AUTOMATED VERIFICATION OF MODEL TRANSFORMATIONS IN THE AUTOMOTIVE INDUSTRY
GEHAN M. K. SELIM, FABIAN BÜTTNER, JAMES R. CORDY, JUERGEN DINGEL, SHIGE WANG
AGENDA
- Motivation
- Objective
- The Model Transformation Problem
- The Verification Methodology
- Case Study: Automatically Verifying the GM-2-AUTOSAR Transformation
- Results
  - Verifying the 18 OCL Constraints
  - Performance of the Verification Approach
- Discussion
  - Strengths of the Verification Approach
  - Weaknesses of the Verification Approach
- Conclusion & Future Work
MOTIVATION
- MDD
- Model Transformations
- Verification
Are these concepts practical to use in industry?
MOTIVATION
- Industrial experiences in adopting MDD…
  - T. Cottenier, A. Van Den Berg, T. Elrad "The Motorola WEAVR: Model Weaving in a Large Industrial Context" AOSD 2007.
  - P. Mohagheghi, V. Dehlen "Where is the Proof? A Review of Experiences from Applying MDE in Industry" ECMDA-FA 2008.
- Few studies on industrial model transformations…
  - A. Daghsen, K. Chaaban, S. Saudrais, P. Leserf "Applying Holistic Distributed Scheduling to AUTOSAR Methodology" ERTSS 2010.
  - H. Giese, S. Hildebrandt, S. Neumann "Model Synchronization at Work: Keeping SysML and AUTOSAR Models Consistent" Graph Transformations & Model-Driven Engineering 2010.
  - G. Selim, S. Wang, J. Cordy, J. Dingel "Model Transformations for Migrating Legacy Models: An Industrial Case Study" ECMFA 2012.
- Verifying industrial model transformations ??
OBJECTIVE
What?
• Validate an industrial model transformation [1]
How?
• Using an automated verification prototype [2]
Why?
• Report on the practicality of using automated verification in industry
• Discuss any issues that need to be addressed for the industry to readily adopt such prototypes
[1] G. Selim, S. Wang, J. Cordy, J. Dingel "Model Transformations for Migrating Legacy Models: An Industrial Case Study", ECMFA 2012
[2] F. Büttner, M. Egea, J. Cabot, M. Gogolla "Verification of ATL Transformations Using Transformation Models and Model Finders", ICFEM 2012
THE MODEL TRANSFORMATION PROBLEM
Diagram: GM Models (conforming to the GM Metamodel) --GM-2-AUTOSAR Transformation--> AUTOSAR Models (conforming to the AUTOSAR Metamodel)
[1] G. Selim, S. Wang, J. Cordy, J. Dingel "Model Transformations for Migrating Legacy Models: An Industrial Case Study", ECMFA 2012
THE VERIFICATION METHODOLOGY
Transformation Model (OCL) [1]:
- Elements representing $T$, $\mathit{MM}_{src}$, $\mathit{MM}_{tar}$
- OCL constraint sets: SEM, PRE, POST
Diagram: ATL Transformation $T$ (with Source Metamodel $\mathit{MM}_{src}$ and Target Metamodel $\mathit{MM}_{tar}$) --transform--> Transformation Model (OCL)
[1] F. Büttner, M. Egea, J. Cabot, M. Gogolla "Verification of ATL Transformations Using Transformation Models and Model Finders", ICFEM 2012
THE VERIFICATION METHODOLOGY
What
• Check partial correctness of the transformation model w.r.t. properties (OCL constraints)
How
• Check whether there is a counter-example within a given scope (i.e., maximum number of objects per class)
• Use satisfiability checkers or model finders, e.g., the USE Validator [1][2]
For each property $\mathit{Post}_i$, the following must be unsatisfiable:
$$\mathit{Sem} \wedge \mathit{Pre}_1 \wedge \dots \wedge \mathit{Pre}_n \wedge \neg\,\mathit{Post}_i$$
[1] M. Kuhlmann, L. Hamann, M. Gogolla "Extensive Validation of OCL Models by Integrating SAT Solving into USE" TOOLS 2011
[2] The USE Validator. Available online, http://sourceforge.net/projects/useocl/files/Plugins/ModelValidator/
THE VERIFICATION METHODOLOGY
- Run the prototype to generate the USE specification & the search configuration
- Add the constraints to the USE specification & negate the constraint under test in the search configuration
- Run the tool once for each of the postconditions
Pipeline: ATL + Ecore + OCL -> Ecore + OCL -> Relational Logic -> Propositional Logic
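The check described above, as an added example that is not part of the original slides or of the authors' prototype: for each postcondition Post_i, search a bounded scope for a model that satisfies the transformation semantics (Sem) but violates Post_i. The SAT-based model finder (USE Validator) is replaced here by exhaustive enumeration of source models up to the scope; because the toy transformation is a deterministic function, Sem holds exactly for the pairs (src, transform(src)), so the two searches cover the same space. The metamodels, the two ATL-like rule sets, the attribute domain and the three OCL-like postconditions are all constructed for illustration and are not the GM/AUTOSAR artefacts of the paper; the two defects planted in `transform_buggy` are chosen so that one is found at scope 1 and the other only at scope 2, which is the scope-dependence point made in the weaknesses slide.

```python
"""Bounded verification of a toy model transformation (constructed example).

For each postcondition Post_i the slides require that
    Sem and Pre_1 and ... and Pre_n and not Post_i
be unsatisfiable within a scope k (maximum number of objects per class).
A satisfying model is a counter-example; none within the scope means the
property holds up to k, which is not a proof for larger models.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import Callable, Dict, Iterator, List, Optional, Tuple

NAMES = ("ab", "ac")  # constructed attribute domain for Module.name


@dataclass(frozen=True)
class Module:  # source metamodel (constructed)
    name: str
    provides_service: bool


@dataclass(eq=False)
class ComponentPrototype:  # target metamodel (constructed)
    short_name: str
    ports: List["PPortPrototype"] = field(default_factory=list)


@dataclass(eq=False)
class PPortPrototype:
    component: Optional[ComponentPrototype]  # multiplicity 1..1 in the metamodel


@dataclass
class TargetModel:
    components: List[ComponentPrototype]
    ports: List[PPortPrototype]


Transformation = Callable[[List[Module]], TargetModel]
Postcondition = Callable[[List[Module], TargetModel], bool]


def transform_buggy(src: List[Module]) -> TargetModel:
    """Two planted defects: shortName is truncated to one character (breaks
    uniqueness only when two modules share a prefix, so scope >= 2 is needed),
    and the port created for a service is never linked to its component."""
    tar = TargetModel([], [])
    for m in src:
        c = ComponentPrototype(short_name=m.name[:1])
        tar.components.append(c)
        if m.provides_service:
            tar.ports.append(PPortPrototype(component=None))
    return tar


def transform_fixed(src: List[Module]) -> TargetModel:
    """Corrected rules: full name copied, port owned by its component."""
    tar = TargetModel([], [])
    for m in src:
        c = ComponentPrototype(short_name=m.name)
        tar.components.append(c)
        if m.provides_service:
            p = PPortPrototype(component=c)
            c.ports.append(p)
            tar.ports.append(p)
    return tar


# Target invariant (multiplicity): every PPortPrototype is owned by one component.
def post_port_multiplicity(src: List[Module], tar: TargetModel) -> bool:
    return all(p.component is not None and p in p.component.ports for p in tar.ports)


# Uniqueness contract: if Module.name is unique, ComponentPrototype.shortName is unique.
def post_short_name_unique(src: List[Module], tar: TargetModel) -> bool:
    names = [m.name for m in src]
    if len(names) != len(set(names)):
        return True  # premise false, contract holds vacuously
    short = [c.short_name for c in tar.components]
    return len(short) == len(set(short))


# Pattern contract: a Module providing a service yields a component with a port.
def post_service_has_port(src: List[Module], tar: TargetModel) -> bool:
    return all(c.ports for m, c in zip(src, tar.components) if m.provides_service)


POSTCONDITIONS: Dict[str, Postcondition] = {
    "port_multiplicity": post_port_multiplicity,
    "short_name_unique": post_short_name_unique,
    "service_has_port": post_service_has_port,
}


def source_models(scope: int) -> Iterator[List[Module]]:
    """Enumerate every source model with at most `scope` Module objects."""
    atoms = [Module(n, s) for n in NAMES for s in (False, True)]
    for size in range(scope + 1):
        for combo in product(atoms, repeat=size):
            yield list(combo)


def find_counterexample(transform: Transformation, post: Postcondition,
                        scope: int) -> Optional[Tuple[List[Module], TargetModel]]:
    """Return (src, tar) satisfying Sem and not Post_i, or None if unsat in scope."""
    for src in source_models(scope):
        tar = transform(src)  # Sem: tar is exactly what the rules produce for src
        if not post(src, tar):
            return src, tar
    return None


def verify(transform: Transformation, scope: int):
    """Run the check once per postcondition, as the slides do per constraint."""
    return {name: find_counterexample(transform, post, scope)
            for name, post in POSTCONDITIONS.items()}


if __name__ == "__main__":
    for k in (1, 2):
        found = {n: (r[0] if r else None) for n, r in verify(transform_buggy, k).items()}
        print(f"buggy, scope {k}: {found}")
    print("fixed, scope 3:", verify(transform_fixed, 3))
```

Running the block shows the scope effect directly: at scope 1 only the unlinked port is reported, the truncated shortName appears first at scope 2, and the corrected rules produce no counter-example up to scope 3. Exhaustive enumeration grows as (number of atoms)^scope, which is why the prototype delegates the search to a SAT solver once the scope reaches the values reported later in the deck.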
CASE STUDY: AUTOMATICALLY VERIFYING THE GM-2-AUTOSAR TRANSFORMATION
Old Implementation
• 2 ATL Matched Rules
• 9 Functional Helpers
• 6 Attribute Helpers
New Implementation
• 3 Matched Rules
• 2 Lazy Rules
CASE STUDY: AUTOMATICALLY VERIFYING THE GM-2-AUTOSAR TRANSFORMATION
18 OCL Postconditions
- Target Invariants
  - 6 Multiplicity Invariants
  - 1 Security Invariant
- Transformation Contracts
  - 9 Uniqueness Contracts
  - 2 Pattern Contracts
Diagram labels: Automatically Generated by the Prototype / Manually Formulated
OCL Preconditions … ?
CASE STUDY: AUTOMATICALLY VERIFYING THE GM-2-AUTOSAR TRANSFORMATION
- Multiplicity Invariants (6): M' conforms to MM'
- Uniqueness Contracts (9), e.g.: if 'name' is unique for Module, then 'shortName' is unique for ComponentPrototype
- Security Invariant (1): every ComponentPrototype assigned to an EcuInstance by a mapping of a System is also contained in that System
- Pattern Contracts (2), e.g.: if a PhysicalNode provides some Service, then the corresponding System is connected to a PPortPrototype
Diagram: GM Metamodel MM <<conforms to>> Model M; T <<transforms>> Model M into Model M'; AUTOSAR Metamodel MM' <<conforms to>> Model M'
RESULTS: VERIFYING THE 18 OCL CONSTRAINTS
- 2 of the 18 constraints (both multiplicity invariants) are violated, i.e., 2 counter-examples were found:
  - CompositionType_component
  - SwcToEcuMapping_component
- 2 bugs fixed and all 18 constraints rechecked
RESULTS: PERFORMANCE OF THE VERIFICATION APPROACH
- Standard laptop (2.50 GHz, 16 GB of memory)
- Ran the verification prototype:
  - once for each constraint
  - for scopes up to 12
- For each scope & constraint, 2 numbers were recorded:
  - Translation Time: time taken to translate the relational-logic representation of the transformation into propositional logic.
  - Constraint Solving Time: time taken by the SAT solver to solve the propositional representation of the transformation.
RESULTS: PERFORMANCE OF THE VERIFICATION APPROACH
Table: translation time (sec) \ constraint solving time (sec), per constraint and scope
DISCUSSION: STRENGTHS OF THE VERIFICATION APPROACH
Full Automation
• Translation from ATL & constrained metamodels to a constrained Ecore model & then to relational logic
• Verification of industrial transformation models up to a scope of 12!
Verifying a Substantial Subset of ATL
• Except for imperative blocks, recursive lazy rules, & recursive queries
• 83/131 transformations in the ATL Zoo are in this fragment… 24 of the remaining 48 transformations can be expressed declaratively… too!
DISCUSSION: WEAKNESSES OF THE VERIFICATION APPROACH
Correctness of the ATL-2-Relational-Logic Translation
• Testing & inspection
• BUT cannot formally prove correctness: no formal semantics for ATL & OCL
Bounded Search Approach
• Scope too small to verify the transformation?
• The maximum scope to use is transformation-dependent
CONCLUSION & FUTURE WORK
- Demonstrated using an automated verification prototype [1] to verify an industrial transformation [2]
- Result: the prototype uncovered 2 bugs!
- Performance: verifying the transformation up to a scope of 12 was possible!
Application of automated verification to a case study was successful & practical to use in an industrial context
[1] F. Büttner, M. Egea, J. Cabot, M. Gogolla "Verification of ATL Transformations Using Transformation Models and Model Finders", ICFEM 2012
[2] G. Selim, S. Wang, J. Cordy, J. Dingel "Model Transformations for Migrating Legacy Models: An Industrial Case Study", ECMFA 2012
CONCLUSION & FUTURE WORK
- More industrial transformations in the case study
- Use incremental SAT solvers
- Pruning of the transformation model
Thank You. Questions?