On the Semantics of Real-Time Domain Specific Modeling
Transcripción
On the Semantics of Real-Time Domain Specific Modeling
On the Semantics of Real-Time Domain Specific Modeling Languages PhD Thesis of: Jose E. Rivera Advisors: Dr. Antonio Vallecillo Dr. Francisco Durán To obtain the degree of: Doctor por la Universidad de Málaga Dept. Lenguajes y Ciencias de la Computación Universidad de Málaga Jose E. Rivera, 2010 D. Antonio Vallecillo Moreno, Catedrático de Universidad del Departamento de Lenguajes y Ciencias de la Computación de la E.T.S. de Ingenierı́a Informática de la Universidad de Málaga, y D. Francisco Javier Durán Muñoz, Profesor Titular de Universidad del Departamento de Lenguajes y Ciencias de la Computación de la E.T.S. de Ingenierı́a Informática de la Universidad de Málaga Certifican Que D. José Eduardo Rivera Cabaleiro, Ingeniero en Informática, ha realizado en el Departamento de Lenguajes y Ciencias de la Computación de la Universidad de Málaga, bajo nuestra dirección, el trabajo de investigación correspondiente a su Tesis Doctoral titulada On the Semantics of Real-Time Domain Specific Modeling Languages Revisado el presente trabajo, estimamos que puede ser presentado al tribunal que ha de juzgarlo, y autorizamos la presentación de esta Tesis Doctoral en la Universidad de Málaga. Málaga, 27 de Julio de 2010 Fdo.: Antonio Vallecillo Moreno Fdo.: Francisco Javier Durán Muñoz Catedrático de Universidad del Departamento Titular de Universidad del Departamento de Lenguajes y Ciencias de la Computación. de Lenguajes y Ciencias de la Computación. No hay hechos, sólo interpretaciones de los hechos. [...] No hay una realidad en sı́ misma, sólo maneras de observarla. Silvia Salinas: Todo (no) terminó. v vi A mi madre, a mi hermana y a mi tı́a, las mujeres de mi vida a las que las quiero con locura. A mi padre, del que me hubiera gustado aprender mucho. A mi abuela. Te lo regalo abuela. Pienso que nadie habrı́a sido más feliz en este momento. A mı́. vii viii Agradecimientos Gracias a todas las personas que de una forma u otra han colaborado en el desarrollo de esta tesis, ya sea de forma personal o laboral. Gracias a los Atenea boys (Fer, Jose, Javi y Dani) por su ayuda con el desarrollo de la herramienta e-Motions, y por las interacciones en el laboratorio. Gracias a Raúl y Nathalie por el empujoncillo inicial. Gracias a Cristina Vicente por enseñarme GMF, a validar, y a jugar al billar. Gracias a Cristina Cachero por ser una fuente de motivación. Gracias a Antonio, por saberme guiar en todo, y a Paco, por su ayuda incondicional. Ambos han sido para mı́ más que un referente profesional. Gracias a Francis, sin el que no podrı́a haber aprendido tanto, y a Antonio de Dios, por guiarme en esas enseñanzas. Y gracias al resto de mis familiares (entre los que incluyo a Nuria Vázquez) y amigos :). Un abrazo muy grande. Contents 1 2 Introduction 1 1.1 Problem Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.2 Contribution of this Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.3 Outline of this Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Background 9 2.1 Model Driven Engineering in a Nutshell . . . . . . . . . . . . . . . . . . . . . 9 2.1.1 Origins of Model Driven Engineering . . . . . . . . . . . . . . . . . . 9 2.1.2 Model Driven Engineering and Model Driven Architecture . . . . . . . 10 2.1.3 Main Technologies of MDE . . . . . . . . . . . . . . . . . . . . . . . 13 2.1.4 Model Driven Engineering in the Eclipse Platform . . . . . . . . . . . 14 2.2 2.1.4.1 The Eclipse Modeling Framework . . . . . . . . . . . . . . 14 2.1.4.2 The Graphical Modeling Framework . . . . . . . . . . . . . 16 2.1.4.3 Textual Concrete Syntax . . . . . . . . . . . . . . . . . . . . 16 2.1.4.4 The ATLAS Transformation Language . . . . . . . . . . . . 17 Rewriting Logic and Maude . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 2.2.1 Rewriting Logic and (Core) Maude . . . . . . . . . . . . . . . . . . . 20 2.2.2 Object-Oriented Specifications: Full Maude . . . . . . . . . . . . . . . 24 2.2.2.1 2.2.3 Real-Time Maude . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 2.2.3.1 2.2.4 3 Object-Oriented Modules in (Core) Maude . . . . . . . . . . 25 Timed Modules in (Core) Maude . . . . . . . . . . . . . . . 28 The mOdCL Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Defining a Domain Specific Modeling Language 33 3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 3.2 Abstract Syntax of a DSML . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 xi 3.3 Concrete Syntax of a DSML . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 3.4 Semantics of a DSML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 3.4.1 3.5 4 Semantics Is Not Behavior . . . . . . . . . . . . . . . . . . . . . . . . 38 Defining a DSML (Revisited) . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 3.5.1 Defining the Structural View of a DSML . . . . . . . . . . . . . . . . 40 3.5.2 Defining the Behavioral View of a DSML . . . . . . . . . . . . . . . . 41 Structural Semantics of DSMLs 4.1 MEL Representation of Models and Metamodels . . . . . . . . . . . . . . . . 43 4.1.1 Representing Metamodels with Maude . . . . . . . . . . . . . . . . . 44 4.1.2 Representing Models with Maude . . . . . . . . . . . . . . . . . . . . 48 4.1.2.1 4.2 4.2.2 5 The Conformance Relationship . . . . . . . . . . . . . . . . 49 Structural Semantic Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . 52 4.2.1 4.3 43 Maude’s Metamodel, Parser and Serializer . . . . . . . . . . . . . . . 52 4.2.1.1 The Metamodel Definition . . . . . . . . . . . . . . . . . . 53 4.2.1.2 The Maude Code Generator . . . . . . . . . . . . . . . . . . 56 4.2.1.3 The Maude Parser . . . . . . . . . . . . . . . . . . . . . . . 57 Encoding EMF Models and Metamodels into Maude . . . . . . . . . . 57 4.2.2.1 Encoding EMF Metamodels . . . . . . . . . . . . . . . . . . 57 4.2.2.2 Encoding EMF Models . . . . . . . . . . . . . . . . . . . . 61 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Model Management 5.1 Model Subtyping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 5.1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 5.1.2 Subtyping Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 5.1.2.1 5.1.3 5.2 67 Kinds of Subtyping . . . . . . . . . . . . . . . . . . . . . . 71 The Subtyping Operation in Maude . . . . . . . . . . . . . . . . . . . 72 Model Difference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 5.2.1 Representing Differences . . . . . . . . . . . . . . . . . . . . . . . . . 74 5.2.2 The Difference Operation . . . . . . . . . . . . . . . . . . . . . . . . 76 5.2.3 5.2.2.1 Matching Elements . . . . . . . . . . . . . . . . . . . . . . 77 5.2.2.2 Computing Differences . . . . . . . . . . . . . . . . . . . . 80 An Example of Model Difference . . . . . . . . . . . . . . . . . . . . 83 xii 5.2.4 The do Operation . . . . . . . . . . . . . . . . . . . . . . . 84 5.2.4.2 The undo Operation . . . . . . . . . . . . . . . . . . . . . 86 5.2.4.3 Sequential Composition of Differences . . . . . . . . . . . . 86 Further Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 5.4 Tool Support with Maudeling . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 5.4.1 The Way Back to EMF . . . . . . . . . . . . . . . . . . . . . . . . . . 89 5.4.2 Adapting Difference Models to the Eclipse Platform . . . . . . . . . . 92 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 Behavioral Semantics of DSMLs 97 6.1 Representing DSMLs’ Behavior with Maude . . . . . . . . . . . . . . . . . . 97 6.2 Formal Analysis of Domain Specific Models with Maude . . . . . . . . . . . . 102 6.3 7 5.2.4.1 5.3 5.5 6 Related Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 6.2.1 Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 6.2.2 Reachability Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 104 6.2.3 LTL Model Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 Representing DSML’s Behavior with In-Place Model Transformation . . . . . . 112 6.3.1 In-Place Model Transformation . . . . . . . . . . . . . . . . . . . . . 113 6.3.2 In-Place Rules for the Production System DSML . . . . . . . . . . . . 115 6.4 Behavioral Semantic Mappings and Tool Support . . . . . . . . . . . . . . . . 117 6.5 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 Real-Time Behavioral Semantics of DSMLs 123 7.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 7.2 The e-Motions Language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 7.2.1 A DSML for Mobile Phone Networks . . . . . . . . . . . . . . . . . . 126 7.2.2 A Model of Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 7.2.3 7.2.2.1 Atomic Rules . . . . . . . . . . . . . . . . . . . . . . . . . 128 7.2.2.2 Ongoing Rules . . . . . . . . . . . . . . . . . . . . . . . . . 132 7.2.2.3 Global Time Elapse . . . . . . . . . . . . . . . . . . . . . . 134 Action Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134 7.2.3.1 Concurrency . . . . . . . . . . . . . . . . . . . . . . . . . . 136 7.2.3.2 Separation of Concerns . . . . . . . . . . . . . . . . . . . . 137 7.2.3.3 Past Actions . . . . . . . . . . . . . . . . . . . . . . . . . . 138 xiii 7.2.3.4 7.2.4 7.3 7.4 A Simple Round-Trip Time Protocol . . . . . . . . . . . . . . . . . . . 142 Real-time Behavioral Semantic Mappings . . . . . . . . . . . . . . . . . . . . 144 7.3.1 A General View of the Encoding . . . . . . . . . . . . . . . . . . . . . 145 7.3.2 Encoding of Atomic Rules . . . . . . . . . . . . . . . . . . . . . . . . 147 7.3.2.1 The Triggering Rule . . . . . . . . . . . . . . . . . . . . . . 147 7.3.2.2 The Realization Rule . . . . . . . . . . . . . . . . . . . . . 151 7.3.3 Encoding of Periodic Rules . . . . . . . . . . . . . . . . . . . . . . . 153 7.3.4 Encoding of Instantaneous Rules . . . . . . . . . . . . . . . . . . . . . 155 7.3.5 Encoding of Ongoing Rules . . . . . . . . . . . . . . . . . . . . . . . 156 7.3.5.1 The Initial Rule . . . . . . . . . . . . . . . . . . . . . . . . 156 7.3.5.2 The applyOngoingRules Operator . . . . . . . . . . . . 158 7.3.6 Encoding of Rule Execution Modes . . . . . . . . . . . . . . . . . . . 160 7.3.7 Pass of Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 7.3.7.1 The delta Function . . . . . . . . . . . . . . . . . . . . . 161 7.3.7.2 The mte Function . . . . . . . . . . . . . . . . . . . . . . . 161 Formal Analysis of Real-Time Domain Specific Models with Maude . . . . . . 163 7.4.1 Initial Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 7.4.2 Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 7.4.2.1 7.4.3 7.4.4 8 Exceptions in Actions . . . . . . . . . . . . . . . . . . . . . 139 Querying the Result of a Simulation . . . . . . . . . . . . . 171 Reachability Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 173 7.4.3.1 The Role of Tick Modes in the Analysis . . . . . . . . . . . 174 7.4.3.2 Reasoning about Action Executions . . . . . . . . . . . . . . 177 LTL Model Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 7.5 The e-Motions Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 7.6 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 Conclusions and Future Work 187 8.1 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 8.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 8.3 List of Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 8.4 Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 A Maude Definitions for Models and Metamodels xiv 199 B Maude Encoding of the Ecore Metamodel 211 C Maude Definitions for Time and Action Properties 217 D Maude Operations for Querying a Simulation 227 Bibliography 229 xv xvi List of Figures 1.1 Simple definition of a DSML. . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.2 Mapping a DSML to different semantic domains. . . . . . . . . . . . . . . . . 4 2.1 MDA four-level architecture. . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 2.2 The Author metamodel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 2.3 An Author model (abstract syntax). . . . . . . . . . . . . . . . . . . . . . . . . 12 2.4 An overview of model transformation. . . . . . . . . . . . . . . . . . . . . . . 14 2.5 The Ecore metamodel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 2.6 An Author model (edited with the sample Ecore editor). . . . . . . . . . . . . . 16 2.7 The GMF process to define a visual concrete syntax for a DSML. . . . . . . . . 17 2.8 The Person metamodel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 3.1 Definition of a DSML. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 3.2 Metamodel of a DSML for production systems. . . . . . . . . . . . . . . . . . 35 3.3 A production system model (abstract syntax). . . . . . . . . . . . . . . . . . . 35 3.4 A concrete syntax for the DSML for production systems. . . . . . . . . . . . . 36 3.5 A production system model (concrete syntax). . . . . . . . . . . . . . . . . . . 36 3.6 Semantic bridges across different domains. . . . . . . . . . . . . . . . . . . . 39 3.7 Mapping a DSML to different semantic domains. . . . . . . . . . . . . . . . . 39 3.8 Definition of a DSML (revisited). . . . . . . . . . . . . . . . . . . . . . . . . . 40 3.9 Structural View of a DSML for Production Systems. . . . . . . . . . . . . . . 41 3.10 Behavioral View of a DSML for Production Systems. . . . . . . . . . . . . . . 42 4.1 The Maude metamodel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 4.2 The EObject interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 5.1 The Difference metamodel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 5.2 The Match Metamodel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 xvii 5.3 Example of package refactorization. . . . . . . . . . . . . . . . . . . . . . . . 80 5.4 Another production system model (concrete syntax). . . . . . . . . . . . . . . 83 5.5 The Maudeling tool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 5.6 The higher-order transformation process. . . . . . . . . . . . . . . . . . . . . . 90 5.7 Correspondences between Maude and EMF specifications. . . . . . . . . . . . 91 6.1 The GenHandle in-place rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 6.2 The Assemble in-place rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 6.3 Further in-place rules of the production system DSML. . . . . . . . . . . . . . 116 6.4 Reachability analysis with the AToM3 tool. . . . . . . . . . . . . . . . . . . . 118 7.1 The e-Motions metamodel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125 7.2 A metamodel for MPNs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 7.3 A concrete syntax for the MPN language. . . . . . . . . . . . . . . . . . . . . 127 7.4 A mobile phone network model. . . . . . . . . . . . . . . . . . . . . . . . . . 127 7.5 The SwitchOn atomic rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129 7.6 The BatteryOff instantaneous rule. . . . . . . . . . . . . . . . . . . . . . . . . 129 7.7 The RemoveOffPhones scheduled rule. . . . . . . . . . . . . . . . . . . . . . . 130 7.8 The Coverage periodic rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 7.9 The distance helper. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 7.10 The BatteryConsumptionRule ongoing rule. . . . . . . . . . . . . . . . . . . . 132 7.11 The Moving ongoing rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 7.12 The correctPos, correctV and power helpers. . . . . . . . . . . . . . . . . . . 133 7.13 The Call atomic rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 7.14 The TalkingBatteryConsumption and StandbyBatteryConsumption ongoing rules.138 7.15 The InitialModel instantaneous rule. . . . . . . . . . . . . . . . . . . . . . . . 139 7.16 The BatteryOffCaller instantaneous rule. . . . . . . . . . . . . . . . . . . . . . 140 7.17 The BatteryOffCallee instantaneous rule. . . . . . . . . . . . . . . . . . . . . . 140 7.18 The BatteryOff instantaneous rule (revisited). . . . . . . . . . . . . . . . . . . 141 7.19 A metamodel for a simple RTTP. . . . . . . . . . . . . . . . . . . . . . . . . . 142 7.20 A concrete syntax for the RTTP language. . . . . . . . . . . . . . . . . . . . . 142 7.21 The Request periodic rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 7.22 The Response atomic rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 7.23 The LocalTimeElapse ongoing rule. . . . . . . . . . . . . . . . . . . . . . . . 144 7.24 The InitialModel instantaneous rule. . . . . . . . . . . . . . . . . . . . . . . . 145 xviii 7.25 A gcs model for the MPN example. . . . . . . . . . . . . . . . . . . . . . . . 180 7.26 The GCS metamodel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181 7.27 The behavior and rule editors of the e-Motions tool. . . . . . . . . . . . . . . . 182 7.28 The simulation window of the e-Motions tool. . . . . . . . . . . . . . . . . . . 182 8.1 Our approach to define DSMLs. . . . . . . . . . . . . . . . . . . . . . . . . . 188 8.2 General view of our approach. . . . . . . . . . . . . . . . . . . . . . . . . . . 189 xix xx Chapter 1 Introduction Over the past five decades, software researchers and developers have been creating abstractions that help them to program in terms of their design intent rather than constrained by the underlying computing environment—for example, CPU, memory, and network devices—abstracting them away from the complexities of these environments. From the early days of computing, these abstractions included both language and platform technologies. For example, early programming languages, such as Assembly and Fortran, shielded developers from the complexities of programming directly with machine code. Advances in these languages and platforms during the past two decades have raised the level of software abstractions available to developers. However, although these languages and platforms raised the level of abstraction, they still had a distinct computing-oriented focus: they provided abstractions of the solution space rather than abstractions of the problem space [115]. Model Driven Engineering (MDE) emerges as a promising approach to address the inability of third-generation languages to (a) express domain concepts effectively and (b) alleviate the complexity of platforms. MDE advocates the use of models as first class entities throughout the software engineering life cycle, making use mainly of two technologies: Domain Specific Modeling Languages (DSMLs) and Model Transformation. DSMLs are used to represent the various facets of a system in terms of models. Such languages tend to support higher-level abstractions than general-purpose modeling languages, and are closer to the problem domain than to the implementation domain. Thus, a DSML follows the domain abstractions and semantics, allowing modelers to perceive themselves as working directly with domain concepts. Model Transformations analyze certain aspects of models and then automatically synthesize various types of artifacts, such as source code, simulation inputs, or alternative model representations. In MDE, models are not to be used as mere documentation, but key artifacts from which 1 2 C HAPTER 1. I NTRODUCTION the whole system can be derived and implemented. Therefore, a precise and formal basis will significantly help us in their definition not to produce unexpected results. Since models are defined with DSMLs, we need to provide DSMLs with semantics to avoid, e.g., semantic ambiguities and conflicting results across different tools. In this thesis, we will focus on the definition of the semantics of DSMLs, covering those that include real-time aspects. 1.1 Problem Statement The definition of a language involves at least three aspects: the domain concepts and rules (abstract syntax); the notation used to represent these concepts—let it be textual or graphical (concrete syntax); and the semantics of the language. In MDE, the structure of a DSML is usually defined by means of a metamodel. A metamodel can be seen as a UML class diagram—a metamodel is itself a model—on which we describe the concepts of the language, the relationships between them, and the structuring rules that constrain the model elements and their combinations in order to respect the domain rules. Then, a metamodel is usually provided with a concrete syntax by mapping the metamodel concepts to a textual or graphical notation (see Figure 1.1). This concrete syntax allow us to write models in our DSML. We normally say that a model conforms to the metamodel that represents the concepts of the DSML the model is written in [20]. Figure 1.1: Simple definition of a DSML. Defining a DSML only by means of its structural aspects (with its corresponding abstract and concrete syntaxes) allows the rapid development of languages and some of their associated tools, such as editors or browsers. However, if we want to perform real engineering tasks, we also need to count on model analyzers, simulators, matchmakers, quality evaluators, etc. Explicit and formal specification of model semantics is receiving more attention recently, 1.1. P ROBLEM S TATEMENT 3 since the lack of explicit semantics presents a possibility for semantic mismatch between design models and modeling languages of analysis tools [73]. While this problem exists in virtually every domain where DSMLs are used, it is more common in domains in which behavior needs to be explicitly represented, as it happens in most industrial applications of a certain complexity. This issue is particularly important in safety-critical real-time and embedded system domains, where precision is required and where semantic ambiguities may produce conflicting results across different tools. Furthermore, the lack of explicit behavioral semantics strongly hampers the development of formal analysis and simulation tools, relegating models to their current common role of simple illustrations. One way of specifying the semantics of a DSML is by defining a (semantic) mapping between the language itself and another language with well-defined semantics, such as Abstract State Machines [37], Petri Nets [49], or rewriting logic [104]. This method, which is also proposed by other authors (e.g. [18, 40, 73]), is usually called translational semantics. The advantage of using a model-driven approach is that these mappings can be defined in terms of model transformations. If the chosen target semantic domain includes mechanisms to specify the behavior of the system, the behavior of the DSML is usually encoded in the semantic domain directly. However, this approach has several disadvantages: it requires specialized knowledge and expertise on the target formalism, and it restricts the model simulation and analysis operations that can be performed over the models to those that the target tool we are encoding our behavior provides. Furthermore, not many formalisms can deal with real-time system, i.e., they do not provide specialized mechanism to specify time-dependent behavior. Another common formalism used to represent a DSML (including the behavioral specifications) is graph transformation [111, 49, 125]. Graph transformation allows users to describe the permitted actions of the system and how the model elements evolve as a result of these actions, working directly with domain specific concepts. This approach is quite intuitive, especially when it enables the use of the graphical concrete syntax of the language [102]. However, graph transformation—in its basic form—do not include a quantitative model of time. When time is needed, it is usually modeled by adding some kind of clocks to the DSML’s metamodel. These clocks are handled in the same way as common objects, which (a) forces designers to modify the DSML’s metamodel (the structure of our DSML) to include (behavioral) time aspects, and (b) does not constrain designers from unwillingly defining time-inconsistent sequences of states. In critical domains, such as real-time and embedded systems, timeouts, timing constraints and delays are essential concepts. Therefore, these concepts should be explicitly modeled in their behavioral specification to enable a proper analysis and simulation [99]. 4 C HAPTER 1. I NTRODUCTION Finally, current graph transformation approaches only allow users to model state-based properties. When we want to observe an action, we have to unnaturally extend our DSML’s metamodel again with the state of the actions that should be observed. 