executable metamodeling for model v&v (may 25th, 2010)

Context and ObjectivesExecutable Metamodeling Approach to Support Model V&V

Formal Foundations for Executable MetamodelingConclusion & Future Works

Executable Metamodeling for Model V&V

Benoît Combemale

University of Rennes 1,TRISKELL team (IRISA & INRIA)[email protected]

May 25, 2010

B. Combemale (UR1, IRISA) Executable Metamodeling for Model V&V May 25, 2010 1 / 33

[email protected]



Short CV

2009 – ... Associate ProfessorUniversity of Rennes 1, Triskell team (INRIA & IRISA, Fr.).Research Interests: MDE, MDLE, Formal behavioral semantics of languages, V&V,Models@runtime

2008 – 2009 Post-Doctoral FellowEMN, AtlanMod team (EMN & INRIA, Fr.).Research Interests: Infinite Model (Definition and Transformation)

2005 – 2008 PhD CandidateINPT ENSEEIHT, ACADIE team (IRIT, Fr.).PhD Thesis: « Metamodeling Approach for Model Simulation and Verification »

2004 – 2005 M.Sc. « Software Safety »ENSEEIHT (INPT), ISYCOM team (GRIMM, Fr.)Master Thesis: « Specification and Verification of Process Model »




Context




Context

Modèle <<représente>>




Context

Concepteur

Modèle <<représente>>Langage




Context

générateurs

Concepteur

simulateursvérificateurs


éditeur




Context

générateurs

Concepteur



éditeur

MétaModèle

<<représente>><<conformeA>>




Context

générateurs

Concepteur



Modèle<<représente>>


Modèle

<<représente>>

DSML

éditeur

Concepteur

DSML

Concepteur

DSML

Concepteur

DSML

DSML = Domain Specific Modeling Language




Context

générateurs

Concepteur





Modèle

<<représente>>

DSML

éditeur

générateurs

Concepteur


DSML

éditeur

générateurs

Concepteur


DSML

éditeur

générateurs

Concepteur


DSML

éditeur




Objectives

générateurs

Concepteur





Modèle

<<représente>>

DSML

éditeur

générateurs

Concepteur


DSML

éditeur

générateurs

Concepteur


DSML

éditeur

générateurs

Concepteur


DSML

éditeur

Methodological foundations for executable metamodelingTo capture the necessary information in metamodel for model execution,To support generative approaches that ease the definition of V&V tools.

Formal foundations for executable metamodelingTo validate the use of formal verification tools,To validate the consistencies between the use of different tools.




Operational Semantics Vs. Translational Semantics

MyDSML

Metamodel

Rules

endogenoustransformation

Operational Semantics

+ intuitive definition,

− requires to define tools (e.g.,V&V) for each DSML.

MyDSML

Metamodel

FormalDomain

DataStructure

Rules

exogenoustransformation

Translational Semantics− expression of semantic equivalences,

+ allows to reuse existing tools (in thetarget domain).




DSML semantics using operational semantics

May be achieved thanks to :

meta-programming language (kermeta, action language. . . )

startable() Operation : Kermeta code

operation startable() : Boolean is dovar start_ok : kermeta::standard::Booleanvar previousActivities : seq Activity [0..*]var prevPrecedes : seq Precedes [0..*]if progress==-1 then// Getting the activities which have to be startedprevPrecedes := previous.select{p | p.kind ==

PrecedenceKind.pk_start_start }previousActivities := prevPrecedes.collect{p | p.before}start_ok := previousActivities.forAll{a | a.progress >= 0}// Getting the activities which have to be finishedprevPrecedes := previous.select{p | p.kind ==PrecedenceKind.pk_finish_start }previousActivities := prevPrecedes.collect{p | p.before}start_ok := start_ok and

(previousActivities.forAll{a | a.progress==100})result := start_ok or (previous.size() == 0)

elseresult := false

endend

endogenous transformations (ATL. . . )

Main advantage: Deals with concepts related to the DSL.




DSML semantics using translational semantics

Example : Mapping a SimplePDL model into a time Petri net one to use theTINA toolkit.

SimplePDL.ecore

Process

.pdl

PDL2PN

.atl

Process

.net

Properties

.ltl

Tina

ATL<<instanceOf>> Process.PetriNet

Petrinet.ecore

<<instanceOf>>

Main advantage: reuse the tools available in the target technical space.




