Semantical Correctness of Simulation-to-Animation Model and Rule Transformation Electronic Communications of the EASST Volume 4 (2006) Proceedings of the Second International Workshop on Graph and Model Transformation (GraMoT 2006) Semantical Correctness of Simulation-to-Animation Model and Rule Transformation Claudia Ermel, Hartmut Ehrig, and Karsten Ehrig 14 pages Guest Editors: Gabor Karsai, Gabriele Taentzer Managing Editors: Tiziana Margaria, Julia Padberg, Gabriele Taentzer ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122 http://www.easst.org/eceasst/ ECEASST Semantical Correctness of Simulation-to-Animation Model and Rule Transformation Claudia Ermel1, Hartmut Ehrig1, and Karsten Ehrig2 1 Institut für Softwaretechnik und Theoretische Informatik Technische Universität Berlin, Germany lieske@cs.tu-berlin.de, ehrig@cs.tu-berlin.de 2 Department of Computer Science, University of Leicester, UK karsten@mcs.le.ac.uk Abstract: In the framework of graph transformation, simulation rules are well- known to define the operational behavior of visual models. Moreover, it has been shown already how to construct animation rules in a domain specific layout from simulation rules. An important requirement of this construction is the semantical correctness which has not yet been considered. In this paper we give a precise definition for simulation-to-animation (S2A) model and rule transformations. Our main results show under which conditions semantical correctness can be obtained. The results are applied to analyze the S2A transformation of a Radio Clock model. Keywords: graph transformation, model and rule transformation, semantical cor- rectness, simulation, animation 1 Introduction In recent years, visual models represented by graphs have become very popular in model-based software development, as the wide-spread use of UML and Petri nets proves. For the definition of an operational semantics for visual models, the transformation of graphs plays a similar central role as term rewriting in the traditional case of textual models. The area of graph transformation provides a rule-based setting to express the semantics of visual models (see e.g. [Roz97]). The objective of simulation rules is their application to the states of a visual model, deriving subse- quent model states, thus characterizing system evolution. A simulation scenario, i.e. a sequence of such simulation steps can be visualized by showing the states before and after each simulation rule application as graphs. For validation purposes, simulation may be extended to a domain specific view, called anima- tion view [EB04, EE05b, EHKZ05], which allows to define scenario visualizations in the layout of the application domain. The animation view is defined by extending the alphabet of the origi- nal visual modeling language by symbols representing entities from the application domain. The simulation rules for a specific visual model are translated to the animation view by performing a simulation-to-animation model and rule transformation (S2A transformation), realizing a consis- tent mapping from simulation steps to animation steps which can be visualized in the animation view layout. S2A transformation is defined by a set of S2A graph transformation rules, and an additional formal construction allowing to apply S2A rules to simulation rules, resulting in a new set of graph transformation rules, called animation rules. 1 / 14 Volume 4 (2006) mailto:lieske@cs.tu-berlin.de mailto:ehrig@cs.tu-berlin.de mailto:karsten@mcs.le.ac.uk Semantical Correctness of S2A Transformation Comparable theoretical research in the area of applying graph transformation rules to rules has been done by Parisi-Presicce [PP96]. His approach has provided the basis of our definition of S2A transformations which additionally allows to transform not only the rule interfaces, and which also treats negative application conditions (NACs), both for the transforming rules and for the transformed rules. An important requirement is the semantical correctness of the S2A transformation in the sense that the behavior of the original model is preserved in the animation view. In this paper, we give a formal definition for S2A transformations and show under which conditions semantical correctness can be obtained. In our approach, an S2A transformation generates one animation rule for each simulation rule. Hence, our notion of semantical correctness implies that each animation step (obtained by applying an animation rule) corresponds to a simulation step of the original model. Please note that there are more general definitions for the semantical correctness of model transformations which establish a correspondence between one simulation step in the source model and a sequence of simulation steps in the target model. For S2A transformation it is sufficient to relate single simulation and animation