1.2 Contribution of this Thesis In this thesis, we clearly identify two different views in the definition of a DSML: structure and behavior. We propose defining them as models independently of any semantic domain. Then, since each semantic domain is more appropriate to represent and reason about certain properties, and to conduct certain kinds of analysis, we propose transforming these specifications into different semantic domains (see Figure 1.2) depending on the kind of formal analysis we require (of course, not all the transformations can always be accomplished: it depends on the expressiveness of the semantic domain). Figure 1.2: Mapping a DSML to different semantic domains. We will define the structural model, as commonly agreed by the MDE community, with a metamodel. However, there is no such agreement in the definition of the dynamic behavior. We think that in MDE, where DSMLs and model transformations are the key artifacts, model transformations are the natural way. In particular, model transformation languages that support in-place update are perfect candidates for the job. They follow the semantics of graph transformation, and they benefit from the same advantages: they allow modelers to perceive themselves as working directly with domain concepts, especially when it enables the use of the graphical concrete syntax of the language. Thus, we present in this thesis e-Motions [100, 99, 107], a formalism that extends in-place model transformation with a model of time and a mechanism to state action properties, easing the specification of real-time DSMLs’ behavior. Our approach avoids unnaturally mod- 1.2. C ONTRIBUTION OF THIS T HESIS 5 ifying the DSML’s metamodel—which defines the structural concepts of our language—to include time and action properties—which are related to the behavior of the language—and thus promoting a separation of concerns. The e-Motions formalism is developed as a modeling language, i.e., its specifications can be easily integrated in MDE processes, and is supported by a graphical framework that enables the use of the concrete syntax of the DSML to define its corresponding behavior, making this task quite intuitive. Contrary to other inplace model transformation-like approaches (specially graph transformation approaches), the e-Motions tool supports attribute computations and ordered collections, which are specified by means of OCL expressions. The e-Motions graphical framework has been defined for the Eclipse platform. The choice of Eclipse has been motivated by its open source policy, its increasing use by the MDE community, and specially for the wide spectrum of modeling tools that it provides: the Eclipse Modeling Framework (EMF) [9], the Eclipse Graphical Modeling Framework (GMF) [8], the Atlas Transformation Language (ATL) [3, 71], etc., some of which have been used in the development of the tool support of this thesis, as we shall see throughout this document. Once we have a way to specify the structure (by means of a metamodel defined using Ecore, see Chap. 4) and the behavior (by means of in-place model transformations defined with eMotions, see Chap. 7) as models, we are able to transform them into different semantic domains to (a) provide our DSML with (structural and behavioral) semantics, and (b) take advantage of the analysis tools they provide. In this thesis, we have implemented these semantic bridges to Maude. Maude [4, 42, 41] is a wide-spectrum programming language based on rewriting logic, with membership equational logic as its underlying equational theory. Maude has already been successfully used in software engineering tools and several applications; it is efficient enough to be of a practical use; and has already been integrated in the Eclipse platform. Furthermore, the use of Maude as a target semantic domain brings us more interesting benefits: • Maude performs simplification of terms modulo equational theories such as associativity, commutativity and identity (see Section 2.2.1), which enables the specification of many model operations at a very high level of abstraction. • Once the system specifications are written using Maude, what we get is a rewriting logic specification of the system. Since the rewriting logic specifications produced are executable, this specification can be used as a prototype of the system, which allows us to simulate and analyze it. Maude offers an interesting set of analysis tools, such as an LTL satisfiability and tautology checker, a Church-Rosser checker, a coherence checker, 6 C HAPTER 1. I NTRODUCTION a termination tool, etc. We show how our notation for models and metamodels, together with the powerful match- ing facilities that Maude provides, enables the specification of these model operations at a very high level of abstraction, which has allowed us to complete our tool with a relatively short development time when compared with approaches using conventional languages like Java or C++. The semantic bridges we have defined are composed of a mapping from EMF models and metamodels to membership equational logic theories in Maude, and a mapping from the eMotions language to rewriting logic theories in Maude. This mechanism allow us to automatically transform the structural and behavioral specifications of our DSMLs into Maude, providing our DSMLs with semantics. Furthermore, we have also developed a model transformation to transform models specified in Maude into its original EMF notation. Altogether, these mappings allows us to take advantage of both platforms: an intuitive way to define (the structure and behavior of) DSMLs with Eclipse tools, and a powerful mechanism to provide models with semantics and to simulate and analyze them in a transparent way. 1.3 Outline of this Thesis The present document is structured as follows: Chapter 2: Background. This chapter briefly introduces some parts of two usually separated worlds: modeling and formal languages. Firstly, we present the main concepts of Model Driven Engineering and the Model Driven Architecture, and some of the tools available for them in the Eclipse platform. Secondly, we introduce the rewriting logic formalism, and the Maude language and tool including two of its extensions: Full Maude and Real-Time Maude. Chapter 3: Defining a Domain Specific Modeling Language. In this chapter we present the elements that are involved in the definition of a DSML: abstract syntax, concrete syntax and semantics. We show the need of formally defining the semantics of a DSML, and we show how it can be separated from the definition of the behavior of the DSML. We present an approach for defining a DSML based on the specification of two different views: the structural view and the behavioral view. Furthermore, we give some hints on how the DSML designer can be kept from explicitly defining the semantics of his/her DSML. 1.3. O UTLINE OF THIS T HESIS 7 Chapter 4: Structural Semantics of DSMLs. In this chapter we approach the definition of the structural semantics of DSMLs. We show how models and metamodels can be formalized into Membership Equational Logic (MEL), and we specify semantic mappings (by means of automatic model transformations) between EMF models and metamodels and MEL, or, to be more precise, to the Maude implementation of MEL. We also present the Maude metamodel, parser and serializer that we have defined for this purpose. Chapter 5: Model Management. In this chapter we present several model operations— namely model subtyping, model difference, and metric evaluation—that we have defined in Maude. We show how our notation for models and metamodels, together with the powerful matching facilities that Maude provides, enables the specification of these model operations at a very high level of abstraction, which has allowed us to complete our tool with a relatively short development time when compared with approaches using conventional languages like Java or C++. Furthermore, we present the model transformation we have defined from Maude specifications to EMF models. This transformation, together with the transformations defined from EMF to Maude, allows Eclipse users to use the defined model operations without being aware of Maude at all. Chapter 6: Behavioral Semantics of DSMLs. In this chapter we approach the definition of the behavioral semantics of DSMLs. We show how the behavior of a DSML can be specified in Maude by means of rewrite rules, and how we can perform simulation, reachability and model-checking analysis on the domain specific models using the tools and techniques that Maude provides. We also propose defining the behavior of a DSML in a graphical and more intuitive way by means of in-place model transformations, and we show the similarity between the two approaches. Chapter 7: Real-Time Behavioral Semantics of DSMLs. In this chapter we present a lan- guage and a tool, called e-Motions, that extends in-place model transformation with a model of time and a mechanism to state action properties. We formalize this language into Rewriting Logic (RL) by means of model transformation, and we show how this automatic model transformation provides a way to give semantics to the behavioral parts of real-time DSMLs, preventing the DSML designer from explicitly defining the behavioral semantics of his/her DSML. Furthermore, we show how these semantic mappings allow us to specify the behavior of real-time DSMLs in a graphical and intuitive way (using the e-Motions tool), and perform 8 C HAPTER 1. I NTRODUCTION simulation and reachability and model-checking analysis on the models using some of the tools and techniques that Maude provides. Chapter 8: Conclusions and Future Work. This chapter presents the main contributions, results and publications of this thesis, and outlines some future research activities. Appendix A: Maude Definitions for Models and Metamodels. This appendix presents the algebraic specifications we have developed to support the definition of models and metamodels in Maude. Appendix B: Maude Encoding of the Ecore Metamodel. This appendix presents the Maude encoding of the Ecore metamodel. Appendix C: Maude Definitions for Time and Action Properties. This appendix presents the algebraic specifications we have developed to support the representation of time and action properties in Maude. Appendix D: Maude Operations for Querying a Simulation. This appendix presents the operations we have defined in Maude to query the result of a timed-simulation, and to present it in a more readable way. Chapter 2 Background This thesis tries, among other things, to bring closer two usually separated worlds: modeling and formal languages. This chapter briefly introduces (parts of) both. 2.1 Model Driven Engineering in a Nutshell This section presents the main principles and technologies of Model Driven Engineering (MDE), an approach that advocates the use of models as first class entities throughout the software engineering life cycle. Firstly, we discuss the problems that caused its origin; then, we introduce the MDE basic concepts and technologies; finally, we present some of the MDE tools provided by the Eclipse platform that we have used to develop the tool support of this thesis. 2.1.1 Origins of Model Driven Engineering Over the past five decades, software researchers and developers have been creating abstractions that help them to program in terms of their design intent rather than constrained by the underlying computing environment—for example, CPU, memory, and network devices—abstracting them away from the complexities of these environments. From the early days of computing, these abstractions included both language and platform technologies. For example, early programming languages, such as Assembly and Fortran, shielded developers from the complexities of programming directly with machine code. Likewise, early operating system platforms, such as OS/360 and Unix, shielded developers from the complexities of programming directly with hardware devices [115]. Advances in these languages and platforms during the past two decades have raised the 9 10 C HAPTER 2. BACKGROUND level of software abstractions available to developers. For instance, developers today typically use more expressive object-oriented languages, such as C++, Java, or C#, rather than Fortran or C. Likewise, today’s reusable class libraries and application framework platforms minimize the need to reinvent common and domain-specific middleware services, such as transactions, fault tolerance, event notification, and security. However, although these languages and platforms raised the level of abstraction, they still had a distinct computing-oriented focus. In particular, they provided abstractions of the solution space—that is, the domain of computing technologies themselves—rather than abstractions of the problem space that express designs in terms of concepts in application domains, such as telecom, aerospace and biology. Furthermore, platform complexity is evolving faster than the ability of general-purpose languages to mask it. For example, popular middleware platforms, such as J2EE, .NET, and CORBA, contain thousands of classes and methods with many intricate dependencies and subtle side effects that require considerable effort to program and tune properly. Thus, developers have to pay close attention to numerous tactical imperative programming details and they often cannot focus on strategic architectural issues such as system-wide correctness and performance. Moreover, since these platforms often evolve rapidly—and new platforms appear regularly—developers also expend considerable effort manually porting application code to different platforms or newer versions of the same platform. 2.1.2 Model Driven Engineering and Model Driven Architecture Model Driven Engineering (MDE). MDE emerges as a promising approach to address the inability of third-generation languages to (a) express domain concepts effectively and (b) alleviate the complexity of platforms [115]. MDE advocates the use of models as first class entities throughout the software engineering life cycle. Each model usually addresses one concern, independently from the rest of the issues involved in the construction of the system. Thus, the basic functionality of the system can be separated from its final implementation; the business logic can be separated from the underlying platform technology, etc. Although considered as first class citizens in MDE, there is no common agreement about what a model is [112]. Thus, we can find several definitions of a model, such as: • A model captures a view of a physical system. It is an abstraction of the physical system, with a certain purpose. This purpose determines what is to be included in the model 2.1. M ODEL D RIVEN E NGINEERING IN A N UTSHELL 11 and what is irrelevant. Thus the model completely describes those aspects of the physical system that are relevant to the purpose of the model, at the appropriate level of detail [94]. • A model represents some concrete or abstract thing of interest, and does so with a specific purpose. A model is related to the thing it represents by explicit or implicit correspondences between the elements of that model and the parts of that thing. This correspondence enables understanding the intended meaning of that model [93]. • A description of (part of) a system written in a well-defined language [74]. Independently of the definition we like the most, what we know is that, in MDE, models are not considered as mere documentation, but key artifacts from which the whole system can be derived and implemented. Thus, a precise and formal basis will significantly help us in their definition not to produce unexpected results. Model Driven Architecture (MDA). MDA is the Object Management Group’s (OMG) particular vision of MDE that relies on the use of OMG standards to represent (among others) models, model relationships, and model-to-model transformations. These standards include UML (Unified Modeling Language), MOF (Meta-Object Facility), OCL (Object Constraint Language), XMI (XML Metadata Interchange) and MOF/QVT (Query/View/Transformations), whose specifications can be found in the OMG’s website [11]. MDA presents a four-level architecture based on the idea of metamodeling (see Figure 2.1). In this architecture, a model is used to represent some concrete or abstract thing of interest (with a specific purpose) of the system under modeling. A model is written in the language defined by its metamodel. A metamodel describes the concepts of the language, the relationships among them, and the structuring rules that constrain the model elements and their combinations in order to respect the domain rules. We normally say that a model conforms to its metamodel [20]. Metamodels are also models, and therefore they need to be written in another language, which is described by its meta-metamodel. This recursive definition normally ends at such meta-metalevel, since meta-metamodels conform to themselves. An example of a meta-metamodel is the OMG standard Meta-Object Facility (MOF) [92], which can be basically seen as a subset of the UML Class Diagram—it is composed mainly of packages, classifiers and structural features. MOF enables the definition of metamodels, such as, e.g., the one shown in Figure 2.2. This figure shows a metamodel of a DSML for 12 C HAPTER 2. BACKGROUND Figure 2.1: MDA four-level architecture. Figure 2.2: The Author metamodel. authors and books. In this metamodel, named Author, authors can write several books. Authors are described by their name and surname, and books are described by their name and ISBN. Figure 2.3 shows an Author model example (conforming to the previous Author metamodel) using an object diagram. Note that a metamodel only define the concepts of the language, not a notation for it. We will use object diagrams as the “abstact” notation for models. The model consists of two authors, Paulo Coelho and Silvia Salinas, and three books, O Alquimista, Veronika decide morrer and Todo (no) terminó. The first two books were written by Paulo Coelho, while the last one was written by Silvia Salinas. Figure 2.3: An Author model (abstract syntax). 2.1. M ODEL D RIVEN E NGINEERING IN A N UTSHELL 13 2.1.3 Main Technologies of MDE MDE makes use mainly of two technologies: Domain Specific Modeling Languages and Model Transformations. Domain-Specific Modeling Languages (DSMLs). DSMLs are defined to formalize the ap- plication structure, behavior, and requirements within particular domains, such as avionics mission computing, online financial services or warehouse management. They are used to represent the various facets of a system in terms of models. Such languages tend to support higher level abstractions than general-purpose modeling languages, and are closer to the problem domain than to the implementation domain. Thus, a DSML follows the domain abstractions and semantics, allowing modelers to perceive themselves as working directly with domain concepts. Furthermore, the rules of the domain can be included into the language as constraints, disallowing the specification of illegal or incorrect models. In the next chapter, we will present how a DSML can be defined. Model transformation. Model Transformation provides a means to analyze certain aspects of models and then automatically synthesize various types of artifacts, such as source code, simulation inputs, or alternative model representations. The ability to synthesize artifacts from models helps to ensure the consistency between application implementations and analysis information associated with functional and QoS requirements captured by models. The most common type of model transformation is the so called model-to-model transformation. A model-to-model transformation specifies a way to produce a set of target models from a set of source models. For this purpose, it should enable developers to define the way source model elements must be matched and navigated in order to initialize the target model elements [3]. When a model-to-model transformation is composed of a single input model and a single output model, we call it simple model-to-model transformation. Formally, a simple model-to-model transformation has to define the way for generating a model Mb, conforming to a metamodel MMb, from a model Ma conforming to a metamodel MMa. Since in MDE a major feature is to consider, as far as possible, all handled items as models, the model transformation itself has to be defined as a model. This transformation model Mt has to conform to a transformation metamodel MMt whose language defines the model transformation semantics. As other metamodels, the transformation metamodel has, in turn, to conform to the considered meta-metamodel MMM (see Figure 2.4). 14 C HAPTER 2. BACKGROUND Figure 2.4: An overview of model transformation. An in-place model transformation is a special kind of model-to-model transformation where source and target models are always instances of the same metamodel (i.e., they are endogenous transformations). In fact, source and target models are the same: this kind of model transformation is not used to create new models but just to modify the source ones. As we will see in Section 6.3.1, they present a very intuitive way to represent the behavior of DSML. 2.1.4 Model Driven Engineering in the Eclipse Platform Eclipse is an open source community project focused on building an open development platform comprised of extensible frameworks, tools and support for building, deploying and managing software across the life cycle. It is becoming a widely used platform in the MDE community, since several modeling tools have been developed for it. In the next subsections, we will mention those that have been used to develop the tool support of this thesis. 2.1.4.1 The Eclipse Modeling Framework The Eclipse Modeling Framework (EMF) [9] is a modeling framework and code generation facility for building tools and other applications based on a structured data model. From a model specification described in XMI, EMF provides tools and runtime support to produce a set of Java classes for the model, along with a set of adapter classes that enable viewing and command-based editing of the model, and a basic editor. Models can be specified using annotated Java, XML documents, or modeling tools like Rational Rose, and then imported into EMF. Most important of all, EMF provides the foundation for interoperability with other EMF-based tools and applications, such as, e.g., the Graphical Modeling Framework (GMF), the Textual Concrete Syntax (TCS) tool, and the ATLAS Transformation Language (ATL)— see the next subsections for more details about these tools. 2.1. M ODEL D RIVEN E NGINEERING IN A N UTSHELL 15 EMF started out as an implementation of the MOF specification. It evolved from there based on the experience of implementing a large set of tools using it. EMF can be thought of as a highly efficient Java implementation of a core subset of the MOF API. However, to avoid any confusion, the MOF-like core metamodel in EMF is called Ecore, whose metamodel is described in Figure 2.5. In the current proposal for MOF 2.0, a similar subset of the MOF model, which is called EMOF (Essential MOF), is separated out. Although there are small, mostly naming differences between Ecore and EMOF, EMF can transparently read and write serializations of EMOF. Figure 2.5: The Ecore metamodel. All the metamodels produced in this thesis have been defined using the class diagramlike editor that EMF provides (see, for instance, Figure 2.2). EMF also provides a sample Ecore editor (tree editor) to define models that conform to metamodels specified using Ecore. 16 C HAPTER 2. BACKGROUND Figure 2.6 shows the definition of the model depicted in Figure 2.3 using the EMF sample Ecore editor. Figure 2.6: An Author model (edited with the sample Ecore editor). 2.1.4.2 The Graphical Modeling Framework The Eclipse Graphical Modeling Framework (GMF) [8] provides a generative component and runtime infrastructure for developing graphical concrete syntaxes (notations) for DSMLs. It automatically generates an Eclipse plugin with a DSML diagram editor from (1) the DSML’s metamodel (abstract syntax); (2) a graphical definition model (i.e., the shapes that will be associated to the domain elements); (3) a tooling definition model (namely the buttons that enable the creation of the model elements); and (4) a mapping model relating the three previous artifacts (see Figure 2.7). GMF significantly reduces the cost of DSML tooling. We have used it to define, for instance, the graphical concrete syntax of our e-Motions language (see Section 7.2). More information about GMF can be found in [8]. 2.1.4.3 Textual Concrete Syntax Textual Concrete Syntax (TCS) [70] is an Eclipse component that enables the specification of textual concrete syntaxes (notations) for DSMLs by attaching syntactic information to metamodels. With TCS, it is possible to parse (text-to-model) and pretty-print (model-to-text) DSML sentences. Moreover, TCS provides an Eclipse editor which features syntax highlighting, hyperlinks, and hovers for every DSML which syntax is represented in TCS. We use TCS, for instance, to define the model-to-text transformation from Maude models (see Section 4.2.1.2). The interested reader is referred to TCS’s website [7] for more information about the tool. 2.1. M ODEL D RIVEN E NGINEERING IN A N UTSHELL 17 Figure 2.7: The GMF process to define a visual concrete syntax for a DSML. 2.1.4.4 The ATLAS Transformation Language The Atlas Transformation Language (ATL) [3, 71] is the ATLAS INRIA & LINA research group’s answer to the OMG MOF /QVT RFP. It is a model transformation language specified as both a metamodel and a textual concrete syntax. In the field of MDE, ATL provides developers with a mean to specify the way to produce a number of target models from a set of source models. The ATL language is a hybrid of declarative and imperative programming. The preferred style of transformation writing is the declarative one: it enables to simply express mappings between the source and target model elements. However, ATL also provides imperative constructs in order to ease the specification of mappings that can hardly be expressed declaratively. ATL uses OCL for specifying both its data types and its declarative expressions. Besides basic model transformations, ATL defines an additional model querying facility that enables to specify requests on models (including code generation). ATL also allows code factorization through the definition of ATL libraries [3]. ATL Modules and Rules. An ATL module corresponds to a model-to-model transformation. This kind of ATL unit allows ATL developers to specify the way to produce a set of target models from a set of source models. Both source and target models of an ATL module must be “typed” by their respective metamodels. Moreover, an ATL module accepts a fixed number of models as input, and returns a fixed number of target models: it cannot generate an unknown 18 C HAPTER 2. BACKGROUND number of similar target models (e.g., models that conform to the same metamodel). An ATL module is composed of the following elements: • a header section that defines some attributes that are relative to the transformation module (such as the input and output models and the metamodels they conform to); • an optional import section that enables to import some existing ATL libraries; • a set of helpers (that can be viewed as the ATL equivalent to Java methods); • and a set of rules that defines the way target models are generated from source ones. There are several types of transformation rules, namely called, lazy and match rules. In this section we focus on the main ones: match rules. This kind of rules have the following syntax: r u l e rule_name { from in_var1 : in_type1 , ... in_varn : in_typen [ ( condition ) ] ? [ using { var1 : var_type1 = init_exp1 ; ... varn : var_typen = init_expn ; } ] ? to out_var1 : out_type1 ( bindings1 ) , ... out_varn : out_typen ( bindingsn ) [ do { statements } ] ? } A match rule is identified by its name. It matches one or more given types of source model elements, and generates one or more kinds of target model elements. The rule specifies the way generated target model elements must be initialized from each matched source pattern. It is composed of two mandatory (the source and the target patterns) and two optional (the local variables and the imperative) sections. When defined, the local variables section is introduced by the keyword using. It allows us to locally declare and initialize a number of local variables (that will only be visible in the scope of the current rule). The source pattern of a matched rule is defined after the keyword from. It allows us to specify a set of model element variables that corresponds to the types of source elements the rule has to match—these types correspond 2.1. M ODEL D RIVEN E NGINEERING IN A N UTSHELL 19 to some entities of one of the source metamodels of the transformation. This means that the rule will generate target elements for each occurrence of the source pattern. In many cases, the developer will be interested in matching only a subset of the source elements that conform to the matching type. This is simply achieved by specifying an optional condition (expressed as an OCL expression) within the rule’s source pattern. In this way, the rule will only generate target elements for the source model elements that both conform to the matching types and verify the specified condition. The target pattern of a matched rule is introduced by the keyword to. It specifies the elements to be generated when the source pattern of the rule is matched, and how these generated elements are initialized. A target pattern element corresponds to a model element variable declaration associated with its corresponding set of initialization bindings. This model element variable declaration has to correspond to an entity of the target metamodels of the transformation. Finally, the optional imperative section, introduced by the keyword do, enables the specification of some imperative code that will be executed after the initialization of the target elements generated by the rule. Figure 2.8: The Person metamodel. As an example, the following is an ATL module (Author2Person) that transforms a model conforming to the Author metamodel (see Figure 2.2) to a model conforming to the Person metamodel (see Figure 2.8): module Author2Person ; c r e a t e OUT : MMPerson from IN : MMAuthor ; r u l e Author { from a : MMAuthor ! Author to p : MMPerson ! Person ( name <− a . name , surname <− a . surname ) } IN and OUT are the variables that will be used throughout the whole transformation spec- ification to refer to the input and output models, respectively. The specific models they refer 20 C HAPTER 2. BACKGROUND to will be assigned when running the transformation. The same applies for the MMAuthor and MMPerson variables, which represent the metamodels these models conform to. The rule, called Author, transforms Author source model elements to Person target model elements. The source pattern defines no filter, which means that all Author elements of the source MMAuthor model will be matched by the rule. The rule target pattern contains a single simple target pattern element (called p). This target pattern element will allocate a Person element of the MMPerson target model for each source model element matched by the source pattern. The features of the generated model element are initialized with the corresponding features of the matched source model element. In this case, Book source model elements are simply ignored. ATL also supports other features not presented in this brief introduction, such as other types of transformation rules, rule inheritance, superimposition mode, etc. The interested reader is referred to [3] for more details about these features. 