Verification of Architectural Refactorings: Rule Extraction and Tool Support Electronic Communications of the EASST Volume 16 (2009) Proceedings of the Doctoral Symposium at the International Conference on Graph Transformation (ICGT 2009) Verification of Architectural Refactorings: Rule Extraction and Tool Support Dénes Bisztray, Reiko Heckel and Hartmut Ehrig 16 pages Guest Editors: Andrea Corradini, Emilio Tuosto Managing Editors: Tiziana Margaria, Julia Padberg, Gabriele Taentzer ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122 http://www.easst.org/eceasst/ ECEASST Verification of Architectural Refactorings: Rule Extraction and Tool Support Dénes Bisztray1, Reiko Heckel2 and Hartmut Ehrig3 1 dab24@mcs.le.ac.uk 2 reiko@mcs.le.ac.uk Department of Computer Science University of Leicester United Kingdom 3 ehrig@cs.tu-berlin.de Institut für Softwaretechnik und Theoretische Informatik Technische Universität Berlin Germany Abstract: Software in use needs to be adapted to changing requirements, otherwise it becomes obsolete. Often, this involves changing the architecture of the system. To avoid the introduction of unwanted or removal of desired behaviour, these changes need verification. While verifying large systems consumes considerable resources, the verification of only the changed parts can, under certain conditions, give the required assurance. This opens the possibility of creating formally verified, reusable refactoring patterns. However, a mechanism for extracting such patterns is needed. To address this problem, a theoretical framework is presented that allow to formally reason about the rule extraction process. In order to harness the theoretical results, a visual editor and tool chain are introduced to aid developers in extracting refactoring rules and prove their behavioural correctness. Keywords: Graph Transformations, Refactoring, Semantics 1 Introduction With the recent success of the component-based and service-oriented paradigm, the complexity of software also increased. To tackle complexity, architectural models aid the developers. How- ever, a software in constant use, must continually evolve, otherwise it becomes progressively less satisfactory [Leh96]. During the adaptation to changed requirements and improvement of inter- nal structure, changes may be required that preserve the observable behaviour of the systems. In OO programming, such behaviour-preserving transformations are called refactorings [FBB+99]. For distributed and service-oriented applications, the important changes take place at the level of architectural models. These changes have to be checked for behaviour preservation. To avoid the costly verification of refactoring steps on large systems, we extract a (usually much smaller) rule from the transformation performed and verify this rule instead. However, the notion of observable behaviour has to be established, formal requirements for extracting the refactoring rule and methods that can verify its behaviour preservation are required. 1 / 16 Volume 16 (2009) mailto:dab24@mcs.le.ac.uk mailto:reiko@mcs.le.ac.uk mailto:ehrig@cs.tu-berlin.de Verification of Architectural Refactorings: Rule Extraction and Tool Support The method of verifying architectural refactorings consists of three ingredients: the modelling language used, its semantics, and the relation capturing our idea of behaviour preservation. For representing the type and instance-level architecture of our system, we use UML component and composite structure diagrams in conjunction with activity diagrams specifying the workflows executed by component instances as described in [BHE08]. To verify the semantic relation between source and target models, the behaviour of the com- bined structure diagram is formalised by denotational semantics, using Communicating Sequen- tial Processes (CSP) [Hoa85] as semantic domain. CSP is a process algebra for concurrent systems. A mapping sem has been defined from the UML diagrams to CSP processes by means of graph transformation rules. The semantic relation of behaviour preservation can conveniently be expressed using one of the refinement and equivalence relations on CSP processes. As mentioned, it would be advantageous if we could focus our verification on those parts of the model that have been changed, that is, verify the refactoring rules rather than the actual steps. This is indeed possible, as we have shown in [BHE08]: assuming a refactoring G =⇒ H, via the graph transformation rule p : L → R, if the relation R holds for sem(L) R sem(R) then sem(G) R sem(H) also holds. This is feasible due to the compositionality property [BHE08] of the semantic mapping. Figure 1: Example Refactoring An example refactoring is depicted in Figure 1. As the interfaces are unchanged and the behaviour is encapsulated inside the components, the marked parts can be extracted. Then, this transformation rule can be verified instead of the complete system. Although this extraction was obvious, there can be complicated refactorings that span change on the behaviour of multiple components. To determine the mechanics of producing a rule, we perform extractions on proven and successful refactorings. In general for a transformation G =⇒ H with sem(G) R sem(H), we want to extract the smallest rule such that: 1. when applying it on G at the appropriate match, the transformation step produces H 2. sem(L) R sem(R) The rule extraction consists of two steps. In the first step, the difference between G and H is ex- tracted, to form a minimal production rule. The presented method uses initial pushouts [EEPT06], Proc. Doctoral Symposium ICGT 2009 2 / 16 ECEASST Figure 2: The original and refactored system and is shown to fulfill requirement 1. As the minimal rule may represent a semantically incom- plete part of the model, often, a context needs to be added to fulfill requirement 2. This context is determined interactively by the refactoring developer. Being an iterative process, tool support is needed not only for verifying complicated system refactorings but also for supporting the rule extraction mechanisms. The paper is organised as follows. In Section 2 we present our methodology with the help of a case study. Then, we establish a formal framework for the rule extraction process. The extraction of the minimal rule is presented in Section 3, the method to include the necessary context is in Section 4. The reasoning behind the rule-level verification is presented in Section 5. The tool support for rule design is introduced in Section 6. And then, we conclude. 2 Methodology To provide a general overview, we present in this section the rule extraction process using an example based on the Car Accident Scenario from the SENSORIA Automotive Case Study [WCG+06]. The extraction process consists of the following major steps: 1. The minimal graph rule is extracted that produces the refactored system when applied on the original one. 2. Necessary context is added to the minimal rule to make it semantically sound. Our case study is based on the component PersistentDatabase, which is a simplified database component for a car accident server. The accident server is responsible for receiving distress 3 / 16 Volume 16 (2009) Verification of Architectural Refactorings: Rule Extraction and Tool Support pµ : //oo Figure 3: Extracted minimal rule signals from cars. On an incoming signal it calls the driver to verify if the accident is real and ask the dispatch of emergency services if required. The database component contains the phone numbers of the registered users, and also the map of the area within jurisdiction. The accident server can query the phone number of registered users based on their identification or ask for a route plan from the nearest emergency service station to the location of the crashed car. As can be seen in Figure 4, the activity diagrams describing behaviour, are embedded inside the components. We call this a combined structure diagram. Aside from the usual activity elements, there is a port in the component called dataPort which is connected to the send signal and accept event actions. This defines the communication channels precisely. The actions that an instance level channel may engage in are defined by the relevant DataAccess interface. As the port implements the interface, the first mapQuery accept event action receives the function call, and the corresponding send signal action sends the reply back. The PersistentDatabase is a naive design: it synchronises after every phone number access with route query. This assumes that every distress signal is real, and thus needs emergency route plan. Fortunately, in several cases the crash may not need medical attention or may even be a false alarm. As the system needs more independency, the synchronisation node is deleted, and the two