Transformation Models (Fabian Büttner, AtlanMod Team, INRIA)



SLIDE 1

Transformation Models

Fabian Büttner
AtlanMod Team, INRIA / École des Mines de Nantes

fabian.buettner@inria.fr

15. Sep. 2012

SLIDE 5

Transformation Models

Next: A methodology for the verification of model transformations [MODELS’12, ICFEM’12, JSS’10]

  • applicable to declarative ATL (and QVT-R)
  • suited for automatic checking by off-the-shelf solvers
  • “side-effect”: allows reverse execution (in the small)

Core idea: Translate the transformation into an equivalent logical satisfiability problem

My hopes for a collaboration:

  1. Use our results for reverse execution in the large
  2. Identify (bigger) decidable fragments of metamodels and transformations for ATL and UnCAL
  3. A formal semantics for ATL?

© AtlanMod – atlanmod-contact@mines-nantes.fr


SLIDE 10

Motivation: Type-correctness

Several interesting correctness properties: termination, confluence, type-correctness, semantics preservation, ...

We want to verify for $T : \mathcal{M}_I \to \mathcal{M}_F$:

Partial type-correctness of $T$

For each model $M_I$ of $\mathcal{M}_I$ on which $T$ terminates, $M_F = T(M_I)$ is a model of $\mathcal{M}_F$.

$\mathcal{M}_I$, $\mathcal{M}_F$ are metamodels consisting of classes, attributes, associations, and constraints (OCL / FOL).

⇒ Hence, satisfiability is undecidable in general.


SLIDE 12

Transformation Models

Given a terminating transformation $T : \mathcal{M}_I \to \mathcal{M}_F$

A transformation model for $T$ is an extension $\mathcal{M}_T = \mathcal{M}_I \cup \mathcal{M}_F \cup R$ such that, for all models $M_I$, $M_F$ of $\mathcal{M}_I$, $\mathcal{M}_F$, the following holds:

Equivalence Property

$M_F = T(M_I)$ iff there exists a model $M_T$ of $\mathcal{M}_T$ whose $\mathcal{M}_I$-part is $M_I$ and whose $\mathcal{M}_F$-part is $M_F$.

SLIDE 13

Example ER2REL: Metamodels

INPUT MM

[Class diagram: ERSchema; SchemaElement (name : String); Entity; Relship; RelshipEnd (name : String); ERAttribute (name : String, isKey : Boolean). Association ends: elements (1..*), ends (2..*), type (1), attrs ({xor}).]

context ERSchema inv ER_EN: elements->forAll(e1,e2 | e1.name = e2.name implies e1 = e2)
context Entity inv ER_EK: attrs->exists(a | a.isKey)
context Relship inv ER_ER: not attrs->exists(a | a.isKey)

OUTPUT MM

[Class diagram: RELSchema; Relation (name : String); RELAttribute (name : String, isKey : Boolean). Association ends: relations (1..*), attrs (1..*), each with 0..1 at the opposite end.]

context RELSchema inv REL_RN: relations->forAll(r1,r2 | r1.name = r2.name implies r1 = r2)
context RELSchema inv REL_AN: attrs->forAll(a1,a2 | a1.name = a2.name implies a1 = a2)
context Relation inv REL_RK: attrs->exists(a | a.isKey)
-- and further constraints

SLIDE 14

Example ER2REL: Transformation

[Class diagrams of the ER and REL metamodels, repeated from the metamodel slide.]

rule S2S {
  from s : ER!ERSchema
  to t : REL!RELSchema ( relations <- s.entities->union(s.relships) )
}
rule E2R {
  from s : ER!Entity
  to t : REL!Relation (name <- s.name, schema <- s.schema)
}
rule R2R {
  from s : ER!Relship
  to t : REL!Relation (name <- s.name, schema <- s.schema)
}
rule EA2A {
  from att : ER!ERAttribute, ent : ER!Entity (att.entity = ent)
  to t : REL!RELAttribute (name <- att.name, isKey <- att.isKey, relation <- ent)
}
rule RA2A {
  from att : ER!ERAttribute, rs : ER!Relship (att.relship = rs)
  to t : REL!RELAttribute (name <- att.name, isKey <- att.isKey, relation <- rs)
}
rule RA2AK {
  from att : ER!ERAttribute, rse : ER!RelshipEnd (att.entity = rse.entity and att.isKey = true)
  to t : REL!RELAttribute (name <- att.name, isKey <- att.isKey, relation <- rse.relship)
}

SLIDE 15

Example ER2REL: Transf.Model

[Class diagram: the ER and REL metamodels connected by the trace classes S2S, E2R, R2R, EA2A, RA2A and RA2AK; the association ends of the trace classes have multiplicity 0..1.]

Matching constraints

context x1 : ERAttribute inv match_EA2A: Entity.allInstances()->forAll(x2 | x1.ent = x2 implies EA2A.allInstances()->one(z | z.att = x1 and z.ent = x2))
context EA2A inv match_EA2A_cond: self.att.entity = self.ent

Binding constraints

context S2S inv bind_S2S_t_relations: Set{self.s.elements->collect(z|z.oclAsType(Entity).e2r.t), self.s.elements->collect(z|z.oclAsType(Relship).r2r.t)}->flatten()->select(z|z <> null)
context EA2A inv bind_EA2A_t_name: self.t.name = self.att.name -- ...
context EA2A inv bind_EA2A_t_relation: self.t.relation = self.ent.e2r.t -- ...

Creation constraints

context Relation inv create_Relation: self.e2r->size() + self.r2r->size() = 1 -- ...

SLIDE 16

Deriving Transformation Models

Encode the model finding as a satisfiability problem in a logic: Find $\lceil M_T \rceil$ such that $\lceil M_T \rceil \models \lceil \mathcal{M}_T \rceil$

Two different approaches.

  1. Generate metamodel extensions (classes, OCL constraints) and then use existing logic translations

     $\lceil \mathcal{M}_T \rceil = \mathrm{MM2L}[\mathcal{M}_I \cup \mathcal{M}_F \cup \mathrm{T2MM}[T]]$

     ⇒ Orthogonal, tool-agnostic approach

  2. Directly generate a (first-order) logic formula

     $\lceil \mathcal{M}_T \rceil = \mathrm{MM2L}[\mathcal{M}_I] \cup \mathrm{MM2L}[\mathcal{M}_F] \cup \mathrm{T2L}[T]$

     ⇒ Better suited for automated theorem proving


SLIDE 20

Verifying type correctness

Type correctness revisited

The transformation $T : \mathcal{M}_I \to \mathcal{M}_F$ is type-correct iff the transformation model for $T : \mathcal{M}_I \to \mathcal{M}_F^{c}$ is unsatisfiable for each type constraint $c$ of $\mathcal{M}_F$. ($\mathcal{M}_F^{c}$ is constrained only by the negation of $c$)

Checking ... REL_RN, REL_K, REL_AN

Counter example:

[Object diagram: one ERAttribute (name = x, isKey = true), one Entity, one Relship and two RelshipEnd objects; trace objects E2R, EA2A, R2R and two RA2AK; two Relation objects and three RELAttribute objects (each name = x, isKey = true). All constraints of ER fulfilled, all constraints of T fulfilled, REL_AN violated.]

SLIDE 22

Verifying type correctness

Checking ... REL_RN, REL_K, REL_AN, REL_M1, REL_M2, ...

Runtimes Kodkod/MiniSAT:

Obj/Class  Obj/Total  REL_RN  REL_AN  REL_K   REL_M1  ...
2          28         0.06    * 0.06  0.05    0.05
3          42         0.15    0.11    0.10    0.11
5          70         3.12    0.51    0.70    0.40
7          98         38.62   0.58    4.21    1.21
10         140        543.93  1.70    136.61  4.96
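An added example, not taken from the slides: the REL_AN counterexample search described above, done by brute-force enumeration of small ER models in Python instead of the Kodkod/SAT encoding the talk uses. The tuple representation, the function names, the per-owner attribute-name uniqueness (standing in for the unspecified "further constraints") and the per-relation reading of REL_AN are assumptions.

```python
from itertools import product

def er2rel(entities, relships, attrs, ends):
    """Apply the ER2REL rules; returns {relation name: [(attr name, isKey), ...]}."""
    rel = {e: [] for e in entities}                # E2R
    rel.update({r: [] for r in relships})          # R2R
    for name, is_key, owner in attrs:              # EA2A / RA2A
        rel[owner].append((name, is_key))
    for name, is_key, owner in attrs:              # RA2AK: key attrs of end entities
        for rs, ent in ends:
            if is_key and ent == owner:
                rel[rs].append((name, is_key))
    return rel

def er_valid(entities, relships, attrs, ends):
    """Input constraints; ER_EN holds by construction (names are identifiers)."""
    keyed = {owner for _, is_key, owner in attrs if is_key}
    owned = [(name, owner) for name, _, owner in attrs]
    return (all(e in keyed for e in entities)                 # ER_EK
            and not any(r in keyed for r in relships)         # ER_ER
            and all(sum(rs == r for rs, _ in ends) >= 2 for r in relships)  # ends 2..*
            and len(set(owned)) == len(owned))  # assumed "further constraint"

def rel_an(rel):
    """REL_AN, read per relation (assumption): attribute names pairwise distinct."""
    return all(len({n for n, _ in a}) == len(a) for a in rel.values())

def find_counterexample(n_ent=1, n_attr=1, names=("x",)):
    """Enumerate all ER models within the bound; return the first one that
    satisfies the ER constraints while its image under ER2REL violates REL_AN."""
    entities = [f"E{i}" for i in range(n_ent)]
    relships = ["R0"]                              # bound: one relationship, two ends
    choices = list(product(names, (True, False), entities + relships))
    for targets in product(entities, repeat=2):
        ends = [("R0", e) for e in targets]
        for attrs in product(choices, repeat=n_attr):
            model = (entities, relships, list(attrs), ends)
            if er_valid(*model) and not rel_an(er2rel(*model)):
                return model
    return None                                    # type-correct within the bound

if __name__ == "__main__":
    print(find_counterexample())
```

With the default bound the search returns the same shape as the slide's counterexample: one entity with a key attribute and a relationship whose two ends both refer to that entity.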


SLIDE 24

Reverse execution

Reverse execution by partial model completion

  • Valid instance of $\mathcal{M}_F$
  • Invalid (incomplete) instance of $\mathcal{M}_T$

Technically not much different from counter example finding

  • Not applicable to large models
  • But a component in reverse execution (of ATL)?

SLIDE 25

Conclusion

Summary:

  • Transformation models are a nice vehicle to reason about declarative ATL (and QVT)
  • Particular applications: partial correctness checking and reverse execution (in the small)
  • Various “back ends” are possible (bounded search as well as SMT)

Possible fields of collaboration:

  • Use our results for reverse execution (in the large)
  • Identify (bigger) decidable fragments of metamodels and transformations
  • A formal semantics for ATL?