steps. Intermediate animation states providing smooth state transitions are possible nonetheless: They are defined by enriching an animation rule by animation operations to specify continuous changes of object properties. Since animation operations leave the states before and after a rule application unchanged, they do not influence the semantical correctness of S2A transformation. Our approach has been implemented in the generic visual modeling environment GENGED [Gen]. The implementation includes an animation editor to define animation operations visually, and to export animation scenarios to the SVG format [WWW03]. There exist related tool-oriented approaches, where different visual representations are used to visualize a model’s behavior. One example is the reactive animation approach by Harel [HEC03], where behavior is specified by UML diagrams. The animated representation of the system behavior is implemented by linking UML tools to pure animation tools like Macromedia FLASH or DIRECTOR [Mac04]. Hence, the mapping from simulation to animation views hap- pens at the implementation level and is not specified formally. Analogously, different Petri net tools also offer support for customized Petri net animations (e.g. the SimPEP tool [Gra99] to animate transition firings of low-level Petri nets). In general, approaches to enhance the front end of CASE tools for simulating/animating the behavior of models are restricted to one specific modeling language. In our approach we integrate animation views at model level with graph transformation representations for different visual modeling languages based on a formal speci- fication. This provides the model designer with more flexibility, as the modeling language to be enhanced by animation features, can be freely chosen. The paper is organized as follows: Section 2 presents the basic concepts of simulation and animation, illustrated by our case study in Section 3. In Section 4, the main result on semantical correctness of S2A transformation is given in the case without NACs. Extensions to cope with NACs are discussed. Explicit proofs for the case with NACs, and the semantical correctness of the complete case study is presented in the technical report [EEE06]. Section 5 discusses related work, and Section 6 concludes the paper. Proc. GraMoT 2006 2 / 14 ECEASST 2 Basic Concepts of Simulation and Animation We use typed algebraic graph transformation systems (TGTS) in the double-pushout-approach (DPO) [EEPT06] which have proven to be an adequate formalism for visual language (VL) modeling. A VL is modeled by a type graph capturing the definition of the underlying visual alphabet, i.e. the symbols and relations which are available. Sentences or diagrams of the VL are given by graphs typed over the type graph. We distinguish abstract and concrete syntax in alphabets and models, where the concrete syntax includes the abstract symbols and relations, and additionally defines their layout. Formally, a VL can be considered as a subclass of graphs typed over a type graph T G in the category GraphsTG. For behavioral diagrams like Statecharts, an operational semantics can be given by a set of simulation rules PS, using the abstract syntax of the modeling VL. A simulation rule p = (L ← I → R) ∈ PS is a graph transformation rule, consisting of a left-hand side L, an interface I, a right-hand side R, and two injective morphisms. Applying rule p to a graph G means to find a match of L m−→ G and to replace the occurrence m(L) of L in G by R leading to the target graph G′. In the DPO approach, the deletion of m(L) and the addition of R are described by two pushouts (a DPO) in the category GraphsTG of typed graphs. A rule p may be extended by a set of negative application conditions (NACs) [EEPT06], describing situations in which the rule should not be applied to G. Formally, match L m−→ G satisfies NAC L n−→ N if there does not exist an injective graph morphism N x−→ G with x◦n = m. A sequence G0 ⇒ G1 ⇒ ... ⇒ Gn of graph transformation steps is called transformation and denoted as G0 ∗⇒ Gn. A transformation G0 ∗⇒ Gn, where rules from P are applied as long as possible (i.e. as long as matches can be found satisfying the NACs), is denoted by G0 P ! =⇒ Gn. We define a model’s simulation language V LS, typed over the simulation alphabet T GS, as a sublanguage of the modeling language V L, such that all diagrams GS ∈ V LS represent different states during simulation. Based on V LS, the operational semantics of a model is given by a simulation specification. Definition 1 (Simulation Specification) Given a visual language VLS typed over T GS, i.e. VLS ⊆ GraphsTGS , a simulation specification SimS pecVLS = (VLS, PS) over VLS is given by a TGTS (T GS, PS) s.t. VLS is closed under simulation steps, i.e. GS ∈ VLS and GS ⇒ HS via pS ∈ PS implies HS ∈ VLS. The rules pS ∈ PS are called