a dsl to feedback formal verification results

1/33

V&V and MDE Formal language V&V for DSML Current state FeVeReL Conclusion & Perspectives

A DSL to feedback formal verification results

Faiez ZALILA 1 Xavier CREGUT 2 Marc PANTEL 2

1IRT Saint-Exupéry, Toulouse, France

2University of Toulouse, IRIT-CNRS

October 3, 2016

2/33


Goals: Improve the development of critical systems

Resources

Model-driven engineering

Formal verification

model

model

model

represented by

represented by

represented by

conforms to

conforms to

conforms to

Model-Driven EngineeringLanguage Engineering

Formal verification

editorsLanguage

expert

Domain expert

simulators

User

verifiers

generators

DSML

editorssimulators

User

verifiers

generators

DSML

editorssimulators

User

verifiers

generators

DSML

Language expert

Domain expert

Language expert

Domain expert

3/33


Formal model verification

model-checkingtools

DSMLmodel

Formalmodel

Formalproperties

Formalverification

results

DSMLverification

resultsDSML

end-user

defines

obtains

defines/uses

DSMLbehavioral properties

Formal verificationDSML Verifier

3/33


Formal model verification

model-checkingtools

DSMLmodel

Formalmodel

Formalproperties

Formalverification

results

DSMLverification

resultsDSML

end-user

defines

obtains

defines/uses


model-checkingtools

Formalmodel

Formalproperties

Formalverification

results

DSML Verifier

3/33


Translational approach

model-checkingtools

DSMLmodel

Formalmodel

Formalproperties

Formalverification

results

DSMLverification

resultsDSML

end-user

defines

obtains

defines/uses


model-checkingtools

Formalmodel

Formalproperties

Formalverification

results

Translational semantics

Domain expert

Language expert

specifies implementsDSML Verifier

3/33


DSML Verifier: Reuse formal tools

model-checkingtools

DSMLmodel

Formalmodel

Formalproperties

Formalverification

results

DSMLverification

resultsDSML

end-user

defines

obtains

defines/uses


model-checkingtools

Formalmodel

Formalproperties

Formalverification

results


Domain expert

Language expert

specifies implements

Properties generation

Feedbackverification

results

DSML Verifier

3/33


Defining a translational semantics

model-checkingtools

DSMLmodel

Formalmodel

Formalproperties

Formalverification

results

DSMLverification

resultsDSML

end-user

defines

obtains


model-checkingtools

Formalmodel

Formalproperties

Formalverification

results


Domain expert

Language expert




results

Missing

DSML Verifier

3/33


Completing the integration

model-checkingtools

DSMLmodel

Formalmodel

Formalproperties

Formalverification

results

DSMLverification

resultsDSML

end-user

defines

obtains


model-checkingtools

Formalmodel

Formalproperties

Formalverification

results


Domain expert

Language expert




resultsAd-hoc

DSML Verifier

4/33


Outline

1 Integrating V&V in MDE

2 Introducing the formal language

3 Integrating the verification activity for DSML

4 Feedback of verification results to the DSML level: Current state

5 Feedback Verification Results Language (FeVeReL)

6 Conclusion & Perspectives

5/33


Outline







6/33


Defining a DSML

Software & Systems Process Engineering Metamodel (SPEM)

2

finishToFinish2 2

finishToFinish

Programming

Documenting

TestCaseWriting

Designing

startToStartfinishToStart

startToStart

Developer---------------

count = 32

1

Designer---------------

count = 22

1

Computer---------------

count = 31

startToStart

startToStartstartToFinishfinishToStartfinishToFinish

<<enumeration>>WSType

name: StringminTime : IntmaxTime : Int

Process

name : StringminTime : IntmaxTime : Int

WorkDefinitionlinkType : WSType

WorkSequence

quantity: Int

Parameter

name : Stringcount : Int

Resource

0 .. * workDefinitions

1 successor

0 .. * workSequences

1 predecessor linkToSuccessor 0 .. *

linkToPredecessor 0 .. *

0..* parameters

1 workDefinition

1 resource 0..* resources

conforms to

7/33


Defining a DSML

SPEM as a DSML




Process



WorkSequence

quantity: Int

Parameter


Resource


1 successor




0..* parameters

1 workDefinition

1 resource 0..* resources

Abstract syntax Well-formedness properties

Workdefinitions names uniqueness

context Processinv names_uniqueness:self.workDefinitions->forAll(wd1, wd2|wd1 <> wd2implies wd1.name <> wd2.name)

Graphical concrete syntax Textual concrete syntax Execution semantics

8/33


The executable DSML pattern

Explicit the execution semantics

The executable DSML pattern (Combemale et al.)