database engines work completely independently. Extraction of the minimal graph transformation rule helps us to identify the changes in the system. The extracted minimal rule is shown in Figure 3. Minimality means that it is the smallest rule that produces the refactored system when applied on the original one at the appropriate match. In most cases, including the present one, the minimal rule is not semantically sound. More- over, it seems to suffer from syntactic errors (dangling edges). Note, however, that these dia- grams are instances of metamodels where the edges are represented as nodes. To achieve the semantical completeness of our minimal rule, we have to address two problems. 1. It is possible to have a valid instance of the metamodel that is not semantically complete. A send signal action can mean both function call (if connected to a required interface) or replying the return value (if connected to a provided interface). In the minimal rule the send signal action and accept event action is not connected to any port or interface, leaving their meaning ambiguous. 2. The other problem is that the extracted minimal rule is not precisely what the refactoring intended to express. We assume that the fork and the join node form some kind of pair, Proc. Doctoral Symposium ICGT 2009 4 / 16 ECEASST pK : //oo Figure 4: Extracted rule with added context and as such they are connected to the same line of control flow. In the minimal rule, this is not expressed: the join node can synchronise with arbitrary flows in the system. To overcome these faults, context needs to be included from the original system. It is important to ensure that the included context is the same on both sides. After the developer selected the necessary context, the resulting rule is shown in Figure 4. Verification shows it to be behaviour preserving. Thus, when the rule is used for refactoring, there is no further need for verifying the system. Since we proved the behaviour preservation of the rule, we may reuse it as a general refactoring pattern. 3 Extraction of Minimal Rule The theoretical contributions are presented in two sections following the steps outlined in Sec- tion 2. In the present section, we introduce the construction that produces the minimal rule. Section 4 deals with step 2: it shows the context inclusion process. The process of minimal rule extraction assumes that only the original system G with refactored system H and their relation are given. First, we introduce the concept of initial pushout, as it is used extensively throughout the paper. Initial pushout is a complement construction. The context graph C as shown in [EEPT06] is the smallest subgraph of A′ that contains A′\ f (A). Definition 1 (initial pushout [EEPT06]) Given a morphism f : A → A′, an injective morphism b : B → A is called the boundary over f if there is a pushout complement of f and b such that (1) is a pushout initial over f . Initiality of (1) over f means, that for every pushout (2) with injective b′ there exists unique morphism b∗ : B → D and c∗ : C → E with injective b∗ and c∗ such that b′◦b∗ = b, c′◦c∗ = c and (3) is a pushout. B is then called the boundary object and C the context with respect to f . 5 / 16 Volume 16 (2009) Verification of Architectural Refactorings: Rule Extraction and Tool Support B b // �� A f �� (1) C c // A′ B b∗ // (3) �� b '' D (2) �� b′ // A f �� C c∗ // c 77E c′ // A′ For clarity we present the definition of a graph production and a graph transformation. Definition 2 (graph production [CMR+97]) A (typed) graph production p = (L l←− K r−→ R) also called graph transformation rule consists of (typed) graph L,K,R, called the left-hand side, gluing graph and the right-hand side respectively, and the two injective (typed) graph morphisms l and r. Given a (typed) graph production p, the inverse production is defined by p−1 = R r←− K l−→ L. The difference between a graph production and a typed graph production (and thus between a graph transformation and typed graph transformation) is that the latter operates on typed graphs [Ehr87] while the former deals with simple graphs without any typing. Definition 3 (graph transformation [CMR+97]) Given a (typed) graph production p = (L l←− K r−→ R) and a (typed) graph G with a (typed) graph morphism m : L → G, called the match, a direct (typed) graph transformation G p,m ⇒ H from G to a (typed) graph H is given by the following