Verification of model transformations

Model transformations are a central element of model-driven development (MDD) approaches such as the model-driven architecture (MDA). The correctness of model transformations is critical to their effective use in practical software development, since users must be able to rely upon the transformations correctly preserving the semantics of models. In this paper we define a formal semantics for model transformations, and provide techniques for proving the termination, confluence and correctness of model transformations

A new approach to the semantics of model diagrams

Sometimes, a diagram can say more than a thousand lines of code. But, sadly, most of the time, software engineers give up on diagrams after the design phase, and all real work is done in code. The supremacy of code over diagrams would be leveled if diagrams were code. This paper suggests that model and instance diagrams, or, which amounts to the same, class and object diagrams, become first level entities in a suitably expressive programming language, viz., type theory. The proposed semantics of diagrams is compositional and self-describing, i.e., reflexive, or metacircular. Moreover, it is well suited for metamodelling and model driven engineering, as it is possible to prove model transformations correct in type theory. The encoding into type theory has the additional benefit of making diagrams immediately useful, given an implementation of type theory

Flexible Views for View-based Model-driven Development

Modern software development faces the problem of fragmentation of information across heterogeneous artefacts in different modelling and programming languages. In this dissertation, the Vitruvius approach for view-based engineering is presented. Flexible views offer a compact definition of user-specific views on software systems, and can be defined the novel ModelJoin language. The process is supported by a change metamodel for metamodel evolution and change impact analysis

Towards the Formal Verification of Model Transformations: An Application to Kermeta

Model-Driven Engineering (MDE) is becoming a popular engineering methodology for developing large-scale software applications, using models and transformations as primary principles. MDE is now being successfully applied to domain-specific languages (DSLs), which target a narrow subject domain like process management, telecommunication, product lines, smartphone applications among others, providing experts high-level and intuitive notations very close to their problem domain. More recently, MDE has been applied to safety-critical applications, where failure may have dramatic consequences, either in terms of economic, ecologic or human losses. These recent application domains call for more robust and more practical approaches for ensuring the correctness of models and model transformations. Testing is the most common technique used in MDE for ensuring the correctness of model transformations, a recurrent, yet unsolved problem in MDE. But testing suffers from the so-called coverage problem, which is unacceptable when safety is at stake. Rather, exhaustive coverage is required in this application domain, which means that transformation designers need to use formal analysis methods and tools to meet this requirement. Unfortunately, two factors seem to limit the use of such methods in an engineer’s daily life. First, a methodological factor, because MDE engineers rarely possess the effective knowledge for deploying formal analysis techniques in their daily life developments. Second, a practical factor, because DSLs do not necessarily have a formal explicit semantics, which is a necessary enabler for exhaustive analysis. In this thesis, we contribute to the problem of formal analysis of model transformations regarding each perspective. On the conceptual side, we propose a methodological framework for engineering verified model transformations based on current best practices. For that purpose, we identify three important dimensions: (i) the transformation being built; (ii) the properties of interest ensuring the transformation’s correctness; and finally, (iii) the verification technique that allows proving these properties with minimal effort. Finding which techniques are better suited for which kind of properties is the concern of the Computer-Aided Verification community. Consequently in this thesis, we focus on studying the relationship between transformations and properties. Our methodological framework introduces two novel notions. A transformation intent gathers all transformations sharing the same purpose, abstracting from the way the transformation is expressed. A property class captures under the same denomination all properties sharing the same form, abstracting away from their underlying property languages. The framework consists of mapping each intent with its characteristic set of property classes, meaning that for proving the correctness of a particular transformation obeying this intent, one has to prove properties of these specific classes. We illustrate the use and utility of our framework through the detailed description of five common intents in MDE, and their application to a case study drawn from the automative software domain, consisting of a chain of more than thirty transformations. On a more practical side, we study the problem of verifying DSLs whose behaviour is expressed with Kermeta. Kermeta is an object-oriented transformation framework aligned with Object Management Group standard specification MOF (Meta-Object Facility). It can be used for defining metamodels and models, as well as their behaviour. Kermeta lacks a formal semantics: we first specify such a semantics, and then choose an appropriate verification domain for handling the analysis one is interested in. Since the semantics is defined at the level of Kermeta’s transformation language itself, our work presents two interesting features: first, any DSL whose behaviour is defined using Kermeta (more precisely, any transformation defined with Kermeta) enjoys a de facto formal underground for free; second, it is easier to define appropriate abstractions for targeting specific analysis for this full-fledged semantics than defining specific semantics for each possible kind of analysis. To illustrate this point, we have selected Maude, a powerful rewriting system based on algebraic specifications equipped with model-checking and theorem-proving capabilities. Maude was chosen because its underlying formalism is close to the mathematical tools we use for specifying the formal semantics, reducing the implementation gap and consequently limiting the possible implementation mistakes. We validate our approach by illustrating behavioural properties of small, yet representative DSLs from the literature

Fundamental Approaches to Software Engineering

This open access book constitutes the proceedings of the 23rd International Conference on Fundamental Approaches to Software Engineering, FASE 2020, which took place in Dublin, Ireland, in April 2020, and was held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2020. The 23 full papers, 1 tool paper and 6 testing competition papers presented in this volume were carefully reviewed and selected from 81 submissions. The papers cover topics such as requirements engineering, software architectures, specification, software quality, validation, verification of functional and non-functional properties, model-driven development and model transformation, software processes, security and software evolution

