Integration of Triple Graph Grammars and Constraints Electronic Communications of the EASST Volume 54 (2012) Proceedings of the 7th International Workshop on Graph Based Tools (GraBaTs 2012) Integration of Triple Graph Grammars and Constraints Stephan Hildebrandt, Leen Lambers, Basil Becker, Holger Giese 12 pages Guest Editors: Christian Krause, Bernhard Westfechtel Managing Editors: Tiziana Margaria, Julia Padberg, Gabriele Taentzer ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122 http://www.easst.org/eceasst/ ECEASST Integration of Triple Graph Grammars and Constraints Stephan Hildebrandt1, Leen Lambers1, Basil Becker1, Holger Giese1 1surname.lastname@hpi.uni-potsdam.de Hasso Plattner Institute at the University of Potsdam∗ Abstract: Metamodels are often augmented with additional constraints that must be satisfied by valid instances of these metamodels. Such constraints express com- plex conditions that cannot be expressed in the metamodel itself. Model transforma- tions have to take such constraints of the source and target metamodels into account. Given a valid source model, which satisfies the source constraints, a model trans- formation is expected to return a valid target model (forward validity). However, in current model transformation definition and tool support, such an integration with source and target constraints including validation mechanisms is often ignored or not satisfactory yet. In this paper, we describe how the integration with source and target constraints can be achieved for the special case of model transformations defined by Triple Graph Grammars (TGGs). First, we extend the relational model transformation defini- tion for TGGs and integrate it with source and target constraints. Moreover, we describe how forward/backward validity of TGGs with constraints can be automat- ically checked, either by static analysis using an invariant checker, or by generating and validating metamodel instances. Finally, we describe how to integrate con- straints into our TGG-based model transformation implementation and automatic conformance testing framework. Keywords: Model Transformation, Constraints, Test Case Generation, Invariant Checking 1 Introduction Model-Driven Engineering puts models and model transformations into the focus of the devel- opment process. In practice, models are mostly defined using metamodels, which specify the kinds of elements that can be used in a model of that type. Metamodels are often augmented with constraints, which models must satisfy to be valid instances of a metamodel. Such con- straints are complex conditions that cannot be expressed in the metamodel itself. Modeling tools have to consider these constraints in order to correctly work with models. In particular, model transformation tooling, which plays a key role in Model-Driven Engineering, needs to consider constraints as well. A model transformation is expected to always return a valid target model if it is provided with a valid source model. Valid means that the models not only adhere to the structure defined ∗ This work was developed in the course of the project - Correct Model Transformations - Hasso Plattner Institut, Universität Potsdam and was published on its behalf and funded by the Deutsche Forschungsgemeinschaft. See http://www.hpi.uni-potsdam.de/giese/projekte/ kormoran.html?L=1. 1 / 12 Volume 54 (2012) mailto:surname.lastname@hpi.uni-potsdam.de Integration of TGG Implementations and Constraints -name : string BlockDiagram Block -name : string BlockDiagramElement 0..1 -modelElements * Process SystemBlock 1 -systemBlocks * (a) BlockDiagram metamodel CorrNode Object -left 1 * -right 1 * (b) Correspondence metamodel -name : string ClassDiagram Class -text : string Stereotype Association -container 1 -elements 1..* -name : string Element -stereotypes* 1 -source *1 -target*1 (c) ClassDiagram metamodel Figure 1: Example metamodels by their metamodels, but also satisfy the metamodels’ constraints. We call transformations that always produce valid target models for valid source models forward valid transformations. The definition of backward valid is analogous for bidirectional transformation approaches. However, existing implementations mostly do not consider constraints defined on metamodels at all. Instead, the problem is shifted to the designer of the transformation specification who is expected to define appropriate pre- and postconditions filtering out invalid models, which often resemble constraints already defined in the metamodels. It remains an open question how to ensure consistency between constraints in the metamodel and pre- and postconditions of the transformation specification defined by the designer. For these reasons, we have extended our existing tools for model transformation [GHL12] and conformance testing of model transformations [HLG+12] based on Triple Graph Grammars [Sch94] to consider metamodel constraints, focusing on design-time checks as well as runtime checks revealing problems with forward or backward validity of the transformation. We describe the integration of TGGs with constraints in Section 3 and present two approaches to check the forward/backward validity of forward/backward transformations derived from a TGG in Sec- tion 4, one based on static analysis using an invariant checker, and another one based on counter example generation. Section 5 explains how we extended our conformance testing framework and our model transformation implementation to support constraints. Finally, we discuss related work in Section 6 and conclude the paper in Section 7. 