Osmar Marchi dos Santos

Engineering model transformations with transML

Model transformation is one of the pillars of model-driven engineering (MDE). The increasing complexity of systems and modelling languages has dramatically raised the complexity and size of model transformations as well. Even though many transformation languages and tools have been proposed in the last few years, most of them are directed to the implementation phase of transformation development. In this way, even though transformations should be built using sound engineering principles—just like any other kind of software—there is currently a lack of cohesive support for the other phases of the transformation development, like requirements, analysis, design and testing. In this paper, we propose a unified family of languages to cover the life cycle of transformation development enabling the engineering of transformations. Moreover, following an MDE approach, we provide tools to partially automate the progressive refinement of models between the different phases and the generation of code for several transformation implementation languages.

transML: a family of languages to model model transformations

Model transformation is one of the pillars of Model-Driven Engineering (MDE). The increasing complexity of systems and modelling languages has dramatically raised the complexity and size of model transformations. Even though many transformation languages and tools have been proposed in the last few years, most of them are directed to the implementation phase of transformation development. However, there is a lack of cohesive support for the other phases of the transformation development, like requirements, analysis, design and testing. In this paper, we propose a unified family of languages to cover the life-cycle of transformation development. Moreover, following an MDE approach, we provide tools to partially automate the progressive refinement of models between the different phases and the generation of code for specific transformation implementation languages.

Fast and accurate transaction-level model of a wormhole network-on-chip with priority preemptive virtual channel arbitration

Simulation is a bottleneck in the design flow of on-chip multiprocessors. This paper addresses that problem by reducing the simulation time of complex on-chip interconnects through transaction-level modelling (TLM). A particular on-chip interconnect architecture was chosen, namely a wormhole network-on-chip with priority preemptive virtual channel arbitration, because its mechanisms can be modelled at transaction level in such a way that accurate figures for communication latency can be obtained with less simulation time than a cycle-accurate model. The proposed model produced latency figures with more than 90% accuracy and simulated more than 1000 times faster than a cycle-accurate model.

Verifying Object-based Graph Grammars

The development of concurrent and reactive systems is gaining importance since they are well-suited to modern computing platforms, such as the Internet. However, the development of correct concurrent and reactive systems is a non-trivial task. Object-based graph grammar (OBGG) is a visual formal language suitable for the specification of this class of systems. In previous work, a translation from OBGG to PROMELA (the input language of the SPIN model checker) was defined, enabling the verification of OBGG models using SPIN. In this paper we extend this approach in two different ways: (1) the approach for property specification is improved, enabling to prove properties not only about possible OBGG derivations, but also about the internal state of involved objects; (2) an approach is defined to interpret PROMELA races as OBGG derivations, generating graphical counter-examples for properties that are not true for a given OBGG model. Another contribution of this paper is (3) the definition of a method for model checking partial systems (isolated objects or a set of objects) using an assume-guarantee approach. A gas station system modeled with OBGGs is used to illustrate the contributions.

Automated verification of executable UML models

We present a fully automated approach to verifying safety properties of Executable UML models (xUML). Our tool chain consists of a model transformation program which translates xUML models to the process algebra mCRL2, followed by symbolic model checking using LTSmin. If a safety violation is found, an error trace is visualised as a UML sequence diagram. As a novel feature, our approach allows safety properties to be specified as UML state machines.

Using Model Transformation to Generate Graphical Counter-Examples for the Formal Analysis of xUML Models

The INESS (Integrated European Signalling System) Project, funded by the FP7 programme of the European Union, aims to provide a common, integrated, railway signalling system within Europe. INESS experts have been using the Executable UML (xUML) language to model an executable specification of the proposed system. Due to safety-critical aspects of these systems, one key idea is to formally analyse them. In this context, we have been working with other universities on different translation-based methods that enable the formal verification of xUML models. At the core of this approach is a verification framework based on model transformation technology, used to implement an automatic and transparent verification method for xUML. Since a translation-based approach is used, a key aspect to achieve transparency is the automatic generation of counter-examples for verified properties that have a false result during the analysis, in terms of the original xUML model. We describe in this paper how we achieve this using model transformation technology.

