View-based Modelling and State-Space Generation for Graph Transformation Systems Electronic Communications of the EASST Volume 47 (2012) Proceedings of the 11th International Workshop on Graph Transformation and Visual Modeling Techniques (GTVMT 2012) View-based Modelling and State-Space Generation for Graph Transformation Systems Niaz Arijo and Reiko Heckel 14 pages Guest Editors: Andrew Fish, Leen Lambers Managing Editors: Tiziana Margaria, Julia Padberg, Gabriele Taentzer ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122 http://www.easst.org/eceasst/ ECEASST View-based Modelling and State-Space Generation for Graph Transformation Systems Niaz Arijo1 and Reiko Heckel2 1 nha2@leicester.ac.uk, 2 reiko@mcs.le.ac.uk Department of Computer Science, University of Leicester, UK Abstract: Modelling complex systems by graph transformation, we face scalability challenges both in our ability to create and understand these models and in the abil- ity of tools to analyse them. To address these problems we propose to model graph transformation systems in views which can be understood and analysed separately. In particular, we show that transition systems can be generated separately for differ- ent views which, when synchronised using a CSP-like operator, yield a system that is bisimilar to the original global system. Keywords: modularity, mobility, performance modelling, graph transformation, process algebra 1 Introduction When modelling applications in domains such as mobile, distributed, socio-technical or biolog- ical systems, we often face the requirement to represent structural dynamics as well as uncer- tainty of outcome or timing. Stochastic graph transformation systems address this combination. One approach to analysis of such systems [AHTG11] requires the generation of labelled transi- tion systems (LTS) to derive a Continuous Time Markov Chains (CTMC) as input to stochastic analysis tools. Models in the aforementioned areas are often complex, addressing different aspects of the system being modelled as well as its interaction with the environment. For example, a traffic information system (TIS) lives in an environment determined by the road network (used by vehi- cles), and existing wireless networks for propagating accident information. Apart from unreliable connections, applications on mobile clients have to be location-aware to deliver the desired func- tionality. To predict the performance of such an application, or optimise its parameters, we have to be aware of this environment and incorporate this into our models. This complexity implies two challenges: How to structure a complex model addressing dif- ferent aspects of a complex domain, and How to overcome the usual scalability problem in generating the LTS of a complex model. We address these questions by a view-based approach to modelling and state space generation. For example, in our model the system is structured into two views, one addressing location and physical mobility and the other one connectivity and communication between vehicles and the TIS. In a bottom-up approach, such views can be cre- ated separately to be composed along common interfaces to yield a global view of the system. In a top-down approach, a global system can be decomposed to allow for the local generation of LTSs and their subsequent synchronisation. 1 / 14 Volume 47 (2012) mailto:nha2@leicester.ac.uk mailto:reiko@mcs.le.ac.uk View-based Modelling and State-Space Generation for Graph Transformation Systems To implement the approach, we use GROOVE [Ren04] for creating graph transforma- tion systems as views and generating their LTSs. These are then translated, using our own tool [AHTG11], into processes in PEPA, the Performance Evaluation Process Algebra [Hil05a, Hil05b] which allows us to synchronise them. PEPA is supported by an Eclipse-based environ- ment [TDG09] giving access to a range of model evaluation and analysis tools. In this paper we focus on the correctness of the view-based approach, describing the conditions under which the composition or decomposition of views is correct with respect to the behaviour of the global system, i.e., such that the synchronisation of the local views’ LTSs yields an LTS bisimilar to that derived directly from the global system. In particular, this requires to identify conditions on rule signatures and negative application conditions to ensure that synchronisation of local steps on shared labels yields consistent global steps and that global steps can be projected into corresponding local ones. This applies to both the top down approach which starts from a global system, decomposing it, and the bottom up approach composing individual components. After discussing related work below and recalling the basic definitions of typed attributed graph transformation in Sect. 3, Sect. 4 introduces the signatures equipped to derive labelled transition systems from graph transformation systems. Sect. 5 introduces the operations of pro- jection and composition at specification level before Sect. 6 studies their semantic counterparts at the level of transition systems. Sect. 7 concludes the paper. 