2 Our Triple Graph Grammar Framework Triple Graph Grammars [Sch94] are an important representative of relational model transforma- tion specifications. To illustrate the following explanations, we will use a model transformation from simple SDL block diagrams1 to UML class diagrams. The metamodels of both modeling languages are shown in Figure 1. Block Diagrams are a hierarchical structure of Blocks. Blocks can be nested and the topmost blocks are SystemBlocks. In addition, Blocks can contain Pro- 1 A simplified version of SDL block diagrams (http://www.itu.int/ITU-T/studygroups/com17/languages/Z100.pdf). Proc. GraBaTs 2012 2 / 12 http://www.itu.int/ITU-T/studygroups/com17/languages/Z100.pdf ECEASST bd1:BlockDiagram cn1:CorrNode cd1:ClassDiagram ++ ++ ++ ++ ++ SA CA TAname := cd1.name name := bd1.name (a) Axiom Rule (BlockDiagram to ClassDiagram) bd1:BlockDiagram cn1:CorrNode cd1:ClassDiagram sb2:SystemBlock cn2:CorrNode cl2:Class ++ ++ ++ ++ ++ ++ ++ SL1 CL1 TL1 SR1 CR1 TR1 name := cl2.name name := sb2.name st2:Stereotype text := „system“ ++ ++ ++ ++ (b) Rule 1 (SystemBlock to Class) cn1:CorrNode cd1:ClassDiagram bl3:Block cn3:CorrNode cl3:Class ++ ++ ++ ++ ++ ++ ++SL2 CL2 TL2 SR2 CR2 TR2 name := cl3.name name := bl3.name st2:Stereotype text := „block“ ++ ++ ++ cn2:CorrNodebl2:Block as3:Association cl2:Class ++ ++ ++++ ++ ++ (c) Rule 2 (Block to Class) cn1:CorrNode cd1:ClassDiagram pr3:Process cn3:CorrNode cl3:Class ++ ++ ++ ++ ++ ++ ++SL3 CL3 TL3 SR3 CR3 TR3 name := cl3.name name := pr3.name st2:Stereotype text := „process“ ++ ++ ++ cn2:CorrNodebl2:Block as3:Association cl2:Class ++ ++ ++++ ++ ++ (d) Rule 3 (Process to Class) Figure 2: Example triple graph grammar Operational Rules Generator Story Diagrams TGG Engine generate execute TGG Rules ? create generate references Invariant Checker Source Meta- model + CS Target Meta- model + CT TGG Editor EMFCompare Expected Target Model Test Model Generator Counter Example Generator TGG Specification Sect. 3 TGG Validation Sect. 4 TGG Implementation Sect. 5 TGG Conformance Testing Sect. 5 ? ? Source Model Target Model CS CT Source Model Target Model CS CT CT generate Figure 3: Triple Graph Grammar tool framework 3 / 12 Volume 54 (2012) Integration of TGG Implementations and Constraints cesses, which cannot contain any elements. Class Diagrams can contain Classes, Stereotypes, which are attached to a Class, and Associations, which connect two classes. We have implemented a framework based on TGGs for model transformation and synchro- nization, as well as for conformance testing of TGG model transformations. It is based on the Eclipse Modeling Framework (EMF)2 and can be downloaded from our Eclipse update site3. The framework’s architecture is shown in Figure 3. We repeat the basic principles here and refer to [GHL12, GNH10, HLG+12] for more detailed information. The Source and Target Metamodels, ST T and TT T , respectively, can be edited using the existing Ecore metamodel editor. TGG Rules can be created and edited using the TGG Editor. The TGG rules of the transformation between Block Diagrams and Class Diagrams are shown in Figure 2. Each rule consists of three domains: A source domain on the left, which contains elements of the Block Diagram, a target domain on the right, which contains elements of the Class Diagram, and a correspondence domain in the middle, which contains the so-called correspondence model. The correspondence model explicitly stores correspondence relationships between source and target model elements. Its metamodel CT T is shown in Figure 1b. A CorrNode maps arbitrary objects in the source model to objects in the target model. These three models form a so-called triple graph, denoted by SCT, where S denotes the source, C the correspondence, and T the target component. The notation used in Figure 2 combines the left-hand side (LHS) and right- hand side (RHS) of a graph transformation rule. Elements contained in the LHS and RHS are black, elements contained in the RHS only are drawn green and marked with “++”. Like ordinary graph grammars, Triple Graph Grammars have a start graph, called axiom4, denoted by SACATA. The