Completeness and Correctness of Model Transformations based on Triple Graph Grammars with Negative Application Conditions


Electronic Communications of the EASST
Volume 18 (2009)

Proceedings of the
Eighth International Workshop on

Graph Transformation and Visual Modeling Techniques
(GT-VMT 2009)

Completeness and Correctness of Model Transformations based on
Triple Graph Grammars with Negative Application Conditions

Hartmut Ehrig , Frank Hermann and Christoph Sartorius

18 pages

Guest Editors: Artur Boronat, Reiko Heckel
Managing Editors: Tiziana Margaria, Julia Padberg, Gabriele Taentzer
ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122

http://www.easst.org/eceasst/


ECEASST

Completeness and Correctness of Model Transformations based on
Triple Graph Grammars with Negative Application Conditions

Hartmut Ehrig1 , Frank Hermann1 and Christoph Sartorius1

1 [ehrig, frank, csart](at)cs.tu-berlin.de
Institut für Softwaretechnik und Theoretische Informatik

Technische Universität Berlin, Germany

Abstract: Model transformations are a key concept for modular and distributed
model driven development. In this context, triple graph grammars have been inves-
tigated and applied to several case studies and they show a convenient combination
of formal and intuitive specification abilities. Especially the automatic derivation
of forward and backward transformations out of just one specified set of rules for
the integrated model simplifies the specification and enhances usability as well as
consistency.

Since negative application conditions (NACs) are key ingredient for many model
transformations based on graph transformation we embed them in the concept
of triple graph grammars. As a first main result we can extend the composi-
tion/decomposition result for triple graph grammars to the case with NACs. This
allows us to show completeness and correctness of model transformations based on
rules with NACs and furthermore, we can extend the characterization of information
preserving model transformations to the case with NACs.

The presented results are applicable to several model transformations and in partic-
ular to the well known model transformation from class diagrams to relational data
bases, which we present as running example with NACs.

Keywords: model transformation, triple graph grammars, completeness, correct-
ness, negative application conditions

1 Introduction

Model transformations based on triple graph grammars have been introduced in [Sch94, KS06].
In order to define a general framework independent of the specific domain and target language
the correspondences between source and target models are defined as relational mappings, where
forward and backward transformation rules are derived automatically.

In [EEE+07] we showed how to analyze bi-directional model transformations based on triple
graph grammars with respect to information preservation, which is based on a decomposition and
composition result for triple graph grammar sequences. Moreover, completeness and correctness
of model transformations have been studied on this basis in [EEH08b, EEH08c]. All formal
results in these papers, however, do not consider negative application conditions (NACs), which
are very important for several practical applications (see [SK08]). The main purpose of this
paper is to extend TGGs with NACs on a formal basis.

1 / 18 Volume 18 (2009)

mailto:[ehrig,~frank,~csart](at)cs.tu-berlin.de


Correctness and Completeness of Model Transformation

As a main result we show completeness, correctness and information preservation of model
transformations with NACs. Our new result can be used to check, whether a model transforma-
tion performed by an algorithm using triple graph transformations with NACs such as [SK08] is
correct (see Section 7). The relationship between forward and backward model transformation
sequences was analyzed already in [EEE+07] based on a canonical decomposition and compo-
sition result for triple transformations and this paper extends it to the case with NACs.

In Section 2 we review triple graphs and introduce the case study for a model transformation
from class models to relational data base models. Section 3 reviews triple rules and triple graph
transformations as introduced in [Sch94] and extends them to the case with NACs showing that
the composition and decomposition result is also valid for this extension. The second main re-
sult of correctness and completeness of model transformations based on source consistent model
transformations with NACs is presented in Section 4 and explained on a concrete model trans-
formation sequence of the example. Section 5 shows how the characterization of information
preserving bidirectional model transformations is extended to the case with NACs. Related and
future work are discussed in sections 6 and 7, respectively.

2 Review of Triple Graphs

Triple graph grammars [Sch94] are a well known approach for bidirectional model transfor-
mations. Models are defined as pairs of source and target graphs which are connected via an
intermediate correspondence graph together with its embeddings into these graphs. In [KS06],
Königs and Schürr formalize the basic concepts of triple graph grammars in a set-theoretical way,
which was generalized and extended by Ehrig et. el. in [EEE+07] to typed, attributed graphs. In
this section, we shortly review triple graphs, while triple rules are defined in Sec. 3 together with
the extension to negative application conditions (NACs).

Definition 1 (Triple Graph and Triple Graph Morphism) Three graphs GS, GC, and GT , called
source, connection, and target graphs, together with two graph morphisms sG : GC → GS and
tG : GC → GT form a triple graph G = (GS

sG← GC
tG→ GT ). G is called empty, if GS, GC, and GT

are empty graphs.
A triple graph morphism m = (s, c,t) : G→H between two triple graphs G =(GS

sG← GC
tG→ GT )

and H = (HS
sH← HC

tH→ HT ) consists of three graph morphisms s : GS → HS, c : GC → HC and
t : GT → HT such that s◦sG = sH ◦c and t ◦tG = tH ◦c. It is injective, if morphisms s, c and t are
injective. A typed triple graph G is typed over a triple graph TG = (TGS ← TGC → TGT ) by a
triple graph morphism tG : G → TG.

Example 1 The type graph of the ex-
ample is given in Fig. 1 showing the

colsattrs
parent

:CT

:AC

next

Class
name: String

Attr

name: String

type: String

Column

name: String

type: String

next

Table

name: String

Figure 1: Triple type graph for CD2RDBM

structure of class diagrams in the source
component and relational databases in
the target component. Classes corre-
spond to tables and attributes to columns.
Throughout the example, originating from
[SK08] and [EEE+07], elements are arranged left, center, and right according to the component

Proc. GT-VMT 2009 2 / 18



ECEASST

types source, correspondence and target. Morphisms starting at a connection part are given by
dotted arrow lines. Note that the case study is equipped with attribution, which is based on the
concept of E-graphs [EEPT06].

The extension of the results of this paper to the case with attributes shall be straight forward,
all results can be shown in the framework of weak adhesive HLR categories and hence, also for
the category AGraphsAT G of attributed graphs.

3 Triple Graph Grammars with NACs

Many model transformations use the concept of negative application conditions (NACs) intro-
duced in [HHT96]. NACs can ensure termination and they can control the application of model
transformation rules by defining forbidden structures as extensions of left hand sides of rules. If a
forbidden structure is present around the selected match, the corresponding rule is not applicable
and the match is invalid, i.e. NACs restrict the applicability of model transformation rules.