2 Related Work Using modularity to reduce complexity is an old idea, even in graph transformation. Specifically the present approach is inspired by proposals on view based modelling [EHTE97, Hec98], but apart from being fully formalised, differs from it in two ways. First, we consider attributes and application conditions, and second, the present approach does not apply a loose semantics. The reason is that, to generate a transition system, loose semantics is not practical because it would allow far too many transitions. At the specification level this means that in this paper we use more restrictive conditions on views and their composition. The formalisation in this paper confirms the earlier, informal approach in [AHTG11] where the TIS case study is developed in more detail and analysed using tool support for projection into views and derivation of PEPA processes. More recently, the idea of “borrowed context” has been used to achieve modularity [BEK06]. Specifically, this idea has been applied in [Ren10] to generate transition systems in GROOVE in a compositional way. This work shares some of our motivation, but achieves modularity by decomposing graphs at the instance rather than at the type level. It does not consider negative application conditions. Outside of graph transformation, the problem of merging behavioural models has attracted attention [NC08]. Usually, the idea is to work at the level of LTS and consider merging as com- mon refinement [UC04]. At this level, our approach appears more basic because, rather than refinement, we use composition of LTS at the same level of abstraction. However, we take into account the internal structure of states and specifications of the operations transforming them, making for a more complex model. Typical examples discussed in [NC08] include state machines and message sequence charts, i.e., high-level behavioural models without reference to complex data states. Proc. GTVMT 2012 2 / 14 ECEASST 3 Typed Attributed Graph Transformation This section introduces the basic notions of typed attributed graph transformation with negative application conditions, illustrating them using our TIS example. The formalisation follows the algebraic approach [EEPT06]. A graph is a tuple (V,E,src,tgt) where V is a set of nodes (or vertices), E is a set of edges and src,tgt : E → V associate, respectively, a source and target node for each edge in E. Given graphs G1 and G2, a graph morphism is a pair ( fV , fE) of total functions fV : V1 →V2 and fE : E1 → E2 such that source and targets of edges are preserved. An E-graph is a graph equipped with an additional set VA of data nodes (or values) and special sets of edges EEA (edge attributes) and ENA (node attributes) connecting, respectively, edges in E and nodes in V to values in VA. An attributed graph is a tuple (EG,A) where EG is an E-graph and A is an algebra with signature Σ = (S,OP) such that ⊎ s∈S As = VA. Intuitively, an attributed graph is an E-graph where VA is the set of all data values available for attribution. A morphism f : (EG,A) → (EG′,A′) of attributed graphs is a pair of an E-graph morphism fEG : EG → EG′ and a compatible algebra homomorphism fA : A→A′. Fixing an attributed graph T G as attributed type graph, we define the category AGraphTG of T G-typed attributed graphs [EEPT06]. Objects are pairs (G,t) of attributed graphs G with typing homomorphisms t : G → T G and morphisms f : G → H are attributed graph morphisms compatible with the typing. We denote by X = (Xs)s∈S a family of countable sets of variables, indexed by sorts s ∈ S, and write x : s ∈ X for x ∈ Xs. A T G-typed graph transformation rule (or production) over X is a span L l←− K r−→ R where l,r are monomorphisms, the algebra component of L,K,R is TΣ(X) (the term algebra of Σ with variables in X ) such that lA = rA = idTΣ(X). That means, variable names are preserved across the rule. The class of all rules over T G with variables in X is denoted Rules(T G,X). We use graphs to model the structure of the application, including the topology of locations, current locations of relevant devices, links between application components and their states. The type graph provides a structural model of the admissible states of the system, similar to the way a class diagram describes valid object structures. Fig. 1 shows the type graph of the TIS model (left) with an instance graph (right) representing a map of Roads and Junctions as well as two Cars following predefined Paths. The model allows to represent Accidents that can be reported to the TIS, to share the information with other Cars. To identify Cars, these nodes have been given id attributes of type integer. In general