double-pushout (DPO) diagram, where (1) and (2) are pushouts in the category Graphs (or GraphsT G respectively): L m �� (1) K (2) loo r // k �� R n �� G Dfoo g // H A sequence G0 ⇒ G1 ⇒ ... ⇒ Gn of direct (typed) graph transformations is called a (typed) graph transformation and is denoted by G0 ∗⇒ Gn. For n = 0, we have the identical (typed) graph transformation G0 id⇒ G′0. Moreover, for n0 we allow also graph isomorphisms G0 ∼= G ′ 0, because pushouts and hence also direct graph transformations are only unique up to isomorphism. Minimality, as mentioned intuitively means the smallest rule, that produces H when applied on G. The formal definition is the following: Definition 4 (minimality) A graph transformation rule p : L ←− K −→ R is minimal over direct graph transformation G ←− D −→ H if K → D is injective and for each rule p′ : L′ ←− K′ −→ R′ with injective morphism K′ → D and pushouts (5) and (6), there are unique L → L′, K → K′ and R → R′ morphisms such that the following diagram commutes and (7), (8), (5) + (7) and (6) + (8) are pushouts. Proc. Doctoral Symposium ICGT 2009 6 / 16 ECEASST L (7) �� �� K �� �� oo // R (8) �� �� L′ (5) �� K′ �� oo // R′ (6) �� G Doo // H Now, we present the construction that leads to the minimal rule. Definition 5 (minimal rule) Given a span of injective graph morphisms G ←− D −→ H with initial pushouts IPO1 over D → G and IPO2 over D → H. The following construction will define transformation rule pµ : L ←− K −→ R over G ←− D −→ H. L1 (IPO1) �� B1oo @ @@ @@ @@ B2 // ~~~~ ~~ ~~ ~ R1 (IPO2) �� G Doo // H 1. Define B1 ←− P −→ B2 as a pullback of B1 −→ D ←− B2 and B1 ←− K −→ B2 as a pushout of B1 ←− P −→ B2 with induced morphism K → D. 2. Construct L1 −→ L ←− K as a pushout of L1 ←− B1 −→ K with induced morphism L → G. Similarly, R1 −→ R ←− K is a pushout of R1 ←− B2 −→ K with induced morphism R → H. 3. Since IPO1 = (1) + (3) and (1) is a pushout, because of the pushout decomposition prop- erty (3) is also a pushout. Similarly IPO2 = (2) + (4) and (2) being a pushout implies pushout (4). 4. By the constructions of the initial pushouts, B1 → D and B2 → D are injective and hence also P → B1, P → B2, B1 → K, B2 → K as well. This implies by the pushout and pullback properties that also K → D is injective. P ~~~~ ~~ ~~ ~~ @ @@ @@ @@ @ (PO)L1 (1) �� �� B1 @ @@ @@ @@ oo �� B2 ~~~~ ~~ ~~ ~ �� // R1 (2) �� �� L (3) �� K �� oo // R �� (4) G D //oo H Then L ←− K −→ R with pushouts (3) and (4) is pµ over G ←− D −→ H with injective morphisms L → G, K → D and R → H. Moreover injective G ←− D −→ H implies injective L ←− K −→ R. 7 / 16 Volume 16 (2009) Verification of Architectural Refactorings: Rule Extraction and Tool Support Theorem 1 (minimal rule) Assuming a span of injective graph morphisms G ←− D −→ H, the graph transformation rule pµ : L ←− K −→ R created according to Definition 5 is minimal. Proof. Given pushouts (5) and (6) over G ←− D −→ H with injective morhpism K′ → D, we have by IPO1 and IPO2, unique L1 → L′, B1 → K′, B2 → K′ and R1 → R′ such that (9) and (10) are pushouts. P ~~}} }} }} }} A AA AA AA A (PO)L1 (9) �� �� B1 A AA AA AA oo �� B2 ~~}} }} }} } �� // R1 (10) �� �� L′ (5) �� K′ �� oo // R′ �� (6) G D //oo H As P → B1 → D and P → B2 → D commutes and K′→ D is an injective morphism, it implies that P → B1 → K′ and P → B2 → K′ also commutes and hence a unique K → K′ morphism exists and the diagram below commutes. B1 ��@ @@ @@ @@ @ ''OO OOO OOO OOO OOO ## P (PO) ??�������� ��? ?? ?? ?? ? K // K′ // D B2 ??~~~~~~~~ 77oooooooooooooo ;; Now pushouts (1) and (2) implies unique morphisms L1 → L and R1 → R such that the fol- lowing diagram commutes and (7) and (8) are pushouts because of the pushout-decomposition of pushouts (9) and (10). L1 (1) �� �� B1 A AA AA AA A oo B2 ~~}} }} }} }} // R1 (2) �� �� L (7) �� K �� oo // R �� (8) L′ K′ //oo R′ And also L → L′ → G commutes with L → G using the pushout properties of L and similarly R → R′ → H commutes with R → H using the pushout properties of R. Uniqueness of L → L′, K → K′ and R → R′ in the minimality diagram follows from the injec- tivity of K′ → D, L′ → G and R′ → H. Proc. Doctoral Symposium ICGT 2009 8 / 16 ECEASST 4 Inclusion of Necessary Context As shown before, the sheer structural difference between the old and the new system is seman- tically not always comprehensible. To tackle this problem, the refactoring designer includes necessary context that makes the