Ljp Luc Engelen

An exercise in iterative domain-specific language design

We describe our experiences with the process of designing a domain-specific language (DSL) and corresponding model transformations. The simultaneous development of the language and the transformations has lead to an iterative evolution of the DSL. We identified four main influences on the evolution of our DSL: the problem domain, the target platforms, model quality, and model transformation quality. Our DSL is aimed at modeling the structure and behavior of distributed communicating systems. Simultaneously with the development of our DSL, we implemented three model transformations to different formalisms: one for simulation, one for execution, and one for verification. Transformations to each of these formalisms were implemented one at the time, while preserving the validity of the existing ones. The DSL and the formalisms for simulation, execution, and verification have different semantic characteristics. We also implemented a number of model transformations that bridge the semantic gaps between our DSL and each of the three formalisms. In this paper, we describe our development process and how the aforementioned influences have caused our DSL to evolve.

Integrating Textual and Graphical Modelling Languages

Graphical diagrams are the main modelling constructs offered by the popular modelling language UML. Because textual representations of models also have their benefits, we investigated the integration of textual and graphical modelling languages, by comparing two approaches. One approach uses grammarware and the other uses modelware. As a case study, we implemented two versions of a textual alternative for Activity Diagrams, which is an example of a surface language. This paper describes our surface language, the two approaches, and the two implementations that follow these approaches.

REFINER: Towards Formal Verification of Model Transformations

We present the Refiner tool, which offers techniques to define behavioural transformations applicable on formal models of concurrent systems, reason about semantics preservation and the preservation of safety and liveness properties of such transformations, and apply them on models. Behavioural transformations allow to change the potential behaviour of systems. This is useful for model-driven development approaches, where systems are designed and created by first developing an abstract model, and iteratively refining this model until it is concrete enough to automatically generate source code from it. Properties that hold on the initial model and should remain valid throughout the development in later models can be maintained, by which the effort of verifying those properties over and over again is avoided. The tool integrates with the existing model checking toolsets mCRL2 and Cadp, resulting in a complete model checking approach for model-driven system development.

Efficient property preservation checking of model refinements

In model-driven software development, models and model refinements are used to create software. To automatically generate correct software from abstract models by means of model refinement, desirable properties of the initial models must be preserved. We propose an explicit-state model checking technique to determine whether refinements are property preserving. We use networks of labelled transition systems (LTSs) to represent models with concurrent components, and formalise refinements as systems of LTS transformation rules. Property preservation checking involves determining how a rule system relates to an input network, and checking bisimilarity between behaviour subjected to transformation and the corresponding behaviour after transformation. In this way, one avoids generating the entire LTS of the new model. Experimental results demonstrate speedups of several orders of magnitude.

Reusable and correct endogenous model transformations

Correctness of model transformations is a prerequisite for generating correct implementations from models. Given refining model transformations that preserve desirable properties, models can be transformed into correct-by-construction implementations. However, proving that model transformations preserve properties is far from trivial. Therefore, we aim for simple correctness proofs by designing model transformations that are as fine-grained as possible. Furthermore, we advocate the reuse of model transformations to reduce the number of proofs. For a simple domain-specific language, SLCO, we define a formal framework to reason about the correctness, reusability, and composition of the fine-grained model transformations used to transform a given model to three target languages: NQC, Promela and POOSL. The correctness criterion induces that the original model and the resulting model obtained after a proper sequence of transformations have the same observable behavior.

MDE basics with a DSL focus

Small languages are gaining popularity in the software engineering community. The development of MOF and EMF has given the Domain Specific Language community a tremendous boost. In this tutorial the basic aspects of model driven engineering in combination with Domain Specific Languages will be discussed. The focus is on textual Domain Specific Languages developed using the language invention pattern. The notion of abstract syntax will be linked to metamodels as well as the definition of concrete syntax. Defining static and dynamic semantics will be discussed. A small but non trivial Domain Specific Language SLCO will be used to illustrate our ideas.

Prototyping the semantics of a DSL using ASF+SDF: link to formal verification of DSL models

A formal definition of the semantics of a domain-specific language (DSL) is a key prerequisite for the verification of the correctness of models specified using such a DSL and of transformations applied to these models. For this reason, we implemented a prototype of the semantics of a DSL for the specification of systems consisting of concurrent, communicating objects. Using this prototype, models specified in the DSL can be transformed to labeled transition systems (LTS). This approach of transforming models to LTSs allows us to apply existing tools for visualization and verification to models with little or no further effort. The prototype is implemented using the ASF+SDF Meta-Environment, an IDE for the algebraic specification language ASF+SDF, which offers efficient execution of the transformation as well as the ability to read models and produce LTSs without any additional pre or post processing.

Incremental formal verification for model refining

When developing complex software systems, it is vital to ensure that the final product satisfies all the stated requirements. Model checking can help to exhaustively check models of such systems, but due to its high computation demands, it is often not practical. In this paper, we present a new technique to check that properties are preserved when a model at a high level of abstraction is refined to one at a lower level through transformations. In this way, correctness of the resulting models can be determined efficiently. This technique has been implemented, and we demonstrate its usefulness in practice.

A systematic approach for safety evidence collection in the safety-critical domain

In order to show that the required safety objectives are met, it is necessary to collect safety evidence in the form of consistent and complete data. However, manual safety evidence collection is usually tedious and time-consuming, due to a large number of artifacts and implicit relations between them. The potential ambiguities in the textual description of safety objectives even increase the difficulties of collecting the necessary safety evidence. Consequently, suppliers, who have to ensure that the required objectives have been fulfilled, need to investigate safety evidence requirements very carefully and rigorously to avoid collecting any ineffective information, or missing any important information. This paper proposes a systematic, model-based approach to facilitate manual safety evidence collection with clear evidence requirements. To evaluate the effectiveness of our approach, an industrial case study on an avionics Real-Time Operating System (RTOS) is conducted. A large number of evidence items are collected from thousands of artifacts (involving more than 10,000 test cases and nearly thousand pages of requirement specification), for demonstrating the compliance of system development with the avionic safety standard RTCA DO-178C.

Metamodel Comparison and Model Comparison for Safety Assurance

In safety-critical domains, conceptual models are created in the form of metamodels using different concepts from possibly overlapping domains. Comparison between those conceptual models can facilitate the reuse of models from one domain to another. This paper describes the mappings detected when comparing metamodels and models used for safety assurance. We use a small use case to discuss the mappings between metamodels and models, and the relations between model elements expressed in mappings. Finally, an illustrative case study is used to demonstrate our approach.