we allow graph nodes to be attributed by values of predefined data types, such as strings or natural numbers. In this paper all attribute values will be positive integers. The operational semantics of rules is defined by the double-pushout construction. Given a T G-typed graph G and graph production L l← K r→ R together with a match (a T G-typed graph morphism) m : L → G, a direct derivation G p,m =⇒ H exists if and only if the diagram below can be constructed, where squares (1) and (2) are pushouts in AGraphTG such that G,C,H share the same algebra A and the algebra components l∗A,r ∗ A of morphisms l ∗,r∗ are identities on A. This ensures that data elements are preserved across derivation sequences, which allows their use as actual parameters in a global namespace. We also write G p/d =⇒ H to refer to the entire DPO diagram d = (dL,dK,dR). A derivation is a sequence G0 p1, m1 =⇒ G1 p2, m2 =⇒ ... pn, mn =⇒ Gn of direct 3 / 14 Volume 47 (2012) View-based Modelling and State-Space Generation for Graph Transformation Systems Figure 1: Type and instance graphs of a Traffic Information System (TIS). derivations. L (1)m=dL �� K loo r // dK �� (2) R m∗=dR �� G C l∗ oo r∗ // H L n // m �� L̂ q �� G A negative constraint on a T G-typed graph L is a morphism n : L → L̂ over T G. A morphism m : L → G satisfies n (written m |= n) iff there is no morphism q : L̂ → G such that q◦n = m, A negative application condition (NAC) over L is a set of negative constraints N. A morphism m : L → G satisfies N (written m |= N) if and only if m satisfies every constraint in N, i.e., ∀n ∈ N : m |= n. In GROOVE notation [Ren04] the various components of a rule (called readers, erasers, cre- ators or embargoes) are combined within a single rule graph, distinguishing them by different colours and styles. For example in rule moveCar in Fig. 2, readers in K, such as the nodes of type Car, Path, Road, Junction, and the edges of type follow, has, to, from, are thin and solid ordinary graph elements. Erasers in L\ l(K), such as the edge of type on pointing to the left-most Road node, are shown as thin and dashed elements. Creators in R\r(K), such as the other edge of type on are represented by slightly wider solid lines. Embargoes in negative constraints, such as the nodes of type Accident and the edges of type occurredAt, had and rejoin, are represented with wider and dashed outline. Attribute values are depicted as circles pointed to by an edge from the attributed node. For example, in moveCar the Car node has an attribute id whose value is $1 : int. 4 Signatures and Systems We introduce a notion of observation on transformation steps based on rule names with param- eters, whose declarations are collected in a transformation signature. Throughout the rest of the Proc. GTVMT 2012 4 / 14 ECEASST Figure 2: Top to bottom: Rules moveCar and sendAccidentIn f o Figure 3: Rule detour for Car to avoid location of Accident paper we assume a signature Σ = (S,OP), a family X = (Xs)s∈S of countable sets of variables and a Σ-algebra A. Definition 1 (transformation signature, labels) A transformation signature (over Σ,X,A) is a tuple S = (T G,P,σ) where • T G is an attributed type graph, • P is a countable set of rule names, • σ : P −→ X∗ assigns each rule name a list of parameters σ(p) = (x1 : s1,...,xn : sn) with xi ∈ Xsi for 1 ≤ i ≤ n. For p ∈ P with σ(p) = (x1 : s1,...,xn : sn) we also write p(x1 : s1,x2 : s2,...,xn : sn)∈ S . Given a rule signature p(x1 : s1,...,xn : sn) ∈ S we denote by p(A) the set of all rule la- bels p(a1,...,an) with ai ∈ Asi . The label alphabet L over S is the union over all rule labels∪ p∈P p(A). For example, the signatures of the rules in Fig. 2 are moveCar($1 : int) and sendAccidentIn f o($1 : int), both referring to the id attribute of Car nodes. A graph transfor- mation system over a signature adds definitions of rules with application conditions for all rule names. Definition 2 (TAGTS) Given a transformation signature S = (T G,P,σ), a typed attributed graph transformation system (TAGTS) over S is a tuple G = (S ,π,N) where • π : P −→ Rules(T G,X) assigns each rule name a span sp = L l← K r→ R over T G and X . • N = (Np)p∈P is a family of application conditions such that for π(p) as above, Np is a NAC over L. Observations on transformations are defined by obs(G p,m =⇒ H) = p(a1,a2,...,an) if σ(p) = (x1 : s1,...,xn : sn) and ai = m(xi). A step t = (G p,m =⇒G H) is a transformation such that match m 5 / 14 Volume 47 (2012) View-based Modelling and State-Space Generation for Graph Transformation Systems satisfies Np. A derivation is a sequence G0 p1,m1 =⇒G ... pn,mn =⇒G Gn, also written G0 =⇒∗G Gn. The pair (G ,G0) with G0 a T G-typed graph is called a typed attributed graph grammar (TAGG) over S . Grammar (G ,G0) is deterministic if for all reachable graphs G and transformations via p∈P, obs(G p,m =⇒G H) = obs(G p,m′ =⇒G H′) implies m = m′. Spans are