM) Topcased UML State Machines Graphical Animator Scenario Builder as dialog boxes Eclipse Editor when right clicking Explorer Palette Outline fireable transition current state Ecore Graphical Concrete Syntax Tree View with decorations from SDMM Execution Engine Control Panel Marc Pantel Pragmatic integration of MDE and FM 61/78

  73. The Executable DSML metamodeling pattern TOPCASED proposal (through case study) DSL definition Abstract Syntax Concrete Editor Syntax Generator Semantics SimplePDL metamodel <<instanceOf>> PDL Editor ATL Properties .ltl Conception  nishToFinish PDL2PN startToStart  nishToStart startToStart Tina .atl RedactionDoc Development RedactionTest  nishToFinish Process PDL model .net Marc Pantel Pragmatic integration of MDE and FM 62/78

  74. The Executable DSML metamodeling pattern Principles applied to SimplePDL using Petri nets DDMM: Petri net SDMM: Petri net marking EDMM: bisimulation proof TOCL xSPEM PetriNet .ecore .ecore .ecore ATL TCS <<conformsTo>> <<conformsTo>> (M2M) <<conformsTo>> xSPEM2 PetriNet Tina .tcs .atl <<use>> properties myProcess myProcess myProcess .tocl .xspem .PetriNet .net <<dependOn>> Tina ATL (M2T) properties TOCL2 .ltl LTL .atl Marc Pantel Pragmatic integration of MDE and FM 63/78

  75. The Executable DSML metamodeling pattern What do we want to check ? resource constraints computers manpower timing constraints minimum achievement time maximum achievement time causality constraints startToStart startToFinish finishToStart finishToFinish . . . for some execution or for all executions Marc Pantel Pragmatic integration of MDE and FM 64/78

  76. The Executable DSML metamodeling pattern What do we want to check ? resource constraints computers manpower timing constraints minimum achievement time maximum achievement time causality constraints startToStart startToFinish finishToStart finishToFinish . . . for some execution or for all executions Marc Pantel Pragmatic integration of MDE and FM 64/78

  77. The Executable DSML metamodeling pattern Some SimplePDL-expert properties For all executions every WD must start and then finish once a WD is finished, it remains so resource and causality constraints must hold For some execution every WD must take between min and max time units to complete the overall process is able to finish Marc Pantel Pragmatic integration of MDE and FM 65/78

  78. The Executable DSML metamodeling pattern A sample run Illustrating operational semantics <<Process>> P ------------------ min_time = 5 max_time = 11 t = 0: WD s are notStarted <<WorkDefinition>> A t = 1: A starts <<WorkDefinition>> C -------------------- -------------------- state = finishedOk startToStart state = finishedOk t = 3: B starts min_time = 2 min_time = 1 max_time = 4 max_time = 4 t = 4: A completes finishtToStart finishToFinish t = 5: C starts <<WorkDefinition>> B -------------------- t = 7: B completes state = finishedOk min_time = 2 t = 8: C completes max_time = 3 Marc Pantel Pragmatic integration of MDE and FM 66/78

  79. The Executable DSML metamodeling pattern The Temporal Object Contraint Language TOCL (Gogolla & al., 2002) embeds the Object Constraint Language for spatial relations the Linear Temporal Logic for time relations TOCL is used to express fine behavioral spec ( next , existsNext , always , sometime , . . . ) about some execution or all executions Some properties of WD alone ∀ w , ( w . state = notStarted ∧ sometime w . state = inProgress ) ∀ w , always ( w . state = inProgress ⇒ sometime w . state ∈ { finishedOk , tooEarly , tooLate } ) ∀ w , always ( w . state = finishedOk ⇒ always w . state = finishedOk ) ¬∃ w , always w . state � = finishedOk Marc Pantel Pragmatic integration of MDE and FM 67/78

  80. The Executable DSML metamodeling pattern Expressing WorkDefinition Semantics through Petri Nets Encoding states, time and resource constraints: notStarted timeA 2 started [5,5] 4 <<Resource>> inProgress 2 Machine timeB -------------------- occurenceNb = 4 [6,6] 2 timeC <<WorkDefinition>> finished Design -------------------- state = finishedOk min_time = 5 [0,0] max_time = 11 tooLate tooEarly Marc Pantel Pragmatic integration of MDE and FM 68/78

