SPECIFICATION AND VERIFICATION OF PROPERTIES FOR GRAPH-BASED MODEL TRANSFORMATIONS - PowerPoint PPT Presentation



SLIDE 1

SPECIFICATION AND VERIFICATION OF PROPERTIES FOR GRAPH-BASED MODEL TRANSFORMATIONS

GEHAN M. K. SELIM, LEVI LUCIO, JAMES R. CORDY, JUERGEN DINGEL, BENTLEY J. OAKES

SLIDE 2

AGENDA

  • Problem Statement
  • DSLTrans Model Transformation Language
  • Symbolic Model Transformation Property Prover
    ○ Overview
    ○ Phase 1: Path Condition Generation
    ○ Phase 2: Property Verification
  • Industrial Case Study
  • Discussion
  • Conclusion & Future Work

SLIDE 3

PROBLEM STATEMENT

Prove pre-/post-condition structural properties

  • On translation model transformations
    ○ Example: industrial migration transformations
  • For all executions
    ○ No extra elements added/removed
  • An infinite number of transformation executions means the proof needs to be done on abstractions
    ○ Named path conditions in the algorithm

SLIDE 4

DIFFERENCES FROM CURRENT TRANSFORMATION VERIFICATION TOOLS

  • Input-independent
  • Little mathematical background required (vs. Maude)
  • Some scalability tests on industrial-size transformations
  • Verifies multiple property types
  • Proof of validity and completeness of the verification technique

SLIDE 5

DSLTRANS TRANSFORMATION

PERSONS TO COMMUNITY

  • Restricted form of graph transformations
  • Turing-incomplete
  • Out-place

SLIDE 6

DSLTRANS TRANSFORMATION

PERSONS TO COMMUNITY RULE

SLIDE 7

SYMBOLIC MODEL TRANSFORMATION PROPERTY PROVER: OVERVIEW

SLIDE 8

PHASE 1- PATH CONDITION GENERATION

[Figure: tree of path conditions built layer by layer (Process Layer 1, Process Layer 2, Process Layer 3); each node is labelled with the rules assumed to have executed, unfeasible control paths are pruned, and the leaves are the resulting path conditions.]

Based on: L. Lucio, B. Barroca, V. Amaral “A Technique for the Verification of Model Transformations” Proceedings of MoDELS, 2010.

SLIDE 9

Abstraction Relation

  • Prove properties on the path condition
  • Holds on the abstracted transformation executions

SLIDE 10

Combining Path Condition with Rule

Case 1: No Dependencies

SLIDE 11

Combining Path Condition with Rule

Case 1: No Dependencies

SLIDE 12

Combining a Path Condition with a Rule

Case 2: Rule has Dependencies and Cannot Execute

SLIDE 13

Combining a Path Condition with a Rule

Case 2: Rule has Dependencies and Cannot Execute

SLIDE 14

Combining a Path Condition with a Rule

Case 3: Rule has Dependencies and Will Execute

SLIDE 15

Combining a Path Condition with a Rule

Case 3: Rule has Dependencies and Will Execute

SLIDE 16

Combining a Path Condition with a Rule

Case 4: Rule has Dependencies and May Execute

SLIDE 17

Combining a Path Condition with a Rule

Case 4: Rule has Dependencies and May Execute
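Slides 10 to 17 name four cases for combining a path condition with a rule but show them only as diagrams. The following is an added Python illustration of the layer-by-layer generation, not the prover's own algorithm: rules and path conditions are reduced to sets of element type names, the Persons-to-Community style rules are constructed, and the exact tests that separate "will execute" from "may execute" are assumptions chosen to make the four cases visible. A rule that cannot execute leaves the path condition unchanged, which corresponds to pruning the unfeasible branch in the slide 8 diagram.

```python
"""Toy version of Phase 1 (path condition generation) for a layered, out-place
transformation. Added illustration, not the prover's own code: rules and path
conditions are sets of element type names; the rules below are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    matches: FrozenSet[str]    # input element types the rule has to match
    produces: FrozenSet[str]   # output element types the rule creates
    depends_on: FrozenSet[str] = frozenset()  # output types of earlier layers it refers to


@dataclass(frozen=True)
class PathCondition:
    """Abstract execution: rules that executed, input they assume, output that exists."""
    executed: Tuple[str, ...] = ()
    assumed_input: FrozenSet[str] = frozenset()
    output: FrozenSet[str] = frozenset()

    def extend(self, rule: Rule) -> "PathCondition":
        return PathCondition(self.executed + (rule.name,),
                             self.assumed_input | rule.matches,
                             self.output | rule.produces)


def combine(pc: PathCondition, rule: Rule) -> Tuple[str, List[PathCondition]]:
    """Combine one path condition with one rule: returns the case name and the successors."""
    if not rule.depends_on:
        # Case 1, no dependencies: only the (unknown) input model decides, so both
        # "rule did not execute" and "rule executed" stay feasible.
        return "no dependencies", [pc, pc.extend(rule)]
    if not rule.depends_on <= pc.output:
        # Case 2, cannot execute: the elements it depends on were never produced,
        # so the "rule executed" branch is unfeasible and is dropped.
        return "cannot execute", [pc]
    if rule.matches <= pc.assumed_input:
        # Case 3, will execute (assumed criterion): dependencies exist and every input
        # element the rule matches is already assumed present, so it must fire.
        return "will execute", [pc.extend(rule)]
    # Case 4, may execute (assumed criterion): dependencies exist, but the rule also
    # needs input elements the path condition says nothing about.
    return "may execute", [pc, pc.extend(rule)]


def generate(layers: List[List[Rule]]) -> List[PathCondition]:
    """Process layers in order, combining every rule with every path condition so far."""
    pcs = [PathCondition()]
    for layer in layers:
        for rule in layer:
            pcs = [succ for pc in pcs for succ in combine(pc, rule)[1]]
    return pcs


# Constructed rules; element type names are assumptions, not DSLTrans metamodels.
R_HOUSEHOLD = Rule("Household2Community", frozenset({"Household"}), frozenset({"Community"}))
R_MAN = Rule("Man2Man", frozenset({"Man"}), frozenset({"out:Man"}))
R_MEMBER = Rule("LinkMan", frozenset({"Household", "Man"}), frozenset({"Community.men"}),
                depends_on=frozenset({"Community", "out:Man"}))
R_WOMAN = Rule("Woman2Woman", frozenset({"Household", "Woman"}), frozenset({"out:Woman"}),
               depends_on=frozenset({"Community"}))
LAYERS = [[R_HOUSEHOLD, R_MAN], [R_MEMBER], [R_WOMAN]]

if __name__ == "__main__":
    for pc in generate(LAYERS):
        print(list(pc.executed) or ["(no rule executed)"])
```

With these three layers the toy transformation yields six path conditions: layer 1 branches on both dependency-free rules, the layer 2 rule is unfeasible on three of the four results and forced on the fourth, and the layer 3 rule may or may not execute wherever a Community exists.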

SLIDE 18

Reminder: Path Condition Generation

[Figure: the path condition tree from slide 8 again, with path conditions labelled 11, 21, 31, 12, 22, 13, 23 built across Process Layer 1, Process Layer 2 and Process Layer 3; unfeasible control paths are pruned and the leaves are the path conditions.]

Based on: L. Lucio, B. Barroca, V. Amaral “A Technique for the Verification of Model Transformations” Proceedings of MoDELS, 2010.

SLIDE 19

PHASE 2- PROPERTY VERIFICATION

Takes 2 inputs:
  1. Generated path conditions from Phase 1 (PC1, PC2, ..., PCn)
  2. Input property prop
    a) AtomicContracts: Precondition & Postcondition
    b) Propositional formulae of AtomicContracts (And, Or, Not, If/Then)

Output: prop holds, or prop doesn’t hold + counterexample

SLIDE 20

PHASE 2- PROPERTY VERIFICATION

Example of an AtomicContract: if a pattern of elements exists in the input, then another pattern of elements must exist in the output.

SLIDE 21

AtomicContracts (e.g., PatternContracts)
  A Household in the input will always be mapped to a Community in the output

Propositional Formula of AtomicContracts (e.g., “1..1” Multiplicity Invariants)
  If the output has a Community
  Then {That Community will be associated to one Man And Not More than one Man}

Free Variables!

Verification for a path condition pc using Subgraph Isomorphism:
  If (Precondition in pc & Postcondition not in pc) return false
  Else return true
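Slides 19 to 21 describe Phase 2: each path condition is checked against an AtomicContract by subgraph isomorphism (false exactly when the precondition occurs in pc and the postcondition does not), propositional connectives combine AtomicContracts, and the first failing path condition is the counterexample. The following Python is an added worked example, not the prover's code: path conditions and patterns are small typed graphs built inline, the Persons-to-Community element types and edge labels are constructed, and the injective backtracking matcher is a deliberately simple stand-in for the prover's subgraph isomorphism.

```python
"""Phase 2 style property verification over path conditions by subgraph isomorphism.
Added example with constructed graphs; not the prover's own implementation."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

Edge = Tuple[str, str, str]  # (source node id, target node id, edge label)


@dataclass(frozen=True)
class Graph:
    """Typed graph: node id -> type name, plus labelled directed edges.
    Both a path condition and a property pattern are Graphs."""
    nodes: Dict[str, str]
    edges: FrozenSet[Edge]


def graph(nodes, edges=()) -> Graph:
    return Graph(dict(nodes), frozenset(edges))


def subgraph_iso(pattern: Graph, host: Graph) -> bool:
    """True if pattern embeds injectively into host, preserving node types and edges."""
    pnodes = list(pattern.nodes)

    def consistent(m):  # every pattern edge whose ends are mapped must exist in host
        return all((m[s], m[t], l) in host.edges
                   for (s, t, l) in pattern.edges if s in m and t in m)

    def extend(i, m):
        if i == len(pnodes):
            return True
        pn = pnodes[i]
        for hn, htype in host.nodes.items():
            if htype != pattern.nodes[pn] or hn in m.values():
                continue
            m[pn] = hn
            if consistent(m) and extend(i + 1, m):
                return True
            del m[pn]
        return False

    return extend(0, {})


def holds(prop, pc: Graph) -> bool:
    """Evaluate a property (nested tuples) on one path condition."""
    kind = prop[0]
    if kind == "exists":
        return subgraph_iso(prop[1], pc)
    if kind == "contract":  # slide 21: false iff precondition in pc and postcondition not in pc
        return not (subgraph_iso(prop[1], pc) and not subgraph_iso(prop[2], pc))
    if kind == "not":
        return not holds(prop[1], pc)
    if kind == "and":
        return holds(prop[1], pc) and holds(prop[2], pc)
    if kind == "or":
        return holds(prop[1], pc) or holds(prop[2], pc)
    if kind == "ifthen":
        return (not holds(prop[1], pc)) or holds(prop[2], pc)
    raise ValueError(kind)


def verify(prop, path_conditions: Dict[str, Graph]) -> Tuple[bool, Optional[str]]:
    """Check prop on every path condition: (True, None) or (False, counterexample name)."""
    for name, pc in path_conditions.items():
        if not holds(prop, pc):
            return False, name
    return True, None


# Constructed path conditions. "in:" types are input elements, "out:" output elements,
# and "trace" edges link an input element to the output element created from it.
PCS = {
    "pc_empty": graph({}),
    "pc_household": graph(
        {"h": "in:Household", "p": "in:Man", "c": "out:Community", "m": "out:Man"},
        {("h", "p", "members"), ("c", "m", "members"), ("h", "c", "trace"), ("p", "m", "trace")}),
    "pc_two_men": graph(
        {"h": "in:Household", "p1": "in:Man", "p2": "in:Man",
         "c": "out:Community", "m1": "out:Man", "m2": "out:Man"},
        {("h", "p1", "members"), ("h", "p2", "members"),
         ("c", "m1", "members"), ("c", "m2", "members"), ("h", "c", "trace")}),
}

HOUSEHOLD = graph({"h": "in:Household"})
COMMUNITY = graph({"c": "out:Community"})
COMMUNITY_ONE_MAN = graph({"c": "out:Community", "m": "out:Man"}, {("c", "m", "members")})
COMMUNITY_TWO_MEN = graph({"c": "out:Community", "m1": "out:Man", "m2": "out:Man"},
                          {("c", "m1", "members"), ("c", "m2", "members")})

# PatternContract: a Household in the input is always mapped to a Community in the output.
PATTERN_CONTRACT = ("contract", HOUSEHOLD, COMMUNITY)
# "1..1" multiplicity invariant: a Community is associated to one Man and not more than one.
MULTIPLICITY = ("ifthen", ("exists", COMMUNITY),
                ("and", ("exists", COMMUNITY_ONE_MAN), ("not", ("exists", COMMUNITY_TWO_MEN))))

if __name__ == "__main__":
    print(verify(PATTERN_CONTRACT, PCS))  # holds on every path condition
    print(verify(MULTIPLICITY, PCS))      # fails, counterexample pc_two_men
```

The injective mapping is what makes "not more than one Man" expressible as a pattern: two distinct Man nodes in the pattern can only match two distinct Man nodes in the path condition, so the single-Man path condition satisfies the invariant while the constructed two-Man path condition is reported as the counterexample.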

SLIDE 22

INDUSTRIAL CASE STUDY

  • GM-2-AUTOSAR migration transformation [1]
  • GM-2-AUTOSAR transformation size:
    ○ DSLTrans: 3 layers, 2 or 3 rules per layer
    ○ ATL: 2 matched rules, 9 functional helpers, 6 attribute helpers
  • GM-2-AUTOSAR transformation properties [2]:
    ○ Multiplicity Invariants: the transformation's output preserves the multiplicities in the output metamodel
    ○ Security Invariant: a physical node does not refer to a software component that is not deployed on that node
    ○ Pattern Contracts: if a pattern of elements exists in the input, then a corresponding pattern must exist in the output
    ○ Uniqueness Contracts: an output element of a rule is uniquely named if the corresponding input element is uniquely named, too (not handled in our prover)

[1] G. Selim, S. Wang, J. R. Cordy, J. Dingel. “Model Transformations for Migrating Legacy Models: An Industrial Case Study”. ECMFA, 2012.
[2] G. Selim, F. Büttner, J. R. Cordy, J. Dingel, Shige Wang. “Automated Verification of Model Transformations in the Automotive Industry”. MODELS, 2013.

SLIDE 23

INDUSTRIAL CASE STUDY

  • Time to generate path conditions (performed once) = 0.6 secs
  • Time to verify properties:

    Property      M1     M2     M3     M4     M5     M6     S1     P1     P2
    Time (sec)    0.013  0.017  0.013  0.017  0.017  0.019  0.017  0.02   0.02

    M1-M6: Multiplicity Invariants; S1: Security Invariant; P1, P2: Pattern Contracts

  • Maximum time to verify a property = 0.02 sec
SLIDE 24

DISCUSSION

Pros

  • Result holds for any input; not limited to a scope
  • No translation needed
  • Verification is much faster using our prover

Cons

  • Cannot prove properties that reason about attributes
  • Cannot verify transformations with NACS

Compared To [1]

    Property                               M1     M2     M3     M4     M5     M6     S1     P1     P2
    Time in our prover (sec)               .013   .017   .013   .017   .017   .019   .017   .02    .02
    Time in [1] within a scope of 6 (sec)  76     73.4   75     75     75.5   74.5   114    256    251

[1] G. Selim, F. Büttner, J. R. Cordy, J. Dingel, Shige Wang. “Automated Verification of Model Transformations in the Automotive Industry”. MODELS, 2013.

SLIDE 25

CONCLUSION & FUTURE WORK

Conclusion

  • Extended an input-independent property prover
  • Property prover can verify a variety of property types
  • Proved soundness & completeness of property prover
  • Conducted a case study
  • Compared our prover with another verification tool

Future Work

  • Extended scalability tests
  • Handle properties that reason about attributes
  • Verify transformations with NACs.