A general approach to assist in the definition of an execution semantics for a DSML

Make explicit the various concerns for the execution of DSMLs

<<im

port>

>

<<merge>>DDMM

EDMMSPEMEvent

WorkDefinitionEvent

StartWD FinishWD

TM3

Scenario

Tracename : Stringdate : IntInternal : Boolean

RuntimeEvent




Process



WorkSequence

Parameter


Resource


1 successor




0..* parameters

1 workDefinition

1 ressource 0..* ressources

0 .. * traces runtimeEvents 0..*

1 workDefinition

SDMM

state: ExecutionStateWorkDefinition

notStartedrunningfinished

<<enumeration>>ExecutionState

0..* dynamic_wds

<<merge>>

<<merge>>

8/33







<<im

port>

>

<<merge>>DDMM

EDMMSPEMEvent

WorkDefinitionEvent

StartWD FinishWD

TM3

Scenario


RuntimeEvent




Process



WorkSequence

Parameter


Resource


1 successor




0..* parameters

1 workDefinition



1 workDefinition

SDMM




0..* dynamic_wds

<<merge>>

<<merge>>

States

8/33







<<im

port>

>

<<merge>>DDMM

EDMMSPEMEvent

WorkDefinitionEvent

StartWD FinishWD

TM3

Scenario


RuntimeEvent




Process



WorkSequence

Parameter


Resource


1 successor




0..* parameters

1 workDefinition



1 workDefinition

SDMM




0..* dynamic_wds

<<merge>>

<<merge>>

StatesEvents

StartWD DesigningFinishWD DesigningStartWD TestCaseWriting........

8/33







<<im

port>

>

<<merge>>DDMM

EDMMSPEMEvent

WorkDefinitionEvent

StartWD FinishWD

TM3

Scenario


RuntimeEvent




Process



WorkSequence

Parameter


Resource


1 successor




0..* parameters

1 workDefinition



1 workDefinition

SDMM




0..* dynamic_wds

<<merge>>

<<merge>>

StatesTracesEvents

StartWD DesigningFinishWD DesigningStartWD TestCaseWriting........

9/33


DSML verification

Behavioral properties

SPEM behavioral properties

Can the process finish?

OCL fit for simple cases

context WorkDefinitioninv not_reflexive:self.predecessor <> self.successor

TestCaseWriting

startToStart

Does the model behaves as expected during the execution?

=⇒ Model execution is required


Define a translational semantics

FIACRE as formal semantics

State/Event Linear Temporal Logic (SE-LTL) to express properties

The pattern as a support to formalize the translational semantics

10/33


Outline







11/33


The FIACRE language

Intermediate Format for the Architectures of Embedded DistributedComponents

Formal intermediate model to describe embedded and distributed systems

Process= basic component

Describe the behaviour of sequential components

a set of control states and transitions

Data handling

Communication (messages, shared variables)

Component= compositions + constraints

Describe the composition of processes

Associate timing constraints with communications

Define priority between communication events

12/33


The FIACRE language

Example: Alternating bit protocol

type seqno is booltype packet is seqnoprocess Buffer [pin: in packet, pout: out packet] is states idle

var buff : queue 1 of packet := {||}, pkt: packet from idle select pin?pkt; on not (full buff);buff := enqueue (buff,pkt); to idle [] on not (empty buff); pout!first buff; buff := dequeue buff; to idle [] wait [0,1]; on not (empty buff); buff := dequeue buff; to idle end

process Sender [mbuff: out packet, abuff: in packet] is states idle, send, waitavar ssn, n: seqno := false

from idle to waita from send mbuff! ssn; to waita from waita select abuff? n; if n=ssn then ssn := not ssn; to idle else to idle end [] wait ]4,5]; to send end