attributed over TΣ(X) and parameters xi ∈ Xsi are from the same set, so they refer to the variables used in attribute expressions in rules. The algebra component of attributed graphs is preserved by transformations, allowing actual parameters to be used globally. Grammars are deterministic if labels carry enough information to determine the match into any graph reachable from the start graph. While the notion abstracts from the mechanism by which this happens, we employ id attributes on nodes, referred to by rule parameters as part of transformation labels. If, as in our example, we do not have parallel edges and all relevant nodes are equipped with unique ids, matches can be determined by listing enough left-hand side nodes as parameters. Creating new nodes, we have to assign fresh id numbers using a counter to remember the last unused one, which is increased each time a node is created. We will see in Sec. 6 that the notion of deterministic grammars is required for the composition of grammars to be semantically meaningful. The requirement will be imposed on the interface (intersection) only of the two grammars to be composed, rather than on the component grammars themselves. Applying the same rule at the same match leads to isomorphic DPO diagrams and resulting graphs. The transition system generated by a TAGTS identifies isomorphic graphs, so determin- istic TAGTS lead to deterministic transition systems. Definition 3 (induced labelled transition system) Let (G ,G0) be a TAGG and G = (T G,P,σ,π,N). The labelled transition system LT S(G ,G0) is given by (L,S,T,[G0]) where • S is the set of all isomorphism classes of graphs reachable from G0, i.e. S = { [Gn] | G0 =⇒∗G Gn}; • L is the label alphabet over S ; • T ⊆ S×L×S is the transformation relation, where ⟨[G],l,[H]⟩∈ T iff there is a transfor- mation step t = (G p,m =⇒ H) with obs(t) = l; • [G0] is the isomorphism class of the initial graph G0. 5 Projection and Composition of Systems We would like to distinguish two views, that of the Car and its location and mobility and that of the TIS broadcasting news about Accidents. Given a global model of the system, intuitively a view is defined by identifying in the global type graph the node and edge types that should be abstracted from, such as the TIS in the Car view and Roads and Junctions in the Service view. Start graph and rules are then reduced to the remaining types, removing all instances of types that are no longer present in the smaller type graph. Given a subgraph T G′ ⊆ T G, a T G-typed instance graph G can be projected to an instance G|T G′ of T G′ by removing all elements of G whose types are in T G, but not in T G′. This projec- tion, formally the inverse image of T G′ under the morphism typing G in T G, can be described Proc. GTVMT 2012 6 / 14 ECEASST Figure 4: Type graphs of Car and Service views. abstractly as a pullback of T G′ ⊆ T G and G’s typing morphism. The projection extends to mor- phisms, making it a functor |T G′ : AGraphT G → AGraphT G′ [HEET99]. The functor can be used to define the projection of graph transformation rules and application conditions to a subgraph of their current type graph. We define a more general projection based on a subsignature, which allows to reduce the set of rule names as well as the type graph. Definition 4 (subsignature, projection) A transformation signature S ′ = (T G′,P′,σ ′) is a sub- signature of S = (T G,P,σ), written S ′ ⊆ S , iff T G′ ⊆ T G, P′ ⊆ P, and σ ′ = σ|P′. Given a TAGTS G = (S ,π,N) we define the restriction G |S ′ = (S ′,π′,N′) of G to S ′ for all p ∈ P′ by • π′(p) = L|T G′ l|T G′←− K|T G′ r|T G′−→ R|T G′ if π(p) = L l←− K r−→ R • N′p ={n|T G′ : L|T G′ → L̂|T G′ | n : L → L̂ ∈ Np s.t. the diagram below is a pushout.} L̂|T G′� _ �� L|T G′n|T G′oo � _ �� L̂ Lnoo The projection is sound if for all rules p ∈ P\P′, it reduces π(p) to a span of isomorphisms. A constraint n such that the diagram above forms a pushout is preserved by the projection to T G′. Projecting the global TIS model to the type graphs of the Car and Service views in Fig. 4, rule moveCar is kept unchanged in the Car view, but reduced to an idle span of isomorphisms in the Service view. Rule sendAccidentInfo is idle in the Car view, but kept unchanged in the Service view. Rule detour looses its knows edge in the Car view and is reduced to an idle span in the Service view. In the last case, both projections will be required for recreating the original, but this is an issue of (de)composition, not projection. For a projection to be sound, i.e., to preserve transformations, we must only drop rules that are rendered idle, such as moveCar, detour from the Service view signature and sendAccidentInfo from the Car view signature. Constraints of retained rules are dropped if they are not preserved, i.e., if they loose any negative elements L̂ \ n(L). For example, if we should decide to keep moveCar in the Service