2.2 Rewriting Logic and Maude There are several formalisms that enable the specification of the structure and behavior of systems. In this work, we will focus on rewriting logic, a logic of change that can naturally deal with state and with highly nondeterministic concurrent computations. In particular, we introduce Maude [42], a programming language based on rewriting logic, and two of its extensions: Full Maude, that allows users to specify object-oriented systems, and Real-Time Maude, an extension of the former to specify real-time systems. We will also present the mOdCL tool, an OCL validation tool based on Maude that has been used to develop the tools support of this thesis. 2.2.1 Rewriting Logic and (Core) Maude Membership equational logic (MEL) [27] is a Horn logic whose atomic sentences are equalities t = t′ and membership assertions of the form t : S, stating that a term t has sort S. A MEL theory Γ is a tuple (Σ, E) where Σ is its signature, which specifies its sorts, subsorts, kinds and overloaded operators, and E is a collection of equations and memberships. Such a logic extends order-sorted equational logic, and supports sorts, subsort relations, subsort overloading of operators, and the definition of partial functions with equationally defined domains. MEL has sound and complete rules of deduction, and initial and free algebras [27]. Rewriting logic (RL) [30, 83] is a logic of change that can naturally deal with state and 2.2. R EWRITING L OGIC AND M AUDE 21 with highly nondeterministic concurrent computations. In RL, the state space of a distributed system is specified as an algebraic data type in terms of an equational specification, i.e., RL is parameterized by the choice of its underlying equational logic. The dynamics of a system in RL is then specified by rewrite rules. To be more precise, a RL specification R is a 4tuple (Σ, E, Φ, R) where (Σ, E) is an equational theory, Φ is the function specifying the frozen arguments of each operator in Σ, and R is a collection of rewrite rules. Rewrite rules are of the form [t]E → [t′ ]E , where t and t′ are Σ-terms, and [t]E denotes the equivalence (or congruence) class of the term t modulo the equations E. These rules describe the local, concurrent transitions possible in the system, i.e., when a part of the system state fits any pattern in [t]E then it can change to a new local state fitting pattern [t′ ]E . The model theory of RL has been developed in detail in [83], where initiality, soundness and completeness theorems are proved. Maude [4, 41, 42] is a wide-spectrum programming language based on RL, with MEL as its underlying equational theory. Thus, Maude integrates an equational style of functional programming with RL computation. Because of its efficient rewriting engine and its metalanguage capabilities, Maude turns out to be an excellent tool to create executable environments for different logics, models of computation, theorem provers, or even programming languages. In addition, Maude has already been successfully used in software engineering tools and several applications (see, e.g., [80]). We informally describe in this section those Maude features needed for understanding our approach; the interested reader is referred to [42] for details. For example, the following Maude functional module NATURAL defines the natural numbers (with sorts Nat of natural numbers and NzNat of nonzero natural numbers), using the Peano notation, with the zero (0) and successor (s_) operators as constructors (note the ctor attribute). The addition operation (_+_) is also defined, being its behavior specified by one equational axiom. Note that the operators s_ and _+_ are defined using mixfix syntax (underscores indicate placeholders for arguments). fmod NATURAL i s s o r t s NzNat Nat . s u b s o r t NzNat < Nat . op 0 : −> Nat [ ctor ] . op s_ : Nat −> NzNat [ ctor ] . op _+_ : Nat Nat −> Nat [ assoc comm id : 0 ] . v a r s M N : Nat . eq s M + s N = s s ( M + N ) . endfm Functional modules are required to be terminating and Church-Rosser [27]. Computation in a functional module is accomplished by using equations as simplification rules from left to 22 C HAPTER 2. BACKGROUND right until a canonical form is found. Some equations, like those expressing the commutativity of binary operators, are not terminating but nonetheless they are supported by means of operator attributes, so that Maude performs simplification modulo the equational theories provided by such attributes, which can be any combination of associativivity (assoc), commutativity (comm) and identity (id). The equations in a MEL theory (Σ, E) are in fact divided as E ∪ A, with E equations and memberships, and A the axiom supported by equational attributes. In Maude, specifications may be generic, that is, they may be defined with other specifications as parameters. The requirements that a datatype must satisfy are described by theories. Theories may include declarations of sorts, subsorts, operations, membership axioms and equations as can be done in modules. For example, sets can be constructed on top of any data, which means that its parameter could be a theory requiring only the existence of a sort. The following module SET provides a sort Set{X} of sets over a given sort of elements (specified by the Elt sort in the TRIV theory) with the empty constant as the empty set, and , the associative and commutative union operator, with identity element empty. f t h TRIV i s s o r t Elt . endfth fmod SET{X : : TRIV} i s s o r t Set{X} . s u b s o r t X$Elt < Set{X} . op empty : −> Set{X} [ ctor ] . op _ , _ : Set{X} Set{X} −> Set{X} [ ctor assoc comm id : empty ] . var E : X$Elt . eq E , E = E . endm The parameter X :: TRIV indicates that X is the label of the formal parameter, which must be instantiated with modules satisfying the requirements expressed by the theory TRIV. The sorts and operations of the theory are used in the body of the parameterized module, but sorts are qualified with the label of the formal parameter; thus, in this case, the parameter Elt becomes X$Elt in the SET module. In Maude, parameterized modules are instantiated by means of views. A view shows how a particular module satisfies a theory by mapping sorts and operations in the theory to sorts and operations in the target module, in such a way that the induced axioms are provable in the target module. The following view Nat maps the theory TRIV to the Maude’s predefined module NAT of natural numbers. view Nat from TRIV t o NAT i s s o r t Elt t o Nat . 2.2. R EWRITING L OGIC AND M AUDE 23 endv Then, the module expression SET{Nat} denotes the instantiation of the parameterized module SET with the above view Nat. Notice that the name of the sort Set{X} makes explicit the label of the parameter. In this way, when the module is instantiated with a view, like for example the Nat view above, the sort name is also instantiated becoming Set{Nat}. While functional modules specify membership equational theories, rewrite theories are specified by system modules. A system module may have the same declarations of a functional module plus rules. Unconditional rules are written using the syntax rl [l] : t => t′ . and conditional rules using the syntax crl [l] : t => t′ if Cond . where l is the rule label and Cond its condition. The guards of conditional rules act as blocking pre-conditions, in the sense that a conditional rule can only be fired if its condition is satisfied. The form of rule conditions used in this thesis is EqC 1 /\ ... /\ EqC n where each of the EqC i is either an ordinary equation t = t′ , a matching equation t := t′ , or a term t of sort Bool, abbreviating t = true.1 In the execution of a matching equation t := t′ , the variables of the term t, which may not appear in the lefthand side of the corresponding conditional equation, become instantiated by matching the term t against the canonical form of the bounded term t′ . For example, given the quotient operator quo , the following BOARD system module defines a rule replace that takes any two numbers in a set of numbers and replaces them by their mean: mod BOARD i s p r o t e c t i n g SET{Nat} . v a r s N M : Nat . r l [ replace ] : N , M => ( N + M ) quo 2 . endm Rewriting in a system module operates on congruence classes of terms module its equations. When we rewrite a term like (6,3,2) we are rewriting in fact on its equivalent class (modulo equation E,E = E and associativity, commutativity and identity of , ). Thus, the rule can be applied on subterms (6,3), (6,2), (3,2), or their permutations. The rewrite command can be used to execute the system, using the Maude interpreter, which applies the rules until none is applicable. Maude> r e w r i t e 6 , 3 , 2 . r e s u l t NzNat : 4 1 Maude supports other kind of rule conditions, such as, e.g., rewrite conditions of the form t => t′ [42]. 24 C HAPTER 2. BACKGROUND Note that the result depends on the numbers matched in each application of the rule. System rules are not required to be terminating nor confluent. In this case, subterm (3,2) (or (2,3)) has been rewritten first to term 2, and then the resulting term (6,2) (or (2,6)) has been rewritten to term 4. 2.2.2 Object-Oriented Specifications: Full Maude Full Maude [42] is an extension of Maude (written in Maude itself) that provides a notation for object-oriented programming. In Full Maude, concurrent object-oriented systems are specified by object-oriented modules in which classes and subclasses are declared. A class is declared with the syntax class C | a1 :S1 , ..., an :Sn , where C is the name of the class, ai are attribute identifiers, and Si are the sorts of the corresponding attributes. Objects of a class C are then record-like structures of the form < O : C | a1 :v1 , ..., an :vn >, where O is the object identifier, and vi are the current values of its attributes ai . Objects can interact in a number of different ways, including message passing. Messages are declared in Maude in msg clauses, in which the syntax and arguments of the messages are defined. In a concurrent object-oriented system, the concurrent state, which is called a configuration, has the structure of a multiset made up of objects and messages that evolves by concurrent rewriting, using rules that describe the effects of the communication events of objects and messages. The predefined sort Configuration represents configurations of Maude objects and messages, with none as the empty configuration and the empty syntax operator __ as union of configurations. mod CONFIGURATION i s s o r t Configuration . s u b s o r t s Object Message < Configuration . op none : −> Configuration [ ctor ] . op __ : Configuration Configuration −> Configuration [ ctor assoc comm id : none ] . ... endm Class inheritance is directly supported by Maude’s order-sorted type structure. A subclass declaration C < C’, indicating that C is a subclass of C’, is a particular case of a subsort declaration C < C’, by which all attributes, messages, and rules of the superclasses, as well as the newly defined attributes, messages and rules of the subclass characterize its structure and behavior. This corresponds to the traditional notion of subtyping: A is a subtype of B if every <X> that satisfies A also satisfies B (in some contexts, this also means that objects of class A can 2.2. R EWRITING L OGIC AND M AUDE 25 safely replace objects of class B). Multiple inheritance is also supported in Maude [42, 41]. For instance, the following Maude module EMPLOYEE2 specifies two classes: Person and Employee. The Person class has an attribute name of sort string (String). The Employee class extends the Person class and has an attribute salary of sort integer (Int). The String sort is predefined in the STRING module, and the Int sort is imported in every Maude module. ( omod EMPLOYEE i s p r o t e c t i n g STRING . c l a s s Person | name : String . c l a s s Employee | salary : Int . s u b c l a s s Employee < Person . endom ) 2.2.2.1 Object-Oriented Modules in (Core) Maude Although object-oriented modules provide convenient syntax for programming object-oriented systems, their semantics can be reduced to that of system modules. We can regard the special syntax reserved for object-oriented modules as syntactic sugar. In fact, each object-oriented module can be translated into a corresponding system module whose semantics is by definition that of the original object-oriented module. This is precisely what Full Maude does to handle object-oriented modules [42, 51]. For instance, each class declaration of the form class C | a1 :S1 , ..., an :Sn can be specified in (Core) Maude as a subsort C of sort Cid (class identifier), a constant C of sort C, and declarations of operations ai : : Si -> Attribute for each attribute ai ; and each subclass relation C < D as a subsort declaration subsort C < D. Thus, the above Person and Employee classes specifications can be rewritten in (Core) Maude (importing the CONFIGURATION module) as follows: s o r t Person . s u b s o r t Person < Cid . op Person : −> Person . op name : _ : String −> Attribute . s o r t Employee . s u b s o r t Employee < Person . op Employee : −> Employee . op salary : _ : Int −> Attribute . Further details on the translations performed from Full Maude to (Core) Maude can be found in [42]. 2 Any module, theory, view, or command intended for Full Maude has to be enclosed in parentheses [42] 26 C HAPTER 2. BACKGROUND 2.2.3 Real-Time Maude Real-Time Maude [89, 91] is a language and tool for the high-level formal specification, simulation, and formal analysis of real-time and hybrid systems. It is implemented in Maude as an extension of Full Maude. Real-Time Maude provides, among others: • a sort Time to model the time domain, which can be either discrete or dense time (although users can define their own time domain); • a sort TimeInf, which extends the sort Time with the infinite value INF; • a built-in constructor { } of sort GlobalSystem, with the intended meaning that, given a term t of sort System, {t} denotes the whole system in state t; • an extended form of rewrite rules, known as tick rules, whose concrete syntax is crl [l] : {t} => {t′ } in time τ if Cond . where τ is a term of sort Time that denotes the duration of the rewrite, and that affects the global time elapse. Real-time rewrite theories are described in Real-Time Maude as timed modules. For example, the following timed module (borrowed from [89]) specifies a simple discrete clock which shows the time. Clocks count hours, so time advances by one time unit in each tick step until it reaches time 24. Since the example handles discrete time, we import the built-in module NAT-TIME-DOMAIN to use natural numbers as the time domain. ( tmod CLOCK i s p r o t e c t i n g NAT−TIME−DOMAIN . op clock : Time −> System [ ctor ] . var N : Time . c r l [ tick ] : {clock ( N ) } => {clock ( N + 1 ) } in time 1 i f N < 24 . r l [ reset ] : clock ( 2 4 ) => clock ( 0 ) . endtm ) As we previously mentioned, tick rules affect the global time. Therefore, when the system is composed of several timed elements, time elapse is usually modeled by one single tick rule, and the system dynamic behavior by instantaneous transitions [89]. The tick rule is defined by using two functions: the delta function, that defines the effect of time elapse over every system element; and the mte (maximal time elapse) function, that defines the maximum amount of time that can elapse before any action can take place. Then, time advances nondeterministically by any amount τ , which must be less or equal than the maximum time elapse of the system. 2.2. R EWRITING L OGIC AND M AUDE 27 The following timed module specifies the same system with several clocks (adapted from [89]). We let an associative and commutative operator __ be the constructor for multisets of single clocks. 1 ( tmod CLOCKS i s 2 p r o t e c t i n g NAT−TIME−DOMAIN . 3 --- The sort System is a multiset of clocks: 4 s o r t Clock . 5 op clock : Time −> Clock [ ctor ] . 6 s u b s o r t Clock < System . 7 op __ : System System −> System [ ctor assoc comm ] . 8 --- Variables 9 v a r s R R ’ : Time . 10 v a r s SYSTEM SYSTEM ’ : System . 11 --- The instantaneous transitions: 12 r l [ reset ] : clock ( 2 4 ) => clock ( 0 ) . 13 --- Tick the whole system: 14 c r l [ tick ] : 15 16 {SYSTEM} => {delta ( SYSTEM , R ) } in time R i f R <= mte ( SYSTEM ) [ nonexec ] . 17 --- Effect of time elapse on a system: 18 op delta : System Time −> System [ frozen ( 1 ) ] . 19 eq delta ( clock ( R ) , R ’ ) = clock ( R plus R ’ ) . 20 eq delta ( SYSTEM SYSTEM ’ , R ) = delta ( SYSTEM , R ) delta ( SYSTEM ’ , R ) . 21 --- Maximum Time Elapse allowed in a system before a clock must be reset: 22 op mte : System −> Time [ frozen ( 1 ) ] . 23 eq mte ( clock ( R ) ) = 24 monus R . 24 25 eq mte ( SYSTEM SYSTEM ’ ) = min ( mte ( SYSTEM ) , mte ( SYSTEM ’ ) ) . endtm ) Since the state of the system is now a multiset of clocks, time elapse must be specified over every clock. The delta operation is defined over the whole system and increases every clock time with time elapse R. The maximal time elapse of the system (specified by the mte operation) defines the maximal amount of time that can elapse before a possible event (in this case the reset of a clock) may happen. Thus, it equals the time until the next moment in time when any clock must be reset. Note that time advance in the above tick rule is nondeterministic. The nonexec attribute (line 16) specifies that the rule is not directly executable. This attribute will be “removed” when a time sampling strategy is applied to the rule (see below). Finally, the frozen attribute (line 18 and 22) forbids rewriting with rules in all proper subterms of mte and delta operators to avoid “aged” rewrites [89]. Real-Time Maude identifies two types of tick rules: time-deterministic and time-nondeterministic. Tick rules in which the time increment is explicitly given are called time-deterministic. This is the case, e.g., of the tick rule described in the CLOCK module, on which we specify that time advances by 1 time unit. All other tick rules are called time-nondeterministic. In this kind 28 C HAPTER 2. BACKGROUND of rules, the time increment is not explicitly specified, but may be restricted (see below). An example of this kind of tick rules can be found in the CLOCKS module, in which we specify that time advances by any amount equal or less than the maximum time elapse of the system. This is the kind of time-nondeterministic tick rule we are going to focus on in this thesis. Time-nondeterministic tick rules are not directly executable in Maude, since it is not clear which values to assign to τ (the R variable in the presented example) in a rewrite step. RealTime Maude allows the user to choose from a set of predefined time sampling strategies (also called tick modes), whose precise meaning is described in [91], for instantiating the variable R in each application of the tick rule. We present in what follows the tick modes applicable to the type of time-nondeterministic rule we have selected: • Default mode. The default mode is parameterized by a time increment value ∆. Time is advanced by the smallest value of the maximum time elapse of the system and ∆. • Maximal mode. Time is advanced by the maximal time elapse of the system. • Maximal/default mode. The maximal/default mode is parameterized by a time value ∆. Tick rules are applied using a maximal time advance strategy if possible, and by trying to advance time by the default value ∆ if the maximal time increase is the infinite value INF. The tick mode stays unchanged until another tick mode is selected. All applications of nondeterministic tick rules—be it for rewriting, search, or model checking—are performed using the strategy corresponding to the current tick mode. The user has to note that using either of these strategies when applying the tick rules means that some potential behaviors in the system, namely those obtained by applying the tick rules differently, are not analyzed. The discretization provided by the time sampling strategies does not in general preserve all interesting properties of the system, and all analysis results should be understood in this light [91]. 2.2.3.1 Timed Modules in (Core) Maude Similarly to object-oriented modules, the semantics of a timed module can also be reduced to that of system modules. In fact, each timed module can be translated into a corresponding system module whose semantics is by definition that of the original timed module. In this section, we will focus on the translation of tick rules into rewrite rules. Further details on the translation performed from Real-Time Maude to (Core) Maude can be found in [91]. 2.2. R EWRITING L OGIC AND M AUDE 29 Let us show how tick rules are encoded in (Core) Maude by presenting the translation of the time-nondeterministic tick rule used in the previous example for clocks. The original tick rule is specified as follows: 1 var R : Time . 2 var SYSTEM : System . 3 4 5 c r l [ tick ] : {SYSTEM} => {delta ( SYSTEM , R ) } in time R i f R <= mte ( SYSTEM ) [ nonexec ] . Several changes are applied to a tick rule to obtain the final rewrite rule. For instance, we have to take into account that internally Real-Time Maude adds a clock component to each state of the system. This component represents the time on which the state was reached. 1 s o r t ClockedSystem . 2 op _in time_ : GlobalSystem Time −> ClockedSystem [...] . Therefore, if we want to find a system state that fits the left-hand side of our rule, we must include a clock component on it: 1 var T TE : Time . 2 var SYSTEM : System . 3 4 5 c r l [ tick ] : {SYSTEM} in time T => {delta ( SYSTEM , TE ) } in time ( T plus TE ) i f TE <= mte ( SYSTEM ) [ nonexec ] . Note that now time will advance TE time units with respect to the time T assigned to the global SYSTEM state. Another change is performed depending on the tick mode selected by the user: the nonexec attribute is removed and the time elapse is set to a specific value, not being nondeterministic anymore. For instance, if we consider the maximal mode, the previous tick rule will be finally translated into the following rewrite rule: 1 var T TE : Time . 2 var SYSTEM : System . 3 4 5 c r l [ tick ] : {SYSTEM} in time T => {delta ( SYSTEM , TE ) } in time ( T plus TE ) i f TE : = mte ( SYSTEM ) / \ TE =/= zero . Note that TE is assigned the maximal time elapse of the system (computed by the mte operation). Furthermore, we include the TE =/= zero condition. This is a pragmatic choice based on the fact that advancing time by zero units using this kind of tick rules does not change the state, but leads to unnecessary looping during executions [91]. Of course, the resulting rewrite rule will represent the original tick rule whenever we import in our specifications the system modules on which Real-Time Maude defines the time domains and the built-in constructor for global systems. 30 C HAPTER 2. BACKGROUND 2.2.4 The mOdCL Tool mOdCL [108] is an OCL validation tool based on Maude. The tool allows us to validate OCL expressions on concrete UML object diagrams. However, its implementation is not tied to its internal representation of the UML metamodel, and therefore it can be adapted to be applied over other DSMLs. In this section, we sketch the mOdCL representation of the main OCL concepts in Maude that we are going to use throughout this thesis. The complete mOdCL specification is available at [10]. The complete set of renamings that we have performed over the sorts and operators defined in mOdCL to adapt them to our Maude infrastructure to represent models and metamodels can be found in Appendix A, although those that affect the comprehension of this thesis will be presented throughout this document as needed. In mOdCL, OCL expressions are represented as terms of the OCL-Exp sort. The basic OCL types Boolean, Integer, Real and String are, respectively, mapped into the Maude predefined sorts Bool, Int, Float and String, whereas the user defined types are mapped on the Maude predefined sort Oid. OCL predefined collection types are built over the generic sorts List{X} an MSet{X}, which represent ordered and non-ordered collections of elements, respectively. 1 mod CONTAINER{X : : OCL−TRIV} i s 2 s o r t s List{X} MSet{X} . 3 s u b s o r t X$Elt < List{X} . 4 s u b s o r t X$Elt < MSet{X} . 5 op mt−ord : −> List{X} [ ctor ] . 6 op _ , _ : List{X} List{X} −> List{X} [ ctor assoc id : mt−ord . . . ] . 7 op mt : −> MSet{X} [ ctor ] . 8 op _ ; _ : MSet{X} MSet{X} −> MSet{X} [ ctor assoc comm id : mt . . . ] . 9 10 ... endm Each type of collection (Set, Bag, OrdSet and Sequence) is then built by wrapping its corresponding type of collection of elements (ordered or non-ordered), with the suitable constant: 1 2 mod COLLECTION i s pr CONTAINER{OCL−Exp} . 3 4 op Set{_} : MSet{OCL−Exp} −> Set [ ctor ] . 5 op Bag{_} : MSet{OCL−Exp} −> Bag [ ctor ] . 6 op OrderedSet{_} : List{OCL−Exp} −> OrdSet [ ctor ] . 7 op Sequence{_} 8 op Set{} : −> Set . 9 op Bag{} : −> Bag . : List{OCL−Exp} −> Sequence [ ctor ] . 10 op Sequence{} : −> Sequence . 11 op OrderedSet{} : −> OrdSet . 12 eq Set{} = Set{mt} . 13 eq Bag{} = Bag{mt} . 14 eq Sequence{} = Sequence{mt−ord} . 2.2. R EWRITING L OGIC 15 16 17 AND M AUDE 31 eq OrderedSet{} = OrderedSet{mt−ord} . ... endm Set{}, Bag{}, Sequence{} and OrderedSet{} operators are defined as syntactic sugar to represent the empty collection of its corresponding type. The Set{ } and Bag{ } operators are built over non-ordered collections, while OrderedSet{ } and Sequence{ } are built over ordered collections. Contrary to bags and sequences, sets and ordered sets cannot have duplicated elements. These elements are removed (by further mOdCL equations) when the OCL expression is evaluated. mOdCL provides syntax for all OCL operators. OCL expressions written using these declarations follow very closely the original OCL syntax. Only some differences apply: the = operator is represented as the .