12/33


The FIACRE language

Example: Alternating bit protocol

process Receiver [mbuff: in packet, abuff: out packet] is states rcve, ack var rsn: seqno := false, m: packet := true from rcve mbuff? m; if m = rsn then rsn := not rsn; to ack else to ack end from ack abuff! m; to rcve

/* Main component */ component abp is

port minp : packet in [0,0], mout : packet in [0,1],

ainp : packet in [0,2], aout : packet in [0,1]

par * in Sender [minp, aout] || Buffer [minp, mout] || Buffer [ainp, aout] || Receiver [mout, ainp] end/* Entry point */ abp

Receiver

Buffer

Sender

Buffer

minp

aout

mout

ainp

13/33


The FIACRE language

Works around FIACRE

AADL2Fiacre

Fiacre: an Intermediate Language for Model Verification in the Topcased EnvironmentBerthomieu B., Bodeveix J.-P., Farail P., Filali M., Garavel H., Gaufillet P., Lang F., VernadatF. ERTS 2008

BPEL2Fiacre

Verification of Timed BPEL 2.0 Models.Elie Fares, Jean-Paul Bodeveix, Mamoun Filali.BPMDS 2011

Formal Requirement Verification for Timed Choreographies.Nawal Guermouche, Silvano Dal Zilio

Ladder2Fiacre

A model-driven engineering approach to formal verification of PLC programs.de Queiroz, M.H., da Rocha, V.G., Carpes, A.M.M., Vernadat, F.,Cregut, X.ETFA 2011

14/33


The FIACRE language

Fiacre tooling

Front: front-end (common for flac and frac)

Parser & Typing controlTyping, initialisations, communications, ...

Frac: back-end pour Tina-TTS

Reducing derived constructions (select, any, etc)

Static composition of components

OptimisationsVariables analysisTransitions normalisation

Code generation.tts = PetriNet (.net) + Data processing (.c, API TTS)

15/33


Outline







16/33


Defining DSML queries

Formalization behavioral properties

-- Does the process finish? (P1 requirement)context SPEM!Process

inv willFinish:eventually self.isFinished()

-- The process will never finish (P2 requirement)context SPEM!Process

inv willNeverFinish:not (eventually self.isFinished())

Formalization of queries

-- Composite queriescontext SPEM!Processdef: isFinished(): String =

self.workDefinitions->forAll(wd | wd.isFinished());

-- Primitive queriescontext SPEM!WorkDefinitiondef : isFinished(): String =

deferred;

17/33


Defining the translational semantics

process Documenting [Start: sync, Finish : sync] (& wds: WDsQueries) is

states notStarted, Running, Finished

from notStartedif ( wds[$(DesigningId)].isStarted)then

Start;wds[$(DocumentingId)].isStarted:= true; to Running

elseloop

end if

from Runningif ( WorkDefinition[$(DesigningId)].isFinished )then

Finish;WorkDefinition[$(DocumentingId)].isFinished:= true;to Finished

elseloop

end if

component Process isvar wds: WDsQueries := [{isStarted=false,isFinished=false}, {isStarted=false,isFinished=false}, {isStarted=false,isFinished=false}, {isStarted=false,isFinished=false}] port DesigningStart : sync in [0,0], DesigningFinish : sync in [0,0], ProgrammingStart : sync in [0,0], ProgrammingFinish : sync in [0,0], DocumentingStart : sync in [0,0], DocumentingFinish : sync in [0,0], TestCaseWritingStart : sync in [0,0], TestCaseWritingFinish : sync in [0,0]par * inDesigning [DesigningStart, DesigningFinish](&wds)|| Programming [ ProgrammingStart, ProgrammingFinish](&wds)|| Documenting [ DocumentingStart, DocumentingFinish](&wds)|| TestCaseWriting [ TestCaseWritingStart, TestCaseWritingFinish](&wds)end

finishToFinish

finishToFinish

ProgrammingDocumenting TestCaseWriting

Designing

startToStart finishToStart startToStart

startToStart

Process2Component

WorkSequence2ConditionalStatement

WorkDefinition2Process

18/33


Update SPEM primitive queries

Update the primitive queries

context SPEM!WorkDefinitiondef : isFinished(): String =

’Main/1/value WorkDefinition[$(’ + self.name + ’id)].isFinished’;

