Business Informatics Group

Institute of Software Technology and Interactive Systems Vienna University of Technology

Favoritenstraße 9-11/188-3, 1040 Vienna, Austriaphone: +43 (1) 58801-18804 (secretary), fax: +43 (1) 58801-18896office@big.tuwien.ac.at, www.big.tuwien.ac.at

Right or Wrong? – Verification of Model Transformations using Colored Petri Nets*M. Wimmer, G. Kappel, A. Kusel, W. Retschitzegger, J. Schönböck and W. Schwinger

9th OOPSLA Workshop on Domain-Specific Modeling, 26th October, 2009, Orlando

Johannes Schönböck

*This work has been partly funded by the Austrian Science Fund (FWF) under grant P21374-N13.

Introduction

2

MDE (Model-Driven Engineering) places models as first-class artifacts throughout the software lifecycle

essential prerequisite are transformation languages

ER DiagramModel

UML Class Model

Hor

izon

tal

Tra

nsfo

rmat

ion

ExampleTROPICIntroduction Taxonomy Lessons Learned

Introduction

Transformationconforms

New TargetModel

New TargetModel

TargetMetamodel

TargetMetamodel

SourceMetamodel

SourceMetamodel

SourceModel

SourceModel

attr

Class

Attribute

SourceMetamodel

name:String

Type

type

*

1

Class XClass X

cols

Table

type:String

Column

TargetMetamodel

*conforms

Source Model

PersonPerson

ID:IntegerName:String

NewTarget Model

ID NameID Name

Table Person

transformation umlToRdbms(class:Class1, rel:Relational1){

top relation ClassToTable{

cn: String; checkonly domain class c:Class{name=cn, attributes=a:Attribute{}}; enforce domain rel t:Table{name=cn, columns=cl:Column{}}; where{ AttributeToColumn(a,cl); }}

relation AttributeToColumn{

an, tn: String; checkonly domain class a:Attribute{name=an, type=ty:Type{name=tn}}; enforce domain rel cl:Column{name=an, type=tn};

}} QVT Relations Code Example

3

• How can one reuse transformation logic?

Transformations have to be defined from

scratch again and again• How does the transformation get executed?

Debugging of the transformation logic is hard• How to ensure correct transformation specifications?

Formal verification methods are missing

ExampleTROPICIntroduction Taxonomy Lessons Learned

attr

Class

Attribute

SourceMetamodel

name:String

Type

type

*

1

Class XClass X

cols

Table

type:String

Column

TargetMetamodel

*

Source Model

PersonPerson

ID:IntegerName:String

NewTarget Model

ID NameID Name

Table Person

TROPIC in a Nutshell (1/2)Mapping View

TransformationMapping Operator

Library

R2RR2RC2AC2A

C2CC2CC2CC2CC2CC2C

R2RR2RC2AC2A How can one reuse transformation logic?

• Interfaces are typed by the types of the

MM-Model (EClass, EAttribute, EReference)• Mapping Operators can be bound to arbitrary

metamodels

4

ExampleTROPICIntroduction Taxonomy Lessons Learned

TROPIC in a Nutshell (2/2)Transformation View

attr

Class

Attribute

SourceMetamodel

name:String

Type

type

*

1

Class XClass X

cols

Table

type:String

Column

TargetMetamodel

*

Source Model

PersonPerson

ID:IntegerName:String

NewTarget Model

ID NameID Name

Table Person

R2RR2R

C2AC2A

C2CC2C

C2CC2C

Class

Class_attr

Attribute

Type

Type_name

Attribute_type

Table

Column

Table_cols

Column_type

C2C

C2C

R2R

C2A

instan

tiated

eriv

e

5Colored Petri Nets

simulate verifytranslate

State Space

construct

How does the transformation get executed?

• Transformation Nets provide an explicit runtime model

• By observing the simulation in the Transformation Nets, errors can

be easily detected

How to ensure correct transformation specifications?

