automated verification of model transformations in the automotive industry
DESCRIPTION
Automated Verification of Model Transformations in the Automotive Industry. Gehan M. K. Selim , Fabian Büttner , James R. Cordy , Juergen Dingel , Shige Wang. Agenda. Motivation Objective The Model Transformation Problem The Verification Methodology - PowerPoint PPT PresentationTRANSCRIPT
AUTOMATED VERIFICATION OF MODEL TRANSFORMATIONS IN THE AUTOMOTIVE INDUSTRY
GEHAN M. K. SELIM, FABIAN BÜTTNER, JAMES R. CORDY, JUERGEN DINGEL, SHIGE WANG
2
AGENDA- Motivation
- Objective
- The Model Transformation Problem
- The Verification Methodology
- Case Study: Automatically Verifying the GM-2-AUTOSAR Transformation
- Results
- Verifying the 18 OCL Constraints- Performance of the Verification Approach
- Discussion
- Strengths of the Verification Approach- Weaknesses of the Verification Approach
- Conclusion & Future Work
3
MOTIVATION
- MDD
- Model Transformations
- Verification
Are those concepts practical to use in
industry ?
4
MOTIVATION- Industrial experiences in adopting MDD…
- T. Cottenier, A. Van Den Berg, T. Elrad “The Motorola WEAVR: Model Weaving in a Large Industrial Context” AOSD 2007.
- P. Mohagheghi, V. Dehlen “Where is the Proof?-A Review of Experiences from Applying MDE in Industry” ECMDA-FA 2008.
- Few studies on industrial model transformations…- A. Daghsen, K. Chaaban, S. Saudrais, P. Leserf “Applying Holistic
Distributed Scheduling to AUTOSAR Methodology” ERTSS 2010.- H. Giese, S. Hildebrandt, S. Neumann “Model Synchronization at Work:
Keeping SysML and AUTOSAR Models Consistent” Graph Transformations & Model-Driven Engineering 2010.
- G.Selim, S. Wang, J. Cordy, J. Dingel “Model Transformations for Migrating Legacy Models: An Industrial Case Study” ECMFA 2012
- Verifying industrial model transformations ??
5
OBJECTIVE
What?• Validate an industrial model
transformation [1]
How?• Using an automated verification
prototype [2]
Why?
• Report on the practicality of using automated verification in industry
• Discuss any issues that need to be addressed for the industry to readily adopt such prototypes
[1] G. Selim, S. Wang, J. Cordy, J. Dingel "Model Transformations for Migrating Legacy Models: An Industrial Case Study", ECMFA 2012[2] F. Büttner, M. Egea, J. Cabot, M. Gogolla “Verication of ATL Transformations Using Transformation Models and Model Finders”, ICFEM 2012
6
THE MODEL TRANSFORMATION PROBLEM
GM Models GM-2-AUTOSAR Transformation AUTOSAR models
[1] G. Selim, S. Wang, J. Cordy, J. Dingel "Model Transformations for Migrating Legacy Models: An Industrial Case Study", ECMFA 2012
GM
M
etamodel
AU
TO
SA
RM
etamodel
7
THE VERIFICATION METHODOLOGY
Transformation Model:
- Elements representing : T,
- OCL Constraint sets: SEM, PRE, POST
tarsrc MMMM ,
transform
ATL Transformation T
Source Metamodel
Target Metamodel
Transformation Model (OCL)
srcMM
tarMM
[1] F. Büttner, M. Egea, J. Cabot, M. Gogolla “Verication of ATL Transformations Using Transformation Models and Model Finders”, ICFEM 2012
8
THE VERIFICATION METHODOLOGY
Transformation Model:
- Elements representing : T,
- OCL Constraint sets: SEM, PRE, POST
tarsrc MMMM ,
Transformation Model (OCL)
[1] F. Büttner, M. Egea, J. Cabot, M. Gogolla “Verication of ATL Transformations Using Transformation Models and Model Finders”, ICFEM 2012
transform
ATL Transformation T
Source Metamodel
Target Metamodel
srcMM
tarMM
9
THE VERIFICATION METHODOLOGY
For each property , the following must be unsatisfiable:iPost
What• Check partial correctness of transformation
model w.r.t. properties (OCL Constraints)
How
• Check if there is a counter example in a specific scope (i.e. maximum number of objects per class)