While triple graph grammars (TGGS) are an elegant way to descriptively define model trans-
formations by defining triple rules that specify the synchronous creation of source and target
model, formal results are mainly given for the case of TGGs without NACs. In this section we
review triple rules, derivation of transformation rules and we define NACs for triple rules. The
case study presents rules with NACs motivated by a similar model transformation in [SK08],
where NACs are used to ensure well formed list structures.

A triple rule is used to build up source and target graphs as well as their connection graph, i.e.
they are non-deleting. Structure filtering which deletes parts of triple graphs, is performed by
projection operations only, i.e. structure deletion is not done by rule applications.

Definition 2 (Triple Rule tr and Triple Transformation Step)
A triple rule tr consists of triple graphs L and R, called left-
hand and right-hand sides, and an injective triple graph mor-
phism tr = (s, c,t) : L → R. Given a triple rule tr = (s, c,t) :
L → R, a triple graph G and an injective triple graph morphism
m = (sm, cm,tm) : L → G, called triple match m, a triple graph
transformation step (TGT-step) G =

tr,m
==⇒ H from G to a triple

graph H is given by three pushouts (HS, s′, sn), (HC, c′, cn) and
(HT ,t′,tn) in category Graph with induced morphisms sH :

L = (LS
tr �� s ��

LC
sLoo

c ��

tL // LT )
t��

R = (RS RCsR
oo

tR
// RT )

LS

��

sm xxqq
LCoo //

��

cm ~~
LT

��

tm ||
G = (GS

tr
�� s′ ��

GCoo //

c′ ��

GT )

t′ ��
RS

snxx
RCoo //
cn~~

RT
tn||

H = (HS HCsH
oo

tH
// HT )

HC → HS and tH : HC → HT . Morphism n = (sn, cn,tn) is called comatch.

Moreover, we obtain a triple graph morphism d : G → H with d = (s′, c′,t′) called transforma-
tion morphism. A sequence of triple graph transformation steps is called triple (graph) transfor-
mation sequence, short: TGT-sequence. Furthermore, a triple graph grammar TGG = (S, T R)
consists of a triple start graph S and a set T R of triple rules. Given a triple rule tr we refer by
L(tr) to its left and by R(tr) to its right hand side.

Definition 3 (Triple, Source and Target Language) A set of triple rules T R defines the triple
language VL = {G| /0 ⇒∗ G via TR} of triple graphs. Source language V LS and target language
are derived by projection to the triple components, i.e. V LS = pro jS(V L) and V LT = pro jT (V L),

3 / 18 Volume 18 (2009)



Correctness and Completeness of Model Transformation

where pro jX is a projection defined by restriction to one of the triple components, i.e. X ∈
{S,C, T}.

Definition 4 (Derived Triple Rules) From each triple rule tr = L → R we have the following
source, forward, target and backward rules:

(LS
s ��

/0oo

��

// /0)
��

(RS /0oo // /0)
source rule trS

( /0
��

/0oo

��

// LT )
t ��

( /0 /0oo // RT )
target rule trT

(RS
id ��

LC
s◦sLoo

c ��

tL // LT )
t��

(RS RC
sRoo tR // RT )

forward rule trF

(LS
s ��

LC
sLoo

c ��

t◦tL // RT )
id ��

(RS RC
sRoo tR // RT )

backward rule trB

Source rules allow to create all elements of V LS as restriction of VL, but they contain less
restrictions for matches during transformation in comparison to their corresponding complete
triple rules. Thus, they possibly allow to generate more elements than V LS contains. This means
that in general we have inclusion V LS ⊆ V LS0 = {GS | /0 =⇒∗ GS via TRS} resp. V LT ⊆ V LT 0 =
{GT | /0 =⇒∗ GT via TRT}, where T RS and T RT are the sets of source resp. target rules derived
from T R.

Definition 5 (General Negative Application Condition) Given a triple rule tr = (L tr→ R), a
general negative application condition (NAC) (N, n) consists of a triple graph N and an injective
triple graph morphism n : L → N.
A match m : L → G is NAC consistent if there is no injective q : N → G such that q◦n = m. A
triple transformation G

∗⇒ H is NAC consistent if all matches are NAC consistent.

Definition 6 (Source-Target Negative Application Condition) A source-target NAC (N, n)
is a NAC with injective triple graph morphism n : L → N with n = (nS, idLC , idLT ) or n =
(idLS , idLC , nT ).
This means a source-target NAC is a NAC which only prohibits the existence of certain structures
either in the source (source NAC) or in the target part (target NAC).

:Class

name=n
:CT

:Table

name=n

Class2Table(n:String)

:parent

:Class

:Class

name=n

:CT :Table

:CT

Subclass2Table(n:String)

++
++

++

++++
++

Figure 2: Rules for transforming classes to tables

In most usecases we encounter only source-target NACs, therefore we regard them as the
standard case. In the following when speaking of NACs we always mean source-target NACs. If
this is not the case we will explicitly refer to the term general NAC.

Definition 7 (Derived Triple Rules with NACs) Given a triple rule tr with NACs and let tr be
its underlying triple rule without NACs. Let trS, trT , trF and trB be the derived rules from tr
according to Def. 4. Then, source rule trS, target rule trT , forward rule trF and backward rule
trB are given by the underlying rules trS, trT , trF and trB, where additionally trS as well as trB
contain all source NACs of tr and trT as well as trF contain all target NACs of tr.