=. operator, the elements of sets and bags are separated by a semicolon instead of a comma, and every subexpression of an OCL expression must be separated by a space. As we will see in Chapter. 7, OCL expressions written in e-Motions are transparently mapped into the mOdCL notation, so the user is not aware of these syntactic mismatches. mOdCL also provides several operators to evaluate well-formed OCL expressions. The following is an example on how we can evaluate a context-free OCL expression in Maude by means of the << >> operator: 1 Maude> r e d u c e << Sequence{1 , 3 , 4} −> size ( ) >> . 2 3 r e s u l t NzNat : 3 32 C HAPTER 2. BACKGROUND Chapter 3 Defining a Domain Specific Modeling Language In this chapter we present the elements that are involved in the definition of a DSML: abstract syntax, concrete syntax and semantics. We show the need of formally defining the semantics of a DSML, and we separate it from the definition of its behavior. Thus, we identify two views in the definition of a DSML: the structural view and the behavioral view. We give some hints on how the DSML designer can be kept from explicitly defining the semantics of his/her DSML. 3.1 Introduction Domain-Specific Modeling Languages (DSMLs) formalize the application structure, behavior, and requirements within particular domains. Such languages tend to support higher level abstractions than general-purpose modeling languages, and are closer to the problem domain than to the implementation domain. Thus, a DSML follows the domain abstractions and semantics, allowing modelers to perceive themselves as working directly with domain concepts. Furthermore, the rules of the domain can be included into the language as constraints, disallowing the specification of illegal or incorrect models. The definition of a DSML involves at least three aspects: the domain concepts and rules (abstract syntax); the notation used to represent these concepts—let it be textual or graphical (concrete syntax); and the semantics of the language (see Figure 3.1). Most of the MDE community efforts have been focused on the definition of the structural parts of DSMLs, i.e., on the definition of models and metamodels, and some graphical o textual syntax for them— this is what is usually called the metamodeling technique. This approach enables the rapid 33 34 C HAPTER 3. D EFINING A D OMAIN S PECIFIC M ODELING L ANGUAGE Figure 3.1: Definition of a DSML. development of languages and some of their associated tools, such as editors or browsers. However, the idea of MDE is not to use models as mere documentation, but key artifacts from which the whole system can be derived and implemented. Thus, a precise and formal basis will significantly help us in their definition not to produce unexpected results. Since models are defined with DSMLs, we should not avoid the definition of the semantics of a DSML, specially when we need to explicitly describe its behavior. 3.2 Abstract Syntax of a DSML The abstract syntax of a DSML is usually specified by a metamodel, which describes the concepts of the language, the relationships among them, and the structuring rules that constrain the model elements and their combinations in order to respect the domain rules. We normally say that a model conforms to the metamodel that represents the concepts of the DSML the model is written in [20]. Figure 3.2 shows a metamodel of a DSML for production systems defined with the Ecore language. In this metamodel, a production system is made of plants that are composed of machines: generators (HeadGen and HandleGen) and assemblers; containers, which can be trays, conveyors and users; and parts: heads, handles and hammers. Trays can be connected to machines; machines are connected to conveyors, and conveyors are connected to trays. Trays, conveyors, and users can hold different parts (heads, handles and hammers). Note that no information is included about the behavior of these elements. Figure 3.3 shows a production model example (conforming to the metamodel in Figure 3.2) 3.3. C ONCRETE S YNTAX OF A DSML 35 Figure 3.2: Metamodel of a DSML for production systems. Figure 3.3: A production system model (abstract syntax). using an object diagram. The model consists of a plant with two generators, each one connected to a different conveyor. These conveyors are connected to the same tray, which is connected in its turn to an assembler. The assembler is connected to a third conveyor, which is also connected to another tray. 3.3 Concrete Syntax of a DSML The concrete syntax of a DSML provides a realization of its abstract syntax as a mapping between the metamodel concepts and their textual or graphical representation (see Figure 3.1). For visual languages, it is necessary to establish links between these concepts and the visual symbols that represent them—as done, e.g, with GMF (see Section 2.1.4.2). Similarly, with textual languages links are required between metamodel elements and the syntactic structures 36 C HAPTER 3. D EFINING A D OMAIN S PECIFIC M ODELING L ANGUAGE of the textual DSML. An example of this approach is TCS (see Section 2.1.4.3). Of course, a language can have several concrete syntaxes. Figure 3.4: A concrete syntax for the DSML for production systems. Figure 3.4 shows a simple visual concrete syntax for the DSML for production systems. We have associated an image to each class of the metamodel. For instance, machines are represented as cogwheels with an icon showing the kind of part they generate. Figure 3.5: A production system model (concrete syntax). Once we have defined a concrete syntax for a DSML, we can make use of it, e.g., to define visual models. Figure 3.5 shows the model depicted in Figure 3.3 using the above concrete syntax. In this case, we have represented references between objects as directed arrows, and attribute-value pairs textually, except the position of each element, which is dictated from its position in the plant (depicted as the background grid). 3.4. S EMANTICS OF A DSML 37 The graphical concrete syntax can also be used in the definition of the behavioral rules of a DSML, as we shall see in Chapters 6 and 7. 3.4 Semantics of a DSML Defining a DSML only by means of its abstract and concrete syntaxes allows the rapid development of languages and some associated tools, such as editors or browsers. However, if we want to perform real engineering tasks, we also need to count on model analyzers, simulators, matchmakers, quality evaluators, etc. Explicit and formal specification of model semantics is receiving more attention recently, since the lack of explicit semantics presents a possibility for semantic mismatch between design models and modeling languages of analysis tools [73]. While this problem exists in virtually every domain where DSMLs are used, it is more common in domains in which behavior needs to be explicitly represented, as it happens in most industrial applications of a certain complexity. This issue is particularly important in safety-critical real-time and embedded system domains, where precision is required and where semantic ambiguities may produce conflicting results across different tools. Furthermore, the lack of explicit behavioral semantics strongly hampers the development of formal analysis and simulation tools, relegating models to their current common role of simple illustrations. In general, DSMLs have not been given semantics or has been done using natural languages. Although users can normally guess the meaning of most terms of a DSML (a good language designer probably chooses keywords and special symbols with a meaning similar to some accepted norm), a computer cannot act on such assumptions [66]. To be useful in the computing arena, any language (let it be textual or visual or used for programming, requirements, specification, or design) must come with rigid rules that clearly state allowable syntactic expressions and give a rigid description of their meaning. A formal description of a language’s semantics has been usually done using an operational, denotational or axiomatic style (see, e.g., [128] for a comprehensive survey of semantic description frameworks). Operational semantics involves the specification of an abstract machine or transition system, the computations of which represent possible executions of a language expression. A denotational semantics is given by a mathematical function which maps the syntax of the language to a semantic value (a denotation). Axiomatic semantics involves rules for deducing assertions on the correctness or equivalence of language expressions and corresponding parts [128]. Each of these frameworks have particular properties, but the distinction between 38 C HAPTER 3. D EFINING A D OMAIN S PECIFIC M ODELING L ANGUAGE them is seldom sharp: they frequently borrow features from each other. In MDE, the definition of the semantics of a DSML can be also accomplished through the definition of a mapping between the language itself and another language with well-defined semantics (see Figure 3.1) such as Abstract State Machines [37], Petri Nets [49], or rewriting logic [104]. This method, which is also proposed by other authors (see, e.g., [18, 40, 73]), it is usually called translational semantics. The advantage of using a model-driven approach is that these semantic mappings can be defined in terms of model transformations. Semantic mappings can be defined to more that one semantic domain, providing the DSML with alternative semantic representations. Each semantic domain is more appropriate to represent and reason about certain properties, and to conduct certain kinds of analysis. Therefore, these semantic mappings are very useful not only to provide precise semantics to the DSMLs, but also to be able to simulate, analyze or reason about them using the logical and semantical framework available in the target domain [45]. Of course, not all the transformations can always be accomplished: it depends on the expressiveness of the semantic domain. Note that when the semantic mappings can automatically be derived, the underlying semantic domain(s) as well as the semantic mappings themselves can be completely transparent to the DSML designer. This mechanism has several advantages: the DSML designer do not need to know the semantic domain(s), nor the relationship between the concepts of his/her DSML and the concepts of the semantic domain, and he/she can still being benefited from its analysis tools. We call semantic bridges to those general mappings between different domains from which DSML-specific semantic mappings can be automatically derived (see Figure 3.8). Models can then cross these bridges to benefit from each world without being aware of how they were constructed (see Figure 3.6). 3.4.1 Semantics Is Not Behavior A common misconception in modeling languages is to confuse semantics with behavior [66]. Some of the most intricate languages deal with behavior, especially reactive behavior. Their semantics must prescribe the system’s behavior for each allowed model, so that for such languages, behavior and semantics are closely related. However, even structure description languages such as entity-relationship diagrams or UML class diagrams also need semantics so that users know exactly what the language is defining. Hence, semantics and behavior are not to be confused. Both a system’s behavior and its structure are important views in system modeling: Both are represented by syntactic concepts, and both need semantics. 3.5. D EFINING A DSML (R EVISITED ) 39 Figure 3.6: Semantic bridges across different domains. Semantic domains normally include mechanism to specify the behavior of systems, and therefore the behavior of a DSML is usually encoded in the semantic domain directly [37, 104]. However, this approach has several disadvantages: it requires specialized knowledge and expertise on the target formalism, and it restricts the model simulation and analysis operations that can be performed over the models to those that the target tool we are encoding our behavior provides. If we define the behavior as a model in a separate way (as usually done with the structure), we can define an intuitive graphical notation for it, and we can transform it into different semantic domains by using semantic bridges (see Figure 3.7), alleviating these disadvantages. Figure 3.7: Mapping a DSML to different semantic domains. 3.5 Defining a DSML (Revisited) Once we have clarified the difference between behavior and semantics, we propose defining a DSML by means of two views: the structural view and the behavioral view. The elements 40 C HAPTER 3. D EFINING A D OMAIN S PECIFIC M ODELING L ANGUAGE involved in the definition of a DSML (abstract syntax, concrete syntax and semantics, see Figure 3.8) will then be specified for both of them (note the * upper bound for the cardinality of the specification association). However, as we shall see in the next chapters, our approach keeps the DSML designer from explicitly defining the elements involved in the definition of the semantics of the DSML (namely semantic mappings and semantic models), since they are automatically derived from the model transformations we have developed. Figure 3.8: Definition of a DSML (revisited). 3.5.1 Defining the Structural View of a DSML In MDE, there is already a common agreement on how to specify the structure of a DSML: by means of a metamodel (see Section 3.2). The structural concepts defined in the metamodel can be provided with a concrete syntax by mapping them to their corresponding (graphical or textual) symbols (see Section 3.3). The same concepts can also be provided with semantics by mapping them to a semantic domain, such as Membership Equational Logic (MEL) in Maude (see Chap. 4). Figures 3.9 shows the models we identify in our approach in the definition of the structural view of a DSML for a particular example: the DSML for production systems (see Section 3.2). As we shall see in Chap. 4, the structural semantic mappings and the structural semantic model do not need to be explicitly defined: they are derived from the model transformation we have defined between Ecore and Maude. 3.5. D EFINING A DSML (R EVISITED ) 41 Figure 3.9: Structural View of a DSML for Production Systems. 3.5.2 Defining the Behavioral View of a DSML There is no common agreement on how to specify the dynamic behavior of a DSML. One particular way to do it is by describing the evolution of the state of the modeled artifacts along some time model. In MDE, where models, metamodels and model transformations are the key artifacts, model transformations seem to be the natural way. In particular, model transformation languages that support in-place update [46] are perfect candidates for the job. This kind of transformations allow users to describe the permitted actions and how the model elements evolve as a result of these actions. Furthermore, they also allow modelers to perceive themselves as working directly with domain concepts, especially when it enables the use of the graphical concrete syntax of the language (see Section 6.3.1 for more information about in-place model transformation and Section 6.5 for related work). Once we have defined the possible actions of our system, we could provide them with a specific notation by defining a mapping between the actions and their corresponding (graphical or textual) symbols. Note that at a particular moment of time, some model elements can be involved in an action (or in some of them), specially when these actions have a specific duration (see Chap. 7), and a user can be interested in representing these action occurrences explicitly. Normally, modeling tools do not allow users to explicitly represent action executions, they only allow us to represent system states. As we shall see in Section 7.5, our e-Motions tool 42 C HAPTER 3. D EFINING A D OMAIN S PECIFIC M ODELING L ANGUAGE does enable the representation of action executions in a general way in the specification of the behavior of a DSML. The possible actions of the system can also be provided with semantics by mapping them to a semantic domain, such as RL in Maude (see Chap. 6). Figure 3.10: Behavioral View of a DSML for Production Systems. Figures 3.10 shows the models we identify in our approach in the definition of the behavioral view of a DSML for the same particular example: the DSML for production systems. Again, the behavioral semantic mappings and the behavioral semantic model do not need to be explicitly defined: they are derived from the model transformation we have defined between e-Motions and Maude (see Chap. 7). Chapter 4 Structural Semantics of DSMLs In this chapter we approach the definition of the structural semantics of DSMLs. We show how models and metamodels can be formalized into Membership Equational Logic (MEL), and we specify semantic mappings (by means of model transformation) between EMF models and metamodels and MEL, or, to be more precise, to the Maude implementation of MEL. These model transformations will prevent the DSML designer from explicitly defining the structural semantics of his/her DSML. We also present the Maude metamodel, parser and serializer that we have defined for this purpose. 4.1 MEL Representation of Models and Metamodels As we previously mentioned, models are written in the language described by their metamodels. Metamodels define the concepts of the language, the relationships among them, and the structuring rules that constrain the model elements and their combinations in order to respect the domain rules. So, the question is, can these three elements be represented in Maude? Of course they can, and many choices exist for this (see Section 4.3). In this section we show how MEL is a suitable formalism to represent models and metamodels. Among all the possible representations, we have defined a specific one and we show its benefits—the following chapters will also presents more advantages related to the use of this formalism and this specific representation. 43 44 C HAPTER 4. S TRUCTURAL S EMANTICS OF DSML S 4.1.1 Representing Metamodels with Maude A metamodel can be specified in Maude as a MEL theory. This theory should include the algebraic representation for all the corresponding object types and model types. As a first attempt, one could think about making a direct use of Full Maude classes and attributes to specify these object types in object-oriented modules. However, although this being a completely valid solution, there are some issues that made us decide to build a new infrastructure: • This representation does not consider some metamodel elements such as packages or the metamodel itself, but just classes and attributes. Furthermore, the definitions of classes and attributes do not include all the information related to these elements in a metamodel, such as whether a class is abstract or not, or the types of the references. • The common object representation used in Full Maude [42] forces us to access Maude’s metalevel to perform some common tasks in metamodel-independent operations, something that degrades performance when dealing with large models. These tasks include checking whether a class inherits from another, or accessing an attribute value independently of its attribute name. Our infrastructure then refines the algebraic representation of classes and objects in Core Maude (see Section 2.2.2.1) to (a) include more metamodel-related properties and (b) avoid accessing Maude’s metalevel when dealing with common tasks. To support the features expressed in (a), we include in our Maude specifications a sort for every metamodel element: a sort @Class for classes, a sort @Attribute for attributes, a sort @Reference for references, etc. In particular, we have defined nine sorts: @NamedElement, @Metamodel, @Package, @Classifier, @StructuralFeature, @Attribute, @Reference, @DataType and @Enumeration. The relationships among these sorts can be found in Appendix A, and they cor- respond to the relationships between the Ecore classes (see Figure 2.5) that each of these sorts represent. In fact, this initial infrastructure can be seen as the representation of a metametamodel, such as Ecore. To support the features expressed in (b), we include a set of operations defined over the sorts that represent metamodel elements. The equations that define these operations will gather all the information related to the properties of metamodel elements. For instance, we gather the superclasses relationships, the name of every class, the cardinality of structural features, the type of references, etc. These equations will allow users to get all the metamodel information from a model conforming to it, and therefore it makes it unnecessary to access to Maude’s 4.1. MEL R EPRESENTATION OF M ODELS AND M ETAMODELS 45 metalevel for, e.g., checking whether a class inherits from another or not. Thus, we represent a metamodel MM as a MEL theory T on which each class of the metamodel is represented by a constant of a sort named after the class. This sort, which will be declared as subsort of sort @Class, is defined to support class inheritance through Maude’s order-sorted type structure. Attributes, references, packages and the metamodel as an element itself are represented by constants of sorts @Attribute, @Reference, @Package and @Metamodel, respectively. The properties of all these elements will be represented by means of Maude equations defined over their corresponding constants (see below). To illustrate our proposal, let us introduce the fragment of Maude specification that describes the elements of the production system metamodel depicted in Figure 3.2: 1 mod PRODUCTION−SYSTEM i s 2 p r o t e c t i n g @ECORE@ . 3 4 op ProductionSystem : −> @Metamodel . 5 op PS : −> @Package . 6 7 s o r t Plant . 8 s u b s o r t Plant < @Class . 9 op Plant : −> Plant . 10 op els : −> @Reference . 11 12 s o r t PositionedEl . 13 s u b s o r t PositionedEl < @Class . 14 op PositionedEl : −> PositionedEl . 15 op xPos : −> @Attribute . 16 op yPos : −> @Attribute . 17 18 s o r t Machine . 19 s u b s o r t Machine < PositionedEl . 20 op Machine : −> Machine . 21 op in : −> @Reference . 22 op out : −> @Reference . 23 24 s o r t Assembler . 25 s u b s o r t Assembler < Machine . 26 op Assembler : −> Assembler . 27 op counter : −> @Attribute . 28 29 s o r t Generator . 30 s u b s o r t Generator < Machine . 31 op Generator : −> Generator . 32 33 s o r t s HandleGen HeadGen . 34 s u b s o r t s HandleGen HeadGen < Generator . 35 op HandleGen : −> HandleGen . 36 op HeadGen : −> HeadGen . 46 C HAPTER 4. S TRUCTURAL S EMANTICS OF DSML S 37 38 s o r t Container . 39 s u b s o r t Container < PositionedEl . 40 op Container : −> Container . op parts : −> @Reference . 41 42 43 s o r t Tray . 44 s u b s o r t Tray < Container . 45 op Tray : −> Tray . op capacity : −> @Attribute . 46 47 48 s o r t Conveyor . 49 s u b s o r t Conveyor < Container . 50 op Conveyor : −> Conveyor . op out : −> @Reference . 51 52 53 s o r t User . 54 s u b s o r t User < Container . 55 op User : −> User . 56 57 s o r t Part . 58 s u b s o r t Part < PositionedEl . 59 op Part : −> Part . 60 61 s o r t Head Handle Hammer . 62 s u b s o r t s Head Handle Hammer < Part . 63 op Head : −> Head . 64 op Handle : −> Handle . 65 op Hammer : −> Hammer . 66 67 68 ... endm Predefined sorts @Class, @Attribute, etc. are imported from the @ECORE@ module, which also includes the definition of the Ecore metamodel (see Appendix B). Note that this representation is quite similar to that presented in Section 2.2.2.1 for objectoriented features in Maude. In fact, our infrastructure just refine it (by adding more metamodel elements and several operations to gather their corresponding properties). The way we have performed the refinements together with some renamings (see Appendix A) enable the interoperability between these two representations, and therefore we can make use of the tools defined for the common representation suggested in [42] (such as the mOdCL tool) with our specifications. The properties of metamodel elements, such as whether a class is abstract or not, the opposite of a reference (to represent bidirectional associations), or attributes and reference types, are expressed by means of Maude equations defined over the constant that represents the cor- 4.1. MEL R EPRESENTATION OF M ODELS AND M ETAMODELS 47 responding metamodel element. Basically, we gather every metamodel element property reflected in the Ecore metamodel except those that refer to Java properties, which are not inherent in a metamodel description but specific to the EMF capability of generating Java code from the metamodel specification. The following fragment of Maude code includes the equations defined for some of the elements of the production system metamodel, namely the metamodel itself, the package on which all the classes are defined, the class Tray, and two of its structural features: the capacity attribute and the in reference. The specification of all the operations defined for this purpose can be found in the METAMODEL-PROP module in Appendix A. mod PRODUCTION−SYSTEM i s ... --- metamodel ProductionSystem eq name ( ProductionSystem ) = "ProductionSystem" . eq packages ( ProductionSystem ) = PS . --- package PS eq name ( PS ) = "PS" . eq metamodel ( PS ) = ProductionSystem . eq superPackage ( PS ) = null . eq subPackages ( PS ) = nil . eq classes ( PS ) = PositionedEl Plant Machine Container Part HandleGen HeadGen Generator Assembler Tray Conveyor User Head Handle Hammer . --- class Tray eq name ( Tray ) = "Tray" . eq package ( Tray ) = PS . eq superTypes ( Tray ) = Container . eq isAbstract ( Tray ) = false . eq references ( Tray ) = nil . eq attributes ( Tray ) = capacity . --- attribute capacity (of class Tray) eq name ( capacity ) = "capacity" . eq type ( capacity ) = @Int . eq lowerBound ( capacity ) = 1 . eq upperBound ( capacity ) = 1 . eq containingClass ( capacity ) = Tray . eq isOrdered ( capacity ) = true . eq isUnique ( capacity ) = true . eq isId ( capacity ) = false . --- reference in (of class Machine) eq name ( in ) = "in" . eq type ( in ) = Tray . eq opposite ( in ) = null . eq lowerBound ( in ) = 0 . 48 C HAPTER 4. S TRUCTURAL S EMANTICS OF DSML S eq upperBound ( in ) = 1 . eq containingClass ( in ) = Machine . eq isOrdered ( in ) = true . eq isUnique ( in ) = true . eq isContainment ( in ) = false . ... endm Classes, attributes and references are qualified with their containers’ names, so that classes with the same name belonging to different packages, as well as attributes and references of different classes, are distinguished. For example, assuming that all the classes in the model are included in a package PS, identifiers Machine and out would really be Machine@PS and out@Machine@PS (or out@Conveyor@PS). These qualifications are omitted here to improve readability. The interested reader is referred to Appendix B to see an example of a metamodel definition (namely, the Ecore metamodel) where these qualifications are shown. 