Contributions

Executable Metamodeling Approach

FinishToStartFinishToStart

FinishToStart

Formal Verification by Model-Checking

Model Simulationby Graphical Animation

Formal Foundations for Executable Metamodeling




Outline

1 Context and Objectives

2 Executable Metamodeling Approach to Support Model V&VA Design Pattern for Executable DSMLApplication for Model SimulationApplication for Model Verification

3 Formal Foundations for Executable MetamodelingMotivations & IssuesCOQ4MDE: a Framework for (meta)Model Formalization

Intuitive approachFormal definitionsApplication to EMOF and OMG pyramid issues

4 Conclusion & Future Works




A Design Pattern for Executable DSMLApplication for Model SimulationApplication for Model Verification

Outline










A Design Pattern for Executable DSML

Events DefinitionMetaModel

EDMM

Domain DefinitionMetaModel

DDMM

States DefinitionMetaModel

SDMM

<<merge>><<merge>>

<<merge>>

Trace ManagementMetaModel

TM3

<<import>>

Semantics Mapping

Semantics

Action Language or Model Transformation

Metamodeling Language (e.g., MOF)

MetaMetaModel (M3)

MetaModel (M2)

<<conformsTo>>

<<conformsTo>>

<<triggeredBy>><<changes>>






Domain Definition MetaModel (DDMM)

Capture the structural information (domain specific concepts, theirrelationships and their constraints.

States Definition MetaModel (SDMM)

Capture the "dynamic" information, characterizing the whole possible states ofmodel (during execution).

Events Definition MetaModel (EDMM)

Capture the events (and their parameters) that evolve the model execution.

Trace Management MetaModel (TM3)

Capture sets of event through traces and scenarios.






Domain Definition MetaModel (DDMM)

States Definition MetaModel (SDMM)

Events Definition MetaModel (EDMM)

Trace Management MetaModel (TM3)


Lm =< AS,CS∗,M∗ac,SD,Mas >, s.t.AS = {DDMM,SDMM,EDMM}∪{TM3}





Using the Design Pattern for Model Simulation


EDMM


DDMM


SDMM

<<merge>><<merge>>

<<merge>>

Animator

Editor

ScenarioBuilder Trace Management

MetaModel

TM3

<<import>>

Execution Engine & Control Panel

Figure: DSML-based Tooling

Control Panel

Graphical Animator

MDDMM

ScenarioBuilder

Model Execution Framework

Generic Execution Engine

A Semantics for an Executable Language

GraphicalEditor

MEDMMMSDMM

control

update

create

create

use

updateuse

visualize

Figure: Interactions between Components







EDMM


DDMM


SDMM

<<merge>><<merge>>

<<merge>>


TM3

<<import>>






reactionOnEv1()...reactionOnEvN()

Semantics2


EDMM


DDMM


SDMM

<<merge>><<merge>>

<<merge>>


Semantics


Semantics1


TM3

<<import>>







Semantics2

Action Languages


EDMM


DDMM


SDMM

<<merge>><<merge>>

<<merge>>


Semantics


Semantics1


TM3

<<import>>







Semantics2

Action Languages


EDMM


DDMM


SDMM

<<merge>><<merge>>

<<merge>>


Semantics


Semantics1

Animateur

Editeur

Constructeur de scénario


TM3

<<import>>

Moteur de simulation & panneau de contrôle






GraphicalEditor






MDDMM

GraphicalEditor






MDDMMScenarioBuilder

GraphicalEditor







GraphicalEditor

MEDMM







Simulation Engine

GraphicalEditor

MEDMM







Simulation Engine

Generic Simulation Engine

DSML_1Semantics

GraphicalEditor

MEDMM







Simulation Engine


DSML_1Semantics

GraphicalEditor

MEDMM

MSDMM






Graphical Animator


Simulation Engine


DSML_1Semantics

GraphicalEditor

MEDMM

MSDMM






Control Panel

Graphical Animator


Simulation Engine


DSML_1Semantics

GraphicalEditor

MEDMM

MSDMM





Using the Design Pattern for Formal Verification

xSPEM.ecore






xSPEM.ecore

myProcess.xspem

myProcess.net

<<conformsTo>>






xSPEM.ecore

PetriNet.ecore

myProcess.xspem

myProcess.PetriNet

myProcess.net

<<conformsTo>><<conformsTo>>






xSPEM.ecore

PetriNet.ecore

myProcess.xspem

myProcess.PetriNet

xSPEM2PetriNet.atl

myProcess.net


ATL(M2M)






xSPEM.ecore

PetriNet.ecore

myProcess.xspem

myProcess.PetriNet

xSPEM2PetriNet.atl

myProcess.net


ATL(M2M)