Proc. GT-VMT 2009 4 / 18



ECEASST

NAC1
NAC2

NextAttr2NextColumn(n:String, t:String)

:cols

:AC

:Class

:Attr

:Attr

name=n

type=t

:attrs

:attrs
:CT t1:Table

:Column

:cols

++

++++ ++++

:Column

name=n

type=t
++

:cols

:next

:next
:Column

++
:Attr

:attrs

:next

:next

NAC1
NAC2

:cols

:AC

:Class

:Attr

:Attr

name=n

type=t

:attrs

:attrs
:CT t1:Table

:Column

:cols

++

++++ ++
++

:Column

name=n

type=t

:cols

:next

:next
:Column

++

Attr2NextColumn(n:String, t:String)

NAC1
NAC2

:cols

:AC

:Class

:Attr

:Attr

name=n

type=t

:attrs

:attrs
:CT t1:Table

:Column

:cols

++

++++ ++++

:Column

name=n

type=t

Attr2Column(n:String, t:String)

NAC1
:Class

:Attr

:Attr

name=n

type=t

:attrs

:attrs

++++

Source rule: Attr2ColumnS(n:String, t:String)

NAC1

:cols

:AC

:Class

:Attr

name=n

type=t

:attrs

:CT t1:Table

:Column

:cols

++

++++

:Column

name=n

type=t

Forward rule: Attr2ColumnF(n:String, t:String)

Figure 3: Rules for transforming attributes to columns and derived source and forward rule

Example 2 (Triple Rules) Examples for triple rules are given in Fig. 2 and Fig. 3 in short
notation. Left and right hand side of a rule are depicted in one triple graph. Elements, which
are created by the rule, are labeled with green ”++” and marked by green line coloring. Rule
” Class2Table” synchronously creates a class in a class diagram with its corresponding table in
the relational database. Accordingly the other rules create parts in all components. NACs are
indicated by red frames with label “NAC” around the extension of the left hand side of a rule.
Each forward rule is derived from a triple tr rule as follows: The source components which are
created in tr are preserved by trF , i.e. they are in the left hand side. The source NAC is omitted
and the rest of tr keeps the same. For example the forward rule of “Attr2Colum” is derived by
omitting “NAC1” and adding to the left hand side the attribute node with its connecting edge to
the class node shown on the right part of Fig. 3.

Theorem 1 as a main technical result of the paper shows that TGT-sequences can be decom-
posed to source and forward sequences and composed out of them. All together this correspon-
dence is bijective. The result uses the following notion of match consistency.

Definition 8 (Match and Source Consistency) Let tr∗S and tr
∗
F be sequences of source rules triS

and forward rules triF , which are derived from the same triple rules tri for i = 1, . . . , n. Let

further G00 =
tr∗S=⇒ Gn0 =

tr∗F=⇒ Gnn be a TGT-sequence with (miS, niS) being match and comatch of
triS (respectively (miF , niF ) for triF ) then match consistency of G00 =

tr∗S=⇒ Gn0 =
tr∗F=⇒ Gnn means

that the S-component of the match mi is uniquely determined by the comatch niS (i = 1, . . . , n).

5 / 18 Volume 18 (2009)



Correctness and Completeness of Model Transformation

A TGT-sequence Gn0 =
tr∗F=⇒ Gnn is source consistent, if there is a match consistent sequence

/0 =
tr∗S=⇒ Gn0 =

tr∗F=⇒ Gnn. Note that by source consistency the application of the forward rules is
controlled by the source sequence, which generates the given source model.

Theorem 1 (Decomposition and Composition of TGT-Sequences with NACs)

1. Decomposition: For each TGT-sequence
G0 =

tr1=⇒ G1 =⇒ . . . =
trn=⇒ Gn (1)

with NACs there is a corresponding match consistent TGT-sequence

G0 = G00 =
tr1S=⇒ G10 =⇒ . . . =

trnS=⇒ Gn0 =
tr1F==⇒ Gn1 =⇒ . . . =

trnF==⇒ Gnn = Gn (2)
with NACs.

2. Composition: For each match consistent transformation sequence (2) with NACs there is
a canonical transformation sequence (1) with NACs.

3. Bijective Correspondence: Composition and decomposition are inverse to each other.

Remark 1 (Injective matches) Opposed to the version without NACs in [EEE+07] the matches
of the triple rules are required to be injective. If we allow non-injective matches, then we must
allow n and q in definition 5 to be non-injective as well.

In order to prove Thm. 1 we we first show the following Lemma 1 and Lemma 2 there-
after. The first lemma shows the correspondence between valid matches of triple rules and valid
matches of their derived forward and source rules.

Lemma 1 The injective match of a triple rule tr is NAC-consistent if and only if the injective
matches of the derived rules trS and trF are NAC-consistent.

Proof of Lemma 1. From [EEE+07] we know that any tr is equal to the E-concurrent rule trS ?E
trF with E = LF .

(NS ← /0 → /0)

q′
�

�
�

�
�

���
�

�
�

�

(LS ← /0 → /0)
trS //

(id, /0, /0)��

n′=(nS, /0, /0) 44jjjjjjjjj
(RS ← /0 → /0)

(id, /0, /0)
''OO

OOO
O

(RS ← LC → LT )
trF //

idwwooo
ooo

(RS ← RC → RT )
id��

(LS ← LC → LT ) //
(mS,mC ,mT ) �� n=(nS,id,id)

��

(RS ← LC → LT ) //
(m′S,mC ,mT )��

(RS ← RC → RT )
��

(GS ← GC → GT ) // (HS ← GC → GT ) // (HS ← HC → HT )

(NS ← LC → LT )
q

jjT T T T T

Figure 4: E-concurrent rule with source NAC

Now we consider the NACs of tr and the corresponding NACs of trS and trF (as described in
Def. 7) using this construction (see Fig. 4 resp. Fig. 7). It remains to show that the matches of

Proc. GT-VMT 2009 6 / 18



ECEASST

the source rule trS and the forward rule trF are NAC consistent if and only if the match of the
triple rule tr is NAC consistent.

• match of tr is NAC-consistent for source NAC ⇒ match of trS is NAC-consistent: Assume
trS is not NAC consistent ⇒ ∃ injective q′ : N′ → G with q′ = (q′S, q

′
C, q
′
T ) such that

q′◦n′ = (mS, /0, /0). Then we are able to construct an injective morphism q : N → G with
q = (q′S, mC, mT ) such that q◦n = (mS, mC, mT ) (Fig. 4). q is a valid triple graph morphism
if (1) and (2) commute in Fig. 5. (2) commutes because (mS, mC, mT ) is a valid morphism
by construction and therefore commutes. sG ◦mC = mS ◦sL = q′S ◦nS ◦sL = q

′
S ◦sN ◦ id =

q′S ◦sN , hence (1) commutes too. This means tr is not NAC consistent ⇒ contradiction!

L

n

��
(mS,mC ,mT )

**

(LS

nS
��

mS

��

LC //sL
oo

id
��

mC

��

LT )

id
��

mT

��

N

q

��

(NS

q′S
��

(1)

LC //sN
oo

mC
��

(2)

LT )

mT
��

G (GS GC //sG
oo GT )

Figure 5: constructed morphism q is valid

• match of trS is NAC-consistent ⇒ match of tr is NAC-consistent for source NAC: Assume
tr is not NAC consistent ⇒ ∃ injective q : N → G with q = (qS, qC, qT ) such that q◦n =
(mS, mC, mT ). Then we are able to construct an injective morphism q′ : N′ → G with
q′ = (qS, /0, /0) such that q′◦n′ = (mS, /0, /0) (Fig. 4). q′ is a valid triple graph morphism
if (1) and (2) commute in Fig. 6, which they obviously do. This means trS is not NAC
consistent ⇒ contradiction!

