Towards Verified Model Transformations

1. Towards Verified Model Transformations 3rd Workshop on Model Design and Validation: Perspectives on Integrating MDA and V&VGenoa, Italy Holger Giese1, Sabine Glesner2, Johannes Leitner3, Wilhelm Schäfer1, and Robert Wagner1 1Software Engineering GroupUniversity of Paderborn [hg|wilhelm|wagner]@uni-paderborn.de 2Faculty IV - Electrical Engineering and Computer ScienceTechnical University of Berlin glesner@cs.tu-berlin.de 3Department for Computer and Information ScienceUniversity of Konstanz leitner@uni-konstanz.de

2. Are the transformations correct? Motivation • Model-Driven Software Engineering • increases software quality • reduces development costs • Verified model transformations MDE AnalysisModel Model Code(Model) Towards Verified Model Transformations

3. Case Study Towards Verified Model Transformations

4. Automaton / round_cylinder:=true round_sensor=true /interlock:=true;round_cylinder:=false 3 2 straightunlocked switchinground switch2round=true /interlock:=false VAR state : INT := 1; END_VAR; CASE state OF 1: / * straight */ IF switch2round=true THEN interlock:=false; state:=2; /* straight unlocked */ END_IF; 2: /* straight unlocked */ round_cylinder:=true; state:=3; /* switching round */ … END_CASE PLC-Code 4 1 straight round 6 5 switchingstraight roundunlocked switch2straight=true /interlock:=false; straight_sensor=true /interlock:=true;straight_cylinder:=false / straight_cylinder:=true Example Are the models semanticallyequivalent? Is the transformationcorrect? Towards Verified Model Transformations

5. SourceModel Transformation Checker TargetModel to be verified ok ok ok ¬ok ¬ok ¬ok Model CheckingP SourceModel Rule Developer User TransformationP’=T(P) Transformation Model CheckingP’ TargetModel [Varró et al., “Automated formal verification of model transformations”, Proceedings of CSDUML Workshop 2003] Related Work [Karsai et al., “Towards verifying model transformations”, Electronic Notes in Theoretical Computer Science, 2006] ≠ Towards Verified Model Transformations

6. Execution Model Transformations Specification Verification Towards Verified Model Transformations

7. LHS RHS Triple Graph Grammars [Sch94] Triple Graph Grammar Rule b:CaseBlock a:Automaton :CorrNode ++ ++ ++ ++ ++ s:State c:Case ++ ++ :CorrNode ++ ++ ++ l:Label value=map(s.name) AutomataDomain PLC-Code Domain CorrespondenceDomain [Sch94] A. Schürr, "Specification of Graph Translators with Triple Graph Grammars", in: G. Tinhofer (ed.), Springer Verlag, 1994; Lecture Notes in Computer Science, Vol. 903, 151-163. Towards Verified Model Transformations

8. :Automaton :CorrNode Rule 2 :Label :CaseBlock :Label :IfBlock :Case :CaseBlock :Automaton :CorrNode value=“2” value=“1” ++ ++ ++ ++ :State :CorrNode :State :Case :CorrNode name=„straight“ ++ :Label Rule 3 :Case :State :Transition :CorrNode :CorrNode Rule 1 (Axiom) guard=“…” ++ ++ ++ ++ ++ ++ ++ ++ :Transition :IfBlock :Automaton :CaseBlock :CorrNode :CorrNode :Case :State :CorrNode :State :Case :CorrNode name=“straight unlocked“ Rule Execution Towards Verified Model Transformations

9. Isabelle/HOL interactive theorem prover for second-order logic Verification Approach - Overview I/O-Automaton PLC-Code Towards Verified Model Transformations

10. Formalize metamodels as abstract data types - use records, lists and other primitive data types Formalize metamodels as abstract data types - use records, lists and other primitive data types Verification Approach - Overview Towards Verified Model Transformations

11. Formalize metamodels as abstract data types - use records, lists and other primitive data types Define the operational semantics as a recursive function over the formalized metamodels (abstract data types) Verification Approach - Overview Towards Verified Model Transformations

12. Define modifiers analogously to the modifications specified by triple graph grammar rules • adding states, transitions, actions,… • adding case block, if-statements, assignment expressions, … :CaseBlock :Automaton :CorrNode :State :Case :CorrNode :Label Verification Approach - Overview Towards Verified Model Transformations

13. P0 Pn M0 Mn ≈ ≈ P M ≈ modifier pairs P‘ M‘ ≈ Verification of Transformation • Axiom: Empty Automaton and empty PLC-Program are equivalent • Induction Step: Simultaneous evolution of the models preserves semantic equivalence • Result: For any model Mn and corresponding program code Pn = trans(Mn) produced by the triple graph grammar holds Mn ≈ Pn Mn: Towards Verified Model Transformations

14. Conclusion & Future Work • Conclusion • first step towards verification of transformations • has been verified in Isabelle/HOL for simple transformations (approx. 1500 lopc) • verified transformation results in semantically equivalent source and target models for any given source model • Future Work • prove more complex transformations • include automatic checking of correspondence nodes as preconditions • automatic derivation of the formalization for the theorem prover • combine interactive theorem proving with automated verification techniques Towards Verified Model Transformations