Verifying ATL transformations using SMT solvers

On verifying ATL transformations using
‘off-the-shelf’ SMT solvers

Fabian Buttner1 , Marina Egea2 , Jordi Cabot1
¨

1 AtlanMod, ´
INRIA / Ecole de Mines de Nantes
2 ATOS Research, Madrid

MODELS 2012

Our Approach
Motivation
Model transformations should be correct

c AtlanMod – atlanmod-contact@mines-nantes.fr 2/19

Our Approach
Motivation
This should be veriﬁed automatically


Our Approach
Motivation

Our approach
Addresses partial correctness of ATL
transformations w.r.t. OCL
pre-/postconditions


Our Approach
Motivation

Our approach
pre-/postconditions
Translates this into a ﬁrst-order logic
problem


Our Approach
Motivation

Our approach
pre-/postconditions
problem
Employs SMT solvers to check it


Our Approach
Motivation

Our approach
pre-/postconditions
problem
Puts no upper bounds on the model


Our Approach
Motivation

Our approach
pre-/postconditions
problem
Puts no upper bounds on the model
Works well for our case studies


Outline

1 Transformation correctness


Outline

2 Deriving a FOL speciﬁcation


Outline

3 Checking it using SMT solvers


Outline

4 Conclusions


Two Metamodels
ER metamodel -- CONSTRAINTS (PRECONDITIONS)
-- unique schema names
context ERSchema inv:
ERSchema.allInstances()->forall(s1,s2|
1 1
ERSchema s1<>s2 implies s1.name<>s2.name)
* entities * relships -- entity names are unique in schema
Entity type RelshipEnd ends Relship
-- relship names are unique in schema
name : String 1 * name : String 2..* 1 name : String
0..1 {xor} 0..1
-- disjoint entity and relship names
ERAttribute -- attr names are unique in entity
attrs attrs
name : String -- attr names are unique in relship
* isKey : Boolean *
-- entities have a key

REL metamodel -- CONSTRAINTS (POSTCONDITIONS)
1
-- relations have a key
RELSchema context Relation inv:
self.attrs->exists(a | a.isKey)
Relation 1..*
1 -- schema names are unique
name : String relations
-- relation names are unique in schema
RELAttribute -- attribute names unique in relation
1..* name : String
attrs isKey : Boolean


An ATL Transformation
ER
REL
ER2REL

module ER2REL; create OUT : REL from IN : ER;
rule S2S { from s : ER!ERSchema
to t : REL!RELSchema (name<-s.name) }
rule E2R { from s : ER!Entity
to t : REL!Relation (name<-s.name,
schema<-s.schema) }
-- not shown: R2R, EA2A, RA2A, RA2AK ...


ER
REL
ER2REL

schema<-s.schema) }

Execution semantics of ATL:
(i) Match source patterns


ER
REL
ER2REL

schema<-s.schema) }

(i) Match source patterns; (ii) create target objects


ER
REL
ER2REL

to t : REL!RELSchema ( name <- s.name ) }
to t : REL!Relation ( name<-s.name ,
schema<-s.schema ) }

(i) Match source patterns; (ii) create target objects; (iii) bind properties


Checking Correctness
We are interested in Hoare-style partial correctness of
T : MI → MF with respect to pre- and postconditions.



Our approach:
Systematically derive a FOL speciﬁcation (a set of
assertions) from T : MI → MF and its pre- and
postconditions that is logically valid iff the transformation is
correct w.r.t. these conditions



Our approach:
Check validity using an SMT solver (Z3, Yices)



Our approach:
Remarks:
We consider core subsets of OCL and declarative ATL



Our approach:
Remarks:
The proofs we get are valid without model bounds



Our approach:
Remarks:
The proofs we get are valid without model bounds
The problem is undecidable in general


Outline

4 Conclusions


FOL Semantics of MMs

Encode metamodels and constraints as a specification in
first-order logic (based on [Clavel et al., 2009])
Classes, associations, attributes generate
predicates and functions over object identifiers
Constraints generate assertions
Interpretations of the FOL specification correspond to valid
instances of the metamodel


Translation of ER
Predicates: Relship( ),
RelshipEnd ends Relship RelshipEnd( ),
name : String 2..*
ends( , )
Functions: name( )

Assertion:
∀x . Relship(x) → ∃y, z . RelshipEnd(y ) ∧ ends(x, y )∧
RelshipEnd(z) ∧ ends(x, z) ∧ y = z

context ERSchema inv:
ERSchema.allInstances()->forall(s1,s2|
s1<>s2 implies s1.name<>s2.name)

Assertion:
∀x, y . ERSchema(x) ∧ ERSchema(y) ∧ x = y →
name(x) = name(y)


FOL Semantics of ATL

Encode transformation rules in first-order logic
Matched rules become functions over object identifiers
The semantics of the rules is translated into assertions
Interpretations of the FOL specification correspond to valid
traces of the transformation


Translation of ER2REL
to t : REL!RELSchema (name <- s.name)}
to t : REL!Relation (name<-s.name, schema<-s.schema)}
rule R2R { from s : ER!Relship