view, which would give a sound, if slightly redundant projection, this rule would loose both the rejoin and the Accident occurredAt constraints, while keeping the had Accident constraint where all types are kept in the Service view. 7 / 14 Volume 47 (2012) View-based Modelling and State-Space Generation for Graph Transformation Systems Lemma 1 (projection of steps) Assume signatures and systems S ′ ⊆ S and G as above such that the projection G ′ = G |S ′ is sound. Then, for each step t = (G p,m =⇒G H), either there exists a step t|S ′ = (G|T G′ p,m|T G′ =⇒ G ′ H|T G′) with obs(t) = obs(t|S ′), or G|T G′,H|T G′ are isomorphic. Proof. If p ∈ P\P′ the projection of π(p) is a span of identities. Since AGraph is adhesive, the projection functor preserves pushouts where one of the given morphisms is mono, such as the pushouts in a double-pushout diagram. That means, the projection of double pushout t is a DPO over T G′ where the top span is made of identities. Since pushouts preserve isos, graphs G|T G′,H|T G′ at the bottom of the DPO are isomorphic. If p ∈ P′ we have t|S ′ because (1) the projection functor preserves double pushouts and (2) m|T G′ |= N′p iff m |= Np. To see (2), consider the cube diagram below, whose back face represents the pushout of Def. 4.1 while the sides and front are pullbacks arising from the projection functor. The back square, with its two opposing monos, is a pullback too. Using the pushout property of the back square it follows that existence of q1 commuting the top triangles implies existence of q commuting the bottom triangles and the resulting diagonal vertical square. The reverse implication can be established with the help of the pullback property of the front square. That means, m satisfies n iff m|T G′ satisfies n|T G′. L̂|T G′ ||yy yy yy yy q1 ## � _ �� L|T G′ m|T G′ xx x {{xx x � _ �� n|T G′oo T G′� _ �� G|T G′� _ �� oo L̂ {{ww ww ww ww w q $$ L mv vv vv zzvvv vv noo T G Goo Composition of systems is based on composition of rules, defined by the union of two rules agreeing on a common projection. Constraints of the two given rules have to be transferred to the enlarged left-hand side of the new rule. Definition 5 (extension and union) Assume rule span s1 = (L1 l1←− K1 r1−→ R1) embedded into s = (L l←− K r−→ R) by inclusions iL1,iK1,iR1 as in the diagram below, denoted s1 ⊆ s. If n1 is a constraint over L1, the extension of n1 to L is defined by the pushout (1) where iL̂1 is the inclusion of L̂1 into L̂ and n is the extended constraint over L. If N1 is a set of constraints over L1, we denote by NL1 the corresponding set of constraints extended to L. L̂1 (1) � _ iL̂1 �� L1 n1oo � _ iL1 �� K1 l1oo r1 // � _ iK1 �� R1 � _ iR1 �� L̂ L noo K loo r // R Proc. GTVMT 2012 8 / 14 ECEASST The union of two rule spans s1 and s2 with si = (Li li←− Ki ri−→ Ri) is defined if they have a well- defined intersection, that is, the componentwise intersection s1 ∩s2 = L1 ∩L2 l1∩l2←− K1 ∩K2 r1∩r2−→ R1∩R2 is a rule span. In this case, their union is s1∪s2 = L1∪L2 l1∪l2←− K1∪K2 r1∪r2−→ R1∪R2 where X1 ∪X2 is the pushout of X1,X2 over X1 ∩X2 with inclusions as morphisms, for X ∈{L,K,R}. Extending this notion from rules to systems, we arrive at the composition of TAGTS. Definition 6 (composition of TAGTS) Assume a signature S with subsignatures S1 ⊆ S and S2 ⊆S . Let S0 = (T G0,P0,σ0) be defined by component-wise intersection T G0 = T G1∩T G2, P0 = P1 ∩P2 and σ0 = σ1|P0 = σ2|P0 . Given two systems G1 = (S1,π1,N1) and G2 = (S2,π2,N2), their composition G1 ⊕G2 is defined if G1|S0 = G2|S0 . We then call the systems composable, and define G1 ⊕G2 = (S1 ∪ S2,π,N) by • S1 ∪S2 = (T G1 ∪T G2,P1 ∪P2,σ1 ∪σ2); • π(p) = π1(p) if p ∈ P1 \P2 π2(p) if p ∈ P2 \P1 π1(p)∪π2(p) = L1 ∪L2 l1∪l2←− K1 ∪K2 r1∪r2−→ R1 ∪R2 if p ∈ P1 ∩P2 • Np = N1 p if p ∈ P1 \P2 N2 p if p ∈ P2 \P1 N1L1∪L2p ∪N2L1∪L2p if p ∈ P1 ∩P2 The composition of grammars (G1,G10) and (G2,G 2 0) is defined if G1,G2 are composable and G00 = G 1 0|T G0 = G 2 0|T G0 . In this case, (G1,G 1 0)⊕(G2,G 2 0) = (G1⊕G2,G 0) with G0 = G10∪G 2 0, the pushout representing the union of G10,G 2 0 over G 0 0. Hence two systems are composable if they agree on the projection to S0, the intersection of their signatures. The same is true of transformations in these two views, i.e., if their projections to S0 coincide, they gives rise to a composed transformation using the composed rule. Lemma 2 (composition of steps) Assume two systems G1 and G2, their projection G0 = G1|S0 = G2|S0 and composition G = G1 ⊕G2 as above. Given steps ti = (Gi p,mi =⇒Gi Hi) for i = 0,1,2 with t1|S0 = t2|S0 = t0, there exists a step t1 ⊕t2 = (G1 ∪G2 p,m1∪m2 =⇒ G H1 ∪H2). Proof. Let us start by constructing the underlying DPO diagram of t1 ⊕ t2 from those of the given transformations. First, observe that t1 ← t0 → t2 form a span of DPO diagrams with six- tuples of graph morphisms between corresponding left, right, and interface graphs