simulation rules. In order to transform a simulation specification to an animation view, we define an S2A trans- formation S2A = (S2AM, S2AR) consisting of a simulation-to-animation model transformation S2AM, and a corresponding rule transformation S2AR. The S2AM transformation applies S2A transformation rules from a rule set Q to each GS ∈ V LS as long as possible, adding symbols from the application domain to the model state graphs. The resulting set of graphs comprises the animation language V LA. Definition 2 (S2AM-Transformation) Given a simulation specification SimS pecV LS = (V LS, PS) with VLS typed over T GS and a type graph T GA, called animation type graph, with T GS ⊆T GA, a simulation-to-animation model transformation, short S2AM-transformation, S2AM : V LS →V LA is given by S2AM = (VLS, T GA, Q) where (T GA, Q) is a TGTS with non-deleting rules q ∈ Q, 3 / 14 Volume 4 (2006) Semantical Correctness of S2A Transformation and S2AM-transformations GS Q ! =⇒ GA with GS ∈ VLS. The animation language VLA is defined by VLA = {GA| ∃ GS ∈ VLS & GS Q ! =⇒ GA}. This means GS Q ! =⇒ GA implies GS ∈ VLS and GA ∈ VLA, where each intermediate step Gi qi=⇒ Gi+1 is called S2AM-step. Our aim is not only to transform model states but to obtain a complete animation specification, including animation rules, from the simulation specification. Hence, we define a construction allowing us to apply the S2A transformation rules from Q also to the simulation rules. The following definition extends the construction for rewriting rules by rules given by Parisi-Presicce in [PP96], where a rule q is only applicable to a rule p if it is applicable to the interface graph of p. In this paper, we want to add animation symbols to simulation rules even if the S2A transformation rule is not applicable to the interface of the simulation rule. Hence, we distinguish three cases in Def. 3. Case (1) corresponds to the notion of rule rewriting in [PP96], adapted to non-deleting S2A transformation rules. In Case (2), the S2A transformation rule q is not applicable to the interface, but only to the left-hand side of a rule p, and in Case (3), q is only applicable to the right-hand side of p. Definition 3 (Transformation of Rules by Non-Deleting Rules) Given a non-deleting rule q = (Lq → Rq) and a rule p1 = (L1 l1← I1 r1→ R1), then q is appicable to p1 leading to a rule transfor- mation step p1 q _ *4 p2 , if the precondition of one of the following three cases is satisfied, and p2 = (L2 l2← I2 r2→ R2) is defined according to the corresponding construction. Lq h �� q // (1) Rq �� I1 r1 �� l1 ���� � qI // I2 l2 ���� � r2 �� L1 qL (1a) // L2 R1 qR (1b) // R2 Lq h′ �� q // (2) Rq �� L1 qL // L2 Lq h′′ �� q // (3) Rq �� R1 qR // R2 Case (1) Precondition (1): There is a match Lq h−→ I1. Construction (1): I2, L2, and R2 are defined by pushouts (1), (1a) and (1b), leading to injective morphisms l2 and r2. Case (2) Precondition (2): There is no match Lq h−→ I1, but a match Lq h′−→ L1. Construction (2): L2 is defined by pushout (2), and I2 = I1, R2 = R1, r2 = r1, and l2 = qL ◦l1. Case (3) Precondition (3): There are no matches Lq h−→ I1 and Lq h′−→ L1, but there is a match Lq h′′−→ R1. Construction (3): R2 is defined by pushout (3), and L2 = L1, I2 = I1, l2 = l1, and r2 = qL ◦r1. Proc. GraMoT 2006 4 / 14 ECEASST The transformation of rules defined above allows now to define an S2AR transformation of rules, leading to an S2A transformation S2A = (S2AM, S2AR) from the simulation specification SimS pecV LS to the animation specification AnimS pecV LA . Definition 4 (S2AR-Transformation) Given a simulation specification SimS pecV LS = (VLS, PS) and an S2AM-transformation S2AM = (VLS, T GA, Q) then a simulation-to-animation rule trans- formation, short S2AR-trafo, S2AR : PS → PA is given by S2AR = (PS, T GA, Q) and S2AR trans- formation sequence pS Q !_*4 pA with pS ∈ PS, where rule transformation steps p1 q _ *4 p2 with q ∈ Q (see Def. 3) are applied as long as possible. The animation rules PA are defined by PA = {pA| ∃ pS ∈ PS ∧ pS Q !_*4 pA }. This means pS Q !_ *4 pA implies pS ∈PS and pA ∈PA, where each intermediate step pi qi _*4 pi+1 is called S2AR-step. Definition 5 (Animation Specification and S2A Transformation) Given a simulation specifica- tion SimS pecV LS = (VLS, PS), an S2AM transformation S2AM : VLS → VLA and an S2AR trans- formation S2AR : PS → PA, then 1. AnimS pecV LA = (VLA, PA) is called animation specification, and each transformation step GA pA=⇒ HA with GA, HA ∈ VLA and pA ∈ PA is called animation step. 2. S2A : SimS pecV LS → AnimS pecV LA , defined by S2A = (S2AM, S2AR) is called simulation- to-animation model and rule transformation, short S2A transformation. 