  81. The Executable DSML metamodeling pattern Expressing WorkDefinition Semantics through Petri Nets notStarted Finally, we add causality constraints: notStarted timeA timeA started [2,2] started [1,1] inProgress timeB <<Process>> P inProgress timeB ------------------ [2,2] min_time = 5 [3,3] max_time = 11 timeC finished timeC finished <<WorkDefinition>> A [0,0] <<WorkDefinition>> C -------------------- [0,0] -------------------- state = notStarted startToStart state = notStarted min_time = 2 min_time = 1 max_time = 4 notStarted max_time = 4 tooLate tooEarly tooLate tooEarly finishtToStart timeA finishToFinish started [2,2] <<WorkDefinition>> B -------------------- state = notStarted inProgress timeB min_time = 2 max_time = 3 [1,1] timeC finished [0,0] tooLate tooEarly Marc Pantel Pragmatic integration of MDE and FM 69/78

  82. The Executable DSML metamodeling pattern A sample run Translation into Petri nets A WD with min _ time = 5 and max _ time = 11 time units notStarted timeA started [5,5] t = 0: WD is notStarted inProgress timeB [6,6] timeC finished [0,0] tooLate tooEarly Marc Pantel Pragmatic integration of MDE and FM 70/78

  83. The Executable DSML metamodeling pattern A sample run Translation into Petri nets A WD with min _ time = 5 and max _ time = 11 time units notStarted timeA started [5,5] t = 0: WD is notStarted inProgress timeB t = 1: WD starts [6,6] timeC finished [0,0] tooLate tooEarly Marc Pantel Pragmatic integration of MDE and FM 70/78

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Model-Driven Software Engineering Foundations of Model-Driven Software Engineering Dr. Jochen

Model-Driven Software Engineering Foundations of Model-Driven Software Engineering Dr. Jochen

IBM Research Zurich Model-Driven Software Engineering Foundations of Model-Driven Software Engineering Dr. Jochen Kster ( jku@zurich.ibm.com) IBM Research Zurich Contents Introduction to Models and Modeling Concepts of

612 views • 43 slides
Embedded implicatures as pragmatic inferences under compositional lexical uncertainty Christopher

Embedded implicatures as pragmatic inferences under compositional lexical uncertainty Christopher

Overview Scalar implicature Grammar-driven models Our model Experiment Model assessment Conclusion Appendix Embedded implicatures as pragmatic inferences under compositional lexical uncertainty Christopher Potts Stanford Linguistics

1.2k views • 87 slides
Positioning our workforce for the future Industry driven Pragmatic Practical outcomes 30 April

Positioning our workforce for the future Industry driven Pragmatic Practical outcomes 30 April

Positioning our workforce for the future Industry driven Pragmatic Practical outcomes 30 April 2018 Professor John Pollaers Transformational Change Our responsibility An aged care workforce strategy that To develop an industry driven

451 views • 29 slides
Testing Model Transformations in Model Driven Engineering Benoit Baudry INRIA IRISA

Testing Model Transformations in Model Driven Engineering Benoit Baudry INRIA IRISA

Testing Model Transformations in Model Driven Engineering Benoit Baudry INRIA IRISA (currently visiting CSU) Outline What about model transformation testing? Triskells contributions Coverage criteria Model synthesis

389 views • 35 slides
Model-Driven Software Development for Robotics: an overview IEEE-ICRA2011 Workshop on Software

Model-Driven Software Development for Robotics: an overview IEEE-ICRA2011 Workshop on Software

Model-Driven Software Development for Robotics: an overview IEEE-ICRA2011 Workshop on Software Development and Integration in Robotics Jan F. Broenink , Maarten M. Bezemer Control Engineering, University of Twente, The Netherlands Contents

509 views • 21 slides
Engineering Christian Berger Stefan Biffl Franck Fleurey Scott Hissam Christine Julien Filip

Engineering Christian Berger Stefan Biffl Franck Fleurey Scott Hissam Christine Julien Filip

and Pragmatic vs. Systematic Engineering Christian Berger Stefan Biffl Franck Fleurey Scott Hissam Christine Julien Filip Krikava Conceptual Summary traditional systematic, views of software formal, engineering model-driven