axiom creates the root nodes of all three models. The remaining TGG rules create the other elements of the models in certain contexts: Rule 1 links a SystemBlock to an existing BlockDiagram and a Class to the corresponding ClassDiagram. Likewise, rules 2 and 3 create Blocks and Processes in existing Blocks and a corresponding pattern of a Class, Association, and Stereotype in the ClassDiagram. More formally, a triple graph grammar (TGG) consists of a set of triple graph rules R typed over ST T CT T TT T (the type graph or metamodel, which results by connecting the source and target metamodels via their correspondences) and a triple start graph SACATA, called axiom, also typed over ST T CT T TT T . For more information about the formalization of TGGs, we refer to [GHL12]. As it is, the TGG can be used to create all three models in parallel. The basic principle is depicted in Figure 4, where the nodes represent triple graphs and the arrows represent TGG rule applications. First, the axiom rule is applied once and creates SACATA. A randomly selected TGG rule is then applied to create, e.g., S13C13T13. Then, another rule is selected and applied to create, e.g., S26C26T26. With SiCiTi⇒Si+1Ci+1Ti+1 we denote a rule application from SiCiTi to Si+1Ci+1Ti+1 and we write SGCGTG ∗⇒ SG′CG′TG′ to denote 0 to a random number of rule applications from SGCGTG to SG′CG′TG′. All triple graphs SCT that can be created accordingly from a TGG belonging to L (tgg), the TGG language. More formally, given a particular tgg = (SACATA,R), typed over ST T CT T TT T , then the triple graph language L (tgg) consists of all triple graphs SGCGTG such that SACATA ∗⇒ SGCGTG via rules in R. The Test Model Generator 2 http://www.eclipse.org/modeling/emf 3 http://www.mdelab.de/update-site 4 In particular, we use a so-called axiom rule, which is applied once to the empty graph and thereby sets correct attribute values creating the concrete axiom. Proc. GraBaTs 2012 4 / 12 http://www.eclipse.org/modeling/emf http://www.mdelab.de/update-site ECEASST Legend: S21 C21 T21 S22 C22 T22 S23 C23 T23 S24 C24 T24 S25 C25 T25 S26 C26 T26 ... ... ...... S11 C11 T11 S12 C12 T12 S13 C13 T13 SA CA TA L(tgg) L(tgg,Ctgg) Ci TiSi Ci TiSi L(tgg,¬CS ˄ CT)Ci TiSi L(tgg,CS ˄ ¬CT)Ci TiSi Figure 4: Step-wise derivation of triple graphs using a TGG with constraints (cf. Figure 3) uses this principle to generate a Source Model and an Expected Target Model that can be used as test input and test oracle to automatically verify conformance of a TGG with the corresponding TGG implementation. To test the forward transformation, the Source Model (Si of SiCiTi) is input to the TGG Implementation under test. The TGG Implementation outputs a Target Model, which is compared to the Expected Target Model (Ti of SiCiTi) using EMFCompare. If both models are equal, the TGG Implementation has passed the conformance test. To actually perform a model transformation using TGGs, operational rules have to be derived for the three different transformation directions supported by TGGs: A forward transformation takes a model of the left domain, a Block Diagram in the example, and produces the other two models. A backward transformation is the opposite, a model of the right domain is transformed to a model of the left domain and a correspondence model. A mapping transformation takes two existing models of both domains and produces only the correspondence model. For each of these directions, separate operational rules have to be derived. In our model transformation tool, Story Diagrams5 describe the operationalized form of the TGG Rules. Operational rules add the elements of the source model domain of the respective direction to their LHS, e.g., forward rule 1 (cf. Figure 2b) includes sb2 in its LHS. It does not create a new SystemBlock. In this paper, we focus on the forward direction. The backward direction is always analogous. In practice, the metamodels of source and target language are often augmented with a set of constraints CS and CT , respectively. Our existing framework did not support such constraints. Therefore, we extended the formal definition of TGGs with constraints, added an automatic checking mechanism for forward/backward validity TGGs with constraints based on two tool components (Invariant Checker and Counter Example Generator in Figure 3), and extended our TGG model transformation implementation as well as automatic conformance testing frame- work with support for constraints. These conceptual extensions and the corresponding new tool components are presented in the next sections. 5 Story Diagrams are executable models consisting of a combination of UML Activity Diagrams with graph transfor- mation. 