rule semantically complete. In Section 2 we shown two bar- riers to semantical completeness, however the list is not complete. The constraints that define the context is different each case and based on human intuition. Thus formalising a general semantical completeness is unlikely. The following process describes the theoretical framework of the context inclusion. Definition 6 (context inclusion process) Given minimal rule pµ : L ← K → R over G ← D → H with pushouts (1) and (2). L �� (1) K (2) oo // �� R �� G Doo // H L (3) �� m �� K (4) oo �� // R �� �� LK mK �� (5) KK (6) oo // �� RK �� G Doo // H The context inclusion is defined by a suitable factorisation K → KK → D of K → D with injective KK → D, where LK and RK are defined by pushouts (3) and (4). By pushout decompo- sition this leads to pushouts (5) and (6) and pK : LK ← KK → RK , where pushout (1) = (3) + (5) and pushout (2) = (4) + (6). Hence we have G⇒H via (pK , mK ) by pushouts (5) and (6) with span G←D→H. Moreover the injectivity of pµ : (L ← K → R) implies that pK : (LK ← KK → RK ) is injective as well. The construction of the minimal and extracted rule based on the refactorisation K → KK → D of K → D using our database example is shown in Figure 5. 5 Towards Refactoring Design Patterns As the aim of rule extraction is to verify only the refactoring rules, we present the theoretical background that enables such feat. In Section 2 we assumed that the refactoring on system level is behaviour preserving. As mentioned in Section 1, when using a compositional mapping to a semantic domain, the verification results of rules can substitute the system verification. 9 / 16 Volume 16 (2009) Verification of Architectural Refactorings: Rule Extraction and Tool Support �� ��; ;; ;; ;; ;; ;; ;; ;; ;; ;; ;; ;; ;; ;; ;; ;; ;; ;; ; K = B1 = B2 (PB) oo // �� ���� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� � �� �� L = L1 (PO) �� (PO) K = B1 = B2oo // �� R = R1 (PO) �� (PO) �� (PO) //oo �� �� (PO) //oo Figure 5: The construction of the minimal and extracted rule Proc. Doctoral Symposium ICGT 2009 10 / 16 ECEASST L m �� H sem �� // Rv sem �� m∗ �� G_ sem �� // H_ sem �� sem(G) R sem(H) sem(L) OO R KS sem(R) OO The overall idea behind this is illustrated in the figure above [BHE08]. The original model (component, composite structure and activity diagrams) is given by graph G. The refactoring results in graph H by the application of rule p : L → R at match m. Applying the semantic mapping sem (itself described by a graph transformation from models to CSP) to the rule’s left- and right-hand side, we obtain the CSP processes sem(L) and sem(R). Whenever the relation sem(L) R sem(R) (say R = v is trace refinement, so all traces of the left processes are also traces of the right), we would like to be sure that also sem(G) R sem(H) (traces of sem(G) are preserved in sem(H)). The main assumption is the compositionality of the semantic mapping sem. Compositionality is similar to the compositionality property of denotational semantics. As for simple mathematical expressions, we assume that the the meaning of expression 2 + 5 is determined by the meaning of 2, 5 and the semantics of the + operator, i.e. [[2 + 5]] = [[2]] ⊕ [[5]]. Figure 6: Compositional Semantic Mapping In terms of model transformations, compositionality is presented in Figure 6. A system con- sisting of components A and B with a connector c is mapped to a semantic domain through transformation sem. The result is such a set of semantic expressions where sem(A), sem(B) and sem(c) are distinguishable and their composition represents the semantics of the whole system. Intuitively, the mapping must be closed under context, i.e., the semantics of a model L is em- bedded within the semantics of an extension G of L. Embedding of CSP processes is expressed by the notion of context, i.e., a CSP expression with a single occurrence of a distinguished free variable. Definition 7 (semantic domain) A semantic domain is a triple (D,v, C ) where D is a set, v is a partial preorder on D, C is a set of total functions C[ ] : D → D, called contexts, such that d v e =⇒ C[d] vC[e] (v is closed under contexts). The equivalence relation ≡ is the symmetric closure of v. 11 / 16 Volume 16 (2009) Verification of Architectural Refactorings: Rule Extraction and Tool Support Definition 8 (compositionality) A semantic mapping sem : GraphsT G → (D,v, C ) is compo- sitional