3 Case Study: Radio Clock In this section, we illustrate the main concepts of Section 2 by the well-known Radio Clock case study from Harel [Har87]. The behavior of a radio clock is modeled by the nested Statechart shown in Fig. 1 (a). The radio clock display can show alternatively the time, the date or allows to set the alarm time. The changes between the modes are modeled by transitions labeled with the event Mode. The nested state Alarm allows to change to modes for setting the hours and the minutes (transition Select) of the alarm time. A Set event increments the number of hours or minutes which are currently displayed. Figure 1: Radio Clock Statechart (a), and Animation View Snapshots (b) A domain-specific animation view of the Radio Clock is illustrated in Fig. 1 (b). The two snapshots from a possible simulation run of the Statechart in Fig. 1 (a) correspond to the active 5 / 14 Volume 4 (2006) Semantical Correctness of S2A Transformation state Set:Hours before and after the set event has been processed. The animation view shows directly the current display of the clock and indicates by a red light that in the current state the hours may be set. Furthermore, buttons are shown either to proceed to the state where the minutes may be set (button Select), or to switch back to the Time display (button Mode). The abstract syntax graph of the Radio Clock Statechart is the given by the graph GI in Fig. 2. Figure 2: Abstract Syntax Graph GI of the Radio Clock Statechart The set of model-specific simulation rules PS = {paddOb ject , paddEvent , pdownTime, pdownDisp, pupAlarm, pupClock, pmodeT D , pmodeDA , pmodeAD , pselectH , pselectM, pselectD, psetH , psetM} to be applied to GI contains initialization rules which generate the object node with attribute values for the initial alarm time, set the current pointer to the top level state Radio Clock, and fill the event queue. Additional simulation rules are defined which realize the actual simulation, processing the events in the queue. For each superstate there is a rule moving the current pointer from the superstate down to its initial substate. Analogously, there are rules moving the pointer from a substate to its superstate. For each transition there is a rule which moves the pointer from the source state of the transition to its target state and removes the triggering event from the queue. The full set PS of simulation rules is given in [EEE06]. Fig. 3 shows the sample simulation rule psetH for the transition set whose source and target is the state Set:Hours. In addition to processing the event set, this rule increments the hour value of the current alarm time. Figure 3: A Simulation Rule psetH The simulation specification SimS pecV LS = (VLS, PS) for the Radio Clock consists of the sim- ulation language VLS typed over T GS, where T GS is the simulation alphabet depicted in the left-hand side of Fig. 4, PS is the set of simulation rules, and VLS consists of all graphs that can occur in any Radio Clock simulation scenario: VLS = {GS|∃GI PS∗=⇒ GS}, where GI is the initial graph shown in Fig. 2. Fig. 4 shows the animation view type graph T GA, which is a disjoint union of the simulation alphabet T GS, and the new visualization alphabet T GV shown in the right part of Fig. 4, which models the visualization symbols for a domain-specific view of the radio clock behavior. The three modes of the clock are visualized by five different displays: a date display, a time display, Proc. GraMoT 2006 6 / 14 ECEASST Figure 4: Simulation and Animation Alphabet and three alarm displays showing the alarm time but differing in the states of two red lights which indicate the states Display (both lights off), Set:Hours (light SetH on), and Set:Minutes (light SetM on). The S2A transformation rules Q = {qClock, qDate, qTime, qDisp, qSetH , qSetM} add visualization symbols to the simulation rule graphs and to the initial radio clock graph. The initial S2A rule qClock adds the root symbol Clock to all graphs it is applied to. The remaining S2A rules add visualization symbols depending on the state of the current pointer. We visualize only basic states which do not have any substates. Superstates are not shown in the animation view, as they are considered as transient, abstract states which are active on the way of the current pointer up and down the state hierarchy between two basic states, but have no concrete layout themselves. The full set Q of S2A rules is given in [EEE06]. The top row of Fig. 5 shows the sample S2A transformation rule qsetH which adds a SetHours symbol and links it to the clock symbol in the case that the current pointer points to the state named “Set:Hours”. The attributes are set accordingly. Note that each S2A rule q has to be applied at most once at the same match, which is formalized by a NAC Lq → Nq, such that Nq and Rq are isomorphic. The Radio Clock S2AM transformation S2AM : VLS → VLA is given by S2AM = (VLS, T GA, Q) with animation language VLA = {GA|∃GS ∈ VLS : GS Q ! =⇒ GA}. The Radio Clock S2AR transformation S2AR : PS → PA is given by S2AR = (PS, T GA, Q) with animation rules PA = {pA|∃pS ∈ PS : pS Q !