5 / 12 Volume 54 (2012) Integration of TGG Implementations and Constraints 3 Integration of TGG Specifications and Constraints As mentioned before, metamodels are often augmented with constraints. Such constraints can be as simple as multiplicities of references but also complex conditions spanning multiple elements of the metamodel are possible. The Object Constraint Language (OCL) is the commonly used language to define metamodel constraints. The example metamodels in Figure 1 already contain multiplicities: Trivial examples are the container ends of containment references, e.g., BlockDiagram and ClassDiagram, which always have a lower and upper bound of 1. But also several more complex constraints can be defined. In Class Diagrams, all Stereotypes of a Class must have different values in their text attributes. This is expressed in OCL as follows: ( C1 ) c o n t e x t C l a s s i n v U n i q u e S t e r e o t y p e s : s e l f . s t e r e o t y p e s −>f o r A l l ( e 1 | s e l f . s t e r e o t y p e s −>f o r A l l ( e 2 | e 1 = e 2 o r e 1 . t e x t <> e 2 . t e x t ) ) For Block Diagrams, we have the following constraints: First, a SystemBlock may not contain other SystemBlocks or Processes. In OCL, this is expressed like this: ( C2 ) c o n t e x t S y s t e m B l o c k i n v N o S y s t e m B l o c k s O r P r o c e s s e s : n o t s e l f . m o d e l E l e m e n t s−>e x i s t s ( e | e . o c l I s K i n d O f ( S y s t e m B l o c k ) o r e . o c l I s K i n d O f ( P r o c e s s ) ) Second, each Block in a Block Diagram may either contain other Blocks or Processes, but not both. If a Block contains other Blocks, then there must be at least two contained Blocks. This constraint is expressed in OCL as follows: ( C3 ) c o n t e x t B l o c k i n v B l o c k H i e r a r c h y C o n s t r a i n t : s e l f . m o d e l E l e m e n t s−>i s E m p t y ( ) o r s e l f . m o d e l E l e m e n t s−>f o r A l l ( e | e . o c l I s K i n d O f ( P r o c e s s ) ) o r ( s e l f . m o d e l E l e m e n t s−>f o r A l l ( e | e . o c l I s K i n d O f ( B l o c k ) ) a n d s e l f . m o d e l E l e m e n t s−>s i z e ( ) >= 2 ) Triple Graph Grammars as presented in Section 2 do not consider such metamodel constraints yet. Considering metamodel constraints in a TGG essentially means restricting the set of triple graphs SCT that can be created with the TGG to those that also satisfy the constraints CS and CT typed over the source and target metamodels ST T and TT T , respectively.6 Given a so-called TGG constraint Ctgg = CS∧CT for a tgg = (SACATA,R), being typed over ST T CT T TT T , then the triple graph language with constraints L (tgg,Ctgg) consists of all triple graphs SGCGTG |= Ctgg such that SACATA ∗⇒ SGCGTG via rules in R. We say that a model is valid w.r.t. a metamodel with constraints, if it is typed over the metamodel and, additionally, satisfies all its constraints. Figure 4 describes a TGG language with constraints. Every node of the tree is a triple graph SiCiTi that can be generated by tgg, i.e., SiCiTi ∈ L (tgg). However, not all of them also satisfy the constraints of the source and target metamodels. In Figure 4, the source and target compo- nents Si and Ti that are valid w.r.t. source and target constraints are marked with check marks to symbolize satisfied constraints. In contrast, invalid components are marked with crosses to symbolize violated constraints. Triple graphs, where the source or target component is valid and marked with a check mark, and the target or source component is not valid and marked with a cross, belong to L (tgg,CS ∧¬CT ) or L (tgg,CT ∧¬CS)), respectively. But only those triple graphs, where both components are valid w.r.t source and target constraints, belong to L (tgg,Ctgg). 6 For space reasons, we do not consider correspondence metamodel constraints here, but these can be handled analo- gously. Moreover, models and constraints typed over ST T and TT T are automatically also typed over ST T CT T TT T . Proc. GraBaTs 2012 6 / 12 ECEASST 4 Automatic Checking of TGGs with Constraints Recall that we say that model transformations are forward valid if they produce valid target models from valid source models. We want to automatically check for a tgg with constraints, whether it is forward valid (or backward valid, which is symmetric): Is there any SCT∈L (tgg), where S � CS and T 2 CT ? Or, equivalently, is there any SCT ∈ L (tgg,CS ∧¬CT )? If not, then we have forward validity. If so, then there exists a counterexample. We can group target constraints in CT w.r.t. forward validation into the following categories: (1) Target constraints satisfied for each T in SCT ∈ L (tgg). We say that these constraints hold by TGG construction. (2) Target constraints satisfied for each T in SCT∈ L (tgg,CS). (3) Target constraints not satisfied for each T in SCT∈ L (tgg,CS). If every target constraint in CT belongs to category (1) or (2), then each forward transformation derived from the tgg is forward valid. In this section, we