LS

n′

��
(mS, /0, /0)

**

(LS

nS
��

mS

��

/0 //oo

/0
��

/0

��

/0)

/0
��

/0

��

N′

q′

��

(NS

qS
��

(1)

/0 //oo

/0
��

(2)

/0)

/0
��

G (GS GC //oo GT )

Figure 6: constructed morphism q′ is valid

• match of tr is NAC-consistent for target NAC ⇒ match of trF is NAC-consistent: Assume
trF is not NAC consistent ⇒ ∃ injective q′ : N′ → G′ with q′ = (q′S, q

′
C, q
′
T ) such that

q′◦n′ = (m′S, mC, mT ). Then we are able to construct an injective morphism q : N → G
with q = (mS, mC, q′T ) such that q◦n = (mS, mC, mT ) (Fig. 7). q is a valid triple graph

7 / 18 Volume 18 (2009)



Correctness and Completeness of Model Transformation

(LS ← /0 → /0)
trS //

(id, /0, /0)
��

(RS ← /0 → /0)
(id, /0, /0)
&&NN

NNN
NN

(RS ← LC → LT )
trF //

id
wwppp

ppp
p

n′=(id,id,nT )

��

(RS ← RC → RT )
id��

(LS ← LC → LT ) //
(mS,mC ,mT ) ��

n=(id,id,nT )

��

(RS ← LC → LT ) //
(m′S,mC ,mT )��

(RS ← RC → RT )

��
(GS ← GC → GT ) // (HS ← GC → GT ) // (HS ← HC → HT )

(LS ← LC → NT )
q

iiT T T T T
(RS ← LC → NT )
q′

ggN N N N

Figure 7: E-concurrent rule with target NAC

morphism if (1) and (2) commute in Fig. 8. (1) commutes because (mS, mC, mT ) is a valid
morphism by construction and therefore commutes. tG ◦mC = mT ◦ tL = qT ◦nT ◦ tL =
qT ◦tN ◦ id = qT ◦tN , hence (2) commutes too. This means tr is not NAC consistent ⇒
contradiction!

L

n

��
(mS,mC ,mT )

**

(LS

id
��

mS

��

LC
tL //oo

id
��

mC

��

LT )

nT
��

mT

��

N

q

��

(LS

mS
��

(1)

LC
tN //oo

mC
��

(2)

NT )

q′T
��

G (GS GC
tG //oo GT )

Figure 8: constructed morphism q is valid

• match of trF is NAC-consistent ⇒ match of tr is NAC-consistent for target NAC: Assume
tr is not NAC consistent ⇒ ∃ injective q : N → G with q = (qS, qC, qT ) such that q◦n =
(mS, mC, mT ). Then we are able to construct an injective morphism q′ : N′ → G′ with q′ =
(m′S, mC, qT ) such that q

′◦n′ = (m′S, mC, mT ) (Fig. 7). q
′ is a valid triple graph morphism

if (1) and (2) commute in Fig. 9, which they do analoguously. This means trF is not NAC
consistent ⇒ contradiction!

LF

n′

��
(m′S,mC ,mT )

((

(RS

id
��

m′S

��

LC //oo

id
��

mC

��

LT )

nT
��

mT

��

N′

q′

��

(RS

m′S
��

(1)

LC //oo

mC
��

(2)

NT )

qT
��

G′ (HS GC //oo GT )

Figure 9: constructed morphism q′ is valid

Proc. GT-VMT 2009 8 / 18



ECEASST

The next lemma shows that independent derivation steps of source and forward rules can be
switched.

Lemma 2 Given sequentially independent derivation steps via rules tr2S and tr1F with NACs,
then the following holds: The injective matches of G10 =

(tr1F ,m1)=====⇒ G11 =
(tr2S,m2)====⇒ G21 are NAC

consistent if and only if the injective matches of G10 =
(tr2S,m2′)=====⇒ G20 =

(tr1F ,m1′)=====⇒ G21 are NAC con-
sistent, too.

Proof of Lemma 2. Having constructed a NAC consistent match consistent sequence (3) we now
want to reorder the rules according to Fig. 10 until we have sequence (2). We have to show that
upon swapping the rules the NAC consistency is preserved (see Fig. 11 resp. Fig. 13).

L1
m1
��

tr1 // R1

  A
AA

AA
AA

A L2

m2~~}}
}}

}}
}}

tr2 //

d

tti i
i i

i i
i i

i i
i i R2

��
G1 g1

// G2 g2
// G3

G11
(tr2S,m2)

�&
DD

DD
DD

D

DD
DD

DD
D

G10

(tr1F ,m1)
8@zzzzzzz

zzzzzzz

(tr2S,m2′) �&
DD

DD
DD

D

DD
DD

DD
D

G21

G20
(tr1F ,m1′)

8@zzzzzzz

zzzzzzz

Figure 10: sequential independence of source and forward rules

N

q

��

7
/

'
�

�
�

�

q′

��

�

�

�

�

�

�

�

L2
m2
��

tr2S

""D
DD

DD
DD

D

n=(nS, /0, /0)

OO

d

����
��

��
��

��
��

��
�

G11

g2 ""D
DD

DD
DD

D
R2

��

����
��

��
��

��
��

��
�

G10

g1

<<zzzzzzzz

""D
DD

DD
DD

D
G21

G20

<<zzzzzzzz

Figure 11: sequential independence: source rule with NAC

• match m2 of tr2S is NAC consistent ⇒ match m′2 = d of tr2S is NAC consistent: Assume d
is not NAC consistent ⇒ ∃ injective q′ : N → G10 with q′ = (q′S, q

′
C, q
′
T ) = (q

′
S, /0, /0) such

that q′◦n = d. Furthermore we know that g1 ◦d = m2. Thus g1 ◦q′◦n = m2. Because g1
is based on a forward rule we know that (G10)S = (G11)S and g1S = idG10S ⇒ ∃ injective

9 / 18 Volume 18 (2009)



Correctness and Completeness of Model Transformation

q : N →G11 with q = g1◦q′ = (q′S, /0, /0) such that q◦n = m2 because q◦n = g1◦q
′◦n = m2.

q is a valid triple graph morphism if (1) and (2) commute in Fig. 12, which they obviously
do. This means m2 is not NAC consistent ⇒ contradiction!