_ *4 pA }. A sample S2AR transformation step p′setH qsetH_*4 pAsetH is shown in Fig. 5. Here, S2A rule Lq qsetH−→ Rq is applied to the rule p′setH , according to Case (1) of Def. 3. Rule p ′ setH = (L ′ ← I′ → R′) in Fig. 5 corresponds to rule p1 = (L1 ← I1 → R1) in Def. 3. The result of the rule rewriting step in Fig. 5 is rule pAsetH = (LA ← IA → RA), which corresponds to rule p2 = (L2 ← I2 → R2) in Def. 3. Note that variables for node attributes can be assigned to other variables or to expressions. For instance, in Fig. 5, the variable h for attribute AlarmH in I′ is assigned to the expression incr(h) in R′ by the morphism I′ r′−→ R′. Hence, a resulting animation rule can contain variables or expressions for attributes to be assigned to corresponding attribute values in graphs when the animation rule is applied. pAsetH is a completely transformed animation rule, since no more S2A rules are applicable to it. The Radio Clock animation specification AnimS pecV LA = (VLA, PA) based on the S2A trans- 7 / 14 Volume 4 (2006) Semantical Correctness of S2A Transformation Figure 5: S2A Transformation Step p′setH qsetH−→ pAsetH formation S2A = (S2AM, S2AR) is given by the animation language VLA, obtained by the Radio Clock S2AM transformation, and the animation rules PA, obtained by the Radio Clock S2AR transformation. The full set PA of animation rules is given in [EEE06]. Fig. 6 shows a sample animation scenario in the concrete notation of the animation view, where animation rules from PA are applied. The first state of the scenario in Fig. 6 is obtained by applying the initial animation rules setting the alarm time and initializing the event queue with the events mode, mode, select, set, mode. The subsequent animation steps result from applying animation rules for event processing or for moving up and down the state hierarchy. Figure 6: Radio Clock Animation Scenario 4 Semantical Correctness of S2A Transformations In this section, we continue the general theory of Section 2 and study semantical correctness of S2A-transformations. In our case, semantical correctness of an S2A-transformation means that for each simulation step GS pS=⇒ HS there is a corresponding animation step GA pA=⇒ HA where GA (resp. HA) are obtained by S2A model transformation from GS (resp. HS), and pA by S2A rule transformation from pS. Note that this is a special case of semantical correctness defined in [EE05a], where instead of a single step GA pA=⇒ HA more general sequences GA ∗ =⇒ HA and HS ∗ =⇒ HA are allowed. Proc. GraMoT 2006 8 / 14 ECEASST Definition 6 (Semantical Correctness of S2A Transformations) An S2A-transformation S2A : SimS pecV LS → AnimS pecV LA given by S2A = (S2AM : VLS → VLA, S2AR : PS → PA) is called semantically correct, if for each simulation step GS pS=⇒ HS with GS ∈ VLS and each S2AR-transformation sequence pS Q !_*4 pA (see Def. 4) we have 1. S2AM-transformation sequences GS Q ! =⇒ GA and HS Q ! =⇒ HA, and 2. an animation step GA pA=⇒ HA GS Q ! +3 pS �� GA pA �� Q ! _*4 HS Q ! +3 HA Before we prove semantical correctness in Theorem 2, we first show local semantical correct- ness in Theorem 1 where only one S2AM-step (resp. S2AR-step) is considered. Theorem 1 (Local Semantical Correctness of S2A-Transformations) Given an S2A-transfor- mation S2A : SimS pecV LS → AnimS pecV LA with S2A = (S2AM : VLS → VLA, S2AR : PS → PA) and an S2AR-transformation sequence pS Q !_*4 pA with intermediate S2AR-step pi q _*4 pi+1 with q∈Q. Then for each graph transformation step Gi pi=⇒Hi with Gi, Hi ∈GraphsTGA we have 1. Graph transformation steps Gi qi=⇒ Gi+1 in Cases (1) and (2), Gi id =⇒ Gi+1 in Case (3), Hi q =⇒ Hi+1 in Cases (1) and (3), and Hi id =⇒ Hi+1 in Case (2) of Def. 3. 2. Graph transformation step Gi+1 pi+1=⇒ Hi+1 with Gi+1, Hi+1 ∈ GraphsTGA Gi q / id +3 pi �� Gi+1 pi+1 �� q _ *4 Hi q / id +3 Hi+1 Proof. We consider the respective pushout diagrams for pi q _*4 pi+1 according to the three rule transformation cases in Def. 3, and show by pushout composition/decomposition that in each case we obtain the commuting double cube below where the two back squares comprise the given DPO for the transformation step Gi pi=⇒ Hi, and in the front squares we get the required DPO for the transformation step Gi+1 pi+1=⇒ Hi+1. Li ���� � mi �� Ii lioo �� ���� � ri // Ri �� ���� � Li+1 mi+1 �� Ii+1oo �� // Ri+1 �� Gi ���� � Cioo ���� � // Hi ���� � Gi+1 Ci+1oo // Hi+1 Lq h �� q // (POI ) Rq �� Ii qi+1 // Ii+1 In Case (1) of Def. 3, we obtain the top squares as pushouts and then construct Gi+1, Ci+1, Hi+1 as pushouts in the diagonal squares, leading to unique induced morphisms Ci+1 → Gi+1 and Ci+1 → Hi+1 such that the double cube commutes. By pushout composition/decomposition also 9 / 14 Volume 4 (2006) Semantical Correctness of S2A Transformation