at rule and transformation level relating them. Because they are obtained as projections, these morphisms form pullback diagrams wherever a square can be found. Forming the component-wise pushout t1 ← t1⊕t2 → t2 of t1 ← t0 → t2, it follows from adhesiveness that the object obtained is a double pushout and all new squares are pullbacks, too. This is a variant of the Distribution Theorem for graph transformation [EHK+97]. It remains to show that the combined DPO forms a step in G , 9 / 14 Volume 47 (2012) View-based Modelling and State-Space Generation for Graph Transformation Systems i.e., that the constraints of the combined rule are satisfied. By Def. 6 these are given by extending constraints of the two component rules. Thus, by the same argument as in the proof of Lemma 1 and the fact that they are satisfied for t1 and t2 it follows that they are satisfied for t1 ⊕t2. 6 Operations on Transition Systems With the semantics of a TAGTS defined as its induced labelled transition system, we interpret their composition by a corresponding notion of composition of LTS, synchronising transitions with shared labels while interleaving those whose labels only occur in one or the other LTS. This matches the PEPA coordination operator [Hil05b] which itself is based on composition in CSP. Definition 7 (composition of transition systems) Given LT S1 = (S1,L1,=⇒1,s01) and LT S2 = (S2,L2,=⇒2,s02), their product LT S1 ⊗LT S2 = (S,L,=⇒,s 0) has as states S all pairs of states (s1,s2) with si ∈ Si. The set of labels is defined by L = L1 ∪L2 and the transition relation is the smallest one satisfying • if l ∈ L1 \L2 and s1 l =⇒1 s′1, then (s1,s2) l =⇒ (s′1,s2); • if l ∈ L2 \L1 and s2 l =⇒2 s′2, then (s1,s2) l =⇒ (s1,s′2); • if l ∈ L1 ∩L2, s1 l =⇒1 s′1 and s2 l =⇒2 s′2, then (s1,s2) l =⇒ (s′1,s ′ 2). The initial state s0 is (s01,s 0 2), the pair of initial states of the two systems. Under suitable assumptions, composition of TAGTS is reflected by the corresponding compo- sition of their LTS. This supports the bottom-up approach of our methodology. Proposition 1 (composition) Assume grammars (G1,G01) and (G2,G 0 2), with Gi = (Si,πi,Ni) and S0 = S1 ∩S2 = (T G0,P0,σ0), such that the grammar’s composition is defined, 1. (G1|S0,G 0 1|T G0) is deterministic, and 2. for all rules p1 ∈ P1\P2 (resp., p2 ∈ P2\P1), the projection π1(p1)|T G0 (resp., π2(p2)|T G0 ) is a span of isomorphisms. Then, transition systems LT S(G ,G0) and LT S(G1,G01)⊗LT S(G2,G 0 2) are bisimilar. Proof. We write [G1,G2]∼ [G] iff Gi = G|T Gi for i = 1,2. States of the composed LT S(G1,G 0 1)⊗ LT S(G2,G02) are pairs of isomorphism classes ([G1],[G2]), denoted as [G1,G2]. States of LT S(G ,G0) are isomorphism classes of graphs [G]. We will show that relation ∼ as defined above is a bisimulation between LT S(G1,G01)⊗LT S(G2,G 0 2) and LT S(G ,G 0). Recall that a bisimula- tion is a relation R between the states of two systems such that, if P1 R P2, then both P1 l−→1 Q1 implies P2 l−→2 Q2 and Q1 R Q2 as well as P2 l−→2 Q2 implies P1 l−→1 Q1 and Q1 R Q2. Assume that [G1,G2] ∼ [G] and let [G] l−→ [H] be a transition in LT S(G ,G0). That means, there exists a transformation t = (G p,m =⇒G H) with obs(t) = l. The projections G |Si are sound because of Assumption 2 in the proposition above. Proc. GTVMT 2012 10 / 14 ECEASST Hence, with Lemma 1, Gi = G|T Gi and Hi = H|T Gi , there are either two projections ti = (Gi p,m|T Gi =⇒ Gi Hi) with obs(t) = obs(ti) = l for i = 1,2, or one such projection, say WLOG for i = 1, while G2 ∼= H2. In the first case, [Gi] l−→i [H1] are transitions in LT S(Gi,G0i ). By the third clause in Def. 7, [G1,G2] l−→ [H1,H2] is a transition in LT S(G1,G01)⊗LT S(G2,G 0 2). In the second case, [G1,G2] l−→ [H1,G2] = [H1,H2] by the first clause and [G2] = [H2]. Vice versa, let [G1,G2] l−→ [H1,H2] be given in LT S(G1,G01)⊗LT S(G2,G 0 2). By Def. 7 either there are transitions [Gi] l−→ [Hi] in LT S(Gi,G0i ) for i = 1,2, based on steps ti = (Gi p,mi =⇒Gi Hi), or there is one such transition, say WLOG for i = 1, and [G2] = [H2]. In the first case, it is easy to see that the projections from Si to S0 are sound because, e.g., P1 \P1 ∩P2 = P1 \P2 and so soundness from S1 to S0 follows from Assumption 2 above. The projections yield ti|S0 = (Gi|T G0 p,mi|T G0 =⇒ Hi|T G0) with obs(ti|T G0) = l. [G1,G2]∼ [G] implies G1|T G0 = G2|T G0 =: G0. Since (G0,G 0 0) = (G1|S0,G 0 1|T G0) is deterministic and G0 is reachable, m0 = m1|T G0 = m2|T G0 , so ti|S0 = (G0 p,m0 =⇒G0 Hi|T G0) for i = 1,2 are related by unique isomor- phisms on intermediate and derived graphs. To apply Lemma 2 we require steps in G1,G2 which project to the same step in G0. Using the unique isos between t1|S0 and t2|S0 and the fact that t2|S0 ⊆ t2 we can rename t2 into t ′ 2 = (G2 p,m2 =⇒G2 H ′ 2) such that t ′ 2|S0 = t1|S0 . In particular, H1|T G0 = H ′ 2|T G0 = H1∩H ′ 2 and so t1⊕t ′ 2 = (G1 ∪G2 p,m1∪m2 =⇒ G H1 ∪H′2) with obs(t1 ⊕ t ′ 