A Deductive Approach for Fault Localization in ATL Model Transformations

International audienceIn model-driven engineering, correct model transformation is essential for reliably producing the artifacts that drive software development. While the correctness of a model transformation can be specified and checked via contracts, debugging unverified contracts imposes a heavy cognitive load on transformation developers. To improve this situation, we present an automatic fault localization approach, based on natural deduction, for the ATL model transformation language. We start by designing sound natural deduction rules for the ATL language. Then, we propose an automated proof strategy that applies the designed deduction rules on the postconditions of the model transformation to generate sub-goals: successfully proving the sub-goals implies the satisfaction of the postconditions. When a sub-goal is not verified, we present the user with sliced ATL model transformation and predicates deduced from the postcondition as debugging clues. We provide an automated tool that implements this process. We evaluate its practical applicability using mutation analysis, and identify its limitations

On verifying ATL transformations using 'off-the-shelf' SMT solvers

International audienceMDE is a software development process where models constitute pivotal elements of the software to be built. If models are well-specified, transformations can be employed for various purposes, e.g., to produce final code. However, transformations are only meaningful when they are 'correct': they must produce valid models from valid input models. A valid model has conformance to its meta-model and fulfils its constraints, usually written in OCL. In this paper, we propose a novel methodology to perform automatic, unbounded verification of ATL transformations. Its main component is a novel first-order semantics for ATL transformations, based on the interpretation of the corresponding rules and their execution semantics as first-order predicates. Although, our semantics is not complete, it does cover a significant subset of the ATL language. Using this semantics, transformation correctness can be automatically verified with respect to non-trivial OCL pre- and postconditions by using SMT solvers, e.g. Z3 and Yices

Incremental Deductive Verification for Relational Model Transformations

International audienceIn contract-based development of model transformations, continuous deductive verification may help the transformation developer in early bug detection. However, because of the execution performance of current verification systems, re-verifying from scratch after a change has been made would introduce impractical delays. We address this problem by proposing an incremental verification approach for the ATL model-transformation language. Our approach is based on decomposing each OCL contract into sub-goals, and caching the sub-goal verification results. At each change we exploit the semantics of relational model transformation to determine whether a cached verification result may be impacted. Consequently, less postconditions/sub-goals need to be re-verified. When a change forces the re-verification of a postcondition, we use the cached verification results of sub-goals to construct a simplified version of the postcondition to verify. We prove the soundness of our approach and show its effectiveness by mutation analysis. Our case study presents an approximate 50% reuse of verification results for postconditions, and 70% reuse of verification results for sub-goals. The user perceives about 56% reduction of verification time for postconditions, and 51% for sub-goals

Evaluating well-formedness constraints on incomplete models

In modern modeling tools used for model-driven development, the validation of several well-formedness constraints is continuously been carried out by exploiting advanced graph query engines to highlight conceptual design flaws. However, while models are still under development, they are frequently partial and incomplete. Validating constraints on incomplete, partial models may identify a large number of irrelevant problems. By switching off the validation of these constraints, one may fail to reveal problematic cases which are difficult to correct when the model becomes sufficiently detailed. Here, we propose a novel validation technique for evaluating well-formedness constraints on incomplete, partial models with may and must semantics, e.g. a constraint without a valid match is satisfiable if there is a completion of the partial model that may satisfy it. To this end, we map the problem of constraint evaluation over partial models into regular graph pattern matching over complete models by semantically equivalent rewrites of graph queries