the front and the bottom squares are pushouts. Furthermore, we obtain pushouts for the trans- formation steps Gi q =⇒ Gi+1 and Hi q =⇒ Hi+1 by composing pushout (POI ) with the respective pushouts from the double cube. Cases (2) and (3) are handled similarly, with the difference that some morphisms in the respective double cubes are identities. The following notions are used for proving the main Theorem 2. Definition 7 (Termination of S2AM and Rule Compatibility of S2A) An S2AM transformation S2AM : VLS → VLA is terminating if each transformation GS Q ∗ =⇒ Gn can be extended to GS Q ∗ =⇒ Gn ∗ =⇒ Gm such that no q ∈ Q is applicable to Gm anymore. An S2A-transformation S2A = (S2AM : VLS → VLA, S2AR : PS → PA) with S2AM = (VLS, T GA, Q) is called rule compatible, if for all pA ∈ PA and q ∈ Q we have that pA and q are parallel and sequential independent. More precisely, for each G pA=⇒ H with GS Q ∗ =⇒ G and HS Q ∗ =⇒ H for some GS, HS ∈ VLS and each G q =⇒ G′ (resp. H q =⇒ H′) we have parallel (resp. sequential) independence of G pA=⇒ H and G q =⇒ G′ (resp. H q =⇒ H′). Theorem 2 (Semantical Correctness of S2A) Each S2A transformation S2A = (S2AM, S2AR) is semantically correct, provided that S2A is rule compatible, and S2AM is terminating. Proof. Given S2A = (S2AM : VLS → VLA, S2AR : PS → PA) with terminating S2AM, a simula- tion step GS pS=⇒ HS with GS ∈ VLS, and an S2AR transformation sequence pS Q !_*4 pA with pS = p0 q0 _*4 p1 q1 _*4 .. qn−1 _*4 pn = pA with n ≥ 1, then we can apply the Local Semantical Correctness Theorem 1 for i = 0, .., n−1, leading to the diagram below, which includes the case n = 0 with GS = G0, HS = H0 and pS = p0 = pA, where no q ∈ Q can be applied to pS. GS = G0 q0 +3 pS=p0 �� G1 q1 +3 p1 �� G2 q2 +3 p2 �� ... +3 Gn−1 qn−1 +3 pn−1 �� Gn pn=pA �� Q! _ *4 HS = H0 q0 +3 H1 q1 +3 H2 q2 +3 ... +3 Hn−1 qn−1 +3 Hn If no q ∈ Q can be applied to Gn and Hn anymore, we are ready, because the top sequence is GS Q ! =⇒ Gn = GA, and the bottom sequence is HS Q ! =⇒ Hn = HA. Now assume that we have qn ∈ Q which is applicable to Gn leading to Gn qn=⇒ Gn+1. Then, rule compatibility implies parallel independence with GA pA=⇒ HA, and the Local Church Rosser Theorem [EEPT06] leads to square (n): Gn qn +3 pA �� (n) Gn+1 +3 pA �� ... +3 Gm−1 qm−1 +3 pA �� Gm = GA pA �� Hn qn +3 Hn+1 +3 ... +3 Hm−1 qm−1 +3 Hm = HA Proc. GraMoT 2006 10 / 14 ECEASST This procedure can be repeated as long as rules qi ∈ Q are applicable to Gi for i ≥ n. Since S2AM is terminating, we have some m > n such that no q ∈ Q is applicable to Gm anymore, leading to a sequence GS = G0 Q ! =⇒ Gm = GA. Now assume that there is some q ∈ Q which is still applicable to Hm leading to Hm q =⇒ Hm+1. Now rule compatibility implies sequential independence of Gm pA=⇒ Hm q =⇒ Hm+1. In this case, the Local Church Rosser Theorem would lead to a sequence Gm q =⇒ Gm+1 pA=⇒ Hm+1 which contradicts the fact that no q ∈ Q is applicable to Gm anymore. This implies that also H0 Q ∗ =⇒ Hn Q ∗ =⇒ Hm is terminating, leading to the required sequence HS = H0 Q ! =⇒ Hm = HA. Extension by Negative Application Conditions Considering rules with NACs both for the S2A rules in Q (now of the form q = (Nq ← Lq → Rq)), and for the simulation rules in PS (now of the form pS = (Ni ← L ← I → R)), has the following consequences on the construction of the animation specification by S2A transformation: Def. 3 has to be extended to deal with the additional transformation of NACs in Cases (1) and (2) (in Case (3), the NACs remain unchanged). Moreover, a new Case (4) has to be added covering the case that preconditions (1) - (3) are not satisfied, but there are matches into Ni. Furthermore, the preconditions for all cases now also require the satisfaction of NACq = (Lq n−→ Nq). To extend rule compatibility (Def. 7), in addition to parallel and sequential independence in the case without NACs, we have to require that the induced matches satisfy the corresponding NACs. The proof of local semantical correctness of S2A transformations with NACs requires also NAC- compatibility of S2AM and S2AR for all q ∈ Q and Gi pi=⇒ Hi. NAC-compatibility of S2AM means that if q is applicable to a rule pS, then each match of q in Gi (resp. Hi) satisfies NACq. NAC-compatibility of S2AR means that if pi q _*4 pi+1 satisfies NACq, and Gi pi=⇒ Hi satisfies NAC(pi) then Gi+1 pi+1=⇒ Hi+1 satisfies NAC(pi+1). Considering these additional requirements, we can show that each S2A-transformation S2A = (S2AM, S2AR) is semantically correct including NACs, provided that S2A is rule compatible, S2AM is terminating and S2A is NAC-compatible. This extends Theorem 2, where now rule compatibility and termination have to be required with NACs (for the complete extended theorem see [EEE06, Erm06]). Using the extended theorem, we show the semantical correctness of our Radio Clock case study in [EEE06]. Termination is shown to be fulfilled for general S2A transformation systems with suitable rule layers and applied to our case study in [EEE06]. Moreover, it is shown that each S2AR transformation is NAC-compatible provided that we have suitable rule layers as in our case study. Thus, it suffices to show only NAC-compatibility of S2AM explicitly for the Radio Clock. 