L2

n

��
m2

%%

(L2S

nS
��

m2S

��

/0 //oo

/0
��

/0

��

/0)

/0
��

/0

��

N

q

��

(NS

q′S
��

(1)

/0 //oo

/0
��

(2)

/0)

/0
��

G11 (G11S G11C //oo G11T )

Figure 12: constructed morphism q is valid

• match d of tr2S is NAC consistent ⇒ match m2 of tr2S is NAC consistent: Assume m2 is
not NAC consistent ⇒ ∃ injective q : N → G11 with q = (qS, qC, qT ) = (qS, /0, /0) such
that q◦n = m2. We know that g1 ◦d = m2. Thus g1 ◦d = q◦n. Because g1 is based on a
forward rule we know that (G10)S = (G11)S and g1S = idG10S ⇒ dS = qS◦nS ⇒ ∃ injective
q′ : N → G10 with q′ = (qS, /0, /0) such that q′◦n = d because q′S◦nS = dS. q

′ is a valid triple
graph morphism by the same arguments as in Fig. 12. This means d is not NAC consistent
⇒ contradiction!

N

q

��

�
�

�
�

'
/

7

q′

��

7
2

.

+

)

&

#

R1

��
L1
m1
��

tr1F <<zzzzzzzz
n

OO

g3◦m1
22

22
22

2

��2
22

22
22

G11

""D
DD

DD
DD

D

G10

g1zzz

<<zzz

g3
DD

D

""D
DD

G21

G20

<<zzzzzzzz

Figure 13: sequential independence: forward rule with NAC

• match m1 of tr1F is NAC consistent ⇒ match m′1 = g3 ◦ m1 of tr1F is NAC consis-
tent: Assume m′1 in Fig. 13 is not NAC consistent ⇒ ∃ injective q

′ : N → G20 with
q′ = (q′S, q

′
C, q
′
T ) such that q

′◦n = m′1. We know that (L1)S = NS and (L1)C = NC with
nS = idL1S and nC = idL1C . Furthermore g3 is based on a source rule which means that
(G10)T = (G20)T and g3T = idG10T . Thus ∃ injective q : N → G10 with q = (m1S , m1C , q

′
T )

such that q◦n = m1. q is a valid triple graph morphism if (1) and (2) commute in Fig.
14. (1) commutes obviously. tG10 ◦m1C = m1T ◦tL1 = q

′
T ◦nT ◦tL1 = q

′
T ◦tN ◦ id = q

′
T ◦tN ,

hence (2) commutes too. This means m1 is not NAC consistent ⇒ contradiction!

Proc. GT-VMT 2009 10 / 18



ECEASST

L1

n

��
m1

%%

(L1S

id
��

m1S

��

L1C
tL1 //oo

id
��

m1C

��

L1T )

nT
��

m1T

��

N

q

��

(NS

m1S
��

(1)

NC
tN //oo

m1C
��

(2)

NT )

q′T
��

G10 (G10S G10C
tG10 //oo G10T )

Figure 14: constructed morphism q is valid

• match m′1 = g3 ◦m1 of tr1F is NAC consistent ⇒ match m1 of tr1F is NAC consistent:
Assume m1 is not NAC consistent ⇒ ∃ injective q : N → G10 with q = (qS, qC, qT ) such
that q◦n = m1. We know that (L1)S = NS and (L1)C = NC with nS = idL1S and nC = idL1C .
Furthermore g3 is based on a source rule which means that (G10)T = (G20)T and g3T =
idG10T . Thus ∃ injective q

′ : N → G20 with q′ = (m′1S, m
′
1C, qT ) such that q

′◦n = g3 ◦m1.
q′ is a valid triple graph morphism by the same arguments as for Fig. 14. This means m′1
is not NAC consistent ⇒ contradiction!

Proof of Theorem 1. This proof is based on the proof without NACs in [EEE+07] and the fol-
lowing triangle diagram.

G00
tr1S +3

tr1 �&
DD

DD
DD

D

DD
DD

DD
D

G10
tr2S +3

tr1F
��

G20 . . .
trnS +3

tr1F
��

Gn0

tr1F
��

G11
tr2S +3

tr2
 (

JJ
JJ

JJ
JJ

J

JJ
JJ

JJ
JJ

J
G21 . . .

trnS +3

tr2F
��

Gn1
tr2F
��. . .

trn  (
JJ

JJ
JJ

JJ
J

JJ
JJ

JJ
JJ

J . . .

trnF
��

Gnn
In a first step we want to decompose the match consistent NAC-consistent TGT-sequence (1)

with injective matches into an intermediate version

G0 = G00 =
tr1S=⇒ G10 =

tr1F==⇒ G11 =
tr2S=⇒ . . . =trnS=⇒ Gn(n−1) =

trnF==⇒ Gnn = Gn (3)

which is match consistent and NAC-consistent.
In [EEE+07] it has been shown that any tr is equal to the E-concurrent rule trS ?E trF without

NACs with E = LF - the left hand side of the forward rule. Using this result following Lemma 1
multiple times we are able to split the triple rules with NACs until we obtain sequence (3).

Thereafter we can reorder the rules until we have sequence (2). In [EEE+07] it has been
shown that triS and tr jF are sequentially independent for i > j without NACs. Following Lemma
2 multiple times finally leads to sequence (2) which is still match consistent and NAC-consistent.

11 / 18 Volume 18 (2009)



Correctness and Completeness of Model Transformation

Analogously we can transform sequence (2) back into sequence (1). The bijective correspon-
dence follows from the bijective correspondence of the Concurrency Theorem and the Local
Church-Rosser Theorem in conjunction with the equivalence of the NAC-consistency according
to Lemma 1 and 2.

4 Completeness and Correctness of Model Transformations with
NACs

Model transformations with NACs from models of the source language VLS0 to models of the
target language VLT 0 can be defined on the basis of forward rules as shown in [EEE+07] without
NACs. Vice versa, it is also possible to define backward transformations from target to source
graphs using derived backward rules leading to bidirectional model transformations. In this
section we analyze completeness and correctness of model transformations. Main results are
based on the composition and decomposition result in Thm. 1 in Sec. 3.