Tina.tcs

TCS






xSPEM.ecore

PetriNet.ecore

myProcess.xspem

myProcess.PetriNet

xSPEM2PetriNet

.atl

myProcess.net


ATL(M2M)

Tina.tcs

TCS

DDMM: réseau de Petri (RdP)SDMM: marquage du RdPEDMM: preuve de bisimulation






Tina

xSPEM.ecore

PetriNet.ecore

myProcess.xspem

myProcess.PetriNet

xSPEM2PetriNet

.atl

myProcess.net


ATL(M2M)

Tina.tcs

TCS







ATL(M2T)

Tina

xSPEM.ecore

PetriNet.ecore

myProcess.xspem

myProcess.PetriNet

xSPEM2PetriNet

.atl

myProcess.net


ATL(M2M)

Tina.tcs

TCS

properties.ltl

TOCL.ecore

properties.tocl

<<conformsTo>>

<<use>>

TOCL2LTL.atl

<<dependOn>>





Motivations & IssuesCOQ4MDE: a Framework for (meta)Model Formalization

Outline










Consistency of multiple semantics

Usefulness of several semanticsDefine operational semantics for model interpretation.

Define translational semantics to reuse tools or code generation.

ProblemHow to assert that all the defined semantics are consistent?

Our solutionDefining a framework based on formal tools like the COQ proof assistant to

1 define operational semantics of the DSL (called reference semantics)2 define operational semantics of the technical space (semantic domain)3 express the mapping from the DSL to the semantic domain4 prove the equivalence of translational semantics and reference semantics





Issues

How to formally express the concepts ofmodels, metamodels,meta-metamodels. . . ?⇒ what are their various types ?⇒ what is the encoding in a formal domain

semantics ?

With this encoding, how to express thestructural and behavioral semantics ?⇒ does a model conform to its language ?⇒ are two languages equivalent from a

structural or behavioral point of view ?

Warning: the OMG vision being oneof the possible MDE view... Theframework must be more general.

M1

M0

M2

M3metamodel(UML, SPEM...)

model(UML models...)

"real" world

metametamodel(MOF)





ReferenceModel and ModelIntuitive approach

REFERENCEMODEL (〈concepts, relations,semantics〉):modelling language from which one can define a family of models,specifies the semantic properties of its models.

MODEL (〈objects, links〉): the instance level.

Model (M) ReferenceModel (RM)

<<promotionOf>>

<<conformsTo>>

A model MUST conform to a RM.

A RM may be directly defined.

A RM may be obtained as the promotion of a model.





Conformity and PromotionIntuitive approach

Conformity1 Every object o in M is the instance of a class C in RM;2 Every link between two objects is such that it exists, in RM, a reference

between the two classes typing the two elements.3 Every semantic property defined in RM is satisfied in M.

Promotion1 Identify the different concepts among the model elements.2 Identify relations between the previous concepts.3 Define the different semantic properties that must hold on the models that

conform to the Reference Model.





Formal ApproachGeneral Definitions

Let us consider:

DefinitionClasses the set of all possible classes,

References the set of reference labels,

Objects the set of instances of such classes.

Definition

C ⊆ Classes be a set of classes,

R ⊆ {〈c1, r ,c2〉 | c1,c2 ∈ C , r ∈References} be the set of referencesamong classes where∀c1 ∈ C , r ∈References, card{〈c1, r ,c2〉 ∈R} ≤ 1.





Formal ApproachModel and ReferenceModel

Definition (Model)

A model 〈MV ,ME〉 ∈ Model(C ,R) is a multigraph built over a finite set MV oftyped objects and a finite set ME of typed edges such that:

MV ⊆ {〈o,c〉 | o ∈ Objects,c ∈ C }ME ⊆

{〈〈o1,c1〉, r ,〈o2,c2〉〉〈o1,c1〉,〈o2,c2〉 ∈MV ,〈c1, r ,c2〉 ∈R

}Definition (ReferenceModel)

A reference model 〈(RV ,RE),conformsTo〉 is a multigraph built over a finiteset RV of classes and a finite set RE of references, with semantic propertiesover the instances of both classes and references.