5 Related Work To ensure the correctness of model transformations, Varró et al. [SV03, Var04] use graph trans- formation rules to specify the dynamic behavior of systems and generate a transition system for each instance model. Based on the transition system, a model checker verifies certain dynamic consistency properties by model checking the source and target models. In [NK06], a method is 11 / 14 Volume 4 (2006) Semantical Correctness of S2A Transformation presented to verify the semantical equivalence for particular model transformations. It is shown by finding bisimulations that a target model preserves the semantics of the source model with respect to a particular property. This technique does not prove the correctness of the model transformation rules in general, as we propose in this paper for the restricted case of S2A trans- formation rules. The formal background of bisimulations for graph transformations has been considered also in e.g. [EK04]. For the specification of model transformations, triple graph grammars [Sch94] have been fre- quently used. These grammars are based on a coupling of the syntax rules for the source and target language, which allows derivations in the source language to be translated into deriva- tions of the target language. A third grammar in between source and target produces a mapping structure to keep track of the relation between the source and target structures. Triple graph grammars have been recently used also to model tool integration [KS06] and the integration of multiple views on a system [GDL05]. Here, views are (possibly overlapping) parts of a global alphabet, and graph triples are made of one repository (the complete integrated model), one view and an intermediate graph that relates objects of both. The triple graph grammar specifies the gluing of the views in the repository. This approach has similarities to our approach concerning the relation of simulation and animation alphabets. But the restriction to subtypes of a VL type graph alone is usually not enough to define views which abstract from model details. Given a type graph for Petri nets, for example, it would not be possible to define a view which shows only the markings of particular states and hides the others. In this respect, our approach of S2A transformation is much more flexible. Moreover, our notion of S2AR transformation allows to relate views with behavior. The animation specification resulting from an S2A transformation provides a good basis for user interaction when defining scenarios in the animation view (e.g. by clicking on a radio clock button to apply an animation rule). Here lies the central advantage of coding the animation view information into the rules instead of translating directly simulation steps into animation steps (as realized e.g. in [HEC03]). 6 Conclusion and Ongoing Work In this paper we have given a precise definition for simulation-to-animation (S2A) model and rule transformations. The main results show under which conditions an S2A transformation S2A : SimS pecV LS → AnimS pecV LA is semantically correct in the cases without and with negative application conditions. The results have been used to show semantical correctness of a radio clock case study. For simplicity, the theory has been presented in the DPO-approach for typed graphs, but it can also be extended to typed attributed graphs, where injective graph morphisms are replaced by suitable classes M and M′ of typed attributed graph morphisms for rules and NACs, respectively [EEPT06]. Non DPO-based approaches have not yet been considered. In addition to analyzing the semantical correctness of S2A, it may be interesting to construct also a backward model and rule transformation A2S : AnimS pecV LA → SimS pecV LS , essentially given by restriction of all graphs and rules to the type graph T GS. Semantical correctness of A2S means that for each animation step GA pA=⇒ HA there is also a corresponding simulation Proc. GraMoT 2006 12 / 14 ECEASST step GS pS=⇒ HS using the restrictions GS, HS and pS of GA, HA and pA, respectively. Finally, we can consider semantical equivalence of SimS pecV LS and AnimS pecV LA , which requires exis- tence and semantical correctness of S2A and A2S, such that both are inverse to each other, i.e. A2S◦S2A = Id and S2A◦A2S = Id. Bibliography [EB04] C. Ermel, R. Bardohl. Scenario Animation for Visual Behavior Models: A Generic Approach. Software and System Modeling: Special Section on Graph Transforma- tions and Visual Modeling Techniques 