4.1.2 Representing Models with Maude Once we have described a metamodel in Maude as a MEL theory, we can represent models conforming to it by means of Maude terms that belong to this MEL theory. In particular, we represent models as structures of sort @Model of the form mm{obj1 obj2 ... objN }, where mm is the constant that represent the metamodel, and obji are the objects that constitute the model. Objects are record-like structures of the form < o : c | a1 :v1 # ...# an :vn >, where o is the object identifier (of sort Oid), c is the class the object belongs to (a subsort of sort @Class), and ai : vi are attribute-value pairs (of sort @StructuralFeatureInstance). Attributevalue pairs, which represent both (Ecore) attributes and references, are constructed in such a way that attribute names (of sort @Attribute or @Reference, respectively) are distinguished from attribute values (of sort OCL-Type), and therefore, they can be accessed independently with a simple Maude match instead of making use of metalevel operations—as done when using the representation suggested in [42]. For instance, the following Maude specification describes the production system model depicted in Figures 3.3 and 3.5: op psModel : −> @Model . eq psModel = ProductionSystem { < ’p : Plant | els : Sequence{ ’heg # ’hag # ’c1 # ’c2 # ’t1 # ’a # ’c3 # ’t2 # ’u } > < ’heg : HeadGen | in : null # out : ’c1 # counter : 10 # xPos : 1 # yPos : 3 > < ’hag : HandleGen | in : null # out : ’c2 # counter : 10 # xPos : 1 # yPos : 1 > 4.1. MEL R EPRESENTATION OF M ODELS AND M ETAMODELS 49 < ’c1 : Conveyor | parts : Sequence{} # out : ’t1 # xPos : 2 # yPos : 3 > < ’c2 : Conveyor | parts : Sequence{} # out : ’t1 # xPos : 2 # yPos : 1 > < ’t1 : Tray | parts : Sequence{} # capacity : 4 # xPos : 3 # yPos : 2 > < ’a : Assembler | in : ’t1 # out : ’c3 # xPos : 4 # yPos : 2 > < ’c3 : Conveyor | parts : Sequence{} # out : ’t2 # xPos : 5 # yPos : 2 > < ’t2 : Tray | parts : Sequence{} # capacity : 4 # xPos : 6 # yPos : 2 > < ’u : User | parts : Sequence{} # xPos : 6 # yPos : 3 > } . References are represented by object identifiers, which are in turn represented by quoted identifiers (identifiers prefixed by a quote). Attribute and reference values are specified by OCL expressions, which are fully supported thanks to mOdCL. We have applied some renamings to the original mOdCL specifications to adapt it to our Maude representation of model and metamodels. For instance, the , operator is now named # , and therefore elements of sequences and ordered sets are now separated by hash marks. The interested reader is referred to Appendix A for more details on our algebraic constructors and the renamings we have applied to mOdCL specifications. Finally, note that metamodels can also be seen as models that conform to meta-metamodels, and therefore they can be represented as Maude terms of sort @Model too. The MEL theory that defines their constructors will represent a meta-metamodel, such as the MOF or Ecore metamodel. 4.1.2.1 The Conformance Relationship As we previously mentioned, once we have described a metamodel in Maude as a MEL theory, we can represent models conforming to such a metamodel by means of Maude terms that belong to the @Model sort, but it does not mean that all the terms of this sort will represent models which really conform to the metamodel that the MEL theory describes. If we want to ensure this, we have to check that the term of sort @Model obeys the structuring rules specified by the properties of the metamodel elements, such as the types of the objects being referenced, or the cardinality of the structural features. The correct construction of the objects in a model is checked by the Maude type system. In addition, other metamodel properties (such as the valid types of the objects being referenced) is expressed in terms of the validModel predicate that define the well-formedness rules that any valid model should conform to. Thus, given a variable OBJSET of sort Set{@Object}, we define a sort for every model type by means of membership axioms as follows: s o r t PS@Model . s u b s o r t PS@Model < @Model . 50 C HAPTER 4. S TRUCTURAL S EMANTICS OF DSML S cmb ProductionSystem { OBJSET } : PS@Model i f validModel ( ProductionSystem { OBJSET } ) . Membership axioms (mb) and conditional membership axioms (cmb) assign sorts to terms. Thus, a term of sort @Model becomes also of sort PS@Model if its metamodel is ProductionSystem and the objects that constitute it fulfills all the metamodel properties. This last require- ment is checked with the validModel operation; the following is an excerpt of its specification: 1 mod MODELCONFORMANCE i s 2 pr METAMODEL−PROP . 3 4 v a r s MM : @Metamodel . 5 v a r s MODEL : @Model . 6 v a r s C C ’ : @Class . 7 v a r s O SRC : Oid . 8 v a r s OBJSET : Set{@Object} . 9 v a r s SFS SFS ’ : Set{@StructuralFeatureInstance} . 10 v a r s ATTIS : Set{@AttributeInstance} . 11 v a r s REFIS : Set{@ReferenceInstance} . 12 var ATT : @Attribute . 13 var REF : @Reference . 14 var VALUE : OCL−Type . 15 var LO : List{OCL−Exp} . 16 v a r s ATTS REFS : MyList . 17 var SEQ : Sequence . 18 19 op validModel : @Model −> Bool . 20 eq validModel ( MODEL ) = validModelAux ( MODEL , MODEL ) . 21 22 op validModelAux : @Model @Model −> Bool . 23 eq validModelAux ( MM { none } , MODEL ) = true . 24 eq validModelAux ( MM { < O : C | ( ATTIS # REFIS ) > OBJSET } , MODEL ) = 25 ( ( metamodel ( C ) == MM ) or−else isEcore ( metamodel ( C ) ) ) 26 and−then validReferences ( allReferences ( C ) , < O : C | REFIS >, MODEL ) 27 and−then validAttributes ( allAttributes ( C ) , < O : C | ATTIS >) 28 and−then validModelAux ( MM { OBJSET } , MODEL ) . 29 eq validModelAux ( MM { OBJSET } , MODEL ) = false [ owise ] . 30 31 op validAttributes : MyList @Object −> Bool . 32 eq validAttributes ( nil , < O : C | empty >) = true . 33 eq validAttributes ( ( ATT ATTS ) , < O : C | ( ATT : VALUE # ATTIS ) >) = 34 ( isUnique ( ATT ) == isUnique ( VALUE ) ) 35 and−then ( isOrdered ( ATT ) == isOrdered ( VALUE ) ) 36 and−then ( isMany ( ATT ) == isMany ( VALUE ) ) 37 and−then ( lowerBound ( ATT ) <=Card size ( VALUE ) ) 38 and−then ( size ( VALUE ) <=Card upperBound ( ATT ) ) 39 and−then (<< VALUE −> asSequence ( ) −> isEmpty ( ) >> or−else 40 41 42 subTypeOf ( meta ( VALUE ) , type ( ATT ) ) ) and−then validAttributes ( ATTS , < O : C | ATTIS >) . eq validAttributes ( ATTS , < O : C | ATTIS >) = false [ owise ] . 4.1. MEL R EPRESENTATION OF M ODELS AND M ETAMODELS 51 43 44 op validReferences : MyList @Object @Model −> Bool . 45 eq validReferences ( nil , < O : C | empty >, MODEL ) = true . 46 eq validReferences ( ( REF REFS ) , < O : C | ( REF : VALUE # REFIS ) >, MODEL ) = 47 ( isUnique ( REF ) == isUnique ( VALUE ) ) 48 and−then ( isOrdered ( REF ) == isOrdered ( VALUE ) ) 49 and−then ( isMany ( REF ) == isMany ( VALUE ) ) 50 and−then ( lowerBound ( REF ) <=Card size ( VALUE ) ) 51 and−then ( size ( VALUE ) <=Card upperBound ( REF ) ) 52 and−then validRefType ( << VALUE −> asSequence ( ) >>, type ( REF ) , MODEL ) 53 and−then ( ( opposite ( REF ) == null ) or−else validOpposites(<< VALUE −> asSequence ( ) >>, opposite ( REF ) , O , MODEL ) ) 54 and−then validReferences ( REFS , < O : C | REFIS >, MODEL ) . 55 56 eq validReferences ( REFS , < O : C | REFIS >, MODEL ) = false [ owise ] . 57 58 op validRefType : Sequence @Class @Model −> Bool . 59 eq validRefType ( Sequence{mt−ord } , C , MODEL ) = true . 60 eq validRefType ( Sequence{O # LO } , C ’ , MM { < O : C | SFS > OBJSET } ) = isSubClass ( C , C ’ ) 61 and−then validRefType ( Sequence{LO } , C ’ , MM { < O : C | SFS > OBJSET } ) . 62 63 eq validRefType ( SEQ , C , MODEL ) = false [ owise ] . 64 65 op validOpposites : Sequence @Reference Oid @Model −> Bool . 66 eq validOpposites ( Sequence{mt−ord } , REF , SRC , MODEL ) = true . 67 eq validOpposites ( Sequence{O # LO } , REF , SRC , MM { < O : C | ( REF : VALUE # SFS ) > OBJSET } ) = 68 69 << VALUE −> asSequence ( ) −> includes ( SRC ) >> 70 and−then validOpposites ( Sequence{LO } , REF , SRC , MM { < O : C | ( REF : VALUE # SFS ) > OBJSET } ) . 71 72 eq validOpposites ( SEQ , REF , O , MODEL ) = false [ owise ] . 73 74 75 ... endm The validModelAux operation is recursively applied over every object of the model. It checks whether the object class belongs to the specified metamodel or to the Ecore metamodel, since this one is imported in every metamodel. Then, it checks with the auxiliary validReferences and validAttributes operations (a) that every reference and attribute value fulfills the properties of the structural feature specified in the metamodel, such as its cardinality or type; and (b) that no attribute or reference is missing or borrowed from another class. Metamodel properties can be accessed directly from the model thanks to the equations we define for every metamodel. Most of the equations defined for attributes and references, such as isOrdered and isUnique, are defined over attributes and references values (of sort OCL-Type) too, in order to check their correspondence (see Appendix A). The meta operator (see line 40 in the above excerpt of code) obtains from a term of sort OCL-Type its primitive 52 C HAPTER 4. S TRUCTURAL S EMANTICS OF DSML S data type. The <=Card operator is used to check whether a cardinality value is less or equal than another (it considers the * symbol). Note that we do not need to access Maude’s metalevel in any moment. Furthermore, our notation allows to easily separate attributes and references in a match (see line 24), and attribute and reference names from their values (see lines 33 and 46), thus facilitating the specification of model operations. Further structural constraints can also be checked with the mOdCL tool (see Section 2.2.4). The mOdCL tool allows us to specify OCL invariants and then check them on any specific model. For instance, the following invariant specifies that the capacity of any tray is not exceeded: 1 op noCapacityExceeded : −> OCL−Exp . 2 eq noCapacityExceeded = context Tray inv ( self . parts −> size ( ) <= self . capacity ) . This invariant can be checked over the psModel model we defined in Section 4.1.2 by typing: 1 Maude> r e d u c e << noCapacityExceeded ; psModel >> . 2 3 r e s u l t Bool : true The << ; >> operator evaluates the OCL expression given as the first argument in the context of the model given as the second argument. 4.2 Structural Semantic Mappings As we mentioned in Section 3.4, the definition of the semantics of a language can be accomplished through the definition of a mapping between the language itself and another language with well-defined semantics. Thus, once we have defined a way to specify models and metamodels in the semantic domain of MEL, we can define mappings from other languages such as MOF or Ecore, providing them with semantics. Furthermore, the advantage of using a modeldriven approach is that these mappings can be defined in terms of model transformations [123]. 4.2.1 Maude’s Metamodel, Parser and Serializer The first step to specify a model transformation between two languages is to define their corresponding metamodels. Since MOF and Ecore metamodels are already defined (see Section 2.1.4.1), we just need to create a metamodel for Maude. Thus, we provide a Maude metamodel (implemented as Ecore and KM3 [21] models), a model-to-text transformation to serialize Maude models (i.e., to get the corresponding Maude code), and a Maude parser for 4.2. S TRUCTURAL S EMANTIC M APPINGS 53 models specified with Maude code. This allows Maude specifications to be represented as models and fully integrated into MDE processes. The specifications of all these artifacts are included in our e-Motions tool, which can be download from our group’s website [2]. 4.2.1.1 The Metamodel Definition The Maude metamodel [98] is shown in Figure 4.1. It is based on the Maude language definition, whose grammar can be found in [42]. The metamodel does not cover the whole Maude language, it is restricted to the elements needed in our formalization of models and metamodels with Maude. The interested reader is referred to [42] for a description of the Maude language concepts. Specifying a metamodel implies the choice between different design options. Some of these choices introduce new constraints to the language that must be considered in the metamodel definition. For instance, in the Maude metamodel diagram shown in Figure 4.1, we do not distinguish the type of elements that every kind of module can have; therefore, we include an OCL invariant to forbid the inclusion of rewrite rules (Rule) in functional modules (FModule). Another example is the relationship between a recursive term (RecTerm) and an operation (Operation): we have not specified a link between them because Maude allows overloading of operators and there are recursive terms on which we cannot figure out the specific operator it refers to without previous evaluation of the subterms. However, we can force that at least there exists one operation that makes the recursive term a valid term by including another OCL invariant (see the fifth invariant below). The following constraints have been then added to the metamodel definition: -- Membership axioms cannot have rewrite conditions c o n t e x t Membership i n v : s e l f . conds−>forAll ( c | c . oclIsKindOf ( EquationalCond ) ) -- Equations cannot have rewrite conditions c o n t e x t Equation i n v : s e l f . conds−>forAll ( c | c . oclIsKindOf ( EquationalCond ) ) -- Functional modules cannot have rules c o n t e x t FModule i n v : not s e l f . els−>exists ( e | e . oclIsTypeOf ( Rule ) ) -- Constant terms must be declared (by an operation) c o n t e x t Constant i n v : Operation . AllInstances ( )−>exists ( o | o . name = s e l f . op and s e l f . type . isSubsortOf ( o . coarity ) ) 54 C HAPTER 4. S TRUCTURAL S EMANTICS OF DSML S Figure 4.1: The Maude metamodel. 4.2. S TRUCTURAL S EMANTIC M APPINGS -- Recursive terms must be declared (by an operation) c o n t e x t RecTerm i n v : Operation . allInstances ( )−>exists ( o | o . name = s e l f . op and s e l f . type . isSubsortOf ( o . coarity ) and s e l f . args−>forAll ( a | a . type . isSubsortOf ( op . arity−>at ( s e l f . args−>indexOf ( a ) ) ) ) ) -- The sort of boolean conditions is sort (or subsort of) ’Bool’ c o n t e x t BooleanCond i n v : let boolSort : Sort = Sort . allInstances−>select ( s | s . name = ’Bool’ ) −>first ( ) in s e l f . lhs . type . isSubsortOf ( boolSort ) -- View’s operation mappings’ attributes cannot be specified. c o n t e x t View i n v : s e l f . els−>select ( e | e . oclIsTypeOf ( OpTypedMapping ) )−>forAll ( m | m . atts . oclIsUndefined ( ) ) -- Every module expression must refer to a theory or a module c o n t e x t ModExpression i n v : s e l f . getBaseModExps ( )−>forAll ( me | me . oclIsTypeOf ( TheoryIdModExp ) or me . oclIsTypeOf ( ModuleIdModExp ) ) -- Module expressions that refer to modules cannot be composed with those -- that refer to theories c o n t e x t CompModExp i n v : s e l f . getBaseModExps ( )−>forAll ( me | me . oclIsTypeOf ( TheoryIdModExp ) ) or s e l f . getBaseModExps ( )−>forAll ( me | me . oclIsTypeOf ( ModuleIdModExp ) ) -- The source module expression of a view must refer to a theory c o n t e x t View i n v : s e l f . from . getBaseModExps ( )−>forAll ( me | me . oclIsTypeOf ( TheoryIdModExp ) ) -- A module parameter must refer to a theory c o n t e x t Parameter i n v : s e l f . modExp . getBaseModExps ( )−>forAll ( me | me . oclIsTypeOf ( TheoryIdModExp ) ) These invariants make use of the following OCL auxiliary operations: c o n t e x t InstModExp : : getBaseModExp ( ) : Bag ( ModExpression ) body : s e l f . modExp . getBaseModExp ( ) c o n t e x t RenModExp : : getBaseModExp ( ) : Bag ( ModExpression ) body : s e l f . modExp . getBaseModExp ( ) c o n t e x t ModuleIdModExp : : getBaseModExp ( ) : Bag ( ModExpression ) body : Bag{ s e l f } c o n t e x t TheoryIdModExp : : getBaseModExp ( ) : Bag ( ModExpression ) body : Bag{ s e l f } c o n t e x t CompModExp : : getBaseModExp ( ) : Bag ( ModExpression ) body : s e l f . modExps−>collect ( me | me . getBaseModExp ( ) )−>flatten ( ) 55 56 C HAPTER 4. S TRUCTURAL S EMANTICS OF DSML S c o n t e x t Kind : : isSubsortOf ( st : Type ) : B o o l e a n body : ( s e l f = st ) c o n t e x t Sort : : isSubsortOf ( st : Type ) : B o o l e a n body : ( s e l f = st ) or s e l f . getAllSupersorts ( )−>exists ( s | s = st ) c o n t e x t Sort : : getAllSupersorts ( ) : S e t ( Sort ) body : s e l f . getSupersorts ( )−>union ( s e l f . getSupersorts ( )−>collect ( s | s . getAllSupersorts ( ) )−>flatten ( ) ) c o n t e x t Sort : : getSupersorts ( ) : S e t ( Sort ) body : s e l f . supersortRels−>collect ( sr | sr . supersorts )−>flatten ( ) 4.2.1.2 The Maude Code Generator We have developed a set of model-to-text transformations, using TCS (see Section 2.1.4.3), that allow Maude models to be serialized into the corresponding Maude code. The following is a fragment of these transformations: 1 2 t e m p l a t e FModule : "fmod" name ( i s D e f i n e d ( params ) ? "{" params{ s e p a r a t o r = "," , autoCreate = never} "}" ) "is" 3 ( i s D e f i n e d ( els ) ? [ els{ s e p a r a t o r = "."} "." ] ) 4 5 "endfm" ; 6 7 8 t e m p l a t e Sort : "sort" name ; 9 10 11 t e m p l a t e SubsortRel : "subsorts" subsorts{ r e f e r s T o = name} "<" supersorts{ r e f e r s T o = name ) ; 12 13 14 t e m p l a t e Operation : "op" name ":" arity{ r e f e r s T o = name} "->" coarity{ r e f e r s T o = name} ( i s D e f i n e d ( atts ) ? "[" atts "]" ) ; 15 16 ... TCS’s main elements are class templates. Class templates specify how classes are represented, and they are associated to their corresponding metaclass by their names. For instance, the TCS template Sort corresponds to the class Sort of the Maude metamodel. These templates can be composed of the language keywords, which are specified between double quotes (such as ”sort” in line 8 in the above excerpt of code), or properties, which corresponds to a metamodel structural feature (i.e., attribute or reference) of the class associated to the contextual template or one of its super classes (such as name in line 8). Other TCS features include separator, which defines a character to separate multi-valued properties (line 3), the isDefined operation, which checks whether a property has been defined or not (line 3), and refersTo to 4.2. S TRUCTURAL S EMANTIC M APPINGS 57 indicate the structural feature that we want to serialize when accessing a reference (line 11). The complete TCS transformation can be found in our website [2]. 4.2.1.3 The Maude Parser Maude is a very complex language, and defining a parser for it from scratch may result in a very difficult task. With TCS, it is possible to parse (text-to-model) and pretty-print (modelto-text) DSML sentences. However, there are some properties of the Maude language that TCS cannot handle, such as synonym keywords (for instance, var and vars are different keywords in Maude that have the same functionality). Therefore, we have defined a Maude operation that uses its metalevel capabilities to obtain the corresponding EMF notation of a Maude model from a Maude term that represent any model, i.e., any term of sort @Model. The implementation of the operation can be accessed through our e-Motions tool [2]. We are now working on defining a complete Maude language parser with the new tool Gra2Mol [69]. 4.2.2 Encoding EMF Models and Metamodels into Maude Once we count on a metamodel for Maude, we can define model transformations from other languages to it. In this section, we show how we provide the Ecore language with semantics by defining a semantic mapping—by means of model transformations—from the Ecore language to its corresponding MEL specifications in Maude. Since Ecore is a language for specifying metamodels, what we are doing is to provide a way to formalize metamodels defined in the Eclipse Platform in MEL. Note that our approach does not prevent the user from defining metamodels using a different language from Ecore, such as KM3, MOF or UML Class diagrams, since there are already defined model transformations from/to this technical spaces and Ecore [3]. Furthermore, we also present a general model transformation that transforms models conforming to metamodels defined using Ecore into its corresponding representation in Maude. In this way, what we finally get is a formalization of the structural parts of a DSML, i.e., models and metamodels. The definition of these model transformations allows us to benefit from both platforms: the friendly interface of Eclipse, and the formal basis provided by Maude. 4.2.2.1 Encoding EMF Metamodels EMF supports the specification of metamodels through the Ecore language (see Section 2.1.4.1). The Ecore language is provided with different graphical editors to define metamodels. No mat- 58 C HAPTER 4. S TRUCTURAL S EMANTICS OF DSML S ter the editor we choose, the resulting metamodel will be specified as an Ecore model, i.e., as a model conforming to the Ecore metamodel (see Figure 2.5). In this section, we present an ATL transformation that we have defined from the Ecore metamodel to the Maude metamodel. This model transformation provides as a result a Maude model that describes the MEL theory that represents our metamodel defined using Ecore. This Maude model can then be serialized into Maude code with our Maude code generator. In the following, we will introduce some fragments of the aforementioned model transformation. The first fragment correspond to the creation of all Maude elements that will be used throughout the entire transformation. For this purpose, we make use of module attributes and an entrypoint rule [3]: h e l p e r d e f : mSpec : Maude ! Sort = OclUndefined ; h e l p e r d e f : sModule : Maude ! SModule = OclUndefined ; h e l p e r d e f : sModuleEcore : Maude ! SModule = OclUndefined ; h e l p e r d e f : sortClass : Maude ! Sort = OclUndefined ; h e l p e r d e f : sortPack : Maude ! Sort = OclUndefined ; ... entrypoint r u l e Initialize ( ) { to mSpec : Maude ! MaudeSpec ( els <− S e q u e n c e {sModule , sModuleEcore , ... sModule : Maude ! SModule ( name <− thisModule . metamodelName . toUpper ( ) , els <− mImport ) , mImport : Maude ! ModImportation ( mode <− #protecting , imports <− moduleIdModExp ) , moduleIdModExp : Maude ! ModuleIdModExp ( ” module ” <− sModuleEcore ) , sModuleEcore : Maude ! SModule ( name <− ’@ECORE@’ ) , sortClass : Maude ! Sort ( name <− ’@Class’ , ” module ” <− sModuleEcore ) , sortPack : Maude ! Sort ( name <− ’@Package’ , ” module ” <− sModuleEcore ) , ... do{ thisModule . mSpec <− mSpec ; thisModule . sModule <− sModule ; thisModule . sModuleEcore <− sModuleEcore ; thisModule . sortClass <− sortClass ; thisModule . sortPack <− sortPack ; ... } } 4.2. S TRUCTURAL S EMANTIC M APPINGS 59 Module attributes can be seen as constants specified within the context of the module (see the thisModule context needed to refer to them). An entrypoint rule is a rule that is implicitly invoked at the beginning of the transformation execution. This kind of rule is very useful to create elements (in its to block) that will be needed throughout the entire transformation. Once these elements are created, they can be assigned to module attributes in the do block, so that the elements will be accessible from any point of the transformation. For instance, in this rule we create the Maude model root element (mSpec), the module in which all the metamodel specifications will be included (sModule), the @ECORE@ module imported by every metamodel specification, and several predefined Maude sorts, such as @Class (sortClass) and @Package (sortPack). Then, we specify a matched rule for every Ecore element, such as EPackage, EClass or EAttribute, and we define the corresponding Maude elements that should be generated for each of them. For instance, the following rule Class2Sort generates a Maude sort, a subsort relation and a constant per each class EClass element: 1 r u l e Class2Sort{ from 2 class : Ecore ! EClass 3 to 4 sort : Maude ! Sort ( 5 name <− class . maudeName ( ) , 6 ” module ” <− thisModule . sModule ) , 7 ssort : Maude ! SubsortRel ( 8 ” module ” <− thisModule . sModule , 9 supersorts <− if class . eSuperTypes . isEmpty ( ) 10 then thisModule . sortClass 11 else class . eSuperTypes endif 12 subsorts <− Set{sort } ) , 13 cte : Maude ! Operation ( 14 name <− class . maudeName ( ) , 15 16 ” module ” <− thisModule . sModule , 17 coarity <− sort ) do{ 18 19 thisModule . EqName ( class ) ; 20 thisModule . ClassEqIsAbstract ( class ) ; 21 thisModule . EqPackage ( class ) ; 22 thisModule . ClassEqSuperTypes ( class ) ; 23 thisModule . ClassEqReferences ( class ) ; 24 thisModule . ClassEqAttributes ( class ) ; } 25 26 27 } ... The sort and the constant (cte) are named after the class; the subsort relation (ssort) is specified from this sort to the sorts that represent their superclasses (if applicable, otherwise 60 C HAPTER 4. S TRUCTURAL S EMANTICS OF DSML S it will be a subsort of the predefined sort @Class); and the type of cte is sort (i.e., its coarity refers to sort). These three elements will be contained in the Maude module that represent the metamodel (thisModule.sModule, see lines 7, 9 and 16). Constants are represented in Maude as operations with no arguments (i.e., operations with an undefined arity). The maudeName helper obtains the name given to an Ecore element in Maude by qualifying it with their containers’ names (see Section 4.1.1). Note that elements of the source model could not be assigned directly to elements of the target model; for instance, you could not assign a set of EClasses (the eSuperTypes reference, see line 12) to a set of Maude sorts (the supersorts reference, see line 10). When we try to do this, ATL does not assign the corresponding source model but the first element placed in the to block of the rule that this source element matches. Thus, lines 10 to 12 will assign, for each superclass of class, the corresponding sort element created by another match of this same rule (Class2Sort). The do block specifies the creation of all the Maude equations that will gather each property of the class (see Section 4.1.1). These equations will be created by means of called rules. A called rule is a special kind of rule that enables the generation of target elements from imperative code [3]. For instance, the following called rule EqName generates the Maude equation that encodes the name of any ENamedElement (the Ecore class from which the remaining Ecore classes inherits from): r u l e EqName ( namedElement : Ecore ! ENamedElement ) { to eqName : Maude ! Equation ( ” module ” <− thisModule . sModule , lhs <− lhsEqName , rhs <− rhsEqName ) , lhsEqName : Maude ! RecTerm ( op <− ’name’ , type <− thisModule . sortString , args <− cteName ) , cteName : Maude ! Constant ( op <− namedElement . maudeName ( ) , type <− namedElement . maudeSort ( ) ) , rhsEqName : Maude ! Constant ( op <− namedElement . normalizedName ( ) , type <− thisModule . sortString ) } The Maude equation is composed of a left-hand side lhsEqName and a right-hand side rhsEqName. lhsEqName represents the application of the operation name over the constant cteName that refers to the namedElement, and rhsEqName is the string constant that gathers 4.2. S TRUCTURAL S EMANTIC M APPINGS 61 its name. The normalizedName helper adds double quotes to the string constant and replaces special characters used in our Maude infrastructure. 