2) = l is a transformation in the composed TAGTS delivering transition [G] l−→ [H1∪H′2]. Then, [H1,H2]∼ [H1∪H ′ 2] because H2 ∼= H′2 and therefore [H1,H2] = [H1,H′2]∼ [H1 ∪H ′ 2]. In the second case, by Def. 7, l ∈ L1 \L2 so by Def. 1 p ∈ P1 \P2. By Assumption 2 in the proposition above the projection π1(p)|T G0 yields a span of isomorphisms which extends to a transformation t0 = (G1|T G0 p,m1|T G0 =⇒ H1|T G0) with G1|T G0 ∼= H1|T G0 . Any G2 ∼= H2 can be ex- tended to a DPO diagram over T G2 that projects to t0, and following a similar argument as above we can build (G1 ∪G2 p,m1 =⇒G1 H1 ∪H2), extending (G1 p,m1 =⇒G1 H1) by the idle context G2 ∼= H2. Thus [H1,H2]∼ [H1 ∪H2] and [G] l−→ [H1 ∪H2]. The condition for the projection to S0 to be deterministic ensures that, on the interface, labels uniquely determine transformations. Thus transitions carrying the same labels in the two views can be synchronised. The corollary below derives the conditions for decomposition of systems by projection. Corollary 1 (decomposition) Assume a system G over S with sub-signatures S1 and S2 such that S = S1 ∪S2, the projections G |S1 and G |S2 are sound, 1. G |S1∩S2 is deterministic; 2. for all rules p ∈ P1 \P2, π(p)|T G1 = π(p) and Np|T G1 = Np while π(p)|T G2 is a span of isomorphisms, and vice versa swapping T G1,P1 and T G2,P2; 3. for all p ∈ P1∩P2, any constraint n ∈ Np is preserved by projection to either T G1 or T G2. Then LT S(G ,G) and LT S(G |S1,G|T G1)⊗LT S(G |S2,G|T G2) are bisimilar. 11 / 14 Volume 47 (2012) View-based Modelling and State-Space Generation for Graph Transformation Systems Proof. To apply Prop. 1 it suffices to show that G |S1 ⊕G |S2 = G and Assumptions 1, 2 are satisfied. Assumption 1 follows directly from Assumptions 1 above. Assumption 2 in Prop. 1 follows from Def. 4. Finally, G |S1 ⊕G |S2 = G because, due to Assumptions 2 and 3 above, rule spans and application conditions in G can be reconstructed from their projections. Note that, with T G = T G1∩T G2, projection of graphs and rules is inverse to their union. This can be shown by formalising the union of type graphs as a van Kampen square, which extends to a cube with the union of instance graphs, such as the left-hand sides of corresponding rules, and their typing morphisms. Let us analyse the conditions of Cor. 1 by considering the three sample rules in Fig. 2 and 3. Specifically, condition 2 distinguishes rules like sendAccidentInfo and moveCar, both retained entirely in one view and mapped to spans of isos in the other, from rules like detour, also mapped to isos in the Service views, but loosing an edge of type knows in the Car view. While the reconstruction of the first two examples is trivial, with the rules being complete in one of the two views each, in the third case we require synchronisation to recover the projected edge. Hence in this case the rule must be retained in both views. Similarly, for a rule present in both views, each of its constraints must be preserved in at least one view. In the case of detour, all constraints remain in the Car view. An interesting case beyond the scope of the example in this paper is the creation of nodes in the interface, briefly discussed in Sec. 4. Assume that the common projection of the two views contains a rule the creates a new node. By our assumption of determinism, matches for this rule into all reachable graphs are fixed by the label, which is shared with the corresponding rules in the two views. Since the match determines, up to iso, the DPO diagram, and the DPOs of views and interface are related by projection, transformations in the views starting from corresponding states and sharing the label agree on their projection to the interface. This includes the creation of the new node. For example, if the node is assigned an attribute in the intersection, the same value will be assigned in both views. Since graphs are taken up to isomorphism, structural properties (such as attributes, labels, or connections) are the only possible identifiers of nodes within these graphs, so we can claim that “the same node” is being generated by both views independently. Finally, it is interesting to analyse the reduction in size of the state spaces produced by the two views. The table below shows the size of the global and local views as generated by GROOVE for two and three Cars, respectively. It turns out that we are unable to generate the LTS from the global view directly, but the synchronisation in PEPA of the LTS generated from the two local views produces a CTMC with 117098 states. In the first case, the ratio in size between local and global views is in the order of 1:10, in the second of 1:100. Global model Car view Service view 2 Cars 756 states 84 states 36 states 3 Cars out of memory 936 states 1000 states 7 Conclusion We have formalised notions of views for typed attributed graph transformation systems with rule signatures and