• Since Transformation Nets form a DSL on top of Standard Colored

Petri Nets, properties can be used for formal verification

ExampleTROPICIntroduction Taxonomy Lessons Learned

Class2Relational Example

6

Translating Transformation Nets to CPNs

TROPICIntroduction Taxonomy Lessons LearnedExample

Transformation Problem

TROPIC CPN State Space

specification

verification

simulation

translate construct

Mo

del

s (M

1)M

Ms

(M2)

AttributeAttributeClassClass

parent **attr

C1: ClassPerson

C1: ClassPerson

A2 : AttributeaddressA2 : Attributeaddress

A1 : AttributenameA1 : Attributenameattr

parent

attr

C2 : ClassC

Customer

C2 : ClassC

Customer

C3 : ClassCustomerSpcial

C3 : ClassCustomerSpcial

A3 : AttributecustIdA3 : AttributecustId

A4 : AttributecreditLimitA4 : AttributecreditLimit

attr

attrparent

TableTableColumnColumn

*cols

Source Target

A3 : ColumncustIdA3 : ColumncustId

C1 : TablePersonPPerson

C1 : TablePersonPPerson

A1 : ColumnnameA1 : Columnname

A2 : ColumnaddressA2 : Columnaddress

A4 : ColumncreditLimitA4 : ColumncreditLimitcols

cols

colscols

Transformation

Mo

de

ls (

M1)

MM

s(M

2)

AttributeAttributeClassClass

parent **attr

C1: ClassPerson

C1: ClassPerson A2 : Attribute

addressA2 : Attributeaddress

A1 : AttributenameA1 : Attributenameattr

parent

attr

C2 : ClassC

Customer

C2 : ClassC

Customer

C3 : ClassCustomerSpcial

C3 : ClassCustomerSpcial

A3 : AttributecustIdA3 : AttributecustId

A4 : AttributecreditLimitA4 : AttributecreditLimit

attr

attrparent

TableTable ColumnColumn*cols

Source Target

A3 : ColumncustIdA3 : ColumncustId

C1 : TablePersonPPerso n

C1 : TablePersonPPerso n

A1 : Columnname

A1 : Columnname

A2 : ColumnaddressA2 : Columnaddress

A4 : ColumncreditLimitA4 : ColumncreditLimitcols

cols

colscols

Transformation

Mo

de

ls (

M1)

MM

s(M

2)

AttributeAttributeAttributeAttributeClassClassClassClass

parent **attr

C1: ClassPerson

C1: ClassPerson A2 : Attribute

addressA2 : AttributeaddressA2 : AttributeaddressA2 : Attributeaddress

A1 : AttributenameA1 : AttributenameA1 : AttributenameA1 : Attributenameattr

parent

attr

C2 : ClassC

Customer

C2 : ClassC

Customer

C3 : ClassCustomerSpcial

C3 : ClassCustomerSpcial

A3 : AttributecustIdA3 : AttributecustIdA3 : AttributecustIdA3 : AttributecustId

A4 : AttributecreditLimitA4 : AttributecreditLimitA4 : AttributecreditLimitA4 : AttributecreditLimit

attr

attrparent

TableTableTableTable ColumnColumnColumnColumn*cols

Source Target

A3 : ColumncustIdA3 : ColumncustIdA3 : ColumncustIdA3 : ColumncustId

C1 : TablePersonPPerso n

C1 : TablePersonPPerso n

C1 : TablePersonPPerso n

C1 : TablePersonPPerso n

A1 : Columnname

A1 : ColumnnameA1 : Columnname

A1 : Columnname

A2 : ColumnaddressA2 : ColumnaddressA2 : ColumnaddressA2 : Columnaddress

A4 : ColumncreditLimitA4 : ColumncreditLimitA4 : ColumncreditLimitA4 : ColumncreditLimitcols

cols

colscols

Transformation

Class2Relational Example

7

Translating Transformation Nets to CPNs

TROPICIntroduction Taxonomy Lessons LearnedExample

Transformation Problem

TROPIC CPN State Space

specification

verification

simulation

translate construct

Example realized in Transformation Nets

• To be simulated

• To be verified

Class2Relational Example

8

Translating Transformation Nets to CPNs

Transformation Problem

TROPIC CPN State Space

specification

verification

simulation

translate construct

• DSL (Transformation Nets) hides complexity of CPNs

• DSL (Transformation Nets) introduces specific

concepts for the domain of model transformations

• But CPN Tools provide

- Efficient execution engine for simulation

- State space analysis for verification

TROPICIntroduction Taxonomy Lessons LearnedExample

Class2Relational Example

9

Translating Transformation Nets to CPNs

• Construction of State Space allows

exploration of formal properties

- Boundedness

- Liveness

- Home State

- Dead Marking

Transformation Problem

TROPIC CPN State Space

specification

verification

simulation

translate construct

TROPICIntroduction Taxonomy Lessons LearnedExample

10

Class2Relational ExampleVerification using Properties

Model Comparison using Boundedness propertiesComparison of generated target model to an expected target model