describe how the above question can be answered via static analysis (similar to [BLD+11], where we did this for refactorings) using our invariant checker or, dynamically, by generating explicit counterexamples. Static Analysis The satisfaction of constraints can be invariant with respect to a set of graph transformation rules R. A constraint C is an inductive invariant of R if for all graphs G and for all rules r ∈ R, it holds that G |= C ∧ G ⇒r G′ implies G′ |= C. We developed a static analysis technique being able to perform invariant checking [BBG+06] for constraints of the following kinds: ”A specific pattern (forbidden pattern) should not occur in the model.” or ”A specific pattern (conditional forbidden pattern) should not occur without some other specific pattern.”. Our invariant checker either reports that a constraint is indeed an invariant for a given set of rules, or it automatically computes as symbolic counterexamples all minimal situations indicating why rules might be applied to a constraint-satisfying graph leading to a violating one. Note that some of the counterexamples may represent false negatives because temporarily invalid constraints during the model transformation might be valid in the model transformation result (in case of conditional forbidden patterns) or because the invariant checker is lacking knowledge to reject counterexamples. Our invariant checker currently works with the following restrictions: it needs a flattened type graph as well as flattened rules and forbidden patterns as input [GLB+12]. Stereotypes need to be encoded by specific types. Moreover, since string attributes are not supported, we encode them by edges to data nodes as we also did in [BLD+11]. For more details to the internals of the invariant checker we refer to [BBG+06, BLD+11]. To classify target constraints into category (2) we proceed as follows: Assuming that the source and target constraints CS and CT have the above-described pattern form, we can apply invariant checking to verify if the target constraints CT are invariant w.r.t. forward operational rules derived from a TGG, given that the source constraints CS hold. Intuitively, this means that forward rules do not add any translated target structure which would violate the target constraints assuming that the source constraints hold on the source model. If the invariant checker produces at least one symbolic counterexample, which does not represent a false negative, then the con- straint belongs to category (3). Constraints belong to category (1) if the invariant checker does not need the source constraints as assumed constraints to verify that the target constraints are invariants. Consider the UniqueStereotypes constraint (C1), which can be formulated as a forbidden pat- 7 / 12 Volume 54 (2012) Integration of TGG Implementations and Constraints tern consisting of a Class holding two identical stereotypes. It holds by TGG construction w.r.t. forward validation, since it is satisfied in all Class Diagram models created by the example TGG (cf. Figure 2) independently of the constraints on the Block Diagram meta-model. The example TGG creates classes only together with a single stereotype. Indeed our invariant checker is able to identify via static analysis that this constraint belongs to category (1). Constraint (C2) NoSystemBlocksOrProcesses is an example for category (3) w.r.t. backward validation. It can be described by two forbidden patterns, one that consists of a SystemBlock containing a SystemBlock and the other one of a SystemBlock containing a Process. The latter forbidden pattern is violated by rule 3 in the TGG because it allows to add a Process to a Block, which also includes SystemBlocks due to the generalization hierarchy defined in the metamodel (cf. Figure 1a). Indeed, our invariant checker will output a symbolic counterexample, repre- senting a violation of the constraint when applying rule 3 to a ClassDiagram, holding one Class with Stereotype system and another associated Class with Stereotype process. Rule 2 violates the first forbidden pattern analogously. The counterexamples reported by the invariant checker may represent useful hints to the transformation developer w.r.t. repairing the transformation specification or the different levels of expressiveness of the source and target language under consideration. Defining a specific repair mechanism accordingly is part of future work. The static analysis presented here has its limitations (e.g. constraint (C3) can not be analyzed), since only (conditional) forbidden patterns can be currently analyzed successfully by our invari- ant checker. Enhancing the expressiveness of our invariant checker is ongoing work. However, in [Lam10], it is described more generally how the invariant checking (or constraint preserva- tion) problem can be reduced to the implication