Definition 9 (Model Transformation) MT = (GS, G =
tr∗F=⇒ H, HT ) is a model transformation

from GS to HT , if G =
tr∗F=⇒ H is source consistent with NACs, where GS and HT are the source and

target graphs of G and H, respectively.

As pointed out already source consistency with NACs of G =
tr∗F=⇒ H means that the forward

sequence is controlled by the corresponding source sequence /0 =
tr∗S=⇒ G which generates G. Model

transformations are correct and complete with respect to the source and target language V LS =
pro jS(V L) and V LT = pro jT (V L) (see Def. 3).

Theorem 2 (Correctness with NACs) Each model transformation MT = (GS, G =
tr∗F=⇒ H, HT )

is correct, i.e. GS ∈V LS and HT ∈V LT .

Proof. (G =
tr∗
=⇒ H) source consistent ⇒ ∃ ( /0 =

tr∗S=⇒ G =
tr∗F=⇒ H) match consistent and GS = HS

⇒ ∃ ( /0 =tr
∗

=⇒ H) by Thm. 1 ⇒ H ∈V L and HT ∈V LT and GS = HS ∈ VLS.

Theorem 3 (Completeness with NACs) For each H ∈ VL : ∃ model transformation MT =
(GS, G =

tr∗F=⇒ H, HT ) with GS ∈V LS, HT ∈V LT . This means in particular:
• For each HT ∈V LT : ∃ GS ∈V LS and model transformation MT = (GS, G =

tr∗F=⇒ H, HT ),

• For each GS ∈V LS : ∃ HT ∈V LT and model transformation MT = (GS, G =
tr∗F=⇒ H, HT ).

Proof. H ∈V L ⇒ ∃ ( /0 =tr
∗

=⇒ H) =T hm.1===⇒ ∃ match consistent ( /0 =
tr∗S=⇒ G =

tr∗F=⇒ H) and GS = HS ⇒
GS ∈V LS, HT ∈ VLT and G =

tr∗F=⇒ H is source consistent ⇒ MT = (GS, G =
tr∗F=⇒ H, HT ) is model

transformation.

Coming back to the example of a model transformation from class diagrams to database mod-
els, the relevance and value of the given theorems can be described from the more practical view.

Proc. GT-VMT 2009 12 / 18



ECEASST

Forward Sequence Elements Backward Sequence Elements
Step Matched Created Matched Created
1 s1 c1,t1 t1 s1,c1
2 s1,c1,t1,s4,s9 c4 s1,c1,t1 s4,s9,c4
3 s1,s2,s7,c1,t1 c2,t2,t5 s1,c1,t1,t2,t5 s2,s7,c2
4 s1-s3,s6-s8,c1,t1,t2,t5 c3,t3,t6,t7 s1,c1,t1-t3,s2,c2,s7,t5-t7 c3,s3,s6,s8
5 s4,s5,s10,c4,t1,t3,t6 c5,t4,t8,t9 s4,c4,t1,t3,t4,t8,t9 c5,s5,s10

Table 1: Steps forward and backward model transformation

The resulting data base of the following model transformation is correctly typed and completely
corresponds to the class diagram, which is the source model of the transformation.

Example 3 Fig. 15 shows triple graph G5 of the model transformation (GS = G0,S, G0 =
tr∗F=⇒

G5, GT = G5,T ) with the following forward sequence: G0 =
Class2Table
======⇒ G1 =

Subclass2Table
========⇒ G2 =

Attr2Col
====⇒

G3 =
NextAttr2NextCol
=========⇒ G4 =

Attr2NextCol
=======⇒ G5,

where G0 is generated by the corre-

t5:cols

s9:parent

c2:

AC

s8:next

s1:Class

name=“Person“

s5:Attr

name=“customer_id“

type=Integer

t2:Column

name=“S-ID“

type=String

t7:next

s4:Class

name=“Customer“

s3:Attr

name=“birth“

type=String

s2:Attr

name=“S-ID“

type=String

s7:attrss6:attrs

s10:attrs

c3:

AC

c5:

AC

c1:

CT

t1:Table

name=“Person“

t3:Column

name=“birth“

type=String

t4:Column

name=“customer_id“

type=Integer

c4:

CT

t6:cols

t8:cols
t9:next

Figure 15: G5 of Forward Sequence

sponding source sequence /0 =
tr∗S=⇒ G0.

All elements are labeled with numbers
specifying the matches and the created
objects for each transformation step ac-
cording to the left part of Table 1. GS
is given by G5 restricted to elements of
the class diagram part. After creating
the table and building up the correspon-
dences to the class nodes in the first
two derivation steps, rules for translat-
ing attributes are applied. All steps
of the sequence respect the NACs and
furthermore, they correspond to a suit-
able source sequence making the for-
ward transformation source consistent.
In the third step, rule “Attr2Column” is
applied and translates attribute “s2” to column “t2”. Attribute s3 is generated after s2 in the
source sequence, which is required by the source NAC of “NextAttr2NextColumn”. Thus, the
corresponding forward transformation translates s3 after s2. The remaining two attributes are
translated by “NextAttr2NextColumn” and “Attr2NextColumn”, where the target NACs ensure
that the created columns are inserted after the last existing one of table “t1”. Thus, the ordering
of the created columns is not completely determined by the source model itself, but depends on
the chosen source sequence. The nodes and edges of correspondence and target component as
well as the morphisms (G5,S ← G5,C → G5,T ) are created during the forward transformation.

13 / 18 Volume 18 (2009)



Correctness and Completeness of Model Transformation

5 Information Preserving Model Transformations

In [EEE+07] we have shown that there is an equivalence between corresponding forward and
backward TGT sequences. This equivalence is based on the canonical decomposition and com-
position result, which is extended to the case with NACs in this paper (see Theorem 1).

Theorem 1 and its dual version lead to the following equivalence of forward and backward
TGT-sequences with source-target NACs, which can be derived from the same general TGT-
sequence.

Theorem 4 (Equivalence of Forward and Backward TGT-sequences with source-target NACs)
Each of the following TGT-sequences with source-target NACs implies the other ones where the
matches are uniquely determined by each other.

1. G0
tr1=⇒ G1

tr2=⇒ G2 =⇒ ...
trn=⇒ Gn (1)

2. G0 = G00
tr1S=⇒ G10 =⇒ ...

trnS=⇒ Gn0
tr1F=⇒ Gn1 =⇒ ...

trnF=⇒ Gnn = Gn, (2)
which is match consistent. In this case we have: G00,T = Gn0,T , Gn0,S = Gnn,S.