Debugging Relational Declarative Models with Discriminating Examples

Models, especially those with mathematical or logical foundations, have proven valuable to engineering practice in a wide range of disciplines, including software engineering. Models, sometimes also referred to as logical specifications in this context, enable software engineers to focus on essential abstractions, while eliding less important details of their software design. Like any human-created artifact, a model might have imperfections at certain stages of the design process: it might have internal inconsistencies, or it might not properly express the engineer’s design intentions. Validating that the model is a true expression of the engineer’s intent is an important and difficult problem. One of the key challenges is that there is typically no other written artifact to compare the model to: the engineer’s intention is a mental object. One successful approach to this challenge has been automated example-generation tools, such as the Alloy Analyzer. These tools produce examples (satisfying valuations of the model) for the engineer to accept or reject. These examples, along with the engineer’s judgment of them, serve as crucial written artifacts of the engineer’s true intentions. Examples, like test-cases for programs, are more valuable if they reveal a discrepancy between the expressed model and the engineer’s design intentions. We propose the idea of discriminating examples for this purpose. A discriminating example is synthesized from a combination of the engineer’s expressed model and a machine-generated hypothesis of the engineer’s true intentions. A discriminating example either satisfies the model but not the hypothesis, or satisfies the hypothesis but not the model. It shows the difference between the model and the hypothesized alternative. The key to producing high-quality discriminating examples is to generate high-quality hypotheses. This dissertation explores three general forms of such hypotheses: mistakes that happen near borders; the expressed model is stronger than the engineer intends; or the expressed model is weaker than the engineer intends. We additionally propose a number of heuristics to guide the hypothesis-generation process. We demonstrate the usefulness of discriminating examples and our hypothesis-generation techniques through a case study of an Alloy model of Dijkstra’s Dining Philosophers problem. This model was written by Alloy experts and shipped with the Alloy Analyzer for several years. Previous researchers discovered the existence of a bug, but there has been no prior published account explaining how to fix it, nor has any prior tool been shown effective for assisting an engineer with this task. Generating high-quality discriminating examples and their underlying hypotheses is computationally demanding. This dissertation shows how to make it feasible

Une approche formelle à la synthèse des applications distribuées et leur déploiement automatique

Complex networked applications are assembled by connecting software componentsdistributed across multiple machines. Building and deploying such systems is achallenging problem which requires a significant amount of expertise: the systemarchitect must ensure that all component dependencies are satisfied, avoidconflicting components, and add the right amount of component replicas toaccount for quality of service and fault-tolerance. In a cloud environment, onealso needs to minimize the virtual resources provisioned upfront, to reduce thecost of operation. Once the full architecture is designed, it is necessary tocorrectly orchestrate the deployment process, to ensure all components areinstalled, started and connected in the right order.In this work, we describe the different variants of the Aeolus formal model andthe Zephyrus tool developed during the Aeolus research project, which attemptsto tackle the scientific challenges related to the administration of moderndistributed systems and solve them in practice. The various parts of the Aeolusmodel allow us to express a high-level specification of the desired system, theset of available components together with their requirements, and the maximalamount of virtual resources to be committed. The associated Zephyrus tool, basedon this formal model, is capable of automating the assembly of complexdistributed applications: it synthesizes the full architecture of the system,placing components in an optimal manner using the minimal number of availablemachines. Other tools developed in the Aeolus project can then be used toautomatically deploy the complete system in a cloud environment.Des applications reparties complexes sont assemblées en connectant descomposants logiciels distribués sur plusieurs machines. Concevoir et déployertels systèmes est un problème difficile, qui nécessite un niveau importantd'expertise: l'architecte système doit s'assurer que toutes les dépendances descomposants sont satisfaits, éviter les composants incompatibles et ajuster laquantité de répliques du chaque composant pour tenir compte de la qualité deservice et la tolérance aux pannes. Dans un environnement cloud il faut aussiminimiser les ressources virtuelles utilisées, afin de réduire le coût. Une foisl'architecture complète est conçue, il est nécessaire d'orchestrer correctementle processus de déploiement, en assurant que tous les composants sont installés,démarrés et connectés dans le bon ordre.Dans ce travail, nous décrivons le modèle formel Aeolus et l'outil Zephyrus,développés au cours du projet de recherche Aeolus, qui tente d'aborder les défisscientifiques liés à l'administration des systèmes distribués modernes et de lesrésoudre en pratique. Le modèle Aeolus nous permet d'exprimer une spécificationde haut niveau du système souhaité, l'ensemble des composants disponibles avecleurs exigences et la quantité maximale de ressources virtuelles à engager.L'outil Zephyrus, basé sur ce modèle formel, est capable d'automatiserl'assemblage des applications distribuées complexes: il synthétisel'architecture complète du système en plaçant les composants de manière optimalesur les machines disponibles. Autres outils développés dans le projet Aeoluspeuvent ensuite être utilisés pour déployer automatiquement le système completdans un environnement cloud