4.2.2.2 Encoding EMF Models Once we have defined a model transformation from metamodels defined with EMF to a MEL theory in Maude, the following step is to transform models that conform onto these metamodels to the same semantic domain. For this purpose, we have defined a general model transformation that transforms models conforming to metamodels defined using Ecore into their corresponding representation in Maude. This general model transformation makes use of the EMF EObject interface and all its meta-capabilities, i.e., all the operations that allow us to obtain metamodel properties from a model conforming to it (see Figure 4.2). Since all the objects specified in EMF implement the EObject interface, we can define a model transformation independently of the source metamodel by defining it in terms of EObject. Figure 4.2: The EObject interface. The following ATL code is an excerpt of this model transformation: 62 C HAPTER 4. S TRUCTURAL S EMANTICS OF DSML S 1 h e l p e r d e f : objectOperator : S t r i n g = ’<_:_|_>’ ; 2 h e l p e r d e f : setOperator : S t r i n g = ’_‘,_’ ; 3 h e l p e r d e f : objectSort : Maude ! Sort = OclUndefined ; 4 h e l p e r d e f : objSet : Maude ! RecTerm = OclUndefined ; 5 h e l p e r d e f : sfiSetSort : Maude ! Sort = OclUndefined ; 6 h e l p e r context OclAny d e f : atts ( ) : S e q u e n c e ( Ecore ! EAttribute ) = self . eClass ( ) . eAllAttributes ; 7 8 h e l p e r context OclAny d e f : refs ( ) : S e q u e n c e ( Ecore ! EReference ) = self . eClass ( ) . eAllReferences ; 9 10 ... 11 12 entrypoint r u l e Initialize ( ) { to 13 ... 14 objSet : Maude ! RecTerm ( 15 op <− thisModule . objSetOperator , 16 type <− objectSetSort , 17 ...) , objectSort : Maude ! Sort ( 18 name <− ’@Object’ , 19 ” module ” <− auxiliaryModule ) , 20 sfiSetSort : Maude ! Sort ( 21 name <− ’Set{@StructuralFeatureInstance}’ , 22 ” module ” <− auxiliaryModule ) , 23 ... 24 do{ 25 26 thisModule . objSet <− objSet ; 27 thisModule . objectSort <− objectSort ; 28 thisModule . sfiSetSort <− sfiSetSort ; ... 29 } 30 31 } 32 33 34 r u l e Object{ from o : Ecore ! EObject 35 36 37 to obj : Maude ! RecTerm ( 38 op <− thisModule . objectOperator , 39 type <− thisModule . objectSort , 40 41 42 43 44 args <− S e q u e n c e {thisModule . MaudeOid ( o ) , class , sfs } ) , class : Maude ! Constant ( op <− o . eClass ( ) . maudeClassifierName ( ) , type <− thisModule . MaudeClassSort ( o . eClass ( ) ) ) , sfs : Maude ! RecTerm ( 45 op <− thisModule . setOperator , 46 type <− thisModule . sfiSetSort , 47 args <− o . atts ( )−>collect ( a | thisModule . MaudeAttributeInstance ( o , a ) ) 48 49 50 51 −>union ( o . refs ( )−>collect ( r | thisModule . MaudeReferenceInstance ( o , r ) ) ) −>union ( S e q u e n c e {emptySfs1 , emptySfs2 } ) ) , emptySfs1 : Maude ! Constant ( op <− thisModule . emptySetOperator , 4.3. R ELATED W ORK type <− thisModule . sfiSetSort ) , 52 emptySfs2 : Maude ! Constant ( 53 op <− thisModule . emptySetOperator , 54 type <− thisModule . sfiSetSort ) 55 do{ 56 thisModule . objSet . args <− thisModule . objSet . args−>append ( obj ) ; 57 } 58 59 60 63 } ... The Object rule transforms any object defined in EMF to their corresponding Maude representation. As we mentioned in Section 4.1.2, we represent a Maude object (obj) as a term < : | > of sort @Object whose arguments are its identifier, its class, and its structural feature- value pairs (sfs). The object identifier is defined depending on the position of the object in the tree of the EMF model. It is generated by means of the MaudeOid lazy rule. A lazy rule is a kind of rule that needs to be explicitly invoked from declarative code [3]. The class element is the Maude constant that represents the object’s class. This constant is an invocation of the corresponding cte operation created in the Class2Sort rule (see above). The structural featurevalue pairs constitute a set of structural feature instances, i.e., a term which name is , , its sort is Set@StructuralFeatureInstance, and whose elements are defined with the MaudeAttributeInstance and MaudeReferenceInstance lazy rules. These rules perform like the Object rule but acting on attributes and references; they use the operation eGet (see Figure 4.2) to get the value of all the references and attributes of the object’s class (see the atts and refs helpers in lines 6 to 9). The emptySfs1 and emptySfs1 constants represent two instances of the identity element of the set operator. They are included in the arguments of sfs in order to make it valid in the case the object has no attributes (and references) or just has one, since the set operator , needs two or more arguments (it is declared associative [42]). Finally, in the do block, we add the Maude object obj to the set of objects that represents the whole model (thisModule.objSet). 4.3 Related Work There are some works that propose different formalisms to represent models, metamodels and their behavior. In this section we will introduce those that focus on the structural parts of a DSML, i.e., on models and metamodels. Those that includes behavioral specifications (such as graph transformation) will be discussed in Chap. 6. Batory [17] describes a set of concepts on which MDE, Software Product Lines (SPL), and Computation Design (CD) are founded. In particular, he shows how MDE and SPL ideas map 64 C HAPTER 4. S TRUCTURAL S EMANTICS OF DSML S to categorical concepts, and he explains the benefits in making a connection (at a theoretical level). Poernomo [95] uses Constructive Type Theory (CTT) and a related synthesis formal method known as proofs-as-programs to formalize MOF-based metamodels and model transformations, and to develop model transformations that are provably correct with respect to a given functional specification (by making use of a theorem prover). Models are defined as terms (token models), that can also be represented as types (type models) by means of a reflection mechanism. Models, metamodels and model transformation are specified directly in the logic that is built into CTT, i.e., the author do not provide any intuitive front-end from which transform these specification into the CTT formalism. Boronat and Meseguer [25] propose an algebraic semantics in MEL for the MOF metamodeling framework, giving an explicit formal representation for each of the different notions that may be involved in a metamodeling framework: model type, metamodel realization, and metamodel conformance. Their encoding of models and metamodels shares many similarities with our previous representation [110]. We abandoned this representation for the reasons that we presented in Section 4.1.1, mainly to (a) include more metamodel-related properties (that can be accessible from the model level), and (b) avoid accessing Maude’s metalevel when dealing with common tasks (something that degrades performance when dealing with large models). They have defined the Algebraic MOF Framework [5], a reflective, algebraic, executable framework for metamodeling that provides support for the MOF and the OCL standards. This framework provides an executable environment that is plugged into EMF and that constitutes the kernel of a model management framework (see Section 5.5). Contrary to our approach, they do not follow a full MDE process to define the semantic mappings: they directly serialize EMF models into Maude instead of defining a Maude metamodel and model transformation between both platforms. Other works also try to formalize the concepts of concrete metamodeling languages, such as UML or OCL. There is a great number of contributions trying to attribute a rigorous meaning to specific (or a small set of) UML diagrams, especially UML class diagrams, by translating them into a language with well-defined semantics. For instance, in [72] UML class diagrams are formalized into the Object Z language; in [96] a more general schema of the semantics of UML is presented by using the algebraic language Casl-LTL, where the modeling of behavior is handled by means of labeled transition sytems; in [75] UML diagrams are formalized in terms of state predicates to check their consistency with the theorem prover PVS (Prototype Verification System); in [28], a modeling technique based on UML is provided with semantics 4.3. R ELATED W ORK 65 by using the Mathematical System Model (MSM); and in [36] the authors propose to formalize each UML diagram with an appropriate institution and the relationship between them by an institution comorphism. Other works which can be considered more closely related to ours are those that formalize these concrete metamodeling languages into Maude. For instance, Toval-Álvarez and Fernández-Alemán propose in [120] an algebraic formalization of UML that supports the UML extension mechanism. The approach is in accordance with the four-layer metamodeling architecture on which the UML definition is based. In this work the authors focus on UML Class diagrams. RIVIERA [114] is a framework for the verification and simulation of UML class diagrams and statecharts. It is based on the representation of class and state models as terms in Maude modules that specify the UML metamodel. MOVA [12] is another Maude-based modeling framework for UML, which provides support for OCL constraint validation, OCL query evaluation, and OCL-based metrication. In MOVA, both UML class and object diagrams are formalized as MEL theories. Note that these approaches define models in a fixed formalism (mainly UML) directly instead of explicitly discussing the metamodel definition too. The aforementioned approaches that make use of Maude (i.e., [120], RIVIERA, MOVA and MOMENT) have a different model representation. In fact, Maude offers several options to represent and manipulate object-oriented systems, depending on the way in which objects, attributes and references are represented; whether reflection is used or not, etc. For instance, in [120] the authors exploit the reflective capabilities of Full Maude to formalize the four-layer metamodel architecture of UML, and in MOMENT attribute-value pairs are constructed in such a way that an attribute value cannot be accessed independently of its attribute name (a pretty common task when defining metamodel-independent operations) with a simple match— the reflective capabilities of Maude would be needed for that purpose. Using the reflective capabilities of Maude have several drawbacks: it increases the complexity of the specifications, makes them much more difficult to write and to maintain, and also has a significant impact on performance. This is the reason why we changed the representation we used in our initial proposals [104, 110] to improve the efficiency of the operations and of the analysis tools. 66 C HAPTER 4. S TRUCTURAL S EMANTICS OF DSML S Chapter 5 Model Management Once we have described how models and metamodels can be represented in Maude, this chapter shows how some of the basic operations on models—namely model subtyping, model difference, and metric evaluation—can be then specified. We will see how our notation for models and metamodels, together with the powerful matching facilities that Maude provides, enables the specification of these model operations at a very high level of abstraction, which has allowed us to complete our tool with a relatively short development time when compared with approaches using conventional languages like Java or C++. Furthermore, we present the model transformation we have defined from Maude specifications to EMF models. This transformation, together with the two transformations presented in last chapter (from EMF to Maude), allow Eclipse users to use the defined model operations without being aware of Maude at all. 5.1 Model Subtyping With the increasing adoption of MDE, there are more and more model operations that are being defined: model transformation, metrics, composition, etc. Generally, the specification of these operations depends on the metamodels to which the operand models conform. Thus, it would be interesting to define another operation, model subtyping, that tries to maximize the reuse of these already defined operations [103]. In this section, we introduce a definition of model subtyping that guarantees type safety and introduce polimorfism in MDE. In particular, we distinguish four different kinds of subtyping depending on the relaxation of the relationships between the operand metamodels: strict subtyping, subtyping with renaming, flattened subtyping and flattened subtyping with renaming. 67 68 C HAPTER 5. M ODEL M ANAGEMENT 5.1.1 Motivation Model typing is a critical issue for MDE, specially for describing the input and output parameters of model operations and services. For instance, model transformations are defined in terms of the metamodels of their input and output models, and therefore we need to know whether a given model (conforming to a metamodel) is a valid input for that transformation. This situation is even more justified in the case of initiatives such as the Model Bus [22], which allows modeling services to be connected. For connecting them, it is essential to check the type substitutability between the output of a service and the input of another, in such a way that type safety is guaranteed. Another situation which requires type checking happens when looking for metamodels in a given repository (this is called metamodel matchmaking, a key mechanism for enabling reuse). For instance, suppose that you want to work with state machines, and want to know if there are already metamodels in a repository that deal with them. The easiest way to proceed would be to provide a very simple initial metamodel and then look for subtypes of such a metamodel. Finally, metamodels, as every software artifact, evolve with time in every phase of its life cycle. Another interesting use of the subtyping operation would be to know which kind of metamodel modifications will invalid (or not) the operations already defined over a metamodel. 5.1.2 Subtyping Algorithm Despite being a core concept, a definition of the term model type is not widely agreed by the MDE community yet. However, due to the similarities between the structures used in MDE (as defined by MOF) and in object-oriented paradigms, its reasonable to expect that theories developed for type systems of object-oriented languages will apply or adapt well for models. In [116] and [117], Steel and Jézéquel extended the notion of object subtyping to the realm of models, providing an algorithm for model subtyping (i.e., safe replaceability). This algorithm tries to be generic, and provides an elegant approach to address the problem of model type conformance, i.e., to check whether a required model type may be satisfied by a provided model type. In this thesis, we adapt their algorithm to the Ecore structure (see Figure 2.5), i.e., we consider a metamodel as a model type. We selected this choice for practical reasons: (a) a metamodel considers the MDE metalevel hierarchy; (b) there are many languages and operations defined for them that we can make use of; and (c) they are used in model transformation—the model operation par excellence—to describe the input and output parameters type. 5.1. M ODEL S UBTYPING 69 Definition. Given two model types M and M′ (i.e., two metamodels), we say that M′ is subtype of M (M′ ≤ M) whenever we can ensure that if we substitute M by M′ , the operations defined over M are also applicable to M′ , guaranteing type safety. When M and M′ are defined with the Ecore language (see Figure 2.5), this gives place to the following definitions: • Metamodel M′ is subtype of metamodel M (M′ ≤ M) iff: ∀(EPackage)P ∈ M • ∃(EPackage)P′ ∈ M′ • (P′ ≤ P) • EPackage P′ is subtype of EPackage P (P′ ≤ P) iff: isRelated(P′ .name, P.name)∧ ∀ C ∈ P.eClassifiers • ∃ C′ ∈ P′ .eClassifiers • (C′ ≤ C) • EClass C′ is a subtype of EClass C (C′ ≤ C) iff: isRelated(C′ .name, C.name) ∧ (C′ .abstract → C.abstract)∧ ∀ SC ∈ C.eSuperTypes • ∃ SC′ ∈ C′ .eSuperTypes • (SC′ ≤ SC)∧ ∀ SF ∈ C.eStructuralFeatures • ∃ SF′ ∈ C′ .eStructuralFeatures • (SF′ ≤ SF) • EDataType D′ is a subtype of EDataType D (D′ ≤ D) iff: if (D.oclIsTypeOf (EEnum) ∧ D′ .oclIsTypeOf (EEnum)) then (E.eLiterals ⊆ E′ .eLiterals) otherwise (not D.oclIsTypeOf (EEnum) ∧ not D′ .oclIsTypeOf (EEnum))∧ ((D′ = D) ∨ ((D′ .name = EDouble) ∧ (D.name = EInt))) • EAttribute A′ is subtype of EAttribute A (A′ ≤ A) iff: isRelated(A′ .name, A.name) ∧ (A′ .eType ≤ A.eType) ∧ (A′ .unique = A.unique)∧ ((A.upperBound = A′ .upperBound) ∨ (2 ≤ A.upperBound ≤ A′ .upperBound))∧ (A.lowerBound ≤ A′ .lowerBound) ∧ (A′ .ordered = A.ordered) • EReference R′ is a subtype of EReference R (R′ ≤ R) iff: isRelated(R′ .name, R.name) ∧ (R′ .eType ≤ R.eType) ∧ (R′ .unique = R.unique)∧ 70 C HAPTER 5. M ODEL M ANAGEMENT ((R.upperBound = R′ .upperBound) ∨ (2 ≤ R.upperBound ≤ R′ .upperBound))∧ (R.lowerBound ≤ R′ .lowerBound) ∧ (R′ .ordered = R.ordered)∧ (R′ .eOpposite ≤ R.eOpposite) The subtyping algorithm establishes the relationship that must exist between the elements of two different metamodels (M′ and M) to ensure that the operations defined over M to be also applicable to M′ . We consider every metamodel element property reflected in the Ecore metamodel except those that refer to Java properties, which are not inherent to a model type description but specific to the EMF capability of generating Java code from the metamodel specification. Initially, we assume the isRelated operation defined as the equality relationship (see Section 5.1.2.1). Let us illustrate the above definition with an example. We will retake the ATL transformation presented in Section 2.1.4.4, and consider this model transformation as an example of model operation applied over the Author metamodel. Recall that, in this metamodel, authors have a single name and a single surname. module Author2Person ; c r e a t e OUT : MMPerson from IN : MMAuthor ; r u l e Author { from a : MMAuthor ! Author to p : MMPerson ! Person ( name <− a . name , surname <− a . surname ) } Now, suppose that we create a new metamodel Author2 on which we consider that an author can have two surnames, i.e., we set the upper bound value of the surname attribute to two. Would this model operation be applicable to the new metamodel? According to the above definition, the Author2 metamodel is not subtype of the Author metamodel, so we cannot ensure that the transformation will be applicable to the Author2 metamodel. In fact, if we define a model conforming to this new metamodel with an author whose name is Jose and whose surnames are Rivera and Cabaleiro, and we run the transformation, what we get is an ATL error, because we are trying to assign a collection of strings (a.surname) to a single string (p.surname). Since a structural feature is usually accessed differently when its value is a single element and a collection of them, we include in our subtyping algorithm cardinality restrictions to 5.1. M ODEL S UBTYPING 71 distinguish both cases. For the same reason, we force ordered and unique properties to be equal (note that operations defined over sequences are not the same that those defined over sets, for instance). However, there are other properties, such as containment, that do not usually affect to the way an element is accessed in a model operation, and therefore we do not include any restriction about it in our algorithm. Regarding data types, we consider the Ecore EString, EBoolean, EInt and EDouble data types. The operations defined over integer numbers (except the modulo operation) are also defined over the sort EDouble, and this is why we consider that EDouble ≤ EInt. Note that our context is replaceability or substitution in the application of operations, and therefore, the direction of our subtyping relationship ≤ is opposite to the normal direction (EInt ≤ EDouble). The presented subtyping algorithm is also useful in the context of metamodel evolution. It allows us to know what kind of metamodel modifications will invalidate (or not) the operations defined over a metamodel. For instance, we know that any element (package, class, reference, attribute, etc.) can be added to a metamodel and the operations defined over it will remain applicable. On the contrary, we cannot delete a metamodel element, since this action will usually invalidate the operation. Regarding modifications of elements, we have to perform them in such a way that the restrictions specified in the algorithm remain fulfilled. 5.1.2.1 Kinds of Subtyping The above subtyping algorithm guarantees that, whenever a metamodel M′ is subtype of another metamodel M, we can substitute M by M′ and the operations defined over M will be directly applicable over M′ , i.e., we do not need to perform any modification to the operations to apply them over M′ . For this purpose, we assume the isRelated operation defined as the equality relationship, i.e., we force subtype elements to have the same name as their supertypes. This kind of subtyping is called strict subtyping. However, there are cases in which two elements may represent the same element but they have different names: think for instance on spelling mistakes, upper and lower cased differences, or synonyms. Thus, we have also identified another kind of subtyping, subtyping with renaming, that implements the isRelated operation by means of a model that links words that are synonyms, or by defining an operation to compute the distance between two strings. Note that by forcing a relationship between the element names we promote class identity conservation. Specifically, we have implemented the Levenshtein distance [76], a metric that represents the minimum number of operations needed to transform one string into the other, where an op- 72 C HAPTER 5. M ODEL M ANAGEMENT eration is an insertion, deletion, or substitution of a single character. If the Levenshtein distance is lower than a fixed bound, two names can be considered to be related. Another issue related to the subtyping algorithm is the metamodel package structure, which can be considered not relevant to what a model type refers to. In fact, Steel and Jézéquel [116] consider a model type as the set of object types for all the objects contained in a model, i.e., they basically consider as model type a metamodel without its package structure. To cover this case, we have identified two additional kinds of subtyping, namely flattened subtyping and flattened subtyping with renaming. These kinds of subtyping are unaware of the package structure, i.e., they do not consider metamodel packages in their calculations: they compare classifiers independently of the package they belong to. The latter, flattened subtyping with renaming, also allows related elements to have different names. Finally, note that when the subtype relationship is relaxed by using one of the alternative types: subtyping with renaming, flattened subtyping or flattened subtyping with renaming, we will usually need to adapt the model operations to make them applicable to the new metamodel M′ . We believe that this adaptation can be automatically generated by means of a model transformation that renames the affected elements (in case of subtyping with renaming) or modifies the classifiers package if an ambiguity is possible (in case of flattened subtyping). 5.1.3 The Subtyping Operation in Maude One of the benefits of using Maude for representing models and metamodels is that this subtyping algorithm can be easily implemented. In fact, the above clauses can be naturally specified in Maude using its equational logic capabilities. For instance, given M and M’ Ecore models (i.e., models that represent metamodels defined using Ecore), and operations arePackagesSubtypeOf and areClassifiersSubtypeOf described below, the following Maude specifications define the four kinds of subtyping: v a r s M M ’ : @Model . var RENTYPE : String . op isStrictSubtypeOf : @Model @Model −> Bool . eq isStrictSubtypeOf ( M ’ , M ) = arePackagesSubtypeOf ( allPackages ( M ’ ) , allPackages ( M ) , "Equal" , M ’ , M ) . op isRenSubtypeOf : @Model @Model String ˜> Bool . eq isRenSubtypeOf ( M ’ , M , RENTYPE ) = arePackagesSubtypeOf ( allPackages ( M ’ ) , allPackages ( M ) , RENTYPE , M ’ , M ) . op isFlatSubtypeOf : @Model @Model −> Bool . 5.1. M ODEL S UBTYPING 73 eq isFlatSubtypeOf ( M ’ , M ) = areClassifiersSubtypeOf ( allClassifiers ( M ’ ) , allClassifiers ( M ) , "Equal" , M ’ , M ) . op isFlatRenSubtypeOf : @Model @Model String ˜> Bool . eq isFlatRenSubtypeOf ( M ’ , M , RENTYPE ) = areClassifiersSubtypeOf ( allClassifiers ( M ’ ) , allClassifiers ( M ) , RENTYPE , M ’ , M ) . Note that the isStrictSubtypeOf and isRenSubtypeOf operations start traversing all packages, while the isFlatSubtypeOf and isFlatRenSubtypeOf operations handle classifiers directly, independently of the package they belong to. On the other hand, the isStrictSubtypeOf and isFlatSubtypeOf operations force the relationship between the names of the metamodel elements to be the equality relation ("Equal" as their third argument), while the isRenSubtypeOf and isFlatRenSubtypeOf operations admit a parameter to specify the kind of relationship to be used on these names. Currently, only the Levenshtein distance is available, and it is defined with a maximal distance of two units. The auxiliary operation arePackagesSubtypeOf traverses all the packages in M to check if, for every package P in M, there exists a package P’ in M’ which is a subtype of P, i.e., their names are related, and their corresponding classifiers are also subtypes. v a r s MM MM ’ : @Metamodel . v a r s PACKS PACKS ’ : Set . v a r s CLASSFS CLASSFS ’ : OrderedSet . v a r s LPACKS LPACKS ’ : MSet{OCL−Exp} . v a r s N N ’ STRCOMP : String . v a r s P P ’ : Oid . v a r s SFS SFS ’ : Set{@StructuralFeatureInstance} . v a r s OBJSET OBJSET ’ : Set{@Object} . op arePackagesSubtypeOf : Set Set String @Model @Model ˜> Bool . eq arePackagesSubtypeOf ( PACKS ’ , Set{mt } , STRCOMP , M ’ , M ) = true . ceq arePackagesSubtypeOf ( Set{P ’ ; LPACKS ’ } , Set{P ; LPACKS } , STRCOMP , MM ’ { < P ’ : EPackage | name : N ’ # eClassifiers : CLASSFS ’ # SFS ’ > OBJSET ’ } , MM { < P : EPackage | name : N # eClassifiers : CLASSFS # SFS > OBJSET } ) = true if isRelated ( N ’ , N , STRCOMP ) / \ areClassifiersSubtypeOf ( CLASSFS ’ , CLASSFS , STRCOMP , MM ’ { . . . } , MM { . . . } ) / \ arePackagesSubtypeOf ( Set{P ’ ; LPACKS ’ } , Set{LPACKS } , STRCOMP , MM ’ { . . . } , MM { . . . } ) eq arePackagesSubtypeOf ( PACKS ’ , PACKS , STRCOMP , M ’ , M ) = false [ owise ] . The remaining subtype operations are implemented in a similar way: Maude equations are used to specify the subtyping algorithm until reaching the most primitive metamodel elements, i.e., the structural features (attributes and references). With these operations, checking, e.g., whether a metamodel M′ is strict subtype of another metamodel M (M′ ≤ M), i.e., M can be directly replaced by M′ , is just a matter of reducing the 74 C HAPTER 5. M ODEL M ANAGEMENT term isStrictSubtypeOf(M’, M), where both M and M’ are expressed as (Ecore) @Model terms. Maude> r e d u c e isStrictSubtypeOf ( M ’ , M ) . 