3. G0 = G00
tr1T=⇒ G01 =⇒ ...

trnT=⇒ G0n
tr1B=⇒ G1n =⇒ ...

trnB=⇒ Gnn = Gn, (3)
which is match consistent. In this case we have: G00,S = G0n,S, G0n,T = Gnn,T .

Proof. Theorem 4 is a direct consequence of Theorem 1 concerning decomposition and com-
position of forward TGT-sequences with NACs and its dual version for target rules triT and
backward rules triB where match consistency in Part 3 is defined by the T-components of the
matches.

Theorem 5 (Information Preserving Forward Transformation)
Each source consistent forward TGT-sequence G =

tr∗F=⇒ H is backward information preserving,
i.e. for K = ( /0 ← /0 → HT ), there is a backward TGT-sequence K =

tr∗B=⇒ H, which means that the
source model GS can be reconstructed from the target model HT :

G =
tr∗F=⇒ H −pro jT−−−→ K =

tr∗B=⇒ H with GS = HS.

Proof. G =
tr∗F=⇒ H is source consistent which implies the existence of (2) /0 =

tr∗S=⇒ G =
tr∗F=⇒ H being

match consistent with GS = HS. By Theorem 4 with G0 = /0, Gn0 = G, G0n = K and Gn = H
we obtain (3) /0 =

tr∗T=⇒ K =
tr∗B=⇒ H being match consistent with KT = HT and HS = GS leading to

G =
tr∗F=⇒ H −pro jT−−−→ K =

tr∗B=⇒ H. Hence, G =
tr∗F=⇒ H is backward information preserving.

Example 4 Example 3 Table 1 shows that for the given model transformation G0 =
tr∗F=⇒ G5 ac-

cording to Thm. 5 there is an inverse backward transformation G5|T =
tr∗B=⇒ G5, i.e. the source

model can be reconstructed. However, there are also target consistent backward transformations

G5|T =
tr∗B=⇒ G′5 with G

′
5,S 6= G0,S, because there are some class models with different inheritance

relations corresponding to the given data base model.

Proc. GT-VMT 2009 14 / 18



ECEASST

6 Related Work

Correctness of model transformations can be analyzed from different perspectives. Baleani et.
al. motivate in [BFM+05] that correctness of model transformations for industrial tools should
be based on formal models in order to ensure correctness by construction. For this purpose they
suggest to use a block diagram formalism, called synchronous reactive model of computation
(SR MoC). However, correct interpretation of the model transformation rules does not imply a
correct result, such that it is a model of the target language. Semantical correctness is discussed
by Karsai et. al. in [KN06], where specific behavior properties of the source model shall be
reflected in the target model. This property can be checked for a restricted class of models. In
[EE08] semantical correctness is ensured by using the rules for the model transformation also
for the transformation of the operational semantics, which is given by graph rules. This way the
behaviour of the source model can be compared with the one of the target model by checking
mixed confluence. However, this paper concentrates on syntactical correctness based on the
integrated language generated by the triple rules.

Our example in this paper presents a model transformation with NACs from class diagrams
to relational data bases and it is based on the grammars defined in [EEE+07] and especially on
[SK08]. In contrast to the presented algorithm in [SK08] for controlling the model transfor-
mations we introduced NAC consistency based on source consistent forward sequences. In this
way we could extend several important results to the case of TGGs with NACs. In particular,
model transformations given by source consistent forward transformations are correct and com-
plete with respect to V L by Theorems 2 and 3. While a formal proof of correctness for the above
mentioned algorithm is not given in [SK08], completeness of the algorithm is effectively not
ensured, because recursion calls may cause transformations that produce structures forbidden by
other necessary rule applications.

But still the algorithm in [SK08] convinces to be an elegant approach for a restricted class of
relations to efficiently detect correct rule orderings for a subset of model transformations. This
opens the possibility to combine efficiency with the here presented results in the following way:
Each model transformation with NACs given by an efficient algorithm can be checked to be
correct by performing the test of source consistency presented as Fact 2 in [EEH08c], which is
now also valid for model transformations with NACs according to Thm. 1.

Model transformations based on triple rules with NACs were also analyzed in [EP08] for a
restricted class of triple rules with distinct kernel elements. Special NACs of forward rules ensure
that kernels are not translated twice and kernel typing guarantees that each rule produces exactly
one kernel. For this restricted class of triple graph grammars local confluence and termination
can be analyzed and thus, model transformations can be checked for functional behaviour.

7 Conclusion

This paper focusses on syntactical correctness and completeness. In order to analyze these impor-
tant properties we extended the composition and decomposition result for triple graph transfor-
mations in [EEE+07] to the case with NACs, i.e. TGT sequences with NACs can be decomposed
into source and forward as well as target and backward transformations, respectively, and vice

15 / 18 Volume 18 (2009)



Correctness and Completeness of Model Transformation

versa. Based on this fundamental property we have shown that source consistent model transfor-
mations are correct and complete with respect to the language given by the original triple rules.
This extends the result in [EEH08a] to triple rules with NACs.

Source consistency of model transformations guarantees that each element of the source model
was matched by a model transformation rule and correspondences to target model elements were
created. A suitable source sequence can be calculated by parsing the source model using the
source rules and the corresponding forward transformation can be checked to be source consis-
tent. Alternatively, forward transformations can be created by an arbitrary strategy and checked
afterwards using the algorithm for checking source consistency presented in [EEH08c]. Source
consistency is not restricted to cases, where all source nodes have to be connected via corre-
spondence nodes. Therefore, correctness of many algorithms for model transformations based
on triple rules with NACs can be checked using the source consistency check.

According to [EEH08a] model integration sequences can be characterized as special model
transformation sequences, such that the results of this paper for model transformation can be
transferred to model integrations based on triple rules in a next step.

In this paper we focused on NACs which specify conditions on separately source and target
elements. They are sufficient to most model transformations, which were considered by case
studies so far. However, future work will include the analysis of how to handle general NACs
and their relevance for language specification. An interesting problem - which could be solved
with general NACs - is termination, where a parsing of the source model is omitted. A possibil-
ity may be to introduce additional NACs for the forward rules, such that source elements, which
are already in correspondence with target elements, cannot be matched again for translation. In
this way termination for a restricted class of rules could be ensured automatically. But note that
NACs, which are equal to the right hand side of a forward rule, are not sufficient, because in this
case matches of the transformation are required to be essential.