Matching semantics

∀e . Entity(e) → ∃t . Relation(t) ∧ E2R(e) = t

∀e . Relship(rh) → ∃t . Relation(t) ∧ R2R(rh) = t



Creation semantics

∀t . Relation(t) → (∃e . Entity(e) ∧ E2R(e) = t) ∨
(∃rh . Relship(rh) ∧ R2R(rh) = t)


to t : REL!Relation ( name<-s.name , schema<-s.schema)}

Simple property bindings

∀e, t . Entity(e) ∧ Relation(t) ∧ E2R(e) = t →
name(e) = name(t)


to t : REL!Relation (name<-s.name, schema<-s.schema )}

Resolved property bindings
∀e, t . (Entity(e) ∧ Relation(t) ∧ E2R(e) = t) →
(∀p . ERSchema(p) ∧ erschema(e, p) →
∃s . RELSchema(s) ∧ relschema(t, s) ∧ resolve1 (p, s)) ∧
(∀s . RELSchema(s) ∧ relschema(t, s) →
∃p . ERSchema(p) ∧ erschema(e, p) ∧ resolve1 (p, s))

resolve1 (x, y) =def .
(ERSchema(x) ∧ RELSchema(y ) ∧ S2S(x) = y) ∨
(Entity(x) ∧ Relation(y ) ∧ E2R(x) = y ) ∨
(Relship(x) ∧ Relation(y ) ∧ R2R(x) = y)


(and some more details...)
The paper describes the complete translation
Two complete examples are available online
http://www.emn.fr/z-info/atlanmod/index.php/MODELS_2012_SMT


Veriﬁcation

Deﬁnition
Let T = {r 1 , . . . , rn } be an ATL model transformation [. . . ].
Then, T is correct with respect to preconditions {ς1 . . . ςl } and
postconditions {τ1 , . . . , τw } if and only if, upon termination of T ,
for every τi , i = 1, . . . , w, the following formula always holds:
   
l n
 ocl2fol(ςj ) ∧  atl2fol(rj ) ⇒ ocl2fol(τi )
j=1 j=1


Verification

Definition
Let T = {r1 , . . . , rn } be an ATL model transformation [. . . ].
Then, T is correct with respect to preconditions {ς1 . . . ςl } and
postconditions {τ1 , . . . , τw } if and only if, upon termination of T ,
for every τi , i = 1, . . . , w, the following formula is unsatisfiable
   
l n
 ocl2fol(ςj ) ∧  atl2fol(rj ) ∧¬(ocl2fol(τi ))
j=1 j=1


Outline

4 Conclusions


SMT solvers

Automatic Boolean SAT solving + Theories
Uninterpreted functions
Arithmetic
...
Support for quantiﬁers (incomplete procedures)
> 15 implementations (SMT-COMP)
Standardized language and libraries (SMT-LIB)


Employing the solver

Feeding our first-order logic specification to the SMT solver:
Both Z3 and Yices can be used in the verification



The speciﬁcation ﬁle mirrors our formalization one-to-one



The specification file mirrors our formalization one-to-one
Solving
Z3 solves our examples fully automatically using
Model-based Quantifier Instantiation
Yices sometimes requires Lemmas


Some Observations
Proofs found automatically for ER2REL by Z3 and Yices∗
Preconditions Postcondition Unsat core
(total = 69)
pre1 (ERSchema.name) post1 (RELSchema.name) 4
E::schema[1..1], RS::schema[1..1] R::schema[1..1] 9
pre2, pre3, pre4, post2 (Relation.name) 16
E::schema[1..1], RS::schema[1..1]
RSE:relship[1..1] RA::relation[1..1] 11
pre4, RSE::type[1..1], RS::ends[2..*] post4 (RELAttr.isKey) 14
... ... ...


Some Observations
(total = 69)
... ... ...

For all our examples:
Implied constraints can be found fast and automatically


Some Observations
(total = 69)
... ... ...

Unsat cores are nice to understand the implications


Some Observations
(total = 69)
... ... ...

Counter examples are much harder and often time out


Some Observations
(total = 69)
... ... ...

Counter examples are much harder and often time out
Bounded-model search seems more useful here
(c.f. [Troya et al., JOT, 2011], [Buttner et al., ICFEM, 2012])
¨

Outline

4 Conclusions


Conclusions
Summary:
Partial correctness of declarative ATL transformations w.r.t.
pre- and postconditions can be nicely formulated in FOL


Conclusions
Summary:
Modern SMT solvers seem to be quite good to
automatically ﬁnd proofs in this setting (but beware:
incomplete procedure)


Conclusions
Summary:
The approach complements bounded search approaches
for counter example ﬁnding


Conclusions
Summary:
Future work:
Provide improved tooling


Conclusions
Summary:
Future work:
Extend the supported sets of ATL and OCL


Conclusions
Summary:
Future work:
Verify larger case studies


Conclusions
Summary:
Future work:
Proofs of executability


Conclusions
Summary:
Future work:
Proofs of executability
Identify decidable fragments of ATL transformations

Verifying ATL transformations using SMT solvers

Recommended

More Related Content

Recently uploaded

Recently uploaded (20)

Verifying ATL transformations using SMT solvers