if, for any injective m0 : G0 → H0 and pushout (1) , there is a context E with sem(H0) ≡ E[sem(G0)] and sem(H′0) ≡ E[sem(G ′ 0)] G0 // (1)m0 �� G′0 m′0 �� H0 // H′0 Definition 8 applies particularly where G0 is the left hand side of a rule and H0 is the given graph of a transformation. In this case, the CSP expression generated from G0 contains the one derived from H0 up to traces, failures or divergences equivalence, while the context E is uniquely determined by H0 \sem(G0). The proof [BHE08] also relies on the fact that semantic relations R in CSP are closed under context. Theorem 2 Assume a compositional mapping sem : GraphsT G → (D,v, C ). Then, for all transformations G p,m =⇒H via rule p : L→R with injective match m, it holds that sem(L) v sem(R) implies sem(G) v sem(H). 6 Tool Support This section discusses tool support that enables the developers to refactor system architecture, extract refactoring rules and verify them. The chain of tools that are used for rule extraction and verification is in Figure 7 Figure 7: Block diagram of the tool chain 6.1 Visual Editor A visual editor is necessary to perform the architectural refactoring on model level. The editor has been implemented using the Eclipse Graphical Modelling Framework (GMF) [GMF07]. As mentioned in Section 2, the components and their instances are situated in the same di- agram, which is called a combined structure diagram. Such a diagram is shown in Figure 8. The round rectangle with label PersistentDatabase a type-level component, along with the regis- tration and databaseFrontEnd interfaces. The behaviour is encapsulated within the component. The other rectangle with label pdatabase is a component instance. It contains two interaction points (i.e. port instances): data1 and register1. Interface implementation is denoted by the usual inheritance and dependance connections: both interfaces are provided by the relevant ports. Proc. Doctoral Symposium ICGT 2009 12 / 16 ECEASST Figure 8: Basic Functionality of the Visual Editor The metamodel of the combined structure [Bis08] is represented as an Eclipse Modeling Framework (EMF) model, which is essentially an attributed typed graph. To help rule creation, every object in the diagram has an integer id value, which is 0 by default. This id expresses matches between the left- and right-hand side diagrams. Elements with the same id are matched. 6.2 Rule Extraction It is desirable to have an automated method for minimal rule extraction. Although there are algorithms solving this problem [Var06], in our case the automated minimal rule extraction is future work. Figure 9: Selected attribute Aside from editing, the visual editor enables the extraction of the refactoring rule. The attribute Selected is used for this purpose: it defines if the particular element is in the rule or not, regardless of its mach status. In Figure 9 the accept event action acquireMap is not included in the rule yet. 13 / 16 Volume 16 (2009) Verification of Architectural Refactorings: Rule Extraction and Tool Support pG : //oo Figure 10: Generic Action in Rule 6.3 Context Inclusion Consider the refactoring rule in Figure 10. It is similar to the context-included rule in Figure 4. Instead of communication actions, we used generic actions that match with accept event actions as well as send signal actions. It is obvious that this rule produces the same H when applied on G. The two rules are equivalent from the verification perspective. It is possible to give guidelines that helps developers to either extract the rules themselves, or implement heuristics that suggest possible contexts. However, the included context, even in such a simple case is ambiguous. Semantical completeness may depend not only on the model itself, but also on the implementation of the semantic mapping. In our case, the general guidelines for context inclusion are the following: • if an action is present in G then all connected edges should be present as well • if a port is present in G then all the connected interfaces should be present as well. • if a send signal action or accept event action is present in G, then the engaged port should be present as well • if a component is present in G, then its owned initial node should be present as well. 6.4 Mapping and Formal Verification The transformation that maps the combined structure diagram to CSP is implemented using the Tiger EMF Transformer tool [Tig]. It consists of 45 rules organised in 4 major groups (type-level, owned behaviour, instance-level, renaming) as detailed in [Bis08]. The rules were designed using the EMT Visual Editor. After the mapping to CSP, the expressions are checked for trace refinement with FDR2, a refinement checker for establishing properties of models expressed in CSP [FSEL05]. 