Generated Fiacre properties

property w i l l F i n i s h is l t l<> ( Main / 1 / value WorkDef in i t i on [ $ ( DesigningWD ) ] . i sF in i shed

and Main / 1 / value WorkDef in i t i on [ $ ( ProgrammingWD ) ] . i sF in i shedand Main / 1 / value WorkDef in i t i on [ $ ( DocumentingWD ) ] . i sF in i shedand Main / 1 / value WorkDef in i t i on [ $ ( TestCaseWritingWD ) ] . i sF in i shed)

property w i l l N e v e r F i n i s h is l t l( not ( <> ( Main / 1 / value WorkDef in i t i on [ $ ( DesigningWD ) ] . i sF in i shed

and Main / 1 / value WorkDef in i t i on [ $ ( ProgrammingWD ) ] . i sF in i shedand Main / 1 / value WorkDef in i t i on [ $ ( DocumentingWD ) ] . i sF in i shedand Main / 1 / value WorkDef in i t i on [ $ ( TestCaseWritingWD ) ] . i sF in i shed

) ) )

19/33


Leveraging formal verification for DSMLs: goals

Resolved issues

Lack of semantics of the MDE =⇒ Applying the metamodeling pattern

The unfitness for model analysis =⇒ Connecting TINA toolbox to the DSML

Lack of expressing DSML behavioral propoerties =⇒ Defining the TOCL language

Lack of generating automatically formal properties =⇒ Proposing an automatictransformation of DSML behavioral properties

DSML end-user expectations

DSML verifier that hides formal aspects=⇒ Obtain verification results in the domain side

Domain expert and Language expert expectations

Tools for building seamless verification toolchain=⇒ Manage the feedback of verification results for each DSML

20/33


Leveraging formal verification for DSMLs: missing elements

SPEMmodel SPEM2Fiacre

translational semantics

SPEM2Fiacrepropertiesgeneration

Fiacremodel

Fiacreproperties

Fiacreverification

results

Fiacre verifier

Fiacre2SPEMfeedback

verification results

SPEMverification

results

SPEM verifier

SPEMbehavioral properties

21/33


Outline







22/33


Current problem

Verification results generated in the formal side

Difficult to

understand

Formal verification results generated by the model-checker

Hard to use for the DSML end-user

23/33


Current problem

Ad-hoc solutions

Backward transformation

Write the backward transformation manually

Bidirectional model transformation

Combine both transformations (both translational semantics and backward transformation)

Drawbacks

Implementation-specific solutions

Hard-coded solutions

Do not favor the definition of generative tools

Do not ease the integration of tools for new DSMLs

24/33


Outline







25/33


Prerequisites

Motivations

Executable DSML

<<import>>

<<merge>>

DDMM

Domain Definition

MetaModelQDMM

Queries Definition

MetaModel

EDMM

Events Definition

MetaModel

TM3

Trace Managment MetaModel

<<merge>>

SDMM

States Definition

MetaModel<<merge>>

<<merge>>

<<implement>>

Language expert

Modeltransformation

TOCLeditor

FeVeReLeditor

uses<<uses>>

<<uses>>

<<uses>>uses

uses

uses

FeVeReL: Feedback Verification Results Language

26/33


Prerequisites

Introduce runtime extensions for Fiacre

<<im

port>

>

<<merge>>DDMM

EDMM

FiacreEvent

PortEvent

StateEventVariableEvent

TM3

Scenario


RuntimeEvent0..* runtimeEvents

<<merge>>SDMM

currentState: StateDeclarationInstanceDeclaration

currentValue: ExpressionVariableDeclaration

0..* traces

<<merge>>

PortDeclaration

StateDeclaration TagDeclaration

VariableDeclarationport

state

variable

tag

TagEvent

ProcessDeclaration

ComponentDeclaration

ModelDeclaration0..*

declarations

...

...

...