5.2 Model Difference Model difference is an essential operation in several software development processes [38], including version and change management, software evolution, model/data integration, etc. Most of the current techniques for visualizing and representing model differences are mainly based on edit scripts and coloring techniques [14, 81, 88]. These approaches do not produce models as results of their calculations, and therefore cannot be fully integrated within other MDE processes. Furthermore, most of them do not fulfill other interesting properties required in MDE environments, such as composability [29]. Other techniques based on text, data structure or models also exist, but are usually restricted to a specific metamodel (namely UML) [14, 87, 127]. In this section we present an approach to compare models which conform to arbitrary metamodels. For this purpose we have defined a Difference Metamodel so that differences are represented as models, too, that conform to such a metamodel. We have also defined a set of operations on models and on differences that provide support for the calculation of differences, their application and composition. 5.2.1 Representing Differences Our first requirement is that the results of a model difference operation can be expressed as a model, so they can be fully integrated into other MDE processes. Since models conform to metamodels, we have to define a Difference metamodel with the elements that a difference may contain, and the relationships between them. Furthermore, this Difference metamodel should be general enough to be independent of the metamodel of the source models. Taking into account these requirements, we have developed the Difference metamodel depicted in Figure 5.1. A difference model will contain all the changes from a subtrahend model to a minuend model. As usual, we can distinguish three different kinds of changes: element addition, element deletion, and element modification. Thus, every element of a difference model (DiffElement) will belong to the ModifiedElement metaclass, the DeletedElement metaclass, or 5.2. M ODEL D IFFERENCE 75 Figure 5.1: The Difference metamodel. the AddedElement metaclass, depending on whether the element has been added, deleted or modified, respectively. Elements which do not suffer from any changes will not be reflected in the difference model. Every difference element DiffElement will have a reference (element) to the element that has suffered the change. In case of element modification (ModifiedElement), the difference element will refer to both the element of the minuend model (after the modification, element) and the element of the subtrahend model (before the modification, oldElement). Modified, deleted and added elements from both operand models are added to the difference model too, so that it is self-contained [29], that is, the difference model will contain all the changes, not relying on external sources of information (such as the operand models). Since these elements can belong to any metaclass—model difference can be applied to models conforming to arbitrary metamodels—we make use of the (Ecore) EObject metaclass, which all metaclasses inherits from. The Difference Metamodel can be specified in Maude, following the conventions explained in Section 4.1.1, as follows: mod @DIFFERENCE@ i s p r o t e c t i n g @ECORE@ . op @Difference@ : −> @Metamodel . op Difference : −> @Package . s o r t DiffElement . s u b s o r t DiffElement < @Class . op DiffElement : −> DiffElement . op element : −> @Reference . s o r t AddedElement . s u b s o r t AddedElement < DiffElement . op AddedElement : −> AddedElement . s o r t DeletedElement . s u b s o r t DeletedElement < DiffElement . 76 C HAPTER 5. M ODEL M ANAGEMENT op DeletedElement : −> DeletedElement . s o r t ModifiedElement . s u b s o r t ModifiedElement < DiffElement . op ModifiedElement : −> ModifiedElement . op oldElement : −> @Reference . --- METAMODEL PROPERTIES --- Equations for the "@Diference@" metamodel op @Difference@ : −> @Metamodel . eq name ( @Difference@ ) = "Difference" . eq packages ( @Difference@ ) = Difference . ... --- Equations for the "DiffElement" class eq name ( DiffElement ) = "DiffElement" . eq isAbstract ( DiffElement ) = true . eq package ( DiffElement ) = Difference . eq superTypes ( DiffElement ) = nil . eq references ( DiffElement ) = element . eq attributes ( DiffElement ) = nil . --- Equations for the "element" reference eq name ( element ) = "element" . eq type ( element ) = EObject . eq opposite ( element ) = null . eq lowerBound ( element ) = 1 . eq upperBound ( element ) = 1 . eq containingClass ( element ) = DiffElement . eq isContainment ( element ) = true . ... endm The EObject class (as every Ecore element) is defined in the @ECORE@ module (see Appendix B). 5.2.2 The Difference Operation Given a minuend model Mm and a subtrahend model Ms , both conforming to some metamodels (not necessary the same), the result of applying the model difference operation to them is another model Md conforming to the Difference Metamodel presented above, in such a way that modelDiff(Mm ,Ms ) = Md . The global comparison process is generally admitted as being composed of two main parts: matching and differencing [29]. The latter makes use of the former to decide whether an element in the minuend model is the same (although possibly modified) as another in the subtrahend model. Decomposing the difference operation in these two parts allows the reuse of 5.2. M ODEL D IFFERENCE 77 both algorithms in different applications, such as, e.g., model patching [29]. Thus, we will firstly show how elements are matched, and secondly how the difference is computed using this information. 5.2.2.1 Matching Elements Matching two models M1 and M2 conforming to some (not necessarily the same) metamodels means finding different objects from both models that represent the same elements. The result of applying the match operation to M1 and M2 is a match model MM that conforms to the Match Metamodel, depicted in Figure 5.2. Figure 5.2: The Match Metamodel. Match model elements (of class Match) symbolize links between two objects that represent the same elements. Thus, a match model element will refer to both objects (leftEl and rightEl) and will rate their similarity (expressed in terms of a ratio between zero and one). In this work, we will consider two different types of model matching: identifier-based matching and structural matching. Matching objects using persistent identifiers. Since Maude objects have persistent iden- tifiers, and there cannot be two objects with the same identifier in the same model, checking whether two objects represent the same element can be easily accomplished by comparing their identifiers. If their identifiers are the same, the two objects can be said to represent the same element; otherwise, the two objects represent different elements. The idMatch operation can be specified in Maude as follows: v a r s MM MM ’ : @Metamodel . v a r s OBJSET OBJSET ’ : Set{@Object} . v a r s O O ’ : Oid . v a r s C C ’ : @Class . v a r s SFS SFS ’ : Set{@StructuralFeatureInstance} . op idMatch : @Model @Model −> @Model . eq idMatch ( MM { OBJSET } , MM ’ { OBJSET ’ } ) = @Match@ { idMatch ( OBJSET , OBJSET ’ ) } . op idMatch : Set{@Object} Set{@Object} −> Set{@Object} . eq idMatch(< O : C | SFS > OBJSET , < O : C ’ | SFS ’ > OBJSET ’ ) 78 C HAPTER 5. M ODEL M ANAGEMENT = < O : Match | leftEl : O # rightEl : O # rate : 1 . 0 ) > idMatch ( OBJSET , OBJSET ’ ) . eq idMatch ( OBJSET , OBJSET ’ ) = none [ owise ] . For every object of M1 with the same identifier as another object of M2 , a match object that relates them is added to the resulting model. Since [owise] equations are only executed if no other equation holds, when no objects with the same identifier are found nothing else is added to the match model. Note that the union operator for sets of objects is declared associative, commutative, and with identity element none (see Appendix A), and therefore the sets of objects are matched modulo these axioms. Matching objects using structural similarities. Using persistent universal identifiers makes the matching process simple and robust. However, counting on this kind of identifiers is not always possible: if the two models to compare conform to different metamodels, or have evolved independently, there is little chance that an element being the “same” in the two models has the same identifier. In addition, when comparing models not originally specified in Maude but, e.g., in MOF or Ecore, we cannot assume that the model transformations from MOF or Ecore to Maude will assign the same identifier to two different objects that represent the same element. A more sophisticated matching algorithm is therefore needed. This kind of matching algorithm should compare two elements by their structural similarities. There are several structural matching algorithms described in the literature that can be used (see, e.g., [119, 77]). One of the advantages of using Maude is that its powerful matching facilities enables the specification of this kind of algorithms at a very high level of abstraction. We have implemented a structural matching algorithm in our Maudeling framework (see Section 5.4). The algorithm, which was published in [105], starts by comparing every object of a model with every object of the other one. Comparing two objects means obtaining a match rate that represents their similarity. In case two objects are identified by the same attribute (i.e., their corresponding metaclass have the same attribute set as identifier), this rate is computed by comparing them, otherwise the rate will be computed by comparing their metaclasses and structural features. Then, two objects are said to potentially match when the rate is greater than a given threshold (Th). At the end of the process, a sieve is applied to all potential matches in order to pair only those objects that together obtain the biggest rate, taking into account that a specific object can only belong to one match relationship. In case two objects cannot be compared by their identifier attributes, class and structural 5.2. M ODEL D IFFERENCE 79 features match rates are obtained in the following way: • Two metaclasses match if they are the same, or there exists an inheritance relation between them. 1.0 if C1 = C2 classRate(C1 , C2 ) = 0.9 if isSubtype(C1 , C2 ) or isSubtype(C2 , C1 ) 0.0 otherwise • Structural features are compared taking into account their names and types. The structural feature rate sfRate is computed by comparing each single structural feature and assigning a weight to them—boolean attributes have a weight lower than structural features of other types. If a structural feature is defined only in one of the objects (i.e., a structural feature with the same name and type cannot be found in the other object), a penalty is applied to the final sfRate. If a structural feature’s upper cardinality is greater than 1 (i.e., if its value is a collection), the average rate is calculated. – Boolean attributes and enumerations match (with rate = 1.0) if they have the same value (otherwise rate = 0.0). – String attribute values distances are calculated using the Levenshtein algorithm. Depending on the resulting distance, a different rate is given. 1.0 if levenshteinDist(S1 , S2 ) = 0 0.9 if levenshteinDist(S1 , S2 ) = 1 nameRate(S1 , S2 ) = 0.5 if levenshteinDist(S1 , S2 ) = 2 0.1 if levenshteinDist(S1 , S2 ) = 3 0.0 otherwise – Numerical attribute values match rate is computed with a relative distance function (1 − |N1 −N2 | |N1 +N2 | limited to [0..1]) – References are matched recursively, i.e., objects referenced are compared using the same match operation but without taking into account their own references (to avoid cycles). Once the class and structural features match rates are calculated, the final joint rate is obtained as follows: 80 C HAPTER 5. M ODEL M ANAGEMENT finalRate = wc ∗ classRate + wsf ∗ sfRate where finalRate, classRate, sfRate ∈ [0..1], and the weights that we have initially considered are wc = 0.66, wsf = 0.34. The threshold value we normally use is Th = 0.88, although the weights and threshold are of course user-defined and easily configurable. It is worth noting that the weights and threshold values specified above do not allow elements to potentially match if their metaclasses are not related, since in that case the finalRate could not be greater than wsf (and wsf is lower than the threshold Th). In case two objects have the same identifier attribute, they will be compared just by them, i.e., finalRate = idRate. This comparison will be computed depending on the type of the attribute (boolean, string or numerical) by using one of the above equations. In these cases, we normally use the same threshold Th = 0.88. Contrary to other approaches (e.g., [119]) in which a model is seen as a tree (levels are determined by the containment relationship), and only objects at the same level are compared, our approach compares every object independently of its depth in the tree. This decision implies more comparisons, but also brings along interesting advantages: (a) moved elements through different levels can be detected; and (b) failing to identify a match does not condition other potential matches below in the tree hierarchy. For example, refactoring is a common technique used for making models evolve. One usual refactorization step is to add packages to improve the grouping structure of the model. This is the kind of change that affects the containment tree, as depicted in Figure 5.3, and that can be missed by those approaches that compare elements only at the same level of the tree. Figure 5.3: Example of package refactorization. 5.2.2.2 Computing Differences As previously mentioned, the model difference operation makes use of the match model in order to decide whether one element in the minuend model is the same (although possibly modified) as another in the subtrahend model. Thus, in the global comparison process the match model is calculated before the differencing part starts: 5.2. M ODEL D IFFERENCE 81 v a r s M1 M2 : @Model . v a r s MM1 MM2 : @Metamodel . v a r s OBJSET1 OBJSET2 : Set{@Object} . op difference : @Model @Model −> @Model . --- Using Structural matching algorithm eq difference ( M1 , M2 ) = difference ( M1 , M2 , match ( M1 , M2 ) ) . op idDifference : @Model @Model −> @Model . --- Using Identifier matching eq idDifference ( M1 , M2 ) = difference ( M1 , M2 , idMatch ( M1 , M2 ) ) . op difference : @Model @Model @Model −> @Model . eq difference ( MM1 { OBJSET1 } , MM2 { OBJSET2 } , MATCHM ) = @Difference@ { difference ( OBJSET1 , OBJSET2 , MATCHM ) } . op difference : Set{@Object} Set{@Object} @Model −> Set{@Object} . In order to specify the differencing part, we have identified four different situations that may happen when calculating a model difference operation on an element: (1) the element appears in both models (minuend and subtrahend) and has not been modified; (2) the element appears in both models but has been modified; (3) the element only appears in the minuend model; and (4) the element only appears in the subtrahend model. The four Maude equations below specify the difference operation in each of these cases. In all of them we will use the following variable declarations: v a r s M MATCHM : @Model . v a r s OBJSET OBJSET1 OBJSET2 : Set{@Object} . v a r s O O1 O2 : Oid . v a r s C C1 C2 : @Class . v a r s SFS SFS1 SFS2 : Set{@StructuralFeatureInstance} . In the first case, we have to check whether two objects (one belonging to the minuend model, the other belonging to the subtrahend model) match, i.e., they represent the same element, and belong to the same class and have the same structural feature values. If this situation occurs, we have found an element that has not been modified, and therefore no evidence of the element is stored in the difference model: ceq difference(< O1 : C | SFS > OBJSET1 , < O2 : C | SFS > OBJSET2 , MATCHM ) = difference ( OBJSET1 , OBJSET2 , MATCHM ) i f match ( O1 , O2 , MATCHM ) . The match operation checks whether the corresponding match object that relates O1 and O2 exists in the match model. op match : Oid Oid @Model −> Bool . eq match ( O1 , O2 , @Match@ { < O : Match | leftEl : O1 # rightEl : O2 # SFS > OBJSET } ) = true . eq match ( O1 , O2 , M ) = false [ owise ] . 82 C HAPTER 5. M ODEL M ANAGEMENT In the second case, two objects represent the same element, but the element has been mod- ified, i.e., the two objects match, but either they belong to different classes (Maude allows the dynamic reclassification of objects), or their attributes have different values. In this case, we create an object instance of class ModifiedElement with references to both the object of the subtrahend model (before the modification, oldElement) and the object of the minuend model (after the modification, element). Both operand models’ objects are added to the difference model, but only with the relevant attributes, i.e., those that have different values in both objects (storing both values, the old one and the new one). The identifiers of the two added objects are modified (with newId and oldId operations) to distinguish them, since Maude objects should have unique identifiers in the same Maude configuration. Modifications to object identifiers are performed in such a way that it is possible to “undo” them to get the original identifiers (with the originalId operation, which will be introduced later). ceq difference(< O1 : C1 | SFS1 > OBJSET1 , < O2 : C2 | SFS2 > OBJSET2 , MATCHM ) = < newModId ( O1 ) : ModifiedElement | element : newId ( O1 ) # oldElement : oldId ( O2 ) > < newId ( O1 ) : C1 | attsDiff ( SFS1 , SFS2 ) > < oldId ( O2 ) : C2 | attsDiff ( SFS2 , SFS1 ) > difference ( OBJSET1 , OBJSET2 , MATCHM ) i f match ( O1 , O2 , MATCHM ) / \ not ( SFS1 == SFS2 ) or not ( C1 == C2 ) . Note that every element modification is treated in the same way, i.e., the ModifiedElement metaclass is used for all kinds of possible modifications: from a modification in a String attribute value to a change in the order of elements in collections. This decision was made for the sake of simplicity, although, of course, the Difference Metamodel could be easily extended to explicitly distinguish between different kinds of element modifications, if required. In the third and fourth cases, one element in one of the models does not match any element of the other model. If the object only appears in the minuend model, the element has been added; otherwise (i.e., the object only appears in the subtrahend model) the element has been deleted. Thus, we just have to create an object AddedElement (or DeletedElement, respectively) with a reference to the element in question, which will be also added to the difference model (modifying its identifier as previously described): eq difference ( < O1 : C1 | SFS1 > OBJSET1 , OBJSET2 , MATCHM ) = < newAddId ( O1 ) : AddedElement | element : newId ( O1 ) > < newId ( O1 ) : C1 | SFS1 > difference ( OBJSET1 , OBJSET2 , MATCHM ) [ owise ] . eq difference ( OBJSET1 , < O2 : C2 | SFS2 > OBJSET2 , MATCHM ) = < newDelId ( O2 ) : DeletedElement | element : oldId ( O2 ) > < oldId ( O2 ) : C2 | SFS2 > difference ( OBJSET1 , OBJSET2 , MATCHM ) [ owise ] . 5.2. M ODEL D IFFERENCE 83 The reader should notice the existence of a final fifth case where both the minuend and subtrahend models are empty. In this case, the result of the modelDiff operation will be an empty difference model, as expected: eq difference ( none , none , MATCHM ) = none . Finally, note that these specifications do not force both operand models to conform to the same metamodel, i.e., this difference operation can be applied to minuend and subtrahend models conforming to different metamodels. Thus, in some situations in which models and metamodels are evolving at the same time, models can be compared as well. 5.2.3 An Example of Model Difference For illustration purposes, let us introduce a simple example to show how the model difference works, and the results that it provides. Given the production system model depicted in Figure 3.5, suppose that we add another user (u2) with position (6,1). As a result, the following model (depicted in Figure 5.4) is obtained: Figure 5.4: Another production system model (concrete syntax). ProductionSystem { < ’p : Plant | els : Sequence{ ’heg # ’hag # ’c1 # ’c2 # ’t1 # ’a # ’c3 # ’t2 # ’u # ’u2} > < ’heg : HeadGen | in : null , out : ’c1 , xPos : 1 , yPos : 3 > < ’hag : HandleGen | in : null , out : ’c2 , xPos : 1 , yPos : 1 > < ’c1 : Conveyor | parts : Sequence{} , out : ’t1 , xPos : 2 , yPos : 3 > < ’c2 : Conveyor | parts : Sequence{} , out : ’t1 , xPos : 2 , yPos : 1 > < ’t1 : Tray | parts : Sequence{} , capacity : 4 , xPos : 3 , yPos : 2 > < ’a : Assembler | in : ’t1 , out : ’c3 , xPos : 4 , yPos : 2 > < ’c3 : Conveyor | parts : Sequence{} , out : ’t2 , xPos : 5 , yPos : 2 > < ’t2 : Tray | parts : Sequence{} , capacity : 4 , xPos : 6 , yPos : 2 > < ’u : User | parts : Sequence{} , xPos : 6 , yPos : 3 > < ’u2 : User | parts : Sequence{} , xPos : 6 , yPos : 1 > } . 84 C HAPTER 5. M ODEL M ANAGEMENT Note that plant ’p is also modified, since it has a reference to the elements that it contains. Now, if we take the modified model as the minuend model, and the initial model as the subtrahend model, the result of applying the difference operation is the following difference model: < ’p@MOD : ModifiedElement | element : ’p@NEW # oldElement : ’p@OLD > < ’p@NEW : Plant | els : Sequence{ ’heg # ’hag # ’c1 # ’c2 # ’t1 # ’a # ’c3 # ’t2 # ’u # ’u2} > < ’p@OLD : Plant | els : Sequence{ ’heg # ’hag # ’c1 # ’c2 # ’t1 # ’a # ’c3 # ’t2 # ’u} > < ’u2@ADD : AddedElement | element : ’u2@NEW > < ’u2@NEW : User | parts : Sequence{} , xPos : 6 , yPos : 1 > As we can see, the added user and the plant reference modification are both represented in the difference model (elements were matched as expected). 5.2.4 Related Operations Model difference is probably the main operation for dealing with model evolution and for handling model versions, but it is not the only one required to achieve such processes. There are other related operations that need to be considered too, such as those that do and undo the changes, compose several differences, etc. For instance, operations do and undo will allow us to obtain the minuend model from the subtrahend model, and viceversa, respectively. In fact, one of the current limitations of other proposals that implement model comparison and difference (e.g., [88]) is that their results cannot be effectively composed, and that these additional operations are hard to define. In our approach, given the way in which the differences have been represented (as models) and the modelDiff operation has been specified (as an operation on models), they become natural and easy to define [105]. 5.2.4.1 The do Operation Given a model Ms conforming to an arbitrary metamodel MM and a difference model Md (conforming to the Difference Metamodel), the result of applying operation do to them is another model Mm so that: do(Ms ,Md ) = Mm and modelDiff(Mm ,Ms ) = Md . Operation do applies to a model all the changes specified in a difference model. Basically, it adds to the model all elements referred to by AddedElements of the difference model; deletes from the model all elements referred to by DeletedElements of the difference model; and modifies those elements of the model which are referred to by ModifiedElements. In Maude, this operation can be specified by three equations (described below) that correspond, respectively, to the addition, deletion and modification of elements. A fourth equation 5.2. M ODEL D IFFERENCE 85 is also included to deal with the empty difference: 1 v a r s MM1 MM2 : @Metamodel . 2 v a r s OBJSET1 OBJSET2 : Set{@Object} . 3 v a r s O1 O2 OLDO NEWO : Oid . 4 v a r s C1 NEWC OLDC : @Class . 5 v a r s SFS1 OLDSFS NEWSFS : Set{@StructuralFeatureInstance} . 6 7 op do : @Model @Model ˜> @Model . 8 eq do ( MM1 { OBJSET1 } , MM2 { OBJSET2 } ) = otherMM ( MM1 , OBJSET2 ) { do ( OBJSET1 , OBJSET2 ) } . 9 10 op do : Set{@Object} Set{@Object} ˜> Set{@Object} . 11 eq do ( OBJSET1 , < O2 : AddedElement | element : NEWO > 12 13 14 15 < NEWO : NEWC | NEWSFS > OBJSET2 ) = < originalId ( NEWO ) : NEWC | NEWSFS > do ( OBJSET1 , OBJSET2 ) . ceq do(< O1 : C1 | SFS1 > OBJSET1 , 17 18 19 < O2 : DeletedElement | element : OLDO > < OLDO : OLDC | OLDSFS > OBJSET2 ) 16 = do ( OBJSET1 , OBJSET2 ) i f O1 = originalId ( OLDO ) . ceq do(< O1 : C1 | SFS1 > OBJSET1 , < O2 : ModifiedElement | element : NEWO # 20 oldElement : OLDO > 21 < NEWO : NEWC | NEWSFS > < OLDO : OLDC | OLDSFS > OBJSET2 ) 22 23 24 25 26 = < originalId ( NEWO ) : NEWC | ( excludingAll ( SFS1 , OLDSFS ) , NEWSFS ) > do ( OBJSET1 , OBJSET2 ) i f O1 = originalId ( OLDO ) . eq do ( OBJSET1 , OBJSET2 ) = OBJSET1 [ owise ] . Operation otherMM gets the metamodel of the minuend model by looking for it through the classes of the difference model (note that model difference can be applied over models conforming to different metamodels). The auxiliary operation originalId recovers the original identifier of the object that was modified, i.e., reverts the changes done by operations newId or oldId in the model difference. Operation excludingAll deletes from a set of structural feature instances SFS1 all the structural feature instances that have the same name of any structural feature instance of the OLDSFS set. This operation is used in line 23 to remove from SFS1 the structural features that have the old values (OLDSFS), to add them again but with the corresponding new values (contained in NEWSFS). Note that a matching between both models (Ms and Md ) is not needed, because operation do is supposed to be applied to the original model of the difference, and original object identifiers can be recovered from the difference model. The resulting model Mm will usually conform to the same metamodel MM of Ms . However, model difference can be applied to models conforming to different metamodels. In general, model difference will be applied to models conforming to the same metamodel, or meta- 86 C HAPTER 5. M ODEL M ANAGEMENT models that are related by the sybtyping relationship. Therefore, we could usually affirm that the resulting model Mm will conform to a metamodel which is a subtype [116] (or, in special cases, supertype) of the metamodel MM of the original subtrahend Mm . 