422 views • 9 slides
Model-Driven Software Engineering of Self- Adaptive Systems NTH Graduate School, 28.01.2011

Model-Driven Software Engineering of Self- Adaptive Systems NTH Graduate School, 28.01.2011

Model-Driven Software Engineering of Self- Adaptive Systems NTH Graduate School, 28.01.2011 Holger Giese System Analysis &amp; Modeling Group, Hasso Plattner Institute for Software Systems Engineering at the University of Potsdam, Germany

560 views • 45 slides
Model-Driven Softw are Engineering of Self- Adaptive System s Charles University, 16.02.2010

Model-Driven Softw are Engineering of Self- Adaptive System s Charles University, 16.02.2010

Model-Driven Softw are Engineering of Self- Adaptive System s Charles University, 16.02.2010 Holger Giese System Analysis &amp; Modeling Group, Hasso Plattner Institute for Software Systems Engineering at the University of Potsdam, Germany

610 views • 42 slides
02291: System Integration Model-Driven Architecture (MDA) Hubert Baumeister huba@dtu.dk DTU

02291: System Integration Model-Driven Architecture (MDA) Hubert Baumeister huba@dtu.dk DTU

02291: System Integration Model-Driven Architecture (MDA) Hubert Baumeister huba@dtu.dk DTU Compute Technical University of Denmark Spring 2020 Traditional Development to MDA Traditional Development to MDA Traditional Development to MDA

549 views • 25 slides
02291: System Integration Model-Driven Architecture (MDA) Hubert Baumeister huba@dtu.dk DTU

02291: System Integration Model-Driven Architecture (MDA) Hubert Baumeister huba@dtu.dk DTU

02291: System Integration Model-Driven Architecture (MDA) Hubert Baumeister huba@dtu.dk DTU Compute Technical University of Denmark Spring 2019 Traditional Development to MDA Traditional Development to MDA Traditional Development to MDA

294 views • 27 slides
Integrating Model-Driven Engineering Techniques in the Personal Software Process Joo Pascoal

Integrating Model-Driven Engineering Techniques in the Personal Software Process Joo Pascoal

TSP Symposium 2012 St. Petersburg, Florida, USA, September 17-20, 2012 Integrating Model-Driven Engineering Techniques in the Personal Software Process Joo Pascoal Faria Faculty of Engineering, University of Porto, Portugal (jpf@fe.up.pt)

440 views • 18 slides
Outsourcing Overview Value Driven Engineering Value Driven Engineering Outsourcing is one

Outsourcing Overview Value Driven Engineering Value Driven Engineering Outsourcing is one

Outsourcing Overview Value Driven Engineering Value Driven Engineering Outsourcing is one available tool in Mustangs diversified toolkit, but not an all encompassing primary strategy Outsourcing will be used when it makes sense

439 views • 8 slides
Model-driven Engineering of Software Product Lines P. Heymans, P-Y. Schobbens, J-C. Trigaux, G.

Model-driven Engineering of Software Product Lines P. Heymans, P-Y. Schobbens, J-C. Trigaux, G.

University of Namur, Belgium P ReCISE R esearch Ce ntre in I nformation S ystems E ngineering Model-driven Engineering of Software Product Lines P. Heymans, P-Y. Schobbens, J-C. Trigaux, G. Saval R. Matulevicius, A. Classen, A. Hubaux, Y.

1.43k views • 50 slides
SOFTWARE-SELECTION AND Model-Driven Software Engineering Research Group Department of Software

SOFTWARE-SELECTION AND Model-Driven Software Engineering Research Group Department of Software

SOLVING THE QUALITY-BASED SOFTWARE-SELECTION AND Model-Driven Software Engineering Research Group Department of Software Engineering University of Isfahan HARDWARE-MAPPING PROBLEM Samaneh Hoseindoost s.hoseindoost@eng.ui.ac.ir WITH ACO

320 views • 15 slides
Model-Driven Requirements Engineering and Quality Joo Arajo (In collaboration with Miguel