Certifying a Rule-Based Model Transformation Engine for Proof Preservation

International audienceExecutable engines for relational model-transformation languages evolve continuously because of language extension, performance improvement and bug fixes. While new versions generally change the engine semantics, end-users expect to get backward-compatibility guarantees, so that existing transformations do not need to be adapted at every engine update.The CoqTL model-transformation language allows users to define model transformations, theorems on their behavior and machine-checked proofs of these theorems in Coq. Backward-compatibility for CoqTL involves also the preservation of these proofs. However, proof preservation is challenging, as proofs are easily broken even by small refactorings of the code they verify.In this paper we present the solution we designed for the evolution of CoqTL, and by extension, of rule-based transformation engines. We provide a deep specification of the transformation engine, including a set of theorems that must hold against the engine implementation. Then, at each milestone in the engine development, we certify the new version of the engine against this specification, by providing proofs of the impacted theorems. The certification formally guarantees end-users that all the proofs they write using the provided theorems will be preserved through engine updates. We illustrate the structure of the deep specification theorems, we produce a machine-checked certification of three versions of CoqTL against it, and we show examples of user theorems that leverage this specification and are thus preserved through the updates

Un entorno de pruebas de mutación en Eclipse

Una técnica para medir la efectividad de un conjunto de casos de prueba y ayudar a mejorarlo son las pruebas de mutación. En las pruebas de este tipo, se insertan fallos en un programa para obtener distintas versiones erróneas del mismo. Al error introducido en el programa se le denomina mutación y a las nuevas versiones del programa inicial se les llama mutantes, y se utilizan para comprobar si, dado un conjunto de casos de prueba, éste es capaz de detectar los fallos introducidos en cada mutante. En caso de no detectarlos, el desarrollador debe proporcionar nuevos casos de prueba que detecten los mutantes creados, mejorando de este modo la calidad del conjunto de casos de prueba inicial. El objetivo de este Trabajo de Fin de Grado es construir una herramienta de mutación que genere de forma automática mutantes de un programa escrito en el lenguaje ATL (Atlas Transformation Language), para posteriormente poder medir la eficacia del conjunto de casos de prueba diseñado para probar el programa. ATL es un lenguaje de programación para definir transformaciones de modelos, que son un tipo de programa software cuyos argumentos de entrada y salida son modelos. Se utilizan dentro del paradigma de Desarrollo Dirigido por Modelos, que es un método de desarrollo de software en el que los datos que se manejan son modelos. Las mutaciones que se generan y describen en el presente trabajo están orientadas a este tipo de software.Mutation testing is a technique to measure the efficacy of a set of test cases and help to improve it. On this kind of testing, faults are injected into a program to get faulty versions of it. Errors introduced in the program are called mutations and the new versions of the original program are called mutants, and they are used to check whether, given a set of test cases, this is able to detect the faults introduced in each mutant. If they are not detected, the developer must provide new test cases that detect the created mutants, thus improving the overall quality of the initial test set. The objective of this Bachelor’s Project is to build a mutation tool to generate automatically mutants of a program written with the ATL language (Atlas Transformation Language), and measure the efficacy of a set of test cases designed for testing the program. ATL is a programming language to implement model transformations, which are programs whose input and output arguments are models. They are used in the context of Model Driven Development, which is a software development method where the manipulated data are models. The mutations generated and described on this work are oriented to this kind of software

CoqTL: A Coq DSL for Rule-Based Model Transformation

International audienc

Verification of ATL Transformations Using Transformation Models and Model Finders Verification of ATL Transformations Using Transformation Models and Model Finders

Abstract. In model-driven engineering, models constitute pivotal elements of the software to be built. If models are specified well, transformations can be employed for different purposes, e.g., to produce final code. However, it is important that models produced by a transformation from valid input models are valid, too, where validity refers to the metamodel constraints, often written in OCL. Transformation models are a way to describe this Hoare-style notion of partial correctness of model transformations using only metamodels and constraints. In this paper, we provide an automatic translation of declarative, rule-based ATL transformations into such transformation models, providing an intuitive and versatile encoding of ATL into OCL that can be used for the analysis of various properties of transformations. We furthermore show how existing model verifiers (satisfiability checkers) for OCL-annotated metamodels can be applied for the verification of the translated ATL transformations, providing evidence for the effectiveness of our approach in practice