problem for conditions. As proven in [HP09], in the case of graphs, nested conditions are equivalently expressive to first order graph formulas. This means that the implication problem for application conditions is undecidable, in general. In practice, there is also the problem that OCL constraints have to be translated to graph constraints, which is a non-trivial task [WTEK08]. Consequently, if for these reasons static analysis is not available, we apply a dynamic analysis technique, which we present in the next section. generate source and target model validate source and target model [else] [both models valid or both models invalid] output counter example Figure 5: Counter Example Generator using the Test Model Generator (cf. Figure 3) Generation of Counter Examples Our existing conformance testing framework can be reused to automatically check the forward/backward validity of a TGG specification with constraints. In particular, the Test Model Generator can be altered to search for triples SCT, where either the source or target model S or T is valid, but the other one is not. The behavior of this Counter Example Generator is depicted in Figure 5. First, a triple SCT ∈ L (tgg) is generated as before. After that, both models S and T are validated. If one model is valid and the other is invalid, a counter example was found. Otherwise, a new pair is generated. The generator can be configured with a maximum number of iterations to avoid infinite loops, occurring because a TGG generates an infinite number of language instances in general. How- Proc. GraBaTs 2012 8 / 12 ECEASST ever, this also means that it is not guaranteed that there are no counter examples if none can be found. As part of future work, we want to use specific heuristics for a systematic model generation. This should increase the success of finding counter examples. To actually validate the models, the EMF Validation Framework7 is used, an extensible frame- work, which allows to integrate constraints specified in all kinds of languages, commonly OCL, but also Check8 or plain Java. The actual nature of the constraints is completely transparent to clients of the validation framework. The framework lets the appropriate interpreters evaluate the constraints, e.g., the OCL interpreter for OCL constraints. In addition to constraints, multiplici- ties of references are also checked. The BlockHierarchyConstraint belongs to category (3) as introduced in the beginning of Sec- tion 4. Consider for example rule 3 in Figure 2d), which does not check whether Block bl2 already contains another Block before adding a new Process. Moreover, consider rule 2 (cf. Figure 2c), which is not guaranteed to be applied at least two times to make sure that a Block contains at least two subblocks. Our current invariant checker is not capable of checking such a complex constraint and, therefore, we applied our dynamic check directly here. The second randomly generated pair of models indeed already represented a counterexample. 5 Integration of TGG Implementation and Testing with Constraints generate source and target model validate source and target model [source and target model valid] [else] output generated source and target model Figure 6: Extended Test Model Generator of the conformance testing framework (cf. Figure 3) We also extended our conformance testing framework (cf. Figure 3), in particular the Test Model Generator, and our TGG Implementation to support constraints. Conformance Testing: The goal of the testing framework is to check if each SCT obtained by a forward (backward) transformation of S (T ) in the TGG implementation indeed belongs to the TGG language L (tgg) and the other way round. Having integrated the TGG with constraints, our new testing goal is to check if each SCT with valid S and T obtained by a forward (backward) transformation of S (T ) indeed belongs to the constrained TGG language L (tgg,Ctgg). As a consequence, we focus now on generating test models satisfying the constraints Ctgg = CS ∧CT to check conformance.9 Consequently, in addition to our former framework, the Test Model Generator performs a validation on the generated source and target models (shown in Figure 6). If one of the models is invalid, a new random triple SCT is generated until a valid pair of source and target models S and T was found or a predefined number of misses has been reached to avoid infinite loops. The Test Model Generator and the Counter Example Generator share the same algorithm to generate triple graphs. Therefore, it is also possible to combine both components. 7 http://www.eclipse.org/modeling/emf/?project=validation 8 Check is provided as part of Xpand (http://www.eclipse.org/modeling/m2t/?project=xpand). 9 We concentrate on positive testing in our testing framework, meaning that we focus on generating valid input models. 