Integer Bounds Upper Lower…Table_cols 3 0…..Upper Multi-Set Bounds …Table_cols 1`(1200,"Person",1,"name")++ 1`(1200,"Person",2,"addr")++ 1`(1200,"Person",6,"custID")…Home Markings [1320]Dead Markings [1320]Dead Transition InstancesTransitiveClosureLinker

Expected Target Model

A3 : ColumncustIdA3 : ColumncustIdA3 : ColumncustIdA3 : ColumncustId

C1 : TablePersonPPerson

C1 : TablePersonPPerson

C1 : TablePersonPPerson

C1 : TablePersonPPerson

A1 : Columnname

A1 : ColumnnameA1 : Columnname

A1 : Columnname

A2 : ColumnaddressA2 : ColumnaddressA2 : ColumnaddressA2 : Columnaddress

A4 : ColumncreditLimitA4 : ColumncreditLimitA4 : ColumncreditLimitA4 : ColumncreditLimitcols

cols

colscols

TROPICIntroduction Taxonomy Lessons LearnedExample

Class2Relational Example

11

Verification using Properties

Transition error detection using Liveness propertiesL0-Liveness to detect Dead Transition Instances

Integer Bounds Upper Lower…Table_cols 3 0…..Upper Multi-Set Bounds …Table_cols 1`(1200,"Person",1,"name")++ 1`(1200,"Person",2,"addr")++ 1`(1200,"Person",6,"custID")…Home Markings [1320]Dead Markings [1320]Dead Transition InstancesTransitiveClosureLinker

A : Class(White)

A : Class(White)

parent

B : ClassC

(Black)

B : ClassC

(Black)C : Class(Grey)

C : Class(Grey)

parent

Corrected Solution

A : Class(Grey)

A : Class(Grey)

parent

B : ClassC

(White)

B : ClassC

(White)

C : Class(Black)

C : Class(Black)

parent

TROPICIntroduction Taxonomy Lessons LearnedExample

Class2Relational Example

12

Verification using Properties

Termination and confluence verification using Dead and Home MarkingsDead Marking is prerequisite for terminationHome Marking is prerequisite for confluenceEqual Dead and Home marking are necessary to ensure termination

Upper Multi-Set Bounds …Table_cols 1`(1200,"Person",1,"name")++ 1`(1200,"Person",2,"addr")++ 1`(1200,"Person",6,"custID")++ 1`(1200,”Person”,8,”creditLimit)…

Home Markings [1320]Dead Markings [1320]

TROPICIntroduction Taxonomy Lessons LearnedExample

Taxonomy of Transformation Errors and CPN Properties

TransformationLogic

Intra-Rule

Inter-Rule

LHS

RHS

wrong source MM element

wrong/too strong/too weak matching pattern

non-satisfiable matching pattern

LivenessBoundednessReachability

Liveness

wrong arc from place to transition

wrong/incomplete color pattern in LHS of transition

non-satisfiable color pattern with respect to MM

wrong target MM element

wrong instantiation of target elements

ReachabilityBoundedness

wrong arc from transition to target place

wrong/incomplete color pattern in RHS of transition

missing/redundant source MM elements

missing/redundant target MM elements

wrong intermediate results/dependencies

ReachabilityBoundedness

missing/redundant arcs from source place to transition

wrong tokens in/wrong connection to trace place

missing/redundant arcs from transition to target place

Source MM

coverage

Target MM

coverage

Runtime behavior

non-termination Dead State

hungry transitions sharing same source place

Home StatePersistence

non-determinism/non-confluence

loops producing new colored tokens

Location Granularity Type Transformation Net CPN Property

13

TROPICIntroduction Taxonomy Lessons LearnedExample

Lessons Learned

14

History ensures terminationDifficult to check in other transformation languages (graph

transformations)

Visual syntax and live programming fosters debuggingFlow of tokens undergoing certain transformations can be followed

Concurrency in Petri Nets allows parallel execution of model transformations

Parts of transformation logic can run in parallel

State Space explosion limits model sizeCPN Tools only support full state spaceState Space reduction methods (Stubborn Sets)ASAP Tool (http://www.daimi.au.dk/~ascoveco/)

TROPICIntroduction Taxonomy Lessons LearnedExample

Thank you for your attention!Questions

http://www.modeltransformation.net