3(2):164–177, 2004. http://www.springerlink.com/content/pfhmyfu60l7f/ [EE05a] H. Ehrig, K. Ehrig. Overview of Formal Concepts for Model Transformations based on Typed Attributed Graph Transformation. In Proc. Intern. Workshop on Graph and Model Transformation (GraMoT’05). ENTCS 152. Elsevier Science, 2005. [EE05b] C. Ermel, K. Ehrig. View Transformation in Visual Environments applied to Petri Nets. In Rozenberg et al. (eds.), Proc. Workshop on Petri Nets and Graph Transfor- mation (PNGT). ENTCS 127(2), pp. 61–86. Elsevier Science, 2005. [EEE06] C. Ermel, H. Ehrig, K. Ehrig. Semantical Correctness of Simulation-to-Animation Model and Rule Transformation: Long Version. Technical report 2006/10, TU Berlin, Fak. IV, 2006. http://iv.tu-berlin.de/TechnBerichte/2006/2006-10.pdf [EEPT06] H. Ehrig, K. Ehrig, U. Prange, G. Taentzer. Fundamentals of Algebraic Graph Transformation. EATCS Monographs in Theoretical Computer Science. Springer, 2006. http://www.springer.com/3-540-31187-4 [EHKZ05] C. Ermel, K. Hölscher, S. Kuske, P. Ziemann. Animated Simulation of Integrated UML Behavioral Models based on Graph Transformation. In Erwig and Schürr (eds.), Proc. IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC’05). IEEE Computer Society, 2005. [EK04] H. Ehrig, B. Koenig. Deriving Bisimulation Congruences in the DPO Approach to Graph Rewriting. In Proc. FOSSACS 2004. LNCS 2987, pp. 151–166. Springer, 2004. [Erm06] C. Ermel. Simulation and Animation of Visual Languages based on Typed Algebraic Graph Transformation. PhD thesis, Technische Universität Berlin, Fak. IV, 2006. http://opus.kobv.de/tuberlin/volltexte/2006/1368/ [GDL05] E. Guerra, P. Diaz, J. de Lara. A Formal Approach to the Generation of Visual Language Environments Supporting Multiple Views. In Proc. IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC’05). IEEE Computer Society, 2005. [Gen] GenGED Homepage. http://tfs.cs.tu-berlin.de/genged. 13 / 14 Volume 4 (2006) http://www.springerlink.com/content/pfhmyfu60l7f/ http://iv.tu-berlin.de/TechnBerichte/2006/2006-10.pdf http://www.springer.com/3-540-31187-4 http://opus.kobv.de/tuberlin/volltexte/2006/1368/ http://tfs.cs.tu-berlin.de/genged Semantical Correctness of S2A Transformation [Gra99] B. Grahlmann. The State of PEP. In A. (ed.), Proceedings of AMAST’98 (Algebraic Methodology and Software Technology). LNCS 1548. Springer, 1999. [Har87] D. Harel. Statecharts: a visual formalism for complex systems. Science of Computer Programming 8:231–274, 1987. [HEC03] D. Harel, S. Efroni, I. Cohen. Reactive Animation. In Boer et al. (eds.), Proc. First Int. Symposium on Formal Methods for Components and Objects (FMCO’02). LNCS 2852, pp. 136–153. Springer, 2003. [KS06] A. Königs, A. Schürr. Tool Integration with Triple Graph Grammars - A Survey. In Proc. SegraVis School on Foundations of Visual Modelling Techniques. ENTCS 148, pp. 113–150. Elsevier Science, 2006. http://www.sciencedirect.com/science/journal/15710661 [Mac04] Macromedia, Inc. Macromedia Flash MX 2004 and Director MX 2004. 2004. http://www.macromedia.com/software/. [NK06] A. Narayanan, G. Karsai. Towards Verifying ModelTransformations. In Proc. Work- shop on Graph Transformation and Visual Modeling Techniques (GT-VMT’06). ENTCS, Elsevier Science, 2006. http://www.sciencedirect.com/science/journal/15710661 [PP96] F. Parisi-Presicce. Transformation of Graph Grammars. In 5th Int. Workshop on Graph Grammars and their Application to Computer Science. LNCS 1073. Springer, 1996. [Roz97] G. Rozenberg (ed.). Handbook of Graph Grammars and Computing by Graph Transformations, Volume 1: Foundations. World Scientific, 1997. [Sch94] A. Schürr. Specification of Graph Translators with Triple Graph Grammars. In Tin- hofer (ed.), WG94 20th Int. Workshop on Graph-Theoretic Concepts in Computer Science. LNCS 903, pp. 151–163. Springer, 1994. [SV03] Á. Schmidt, D. Varró. CheckVML: A Tool for Model Checking Visual Modeling Languages. In Stevens et al. (eds.), Proc. UML 2003 - The Unified Modeling Lan- guage, Modeling Languages and Applications, 6th Intern. Con., San Francisco, CA, USA, October 20-24, 2003. LNCS 2863, pp. 92–95. Springer, 2003. [Var04] D. Varró. Automated formal verification of visual modeling languages by model checking. Software and System Modeling 3(2):85–113, 2004. http://www.springerlink.com/index/10.1007/s10270-003-0050-x [WWW03] WWW Consortium (W3C). Scalable Vector Graphics (SVG) 1.1 Specification. 2003. http://www.w3.org/TR/svg11/. Proc. GraMoT 2006 14 / 14 http://www.sciencedirect.com/science/journal/15710661 http://www.macromedia.com/software/ http://www.sciencedirect.com/science/journal/15710661 http://www.springerlink.com/index/10.1007/s10270-003-0050-x http://www.w3.org/TR/svg11/ Introduction Basic Concepts of Simulation and Animation Case Study: Radio Clock Semantical Correctness of S2A Transformations Related Work Conclusion and Ongoing Work