27/33


Implementation of SPEM-Fiacre mappings using FeVeReL

FeVeReL architecture

ATL.ecoreDSPL

FeVeReL

Language

ocl

Object ConstraintLanguage

atl

Atlas Transformation

Language

FeVeReL2ATL.atl

piggyback pattern

source-to-source pattern

28/33



FeVeReL architecture

FeVeReL model

FormalScenario2DSMLScenario

Formal language metamodelFormal language

semantics metamodel

DSML metamodel

DSML semantics metamodel

<<extends>><<extends>>

Formalscenario

<<conformsTo>>

Formalmodel

<<refersTo>>

<<conformsTo>>

DSMLscenario

<<conformsTo>>

DSMLmodel

<<refersTo>>

<<conformsTo>>

usesproduces

Language expert

DSMLend-user

<<defines>>

<<obtains>>

<<defines>>

FeVeReL2ATL

uses

uses

uses

uses

29/33



Define events mappings between SPEM and Fiacre

Events mappings

events mapping swd2t :DSMLEvent swd : DSMLSemantics . StartWD (

date <− ev1 . date)mapsFormalEvent ev1 : FormalSemantics . EnterEvent (

ev1 . s t a te . name = ’ running ’ andFormalAS ! Model . a l l I n s t a n c e s ()−> f i r s t ( ) . r oo t . body . b locks−>indexOf ( ev1 . path . instances−> f i r s t ( ) )=DSML! Process . a l l I n s t a n c e s ()−> f i r s t ( ) . w o rkD e f i n i t i ons−>indexOf ( swd . w o r k d e f i n i t i o n )

)end events mapping

events mapping fwd2te :DSMLEvent fwd : DSMLSemantics . FinishWD (

date <− ev2 . date)mapsFormalEvent ev2 : FormalSemantics . EnterEvent (

ev2 . s t a te . name = ’ f i n i s h e d ’ andFormalAS ! Model . a l l I n s t a n c e s ()−> f i r s t ( ) . r oo t . body . b locks−>indexOf ( ev2 . path . instances−> f i r s t ( ) )=DSML! Process . a l l I n s t a n c e s ()−> f i r s t ( ) . w o rkD e f i n i t i ons−>indexOf ( fwd . w o r k d e f i n i t i o n )

)end events mapping

30/33



Define states mappings between SPEM and FiacreStates mappings

states mapping wdnotStarted2vd :DSMLState wd:DSMLMM. WorkDef in i t i on ( s t a te <− # no tS ta r ted )observed asFormalState vd : FormalMM . Var i ab leDec la ra t i on (

vd . name= ’ WorkDef in i t i on ’ andvd . value . values−>at (wd . get Index ( ) ) . f i e l d s−>at ( 0 ) . value . ocl IsTypeOf (FormalMM ! F a l s e L i t e r a l )

)end states mapping

states mapping wdrunning2vd :DSMLState wd:DSMLMM. WorkDef in i t i on ( s t a te <− #running )observed asFormalState vd : FormalMM . Var i ab leDec la ra t i on (

vd . name= ’ WorkDef in i t i on ’ andvd . value . values−>at (wd . get Index ( ) ) . f i e l d s−>at ( 0 ) . value . ocl IsTypeOf (FormalMM ! T r u e L i t e r a l )

andvd . value . values−>at (wd . get Index ( ) ) . f i e l d s−>at ( 1 ) . cur rentVa lue . ocl IsTypeOf (FormalMM ! F a l s e L i t e r a l )

)end states mapping

states mapping wdf in ished2vd :DSMLState wd:DSMLMM. WorkDef in i t i on ( s t a te <− # f i n i s h e d )observed asFormalState vd : FormalMM . Var i ab leDec la ra t i on (

vd . name= ’ WorkDef in i t i on ’ andvd . value . values−>at (wd . get Index ( ) ) . f i e l d s−>at ( 1 ) . cur rentVa lue . ocl IsTypeOf (FormalMM ! T r u e L i t e r a l )

)end states mapping

31/33



SPEM end-user overview

P1

P2

31/33



SPEM end-user overview

Computer---------------count = 4

P1

P2

P1

P2

32/33


Outline







33/33


Review

Presented Work

Propose a DSL to specify mappings between DSML and formal language runtimeinformation

Current and Future Work

Extend the FeVereL language to support sophisticated mappings

Experiment the FeVeReL language with other verification toolchains (AADL2Fiacre,LADDER2 FIacre)