9 / 12 Volume 54 (2012) http://www.eclipse.org/modeling/emf/?project=validation http://www.eclipse.org/modeling/m2t/?project=xpand Integration of TGG Implementations and Constraints If a pair of valid models has been generated, these can be used as test input and oracle, if one of the models is invalid, these can be used as counterexamples. TGG Implementation: The TGG Implementation with support for constraints is supposed to deliver a valid target model from a valid source model. It is unnecessary to execute the model transformation if the source model is already invalid. However, because of the limitations of au- tomatically checking validity of TGGs with constraints (cf. Section 4), the TGG implementation still needs to check at runtime if a target model is valid. For these reasons, the TGG implementa- tion has been extended with two validation steps. Before executing the transformation, the source model is validated. During the transformation, it is possible that the target model temporarily vi- olates target constraints. Therefore, checking these constraints while the transformation is still running is not necessary. Instead, the created target model is validated after the transformation. If it is now violating target constraints, a warning is issued along with the invalid model. The BlockHierarchyConstraint (C3) is an example of a constraint that may be temporarily vio- lated during a backward transformation from a Class Diagram containing several Classes, which are transformed to Blocks. After transforming the first Class, the constraint is violated. This constraint is also an example, where a valid source model may be transformed to an invalid tar- get model. Considering the backward transformation (cf. Figure 2) of our running example, the following situation could occur: A Block Diagram with one SystemBlock containing a Block and a Process violates the BlockHierarchyConstraint. Its corresponding Class Diagram, however, would be valid. So, if we perform a backward transformation from that valid Class Diagram, the TGG implementation returns an invalid Block Diagram along with a warning. 6 Related Work There is some related work concerning validation of transformation rules with consideration of constraints. A tool for the static validation of ATL transformation rules is presented in [BCG11], which considers constraints of the source and target metamodel. A transformation (meta-)model integrates the source and target (meta-)models with the execution semantics of ATL. It is possible to search for instances of the transformation metamodel that violate constraints using bounded verifiers. In contrast, we rely on a static and symbolic checking method to verify invariants given as graph constraints for a graph transformation system, which is a complete static analysis. However, constraints, usually specified in OCL, have to be translated to graph patterns first. This drawback of our approach is mitigated by the counter example generator, which generates example models and evaluates constraints directly. To the best of our knowledge, there exist no other model transformation approaches con- sidering the integration of metamodel constraints and allowing for automatic checking of for- ward/backward validity. However, most tools allow to specify additional preconditions in TGG rules using OCL, e.g., [DG09, GR12] as well as our own model transformation tool [GHL12]. In contrast, the TGG formalisms and tools presented in [GEH11, KLKS10] support TGG rule application conditions expressed as graph patterns. [DG09] and [GR12] also allow to specify postconditions in transformation rules, which are checked after the execution of a transformation rule or the complete transformation. Another approach for the verification of arbitrary model transformations based on visual transformation contracts is presented in [GLW+12]. These ap- Proc. GraBaTs 2012 10 / 12 ECEASST proaches do not investigate the interplay of additional application conditions in TGG rules with metamodel constraints, except for [KLKS10], which, however, does not focus on automatic checking mechanisms w.r.t. forward/backward validity as we do in this paper. 