Fast Simulation of Networks-on-Chip with Priority-Preemptive Arbitration

An increasingly time-consuming part of the design flow of on-chip multiprocessors is the simulation of the interconnect architecture. The accurate simulation of state-of-the art network-on-chip interconnects can take hours, and this process is repeated for each design iteration because it provides valuable insights on communication latencies that can greatly affect the overall performance of the system. In this article, we identify a time-predictable network-on-chip architecture and show that its timing behaviour can be predicted using models which are far less complex than the architecture itself. We then explore such a feature to produce simplified and lightweight simulation models that can produce latency figures with more than 90% accuracy and simulate more than 1,000 times faster when compared to a cycle-accurate model of the same interconnect.

Verifying fault-tolerant distributed systems using object-based graph grammars

Assuring the correctness of fault-tolerant distributed systems can be an overwhelming task. Besides dealing with complex problems of distributed systems, it is also necessary to design the system in such a way that a well-defined failure behaviour, or the masking of failure components, is presented by the system when components fail. To help reasoning about such systems, the use of formal methods becomes desirable. In previous work we introduced a graphical formal specification language, called Object-Based Graph Grammars (OBGG), for modelling asynchronous distributed systems. We also defined a method for automatically inserting classical fault behaviours into OBGG models. The obtained models could be analysed using simulation. In this paper a new method for automatically inserting fault behaviours into OBGG models, which is suitable for using verification as the analysis method, is proposed. Moreover, we show how to formally verify OBGG models in the presence of such faults. A two phase commit protocol is used to illustrate the contributions.

Correct transformation: From object-based graph grammars to PROMELA

Model transformation is an approach that, among other advantages, enables the reuse of existing analysis and implementation techniques, languages and tools. The area of formal verification makes wide use of model transformation because the cost of constructing efficient model checkers is extremely high. There are various examples of translations from specification and programming languages to the input languages of prominent model checking tools, like SPIN. However, this approach provides a safe analysis method only if there is a guarantee that the transformation process preserves the semantics of the original specification/program, that is, that the transformation is correct. Depending on the source and/or target languages, this notion of correctness is not easy to achieve. In this paper, we tackle this problem in the context of Object-Based Graph Grammars (OBGG). OBGG is a formal language suitable for the specification of distributed systems, with a variety of tools and techniques centered around the transformation of OBGG models. We describe in details the model transformation from OBGG models to PROMELA, the input language of the SPIN model checker. Amongst the contributions of this paper are: (a) the correctness proof of the transformation from OBGG models to PROMELA; (b) a generalization of this process in steps that may be used as a guide to prove the correctness of transformations from different specification/programming languages to PROMELA.

Measuring and policing blocking times in real-time systems

In real-time systems, the execution-time overrun of a thread may lead to a deadline being missed by the thread or even others threads in the system. From a fault tolerance perspective, both execution time overruns and deadline misses can be considered timing errors that could potentially cause a failure in the systems ability to deliver its services in a timely manner. In this context, the ideal is to detect the error in the system as soon as possible, so that the propagation of the error can be limited and error recovery strategies can take place with more accurate information. The run-time support mechanism usually deployed for monitoring the timing requirements of real-time systems is based on deadline monitoring, that is, the system calls specific application code whenever a deadline is violated. Recognizing that deadline monitoring may not be enough for providing an adequate level of fault tolerance for timing errors, major real-time programming standards, like Ada, POSIX and the Real-Time Specification for Java (RTSJ), have proposed different mechanisms for monitoring the execution time of threads. Nevertheless, in order to provide a complete fault tolerance approach for timing errors, the potential blocking time of threads also has to be monitored. In this article, we propose mechanisms for measuring and policing the blocking time of threads in the context of both basic priority inheritance and priority ceiling protocols. The notion of blocking-time clocks and timers for the POSIX standard is proposed, implemented and evaluated in the open-source real-time operating system MaRTE OS. Also, a blocking time monitoring model for measuring and policing blocking times in the RTSJ framework is specified. This model is implemented and evaluated in the (RTSJ-compliant) open-source middleware jRate, running on top of MaRTE OS.