developed operations for projection, composition and decomposition of systems Proc. GTVMT 2012 12 / 14 ECEASST that are compatible with corresponding notions of composition of transition systems based on synchronisation over shared labels. Conceptually, composition and decomposition correspond to the top down and the bottom up methodologies of modular graph transformation systems. The approach has been implemented based on GROOVE by providing an automated pro- jection of graph transformation systems and a translation into stochastic analysis tools such as PEPA [AHTG11]. The formalisation in this paper confirms the earlier, more empirical approach. In the future, we envisage language support for the bottom up approach to composing systems from views and investigate how the modularity achieved can be extended to the stochastic aspect. Another concern is the limitation of the present theory to the DPO approach, while GROOVE supports the more general SPO-like behaviour. This requires an encoding of rules that delete nodes with an unbounded number of incident edges, typically leading to additional states and transitions. Bibliography [AHTG11] N. Arijo, R. Heckel, M. Tribastone, S. Gilmore. Modular performance modelling for mobile applications. In Kounev et al. (eds.), ICPE. Pp. 329–334. ACM, 2011. [BEK06] P. Baldan, H. Ehrig, B. König. Composition and Decomposition of DPO Transfor- mations with Borrowed Context. In Corradini et al. (eds.), ICGT. Lecture Notes in Computer Science 4178, pp. 153–167. Springer, 2006. [EEPT06] H. Ehrig, K. Ehrig, U. Prange, G. Taentzer. Fundamentals of Algebraic Graph Transformation (Monographs in Theoretical Computer Science. An EATCS Series). Springer, 2006. [EHK+97] H. Ehrig, R. Heckel, M. Korff, M. Löwe, L. Ribeiro, A. Wagner, A. Corradini. Al- gebraic Approaches to Graph Transformation, Part II: Single Pushout Approach and Comparison with Double Pushout Approach. In Rozenberg (ed.), Handbook of Graph Grammars and Computing by Graph Transformation, Volume 1: Founda- tions. Pp. 247–312. World Scientific, 1997. [EHTE97] G. Engels, R. Heckel, G. Taentzer, H. Ehrig. A Combined Reference Model- and View-Based Approach to System Specification. Int. Journal of Software and Knowl- edge Engeneering 7(4):457–477, 1997. [Hec98] R. Heckel. Compositional Verification of Reactive Systems specified by Graph Transformation. In Proc. Fundamental Approaches to Software Engineering (FASE’98), Lisbon, Portugal. LNCS 1382, pp. 138–153. Springer Verlag, 1998. [HEET99] R. Heckel, G. Engels, H. Ehrig, G. Taentzer. A View-Based Approach to System Modelling based on Open Graph Transformation Systems. In Engels et al. (eds.), Handbook of Graph Grammars and Computing by Graph Transformation, Volume 2: Applications, Languages, and Tools. World Scientific, 1999. 13 / 14 Volume 47 (2012) View-based Modelling and State-Space Generation for Graph Transformation Systems [Hil05a] J. Hillston. Process Algebras for Quantitative Analysis. In Proceedings of the 20th Annual IEEE Symposium on Logic in Computer Science (LICS’ 05). Pp. 239–248. IEEE Computer Society Press, Chicago, June 2005. [Hil05b] J. Hillston. Tuning Systems: From Composition to Performance. The Computer Journal 48(4):385–400, May 2005. The Needham Lecture paper. [NC08] S. Nejati, M. Chechik. Behavioural model fusion: an overview of challenges. In Proceedings of the 2008 international workshop on Models in software engineering. MiSE ’08, pp. 1–6. ACM, New York, NY, USA, 2008. doi:http://doi.acm.org/10.1145/1370731.1370733 http://doi.acm.org/10.1145/1370731.1370733 [Ren04] A. Rensink. The GROOVE Simulator: A Tool for State Space Generation. In Pfaltz et al. (eds.), Applications of Graph Transformations with Industrial Relevance (AG- TIVE). Lecture Notes in Computer Science 3062, pp. 479–485. Springer Verlag, Berlin, 2004. http://doc.utwente.nl/66357/ [Ren10] A. Rensink. Compositionality in Graph Transformation. In Abramsky et al. (eds.), ICALP (2). Lecture Notes in Computer Science 6199, pp. 309–320. Springer, 2010. [TDG09] M. Tribastone, A. Duguid, S. Gilmore. The PEPA Eclipse Plug-in. Performance Evaluation Review 36(4):28–33, Mar. 2009. [UC04] S. Uchitel, M. Chechik. Merging partial behavioural models. In Proceedings of the 12th ACM SIGSOFT twelfth international symposium on Foundations of software engineering. SIGSOFT ’04/FSE-12, pp. 43–52. ACM, New York, NY, USA, 2004. doi:http://doi.acm.org/10.1145/1029894.1029904 http://doi.acm.org/10.1145/1029894.1029904 Proc. GTVMT 2012 14 / 14 http://dx.doi.org/http://doi.acm.org/10.1145/1370731.1370733 http://doi.acm.org/10.1145/1370731.1370733 http://doc.utwente.nl/66357/ http://dx.doi.org/http://doi.acm.org/10.1145/1029894.1029904 http://doi.acm.org/10.1145/1029894.1029904 Introduction Related Work Typed Attributed Graph Transformation Signatures and Systems Projection and Composition of Systems Operations on Transition Systems Conclusion