7 Conclusions In this paper we addressed the the rule extraction problem for verification techniques based on compositional semantic mappings. A formal framework was presented that establishes the theo- Proc. Doctoral Symposium ICGT 2009 14 / 16 ECEASST retical background of the rule creation process enabling the development of refactoring patterns. To apply the theoretical results in practice, a tool chain was presented that supports the develop- ers to create and verify their refactoring rules. Future work includes the continual development of the editing environment methods for pos- sible automated rule extraction and further research on usable case studies. Acknowledgements: This work has been partially sponsored by the project SENSORIA, IST- 2005-016004. References [BHE08] D. Bisztray, R. Heckel, H. Ehrig. Verification of Architectural Refactorings by Rule Extraction. In Fundamental Approaches to Software Engineering. Lecture Notes in Computer Science 4961/2008, pp. 347–361. Springer Berlin / Heidelberg, 2008. [Bis08] D. Bisztray. Verification of Architectural Refactoring Rules. Technical report, De- partment of Computer Science, University of Leicester, 2008. http://www.cs.le.ac. uk/people/dab24/refactoring-techrep.pdf. [CMR+97] A. Corradini, U. Montanari, F. Rossi, H. Ehrig, R. Heckel, M. Löwe. Algebraic Approaches to Graph Transformation - Part I: Basic Concepts and Double Pushout Approach. In Handbook of Graph Grammars. Pp. 163–246. 1997. [EEPT06] H. Ehrig, K. Ehrig, U. Prange, G. Taentzer. Fundamentals of Algebraic Graph Transformation (Monographs in Theoretical Computer Science). An EATCS Series. Springer-Verlag New York, Inc., Secaucus, NJ, USA, 2006. [Ehr87] H. Ehrig. Tutorial introduction to the algebraic approach of graph grammars. In Proceedings of the 3rd International Workshop on Graph-Grammars and Their Ap- plication to Computer Science. Pp. 3–14. Springer-Verlag, London, UK, 1987. [FBB+99] M. Fowler, K. Beck, J. Brant, W. Opdyke, D. Roberts. Refactoring: Improving the Design of Existing Code. Addison-Wesley Professional, 1st edition edition, 1999. [GMF07] Eclipse Graphical Modeling Framework. http://www.eclipse.org/gmf, 2007. [Hoa85] C. A. R. Hoare. Communicating Sequential Processes. Prentice Hall International Series in Computer Science. Prentice Hall, April 1985. [Leh96] M. M. Lehman. Laws of Software Evolution Revisited. In European Workshop on Software Process Technology. Pp. 108–124. 1996. citeseer.ist.psu.edu/lehman96laws.html [FSEL05] Formal Systems Europe Ltd. FDR2 User Manual. 2005. http://www.fsel.com/ documentation/fdr2/html/index.html. 15 / 16 Volume 16 (2009) http://www.cs.le.ac.uk/people/dab24/refactoring-techrep.pdf http://www.cs.le.ac.uk/people/dab24/refactoring-techrep.pdf http://www.eclipse.org/gmf citeseer.ist.psu.edu/lehman96laws.html http://www.fsel.com/documentation/fdr2/html/index.html http://www.fsel.com/documentation/fdr2/html/index.html Verification of Architectural Refactorings: Rule Extraction and Tool Support [Tig] Tiger Developer Team. Tiger EMF Transformer. http://www.tfs.cs.tu-berlin.de/ emftrans. [Var06] D. Varró. Model Transformation by Example. In Proc. Model Driven Engineer- ing Languages and Systems (MODELS 2006). LNCS 4199, pp. 410–424. Springer, Genova, Italy, 2006. [WCG+06] M. Wirsing, A. Clark, S. Gilmore, M. Hölzl, A. Knapp, N. Koch, A. Schroeder. Semantic-Based Development of Service-Oriented Systems. In al. (ed.), Proc. 26th IFIP WG 6.1 International Conference on Formal Methods for Networked and Distributed Systems(FORTE’06), Paris, France. LNCS 4229, pp. 24–45. Springer- Verlag, 2006. http://rap.dsi.unifi.it/sensoria/Sensoria Forte.pdf Proc. Doctoral Symposium ICGT 2009 16 / 16 http://www.tfs.cs.tu-berlin.de/emftrans http://www.tfs.cs.tu-berlin.de/emftrans http://rap.dsi.unifi.it/sensoria/Sensoria_Forte.pdf Introduction Methodology Extraction of Minimal Rule Inclusion of Necessary Context Towards Refactoring Design Patterns Tool Support Visual Editor Rule Extraction Context Inclusion Mapping and Formal Verification Conclusions