RV ⊆ ClassesRE ⊆ {〈c1, r ,c2〉 | c1,c2 ∈ RV , r ∈ References}conformsTo : Model(RV ,RE)→ Bool





EMOF Core as a Reference ModelTraditional notation (class diagram notation)

Propertylower: Natural⊤ = 1 upper : Natural⊤ = 1isOrdered : Boolean = false isComposite: Boolean = falsedefault: String = ""

ClassisAbstract: Boolean = false

{ordered} 0..*ownedAttribute

0..1opposite

NamedElementname: String

0..*superClass

Type TypedElementtype1

DataType

Boolean String Natural

owner

⊤





EMOF Core as a Reference ModelFormal notation

Definition (EMOF Core)

The EMOF Core Reference Model is 〈〈RV ,RE〉,conformsTo〉 where :

RV , { NamedElement,Type,TypedElement,DataType,Boolean,String,Natural>,Class,Property }

RE , { 〈Class,ownedAttribute,Property〉,〈Class,isAbstract,Boolean〉,〈Class, inh,Type〉, . . . }

conformsTo(〈MV ,ME〉) , 〈MV ,ME〉 ∈ Model(RV, RE)∧ lower(TypedElement,type,1)∧ upper(TypedElement,type,1)∧ and other semantic properties (next slide). . .





EMOF Core as a Reference Model: semantics

Definition (Lower Property)

lower(c1 ∈ RV , r1 ∈ RE ,n ∈ Natural>) , 〈MV ,ME〉 7→∀〈o,c〉 ∈MV ,c = c1⇒ card({m2 ∈MV | 〈〈o,c1〉, r1,m2〉 ∈ME})≥ n

Definition (Opposite Property)

isOpposite(r1, r2 ∈ RE) , 〈MV ,ME〉 7→∀m1,m2 ∈MV ,〈m1, r1,m2〉 ∈ME ⇔ 〈m2, r2,m1〉 ∈ME

Definition (Abstract Classes)

isAbstract(r ∈ RE ,c1 ∈ RV ) , 〈MV ,ME〉 7→∀〈o,c〉 ∈MV ,c = c1⇒∃c2 ∈ RV ,〈〈o,c2〉, r ,〈o,c1〉〉 ∈ME

And also: upper, inheritance, composite, ordered . . . .B. Combemale (UR1, IRISA) Executable Metamodeling for Model V&V May 25, 2010 27 / 33




An Evaluation of COQ4MDE

Formalization of the EMOF_Corereference model (MCMOF ).

Verification of the EMOF_Coremetacircularity: definition of the MMOF

model conforms to MCMOF , and thepromotion P, s.t. P(MMOF ) = MCMOF

Formalization of the OMG’s pyramid.

MOF:MC










MOF:M

MOF:MC<<promotionOf>>

<<conformsTo>>










MOF:M

MOF:MC<<promotionOf>>

<<conformsTo>>

xSPEM:M xSPEM:MC<<promotionOf>>

<<conformsTo>>

Process:M<<conformsTo>>

Real World M0M1

M2

M3

metam

etamodel

metam

odel

model




Outline









Conclusion & Future Works

Main contributions:Methodological foundations for executable metamodeling⇒ a design pattern reifying information for model execution⇒ application1 to define simulators (UML, SysML, SAM...), and

transformations to model checker (TINA).

Formal foundations for executable metamodeling⇒ a formal framework implemented using the COQ proof assistant⇒ application to formally verify properties preserving transformations.

Other contributions:

Use of the previous foundations for process engineering (definition of aneXecutable SPEM2.0, with simulation and verification facilities) [APSEC’07],

Use of the previous foundations for models@runtime (specification andformalization of adaptation policies) [MoDELS’08].

1in the TOPCASED project (http://www.topcased.org)B. Combemale (UR1, IRISA) Executable Metamodeling for Model V&V May 25, 2010 30 / 33

http://www.topcased.org



Research Program

Methodological and Formal Foundations for Executable MetamodelingHow to build an executable DSML ? What systematic approach ?How to provide a formal support for MDE (executable metamodeling,transformation, composition) ? can a theory of model be defined ?

⇒ Hope to define a generic and formal framework for model execution (basedon Kermeta).

Model Validation & VerificationHow to integrate verification techniques by meta-approaches ?How to combine verification techniques (mainly testing, simulation,model-checking and proofs)

Models at runtimeHow to consider adaptation policies like a DSML’s behavioral semantics ?How to support V&V techniques at runtime ?




Interests at CSU

To prepare collaboration about the use of MDE for hardware andembedded systems,

To share experiences about semantics definition (e.g., fUML),

To define formal operator for model composition,I am also (generally) open minded, and curious about funny andchallenging problems...⇒ If you have this kind of problem, and the courage to bear my english...,

don’t hesitate !




Thank youfor your attention...

Questions?