7 Conclusion We have shown the importance of considering constraints defined on metamodels in TGG model transformation definition, conformance testing and implementation. Automatic checking of for- ward/backward validity using static analysis is merely possible for a restricted kind of con- straints. Therefore, we also showed how to perform this check by generating meaningful coun- terexamples. The graph patterns required as input for the invariant checker have to be derived from con- straints, often expressed in OCL. This complex task [WTEK08] is currently not automated, but for a restricted part of OCL, especially simple navigation expressions, we plan to implement such a translation. Moreover, the flattening of metamodels with inheritance, rules and constraints in order to serve as input for the invariant checker still needs to be automated. It is ongoing work to improve the expressiveness of our invariant checker and to investigate also weakest pre- and post-conditions [HP09] techniques. We also want to examine how the source and target model generators can be extended with more systematic generation mechanisms. This would increase the confidence in the results of the Counter Example Generator as well as our conformance test- ing framework. The generator also needs to be integrated with the static analysis to, e.g., check if counter examples found by the static analysis are no false negatives. Finally, after the user has found out that his transformation rules are not forward/backward valid, he needs tool support to change his transformation accordingly. However, the causes for violation of metamodel constraints may be manifold. It may be hard for the user to deduce the cause from a counter example and a violated constraint. This remains a complex open issue for future work. Bibliography [BBG+06] B. Becker, D. Beyer, H. Giese, F. Klein, D. Schilling. Symbolic Invariant Verifica- tion for Systems with Dynamic Structural Adaptation. In Proc. of ICSE 2006. ACM, 2006. [BCG11] F. Büttner, J. Cabot, M. Gogolla. On validation of ATL transformation rules by transformation models. In Proc. of MoDeVVa 2011. ACM, 2011. [BLD+11] B. Becker, L. Lambers, J. Dyck, S. Birth, H. Giese. Iterative Development of Consistency-Preserving Rule-Based Refactorings. In Proc. of ICMT 2011. LNCS 6707, pp. 123–137. Springer, 2011. [DG09] D.-H. Dang, M. Gogolla. On Integrating OCL and Triple Graph Grammars. In Chaudron (ed.), Models in Software Engineering. Lecture Notes in Computer Sci- ence 5421, pp. 124–137. Springer Berlin / Heidelberg, 2009. 11 / 12 Volume 54 (2012) Integration of TGG Implementations and Constraints [GEH11] U. Golas, H. Ehrig, F. Hermann. Formal Specification of Model Transformations by Triple Graph Grammars with Application Conditions. ECEASST 39:1 – 26, 2011. [GHL12] H. Giese, S. Hildebrandt, L. Lambers. Bridging the gap between formal seman- tics and implementation of triple graph grammars. Software and Systems Modeling, Springer Berlin / Heidelberg, pp. 1–27, 2012. [GLB+12] H. Giese, L. Lambers, B. Becker, S. Hildebrandt, S. Neumann, T. Vogel, S. Wätzoldt. Graph Transformations for MDE, Adaptation, and Models at Runtime. LNCS 7320. Springer, 2012. [GLW+12] E. Guerra, J. de Lara, M. Wimmer, G. Kappel, A. Kusel, W. Retschitzegger, J. Schönböck, W. Schwinger. Automated Verification of Model Transformations Based on Visual Contracts. Automated Software Engineering, pp. 1–42, 2012. [GNH10] H. Giese, S. Neumann, S. Hildebrandt. Model Synchronization at Work: Keeping SysML and AUTOSAR Models Consistent. In Lewerentz et al. (eds.), Graph Trans- formations and Model Driven Enginering - Essays Dedicated to Manfred Nagl on the Occasion of his 65th Birthday. LNCS 5765, pp. 555–579. Springer, 2010. [GR12] J. Greenyer, J. Rieke. Applying Advanced TGG Concepts for a Complex Transfor- mation of Sequence Diagram Specifications to Timed Game Automata. In Schürr et al. (eds.), 4th International Symposiom, AGTIVE 2011, LNCS 7233. 2012. [HLG+12] S. Hildebrandt, L. Lambers, H. Giese, D. Petrick, I. Richter. Automatic Confor- mance Testing of Optimized Triple Graph Grammar Implementations. In Schürr et al. (eds.), 4th International Symposiom, AGTIVE 2011, LNCS 7233. Springer, 2012. [HP09] A. Habel, K.-H. Pennemann. Correctness of high-level transformation systems rel- ative to nested conditions. Mathematical Structures in Computer Science 19, 2009. [KLKS10] F. Klar, M. Lauder, A. Königs, A. Schürr. Extended Triple Graph Grammars with Efficient and Compatible Graph Translators. In Lewerentz et al. (eds.), Graph Trans- formations and Model Driven Enginering - Essays Dedicated to Manfred Nagl on the Occasion of his 65th Birthday. LNCS 5765, pp. 141–174. Springer, 2010. [Lam10] L. Lambers. Certifying Rule-Based Models using Graph Transformation. PhD the- sis, Technische Universität Berlin, 2010. [Sch94] A. Schürr. Specification of graph translators with triple graph grammars. In Mayr et al. (eds.), Proc. of the 20th International Workshop on Graph-Theoretic Concepts in Computer Science. LNCS 903, pp. 151–163. Springer, June 1994. [WTEK08] J. Winkelmann, G. Taentzer, K. Ehrig, J. M. Küster. Translation of Restricted OCL Constraints into Graph Constraints for Generating Meta Model Instances by Graph Grammars. Electron. Notes Theor. Comput. Sci. 211:159–170, 2008. Proc. GraBaTs 2012 12 / 12 Introduction Our Triple Graph Grammar Framework Integration of TGG Specifications and Constraints Automatic Checking of TGGs with Constraints Integration of TGG Implementation and Testing with Constraints Related Work Conclusion