Model-Driven Requirements Engineering and Quality Joo Arajo (In collaboration with Miguel

Model-Driven Requirements Engineering and Quality Joo Arajo (In collaboration with Miguel Goulo and Ana Moreira) NOVALINCS, Universidade Nova de Lisboa, Portugal Requirements Modeling Issues Quality of goal-oriented models How

580 views • 54 slides
Visual Modelling Environment for CBDs Final project for Model Driven Engineering, 2014-2015

Visual Modelling Environment for CBDs Final project for Model Driven Engineering, 2014-2015

Visual Modelling Environment for CBDs Final project for Model Driven Engineering, 2014-2015 Michal Deckers 2/28 Introduction &amp; contents Implementation (part 2 of project) Designing CBD formalism for AToMPM Export model to

499 views • 28 slides
Could SCIM become lingua franca of Identity Provisioning (Un)conference on Open Source Identity

Could SCIM become lingua franca of Identity Provisioning (Un)conference on Open Source Identity

Could SCIM become lingua franca of Identity Provisioning (Un)conference on Open Source Identity and Access Management, Vienna 18.02.2020 Peter Gietz, DAASI International Agenda Why Standards in Open Source Short Introduction into SCIM

460 views • 18 slides
Modlisation lIngnierie Systme Base sur les Modles : conception dune mthode

Modlisation lIngnierie Systme Base sur les Modles : conception dune mthode

Apport de lIngnierie des Langages de Modlisation lIngnierie Systme Base sur les Modles : conception dune mthode outille pour la gnration de Langages Mtier interoprables, analysables et prouvables Blazo Nastov

540 views • 13 slides
Rdsm: Distributed (Quasi-)Threads Programming in R , Gaithersburg, MD July 21, 2010 Norm

Rdsm: Distributed (Quasi-)Threads Programming in R , Gaithersburg, MD July 21, 2010 Norm

Rdsm: Distributed (Quasi-)Threads Programming in R , Gaithersburg, MD July 21, 2010 Norm Matloff Department of Computer Science University of California at Davis Davis, CA 95616 USA matloff@cs.ucdavis.edu Parallel R Many excellent packages

947 views • 80 slides
Life-Cycle Assessment (LCA) as a well-acknowledged approach for Sustainable Development (SD) of

Life-Cycle Assessment (LCA) as a well-acknowledged approach for Sustainable Development (SD) of

Practical experiences with multi-level modeling using FMML x : A hierarchy of domain-specific modeling languages in support of life-cycle assessment Monika Kaczmarek-He 1 Mario Nolte 1 Andreas Fritsch 2 Stefanie Betz 3 5 th International Workshop

696 views • 32 slides
2.1.1 URDF: Introduction Gijs van der Hoorn URDF? robot model storage format? simulation

2.1.1 URDF: Introduction Gijs van der Hoorn URDF? robot model storage format? simulation

2.1.1 URDF: Introduction Gijs van der Hoorn URDF? robot model storage format? simulation format? required? URDF What is it? Domain specific modeling language (DSML) XML Stores: Kinematics Dynamics parameters

578 views • 11 slides
Introduction to Programming Assist. Prof. Dr. Moharram Challenger Ege University, International

Introduction to Programming Assist. Prof. Dr. Moharram Challenger Ege University, International

Introduction to Programming Assist. Prof. Dr. Moharram Challenger Ege University, International Computer Institute Who are the teaching team? Lecturer: Moharram Challenger, PhD. Email: m.challenger@gmail.com

650 views • 17 slides
Safely Reusing Model Transformations through Family Polymorphism

Safely Reusing Model Transformations through Family Polymorphism

02/10/2014 Safely Reusing Model Transformations through Family Polymorphism Director of IRISA

430 views • 24 slides
Managing security policy in distributed systems Tim Moses 13 April 2004 v2 1 1 PDF created

Managing security policy in distributed systems Tim Moses 13 April 2004 v2 1 1 PDF created

Managing security policy in distributed systems Tim Moses 13 April 2004 v2 1 1 PDF created with FinePrint pdfFactory trial version www.pdffactory.com Agenda Definitions Motivation Policy models Policy languages Future w ork

226 views • 18 slides

More recommend