• Use satisfiability checkers or Model finders, e.g., USE Validator [1][2]
[1] M. Kuhlmann, L. Hamann, M. Gogolla “Extensive Validation of OCL Models by Integrating SAT Solving into USE” TOOLS 2011[2] The USE Validator. available online, http://sourceforge.net/projects/useocl/les/Plugins/ModelValidator/
10
THE VERIFICATION METHODOLOGY
Run the prototype to generate the USE specification & the search configuration
Added the constraints to the USE specification & negate constraint in search configuration
Ran the tool once for each of the postconditions
Relational Logic
Propositional Logic
Ecore + OCLATL + Ecore
+ OCL
11
CASE STUDY: AUTOMATICALLY VERIFYING THE GM-2-AUTOSAR TRANSFORMATION
Old Implementation
• 2 ATL Matched Rules• 9 Functional Helpers• 6 Attribute Helpers
New Implementation
• 3 Matched Rules• 2 Lazy Rules
12
CASE STUDY: AUTOMATICALLY VERIFYING THE GM-2-AUTOSAR TRANSFORMATION
18 OCL PostconditionsTarget Invariants
6 Multiplicity Invariants
1 Security Invariants
Transformation Contracts9 Uniqueness Contracts
2 Pattern Contracts
Autom
atically G
enerated by the P
rototype
Manually
Form
ulated
OCL Preconditions … ?
13
CASE STUDY: AUTOMATICALLY VERIFYING THE GM-2-AUTOSAR TRANSFORMATION
Context CompositionType inv CompositionType_co:self.componentsize>=1
14
RESULTS: VERIFYING THE 18 OCL CONSTRAINTS- 2 Multiplicity Invariants of the 18 constraints are violated
- CompositionType_component- SwcToEcuMapping_component
15
RESULTS: VERIFYING THE 18 OCL CONSTRAINTS
CompositionType_component
16
RESULTS: PERFORMANCE OF THE VERIFICATION APPROACH- Standard laptop (2.50 GHz, 16GB of memory)
- Ran the verification prototype:
- once for each constraint - for scopes up to 12
- For each scope & constraint, 2 numbers were generated:
- Translation Time: Time taken to translate the relational logic representation of the transformation into propositional logic.
- Constraint Solving Time: Time taken by SAT solver to solve the propositional representation of the transformation.
17
RESULTS: PERFORMANCE OF THE VERIFICATION APPROACH
18
DISCUSSION: STRENGTHS OF THE VERIFICATION APPROACH
Full Automation
• Translation from ATL & constrained metamodels to constrained Ecore model & then to relational logic
• Verification of industrial transformation models up to a scope of 12 !
Verifying a Substantial Subset of ATL
• Except for Imperative blocks, recursive lazy rules, & recursive queries
• 83/131 transformations in ATL Zoo are in this fragment…24 of the remaining 48 transformations can be expressed declaratively…too!
19
DISCUSSION: WEAKNESSES OF THE VERIFICATION APPROACH
Correctness of
ATL-2-Relational-Logic Translation
• Testing & Inspection• BUT cannot formally
prove correctness No formal semantics for ATL & OCL
Bound Search Approach
• Scope too small to verify the transformation ?
• Maximum scope to use is transformation-dependent
20
CONCLUSION & FUTURE WORK- Demonstrated using an automated verification prototype
[1] to verify industrial transformation [2]
- Result: The used prototype uncovered 2 bugs !
- Performance: Verifying the transformation up to a scope of 12 was possible !
Application of automated verification to a case study was successful & practical to
use in an industrial context
[1] F. Büttner, M. Egea, J. Cabot, M. Gogolla “Verication of ATL Transformations Using Transformation Models and Model Finders”, ICFEM 2012[2] G. Selim, S. Wang, J. Cordy, J. Dingel "Model Transformations for Migrating Legacy Models: An Industrial Case Study", ECMFA 2012
21
CONCLUSION & FUTURE WORK
More In
dustrial
transfo
rmatio
ns
in case
study
Use Incremental SAT Solvers
Pruning of the
transformation
model