This paper has been published as technical report in [EHS09].

Bibliography

[BFM+05] M. Baleani, A. Ferrari, L. Mangeruca, A. L. Sangiovanni-Vincentelli, U. Freund,
E. Schlenker, H.-J. Wolff. Correct-by-Construction Transformations across Design
Environments for Model-Based Embedded Software Development. Design, Automa-
tion and Test in Europe Conference and Exhibition 2:1044–1049, 2005.
doi:http://doi.ieeecomputersociety.org/10.1109/DATE.2005.105

[EE08] H. Ehrig, C. Ermel. Semantical Correctness and Completeness of Model Transfor-
mations using Graph and Rule Transformation. In Proc. International Conference
on Graph Transformation (ICGT’08). LNCS 5214, pp. 194–210. Springer Verlag,
Heidelberg, 2008.
http://tfs.cs.tu-berlin.de/publikationen/Papers08/EE08a.pdf

[EEE+07] H. Ehrig, K. Ehrig, C. Ermel, F. Hermann, G. Taentzer. Information Preserving
Bidirectional Model Transformations. In Dwyer and Lopes (eds.), Fundamental Ap-

Proc. GT-VMT 2009 16 / 18

http://dx.doi.org/http://doi.ieeecomputersociety.org/10.1109/DATE.2005.105
http://tfs.cs.tu-berlin.de/publikationen/Papers08/EE08a.pdf


ECEASST

proaches to Software Engineering. LNCS 4422, pp. 72–86. Springer, 2007.
http://tfs.cs.tu-berlin.de/publikationen/Papers07/EEE+07.pdf

[EEH08a] H. Ehrig, K. Ehrig, F. Hermann. From Model Transformation to Model Integration
based on the Algebraic Approach to Triple Graph Grammars. In Ermel et al. (eds.),
Proc. Workshop on Graph Transformation and Visual Modeling Techniques (GT-
VMT’08). Volume 10. EC-EASST, 2008.
http://eceasst.cs.tu-berlin.de/index.php/eceasst/issue/view/19

[EEH08b] H. Ehrig, C. Ermel, F. Hermann. On the Relationship of Model Transformations
Based on Triple and Plain Graph Grammars. In Karsai and Taentzer (eds.), Proc.
Third International Workshop on Graph and Model Transformation (GraMoT’08).
ACM, New York, NY, USA, 2008.
doi:http://doi.acm.org/10.1145/1370175.1370244
http://tfs.cs.tu-berlin.de/publikationen/Papers08/EEH08.pdf

[EEH08c] H. Ehrig, C. Ermel, F. Hermann. On the Relationship of Model Transforma-
tions Based on Triple and Plain Graph Grammars (Long Version). Technical re-
port 2008/05, Technische Universität Berlin,Fakultät IV, 2008.
http://iv.tu-berlin.de/TechnBerichte/2008/2008-05.pdf

[EEPT06] H. Ehrig, K. Ehrig, U. Prange, G. Taentzer. Fundamentals of Algebraic Graph Trans-
formation. EATCS Monographs in Theoretical Computer Science. Springer Verlag,
2006.
http://www.springer.com/3-540-31187-4

[EHS09] H. Ehrig, F. Hermann, C. Sartorius. Completeness and Correctness of Model Trans-
formations based on Triple Graph Grammars with Negative Application Conditions
(Long Version). Technical report 2009/3, TU Berlin, 2009.
http://www.eecs.tu-berlin.de/fileadmin/f4/TechReports/2009/tr-2009-03.pdf

[EP08] H. Ehrig, U. Prange. Formal Analysis of Model Transformations Based on Triple
Graph Rules with Kernels. In Ehrig et al. (eds.), Proc. International Conference
on Graph Transformation (ICGT’08). LNCS 5214, pp. 178–193. Springer Verlag,
Heidelberg, 2008.
http://tfs.cs.tu-berlin.de/publikationen/Papers08/EP08a.pdf

[HHT96] A. Habel, R. Heckel, G. Taentzer. Graph Grammars with Negative Application Con-
ditions. Special issue of Fundamenta Informaticae 26(3,4):287–313, 1996.

[KN06] G. Karsai, A. Narayanan. On the Correctness of Model Transformations in the De-
velopment of Embedded Systems. In Kordon and Sokolsky (eds.), Monterey Work-
shop. LNCS 4888, pp. 1–18. Springer, 2006.

[KS06] A. Königs, A. Schürr. Tool Integration with Triple Graph Grammars - A Survey. In
Proc. SegraVis School on Foundations of Visual Modelling Techniques. Volume 148,
pp. 113–150. Electronic Notes in Theoretical Computer Science, Elsevier Science,

17 / 18 Volume 18 (2009)

http://tfs.cs.tu-berlin.de/publikationen/Papers07/EEE+07.pdf
http://eceasst.cs.tu-berlin.de/index.php/eceasst/issue/view/19
http://dx.doi.org/http://doi.acm.org/10.1145/1370175.1370244
http://tfs.cs.tu-berlin.de/publikationen/Papers08/EEH08.pdf
http://iv.tu-berlin.de/TechnBerichte/2008/2008-05.pdf
http://www.springer.com/3-540-31187-4
http://www.eecs.tu-berlin.de/fileadmin/f4/TechReports/2009/tr-2009-03.pdf
http://tfs.cs.tu-berlin.de/publikationen/Papers08/EP08a.pdf


Correctness and Completeness of Model Transformation

Amsterdam, 2006.
http://www.sciencedirect.com/science/journal/15710661

[Sch94] A. Schürr. Specification of Graph Translators with Triple Graph Grammars. In Tin-
hofer (ed.), WG94 20th Int. Workshop on Graph-Theoretic Concepts in Computer
Science. LNCS 903, pp. 151–163. Springer Verlag, Heidelberg, 1994.

[SK08] A. Schürr, F. Klar. 15 Years of Triple Graph Grammars. In Ehrig et al. (eds.), ICGT.
LNCS 5214, pp. 411–425. Springer, 2008.
doi:10.1007/978-3-540-87405-8 28

Proc. GT-VMT 2009 18 / 18

http://www.sciencedirect.com/science/journal/15710661
http://dx.doi.org/10.1007/978-3-540-87405-8_28

	Introduction
	Review of Triple Graphs
	Triple Graph Grammars with NACs
	Completeness and Correctness of Model Transformations with NACs
	Information Preserving Model Transformations
	Related Work
	Conclusion