Right or Wrong? – Verification of Model Transformations using Colored Petri Nets*. M. Wimmer, G. Kappel, A. Kusel, W. Retschitzegger, J. Schönböck and W. Schwinger. 9th OOPSLA Workshop on Domain-Specific Modeling, 26th October, 2009, Orlando. Johannes Schönböck.
*This work has been partly funded by the Austrian Science Fund (FWF) under grant P21374-N13.
Introduction
• MDE (Model-Driven Engineering) places models as first-class artifacts throughout the software lifecycle
• Transformation languages are an essential prerequisite
[Figure: horizontal transformation between a UML Class Model and an ER Diagram Model]
Introduction
QVT Relations code example:

    transformation umlToRdbms(class:Class1, rel:Relational1) {
      top relation ClassToTable {
        cn: String;
        checkonly domain class c:Class {name=cn, attributes=a:Attribute{}};
        enforce domain rel t:Table {name=cn, columns=cl:Column{}};
        where { AttributeToColumn(a, cl); }
      }
      relation AttributeToColumn {
        an, tn: String;
        checkonly domain class a:Attribute {name=an, type=ty:Type{name=tn}};
        enforce domain rel cl:Column {name=an, type=tn};
      }
    }

• How can one reuse transformation logic? Transformations have to be defined from scratch again and again
• How does the transformation get executed? Debugging of the transformation logic is hard
• How to ensure correct transformation specifications? Formal verification methods are missing
[Figure: a Transformation maps a Source Model to a new Target Model; each model conforms to its metamodel (Source Metamodel, Target Metamodel)]
TROPIC in a Nutshell (1/2)
How can one reuse transformation logic?
• Interfaces are typed by the types of the MM-Model (EClass, EAttribute, EReference)
• Mapping Operators can be bound to arbitrary metamodels
[Figure: Mapping View, Transformation, Mapping Operator Library]
TROPIC in a Nutshell (2/2)
How does the transformation get executed?
• Transformation Nets provide an explicit runtime model
• By observing the simulation in the Transformation Nets, errors can be easily detected
How to ensure correct transformation specifications?
• Since Transformation Nets form a DSL on top of Standard Colored Petri Nets, properties can be used for formal verification
[Figure: Transformation View with places Class, Class_attr, Attribute, Attribute_type, Type, Type_name, Table, Table_cols, Column, Column_type; arrows labelled instantiate, derive, translate, simulate, verify, construct lead to Colored Petri Nets and State Space]
Class2Relational Example: Translating Transformation Nets to CPNs
[Figure: Source and Target metamodels (M2) with Class (parent, attr), Attribute, Table (cols) and Column, and the models (M1) related by the Transformation. Source model: classes C1 Person, C2 Customer, C3 CustomerSpecial with attr and parent links and attributes A1 name, A2 address, A3 custId, A4 creditLimit. Target model: table C1 Person with columns A1 name, A2 address, A3 custId, A4 creditLimit.]
[Figure: workflow Transformation Problem, TROPIC, CPN, State Space with the steps specification, translate, construct, simulation, verification]
Class2Relational Example: Translating Transformation Nets to CPNs
Example realized in Transformation Nets
• To be simulated
• To be verified
Class2Relational Example: Translating Transformation Nets to CPNs
• DSL (Transformation Nets) hides complexity of CPNs
• DSL (Transformation Nets) introduces specific concepts for the domain of model transformations
• But CPN Tools provide
  • Efficient execution engine for simulation
  • State space analysis for verification
Class2Relational Example: Translating Transformation Nets to CPNs
Construction of State Space allows exploration of formal properties
• Boundedness
• Liveness
• Home State
• Dead Marking
Class2Relational Example: Verification using Properties
Model comparison using Boundedness properties
• Comparison of generated target model to an expected target model
State space report (excerpt):

    Integer Bounds               Upper   Lower
      …
      Table_cols                 3       0
      …
    Upper Multi-Set Bounds
      …
      Table_cols                 1`(1200,"Person",1,"name")++
                                 1`(1200,"Person",2,"addr")++
                                 1`(1200,"Person",6,"custID")
      …
    Home Markings                [1320]
    Dead Markings                [1320]
    Dead Transition Instances    TransitiveClosureLinker

[Figure: Expected Target Model]
Class2Relational Example: Verification using Properties
Transition error detection using Liveness properties
• L0-Liveness to detect Dead Transition Instances
State space report (excerpt):

    Integer Bounds               Upper   Lower
      …
      Table_cols                 3       0
      …
    Upper Multi-Set Bounds
      …
      Table_cols                 1`(1200,"Person",1,"name")++
                                 1`(1200,"Person",2,"addr")++
                                 1`(1200,"Person",6,"custID")
      …
    Home Markings                [1320]
    Dead Markings                [1320]
    Dead Transition Instances    TransitiveClosureLinker

[Figure: Corrected Solution]
Class2Relational Example: Verification using Properties
Termination and confluence verification using Dead and Home Markings
• Dead Marking is prerequisite for termination
• Home Marking is prerequisite for confluence
• Equal Dead and Home markings are necessary to ensure termination
State space report (excerpt):

    Upper Multi-Set Bounds
      …
      Table_cols                 1`(1200,"Person",1,"name")++
                                 1`(1200,"Person",2,"addr")++
                                 1`(1200,"Person",6,"custID")++
                                 1`(1200,"Person",8,"creditLimit")
      …
    Home Markings                [1320]
    Dead Markings                [1320]
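The checks from the three verification slides above, as an added example that is not part of the original slides or of TROPIC: a Python state-space construction for a constructed Class2Relational net that reports the upper bound of Table_cols, the dead and home markings, and the dead transitions. Markings are modelled as sets rather than CPN multisets, and the place `Class_parent` and the firing rules are assumptions made for illustration.

```python
from collections import deque

# Constructed input model: one class, three attributes, no inheritance.
M0 = frozenset({("Class", "Person")} |
               {("Class_attr", ("Person", a)) for a in ("name", "addr", "custId")})
TRANSITIONS = ("ClassToTable", "AttributeToColumn", "TransitiveClosureLinker")

def tokens(m, place):
    return [c for p, c in m if p == place]

def successors(m):
    # Source tokens are read, not consumed; existing target tokens act as history.
    for c in tokens(m, "Class"):
        if ("Table", c) not in m:
            yield "ClassToTable", m | {("Table", c)}
    for c, a in tokens(m, "Class_attr"):
        if ("Table", c) in m and ("Table_cols", (c, a)) not in m:
            yield "AttributeToColumn", m | {("Table_cols", (c, a))}
    for sub, sup in tokens(m, "Class_parent"):  # assumed place, empty in M0
        for c, a in tokens(m, "Class_attr"):
            if c == sup and ("Class_attr", (sub, a)) not in m:
                yield "TransitiveClosureLinker", m | {("Class_attr", (sub, a))}

def state_space(m0):
    # Full reachability graph: marking -> set of successor markings.
    graph, fired, todo = {}, set(), deque([m0])
    while todo:
        m = todo.popleft()
        if m not in graph:
            succ = list(successors(m))
            fired.update(t for t, _ in succ)
            graph[m] = {n for _, n in succ}
            todo.extend(graph[m])
    return graph, fired

def reachable(graph, m):
    seen, stack = {m}, [m]
    while stack:
        for n in graph[stack.pop()] - seen:
            seen.add(n)
            stack.append(n)
    return seen

def analyse(m0, place):
    graph, fired = state_space(m0)
    return {"upper_bound": max(len(tokens(m, place)) for m in graph),
            "dead_markings": {m for m in graph if not graph[m]},
            "home_markings": set.intersection(*(reachable(graph, m) for m in graph)),
            "dead_transitions": set(TRANSITIONS) - fired}
REPORT = analyse(M0, "Table_cols")
```

A single dead marking that is also the only home marking means every firing order ends in the same target model; a transition left in `dead_transitions` never fired for this input and is the kind of finding the slides flag for TransitiveClosureLinker.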
Taxonomy of Transformation Errors and CPN Properties
Table columns: Location (Granularity, Type), Transformation Net, CPN Property. Each entry below gives the transformation error, then its form in the Transformation Net.
Intra-Rule, LHS (CPN properties: Liveness, Boundedness, Reachability)
• wrong source MM element: wrong arc from place to transition
• wrong/too strong/too weak matching pattern: wrong/incomplete color pattern in LHS of transition
• non-satisfiable matching pattern: non-satisfiable color pattern with respect to MM
Intra-Rule, RHS (CPN properties: Reachability, Boundedness)
• wrong target MM element: wrong arc from transition to target place
• wrong instantiation of target elements: wrong/incomplete color pattern in RHS of transition
Inter-Rule (CPN properties: Reachability, Boundedness, Home State, Persistence, Dead State)
• Source MM coverage: missing/redundant source MM elements: missing/redundant arcs from source place to transition
• Transformation Logic: wrong intermediate results/dependencies: wrong tokens in/wrong connection to trace place
• Target MM coverage: missing/redundant target MM elements: missing/redundant arcs from transition to target place
• Runtime behavior: non-determinism/non-confluence: hungry transitions sharing same source place
• Runtime behavior: non-termination: loops producing new colored tokens
Lessons Learned
• History ensures termination
  • Difficult to check in other transformation languages (graph transformations)
• Visual syntax and live programming foster debugging
  • Flow of tokens undergoing certain transformations can be followed
• Concurrency in Petri Nets allows parallel execution of model transformations
  • Parts of transformation logic can run in parallel
• State Space explosion limits model size
  • CPN Tools only support full state space
  • State Space reduction methods (Stubborn Sets)
  • ASAP Tool (http://www.daimi.au.dk/~ascoveco/)
Thank you for your attention! Questions http://www.modeltransformation.net