5.2.4.2 The undo Operation Given a model Mm conforming to a metamodel MM and a difference model Md (conforming to the Difference Metamodel), the result of applying operation undo to them is another model Mm so that: undo(Mm ,Md ) = Ms and modelDiff(Mm ,Ms ) = Md . As well as in operation do, the resulting model Ms will usually conform to the same metamodel MM of Mm (if this was true when the difference was done). This operation reverts all the changes specified in a difference model. Operation undo can be considered as the inverse operation of do. Basically, it adds to the model all elements referred to by DeletedElements of the difference model; deletes from the model all elements referred to by AddedElements of the difference model; and modifies those elements of the model that are referred to by ModifiedElements (but in the opposite way of operation do). Since the equations for the undo operation are analogous to the equations for the do operation, we will not include them here. 5.2.4.3 Sequential Composition of Differences Another important operation provides the sequential composition of differences. In general, each difference model represents the changes in a model from one version to the next, i.e., a delta (∆). The diffComposition operation specifies the composition of deltas, so that individual deltas can be combined into a single one. This operation is very useful, for instance, to “optimize” the process of applying successive modifications to the same model, which might introduce complementary changes. For example, if one element is added in one delta and then deleted in another, the composed delta does not need to store both changes. In this way, this operation not only composes deltas, but also eliminates unnecessary changes and provides more compact model differences, hence improving efficiency. The following Maude equations are a fragment of the diffComposition operation specification. The first equation corresponds to the composition of an addition and a deletion of the same element. In this case, as mentioned before, there will be no evidence of the element in the resulting difference model. The second equation corresponds to the composition of an 5.3. F URTHER O PERATIONS 87 addition and a modification of the same element. In this case, an AddedElement that refers to the element with its attributes properly modified, and the element itself, will be included in the resulting difference model. op diffComposition : @Model @Model ˜> @Model . eq diffComposition ( @Difference@ { OBJSET1 } , @Difference@ { OBJSET2 } ) = @Difference@ { diffComposition ( OBJSET1 , OBJSET2 ) } . op diffComposition : Set{@Object} Set{@Object} −> Set{@Object} . ceq diffComposition(< O1 : AddedElement | element : NEWO > < NEWO : NEWC | NEWSFS > OBJSET1 , < O2 : DeletedElement | element@DiffElement : OLDO > < OLDO : OLDC | OLDSFS > OBJSET2 ) = diffComposition ( OBJSET1 , OBJSET2 ) i f originalId ( OLDO ) = originalId ( NEWO ) . ceq diffComposition(< O1 : AddedElement | element : O > < O : C | SFS > OBJSET1 , < O2 : ModifiedElement | element : NEWO # oldElement : OLDO ) > < OLDO : OLDC | OLDSFS > < NEWO : NEWC | NEWSFS > OBJSET2 ) = < newAddId ( originalId ( O2 ) ) : AddedElement | element : NEWO > < NEWO : NEWC | ( excludingAll ( SFS , OLDSFS ) , NEWSFS ) > diffComposition ( OBJSET1 , OBJSET2 ) i f originalId ( O ) = originalId ( OLDO ) . ... eq diffComposition ( OBJSET1 , OBJSET2 ) = OBJSET1 OBJSET2 [ owise ] . When no correspondences are found between the two difference models, i.e., when the difference models do not contain more DiffElements that refer to the same element, all their remaining elements (DiffElements) are just included in the composition (as specified by the last equation). 5.3 Further Operations Model subtyping and model difference are quite helpful operations in MDE processes. However, there are many other operations that can also benefit from our models and metamodels representation. For instance, one of the interesting applications of the proposed Maude formalization is the simplicity of the computation of metrics, both on models and metamodels. Thus, e.g., most of the quality metrics for models defined in [35] can be easily formalized in Maude, and therefore automatically computed. These metrics include, e.g., the number of classes, associations and inheritance relationships, the maximum DIT (Depth of Inheritance Tree), or the average number of attributes, references or children per class. 88 C HAPTER 5. M ODEL M ANAGEMENT For instance, the number of classes (EClasses) of an Ecore model coincides with the num- ber of Maude objects of class EClass in its representation as an instance of the Ecore metamodel. This metric can be specified in Maude as follows: var O : Oid . var SFS : Set{@StructuralFeatureInstance} . var OBJSET : Set{@Object} . op NoOfClasses : @Model −> Nat . eq NoOfClasses ( @Ecore { < O : EClass | SFS > OBJSET } ) = 1 + NoOfClasses ( @Ecore { OBJSET } ) . eq NoOfClasses ( @Ecore { OBJSET } ) = 0 [ owise ] . 5.4 Tool Support with Maudeling One of the main advantages of using Maude is the possibility of using its execution environment, able to provide efficient implementations of the specifications—comparable in resource consumption to most commercial programming languages’ environments. In addition, the Maude environment is integrated in Eclipse, which has provided a very convenient working environment for model management. Figure 5.5: The Maudeling tool. 5.4. T OOL S UPPORT WITH M AUDELING 89 As part of this thesis, we have developed an Eclipse plug-in, called Maudeling [101], that allows users to perform some of the previously described operations on EMF models, i.e., on models defined in the Eclipse platform.1 In this way, the user can define their models and metamodels with the Eclipse tool of choice, and then execute the model management operations in Maude being completely unaware of it (Maude is kept completely transparent to the user). Both versions of the tool (1.0 [101] and 2.0) can be downloaded from our website [2]. The version 2.0 includes model validation, subtyping and difference related operations. Its main component is the Maude perspective, which includes several buttons to perform the corresponding operations. In addition, the user can also invoke the model validation operation directly from a contextual menu. Whenever an operation is invoked, Maudeling performs as follows: it encodes EMF models and metamodels into Maude, executes the corresponding operation in the Maude environment, and transforms back the resulting Maude specifications into the original notation (see below). The final result of applying the model difference operation (or one of its related operations) is an EMF model, while the final result of applying model subtyping and validation is a boolean value. 5.4.1 The Way Back to EMF In Section 4.2 we showed how we encode EMF models (and metamodels) into Maude. Once we count on the Maude representation of these models, we can make use of the model operations presented in previous sections. However, some of these operations return a model as a result. Since we want users to be completely unaware of Maude, we have developed a model transformation to transform models specified in Maude into the EMF notation. In what follows, we present the steps that are involved in this process. Firstly, we have to parse the Maude term that represent a model (a term of sort @Model) into a Maude model (see Section 4.2.1.3). This Maude model, which will conform to the Maude metamodel, will also contain the specification of the @Model term. Then, this Maude model is transformed into the corresponding EMF model that represents the term it contains. For instance, if the Maude term represents an Author model, we have to transform it to an EMF model conforming to the Author metamodel (see Figure 2.2). Note that this transformation depends on the metamodel the @Model term conforms to. Thus, we cannot achieve this process with a simple transformation: we need a Higher-Order Transfor1 Maudeling uses our previous Maude representation for models and metamodels, which is described in [106]. 90 C HAPTER 5. M ODEL M ANAGEMENT mation (HOT). A HOT is a model transformation whose output is another transformation, i.e., whose output is a model that conforms to a metamodel that represents a model transformation language. In our case, the HOT (named Ecore2ATL) will take as input the metamodel MM (defined as a Ecore model) to which the final model will conform, and produce as output a model transformation (an ATL model) that will transform the Maude specifications to a model conforming to MM. For instance, if the Maude term represents an Author model, the input of this HOT will be the Author metamodel, and its output an ATL model (Maude2Author) which transforms Maude specifications into Author models. Figure 5.6 shows an overview of this transformation. Figure 5.6: The higher-order transformation process. Figure 5.7 shows the correspondences between a Maude model containing a @Model term that represents a particular author model, and its corresponding EMF representation. The resulting Maude2Author transformation is specified in ATL as follows. 1 module Maude2Ecore ; 2 c r e a t e OUT : MM from IN : Maude ; 3 4 u s e s Maude2ModelLib ; 5 6 r u l e ”Author : : Book” { from 7 8 rt : Maude ! RecTerm 9 ( rt . op = thisModule . objectOperator and rt . isTypeOf ( ’@Object’ ) and rt . belongsTo ( ’Book@Author’ ) ) 10 to 11 cl : Author ! Book ( 12 name <− rt . getAttValue ( ’name’ ) . attToString ( ) , 13 ISBN <− rt . getAttValue ( ’ISBN’ ) . attToString ( ) ) 14 15 } 16 17 18 19 r u l e ”Author : : Author” { from rt : Maude ! RecTerm 5.4. T OOL S UPPORT WITH M AUDELING ( rt . op = thisModule . objectOperator and rt . isTypeOf ( ’@Object’ ) 20 and rt . belongsTo ( ’Author@Author’ ) ) 21 using{ 22 books : OrderedSet ( Maude ! Constant ) = rt . getAttValue ( ’books’ ) . toOrdSet ( ) ; } 23 to 24 cl : Author ! Author ( 25 26 name <− rt . getAttValue ( ’name’ ) . attToString ( ) , 27 surname <− rt . getAttValue ( ’surname’ ) . attToString ( ) , 28 books <− Maude ! RecTerm−>allInstances ( )−>select ( rt | rt . isTypeOf ( ’@Object’ ) )−> select ( obj | books−>exists ( oid | oid . op = obj . oid ( ) . op ) ) ) 29 30 91 } Figure 5.7: Correspondences between Maude and EMF specifications. The Author::Book rule transforms every Maude recursive term (Maude!RecTerm) that represent a book object (a < : | > term of sort @Object whose class is Book@Author) into an object (cl) of the Author!Book class. The attribute values of cl are set by using the getAttrValue operation. This operation traverses all the structural features of a Maude object to get the value of the one whose name is specified as parameter. The Author::Author rule is similar to the Author::Book rule. The attribute values of cl are set by using the getAttrValue operation, and its reference values (in this case, the books reference) are set by searching in the entire model those Maude recursive terms that represent the referred objects. Since there exists a rule (the Book rule) which transforms these recursive terms into book objects, the books reference will be correctly set. By observing these two rules, we notice that they follow the same structure. This design has been chosen to facilitate its automatic generation through a HOT transformation. Furthermore, both of them use general helpers, i.e., helpers whose definitions are completely independent of the metamodel, such as belongsTo or getAttrValue. These helpers are defined in the Maude2ModelLib library, which will be imported by every transformation generated by the 92 C HAPTER 5. M ODEL M ANAGEMENT Ecore2ATL transformation. Additionally, Ecore2ATL generates an ATL match rule per metaclass following the mentioned structure. The interested reader is referred to our website [2] to find the specification of the Ecore2ATL transformation in our tool e-Motions. Finally, we would like to clarify that in the encoding of EMF models into Maude (the reverse transformation) a simple transformation is enough: thanks to the meta-capabilities of the EObject interface, we can access any model object and obtain its metaclass independently of the metamodel the model conforms to. However, the inverse process is not feasible: we cannot create a general object with ATL, look for its class in the Maude model, and then assign it. This is the reason why we have accomplished this process by defining a HOT. 5.4.2 Adapting Difference Models to the Eclipse Platform In Maude, objects may have references to non-accessible elements. For instance, modified, added and deleted elements of difference models (contained by the element and oldElement references) may refer to other objects that are not contained in the difference model but in one of the operand (subtrahend or minuend) models. If we remove, for example, the minuend model, and keep the subtrahend and difference models, the references from difference elements to objects of the minuend model will be kept. Then, whenever we apply the do operation to the subtrahend and difference models, we will recover the minuend model and the dangling references will become valid references again. However, EMF editors do not work like that: they do not allow editing models with dangling references. If we, e.g., delete one of the difference operand models, the difference model may become invalid, and therefore we need to maintain minuend and subtrahend models in order to have a valid difference model. Thus, we have defined a mechanism to adapt our difference approach to the Eclipse platform taking into account these considerations. We have created a new Difference metamodel where difference elements will not contain the modified, added, and deleted elements anymore but they will have just an (intermodel) reference to them (note that in Eclipse we will have to maintain the difference operand models, so it makes no sense for the difference model to contain these elements too). In fact, the only difference with respect to the Difference metamodel shown in Figure 5.1 is that the element and oldElement references are not containments. Then, to transform models conforming to the previous Difference metamodel (specified in the Maude platform) to this new one (specified in the Eclipse platform), we have specified an ATL model transformation from Maude to EMF that adapt difference models to this new represen- 5.4. T OOL S UPPORT WITH M AUDELING 93 tation. This transformation has been defined making use of the Ecore2ATL transformation: we selected the previous Difference metamodel as input, and we adapted the resulting transformation to set these new intermodel references properly: module DifferenceRepresentation ; -- Module Template c r e a t e OUT : Difference from IN : Maude , SUB : Ecore1 , MIN : Ecore2 ; u s e s Maude2ModelLib ; ... r u l e ”Difference : : ModifiedElement” { from rt : Maude ! RecTerm ( rt . op = thisModule . object and rt . isTypeOf ( ’@Object’ ) and rt . belongsTo ( ’ModifiedElement@Difference’ ) ) using{ oid_element : S t r i n g = rt . listVariable ( ’element’ )−>first ( ) . originalOid ( ) ; oid_oldElement : S t r i n g = rt . listVariable ( ’oldElement’ )−>first ( ) . originalOid ( ) ; } to cl : Difference ! ModifiedElement ( ) do{ cl . refSetValue ( ’element’ , Ecore2 ! EObject . getInstanceById ( ’MIN’ , oid_element ) ) ; cl . refSetValue ( ’oldElement’ , Ecore1 ! EObject . getInstanceById ( ’SUB’ , oid_oldElement ) ) ; } } r u l e ”Difference : : DeletedElement” { from rt : Maude ! RecTerm ( rt . op = thisModule . object and rt . isTypeOf ( ’@Object’ ) and rt . belongsTo ( ’DeletedElement@Difference’ ) ) using{ oid_element : S t r i n g = rt . listVariable ( ’element’ )−>first ( ) . originalOid ( ) ; } to cl : Difference ! DeletedElement ( ) do{ cl . refSetValue ( ’element’ , Ecore1 ! EObject . getInstanceById ( ’SUB’ , oid_element ) ) ; } } r u l e ”Difference : : AddedElement” { from rt : Maude ! RecTerm ( rt . op = thisModule . object and rt . isTypeOf ( ’@Object’ ) and rt . belongsTo ( ’AddedElement@Difference’ ) ) using{ oid_element : S t r i n g = rt . listVariable ( ’element’ )−>first ( ) . originalOid ( ) ; } to 94 C HAPTER 5. M ODEL M ANAGEMENT cl : Difference ! AddedElement ( ) do{ cl . refSetValue ( ’element’ , Ecore2 ! EObject . getInstanceById ( ’MIN’ , oid_element ) ) ; } } Note that we have added two additional input models: MIN and SUB, that represent the minuend and subtrahend models, respectively. They are needed to get their corresponding added, deleted or modified objects. These objects will be obtained by means of the getInstanceById ATL operation, which looks for them by their identifiers. Once we get these objects, we can set the value of the element reference of the created difference elements (and the value of the odlElement reference in case of ModifiedElements) properly by making use of the refSetValue ATL operation. 5.5 Related Work There is quite a large number of contributions about the importance of model management, the operations required to deal with models and metamodels, and about algorithms to implement such operations. For instance, there is the work by X. Blanc on the Model Bus [22], or the work by Bernstein on Model Management [19] on how model operations can help addressing classical meta-data management problems such as schema integration, schema evolution, and round-trip engineering. Many people have mentioned the importance of counting on model management operations such as model subtyping, match, merge, diff, compose, or apply, and some other people have developed algorithms for implementing some of these operations. Most of these implementations have been independently developed, although some of them have tried to deal with them on a unified and general way (e.g., [13, 63]), but mostly at a very high level, using category theory and institutions. What we are presenting here is an integrated environment to both formally specify these operations, and to provide efficient implementations for them, which has been integrated into an Eclipse model engineering environment. In this sense, MOMENT [23, 5, 24] is a generic model management framework integrated in Eclipse which provides a reflective, algebraic, and executable framework for metamodeling, with support for MOF and OCL, and partial support for the QVT Relations language. It also uses Maude modules to automatically serialize software artifacts, but the kind of operations they provide are different. They do not provide model subtyping These operations rely on the definition of the Equal operation for matching two elements. The semantics of this operation coincides with the syntactical equivalence, although this generic semantics can be enriched by 5.5. R ELATED W ORK 95 means of OCL expressions that take into account the structure and semantics of a specific metamodel. The latest internal encoding of models and metamodels in MOMENT was presented in [25], and shares many similarities with our previous representation [110] (see Section 4.3 for a comparison between the two representations). The tool does not follow a full MDE process to define the semantic mappings: they directly serialize EMF models into Maude instead of defining a Maude metamodel and model transformation between both platforms. Model Subtyping. One of the most relevant works in model subtyping was presented by Steel and Jézéquel in [117]. They introduced a model type definition as an extension of object type, i.e., as the set of objects types for all the objects contained in a model (basically a metamodel without its packages structure). The reason not to consider the metamodel as the model type is attributed to the increasing abundance of models that refer to other models, that causes that we can no longer guarantee that the classes of all objects within a model will be contained by a single package. However, we think that the problem lies on the metamodel definition they adopt, assuming a metamodel as a single MOF package and not considering the different package relationships (such as importation) that may exist. Our flattened subtyping covers the subtyping relationship they propose. There are other approaches that propose to check type conformance from a set of restrictions. For instance, in [56], a type system for object models is described that supports subtypes and allows overloading of relation names. The work is focused on type conformance, which is checked using the Alloy language. Model operations defined over the object models are not considered. Finally, in [126], metamodel evolution is also handled, but they focus on the adaption of the models that conforms to the metamodels instead of on their operations. Model Difference. There are several proposals that address the problems of comparing models and calculating their difference. Firstly, we have the works that describe how to compute the difference of models that conform to one specific metamodel, usually UML [14, 87, 127]. Their specificity and strong dependence on the elements and structure of the given metamodel hinders their generalization as metamodel-independent approaches that can be used with models that conform to arbitrary metamodels. Secondly, there are several techniques that allow to compute the difference between models using edit scripts, which are based on representing the modifications as sequences of atomic actions specifying how the initial model is procedurally modified. These approaches are more 96 C HAPTER 5. M ODEL M ANAGEMENT general and powerful, and have been traditionally used for calculating and representing differences in several contexts. However, edit scripts are intrinsically not declarative, lengthy and very fine-grained, suitable for internal representations but quite ineffective to be adopted for documenting changes in MDE environments, and difficult to compose. Furthermore, the results of their calculations are not expressed as a model conforming to a specific metamodel, and therefore they cannot be processed by standard modeling platforms [39]. Other works, such as [39], [77] and [119], are closer to ours. In [39], a metamodelindependent approach to difference representation is presented, but with the particularity that the Difference Metamodel is not fixed, but created in each case as an extension of the operands’ metamodel. This approach is agnostic of the calculation method, so it does not introduce any model difference operation, and also requires a complex model transformation process to create the specific Difference Metamodel and to calculate the differences. Matching is based on name comparison: the proposal assumes that a specific attribute called name always exists. This may hinder its application in some contexts, such as for instance those in which metamodels are defined in languages different to English. The work described in [77] introduces an algorithm for calculating and representing model differences in a metamodel-independent manner, but the result is not compact (it contains more information than required) and it is more oriented towards graphically representing and visualizing the differences. Thirdly, EMFCompare [119] is an interesting approach that uses complex and sophisticated algorithms to compute the structural matching between model elements. However, this proposal makes heavy use of the hierarchical tree for matching the elements, restricting the comparisons to elements in the same level. As discussed in Section 5.2.2, this restriction may not be effective in some cases, including those in which the changes affect the tree structure (something common in several model refactoring operations). Furthermore, difference models are not self-contained in EMFCompare, and therefore the minuend and subtrahend models are required in order to operate with the differences. Finally, none of these approaches currently provide good support for composing the deltas and implementing further operations on them. Chapter 6 Behavioral Semantics of DSMLs Once we count on a formalization of models and metamodels in MEL, we can provide them with behavioral specifications by using Rewriting Logic (RL). In this chapter we present a way to specify the behavior of DSMLs by means of rewriting rules in Maude. This allows us to, e.g., perform simulation and reachability and model-checking analysis on the domain specific models using the tools and techniques that Maude provides. However, we do not expect a DSML designer to learn Maude for specifying the behavior of his/her DSML. Therefore, we introduce a graphical and more intuitive way to do it by means of in-place model transformation, and we show the similarity between the two approaches. 6.1 Representing DSMLs’ Behavior with Maude In Section 4.1 we showed how we represent the structural parts of a DSML (namely models and metamodels) in Maude. This section introduces how we represent DSMLs’ dynamic behavior. Dynamic behavior is usually specified in Maude in terms of rewrite rules. These rules, of the form [t]E → [t′ ]E , describe the local, concurrent transitions possible in the system, i.e., when a part of the system state fits any pattern in [t]E then it can change to a new local state fitting pattern [t′ ]E . Thus, given a Maude module with the specification of a MEL theory that represent a metamodel, we can “extend” it with behavioral information by adding the appropriate rewrite rules. Therefore, the complete specification of the system (including the structural and behavioral views) will now be represented with a rewrite theory. To illustrate this approach, consider again the production system example in Section 3.2. Figure 3.2 shows the Production System (PS) metamodel. Note that it is not clear from this metamodel when are handles and heads generated, or what is the precise behavior of the sys97 98 C HAPTER 6. B EHAVIORAL S EMANTICS OF DSML S tem when one of the trays is full. Can we execute the system for simulating different trays capacities, in order to find the most efficient production line? These are the sort of issues that need to be precisely clarified by a behavioral specification. The following Maude module PRODUCTION-SYSTEM-WITH-BEHAVIOR extends the PRODUCTION-SYSTEM module (see Section 4.1.1) with five rules: mod PRODUCTION−SYSTEM−WITH−BEHAVIOR i s p r o t e c t i n g PRODUCTION−SYSTEM . v a r s U P C T HEG HAG HA HE HAM A PL : Oid . v a r s PARTS PARTS ’ : Sequence . v a r s SFS SFS ’ SFS ’ ’ SFS ’ ’ ’ SFS ’ ’ ’ ’ : Set{@StructuralFeatureInstance} . var OBJSET : Set{@Object} . v a r s CONT CAP XPOS XPOS ’ YPOS YPOS ’ : Int . var PART : Part . c r l [ GenHead ] : ProductionSystem { < HEG : HeadGen | counter : CONT # out : C # SFS > < C : Conveyor | parts : PARTS # xPos : XPOS # yPos : YPOS # SFS ’ > OBJSET } => ProductionSystem{ < HEG : HeadGen | counter : << CONT − 1 >> # out : C # SFS > < C : Conveyor | parts : << PARTS −> append ( HE ) >> # xPos : XPOS # yPos : YPOS # SFS ’ > < HE : Head | xPos : XPOS # yPos : YPOS > OBJSET } i f << CONT <> 0 >> / \ HE : = headId ( CONT ) . c r l [ GenHandle ] : ProductionSystem { < HAG : HandleGen | counter : CONT # out : C # SFS > < C : Conveyor | parts : PARTS # xPos : XPOS # yPos : YPOS # SFS ’ > OBJSET } => ProductionSystem{ < HAG : HandleGen | counter : << CONT − 1 >> # out : C # SFS > < C : Conveyor | parts : << PARTS −> append ( HA ) >> # xPos : XPOS # yPos : YPOS , SFS ’ > < HA : Handle | xPos : XPOS # yPos : YPOS > OBJSET } i f << CONT <> 0 >> / \ HA : = handleId ( CONT ) . c r l [ Transfer ] : ProductionSystem { < C : Conveyor | parts : PARTS # out : T # SFS > < T : Tray | capacity : CAP # parts : PARTS ’ # xPos : XPOS ’ # yPos : YPOS ’ # SFS ’ > < P : PART | xPos : XPOS # yPos : YPOS # SFS ’ ’ > OBJSET } 6.1. R EPRESENTING DSML S ’ B EHAVIOR WITH M AUDE 99 => ProductionSystem{ < C : Conveyor | parts : << PARTS −> excluding ( P ) >> # out : T # SFS > < T : Tray | capacity : CAP # parts : << PARTS ’ −> append ( P ) >> # xPos : XPOS ’ # yPos : YPOS ’ # SFS ’ > < P : PART | xPos : XPOS ’ # yPos : YPOS ’ # SFS ’ ’ > OBJSET } i f << PARTS −> first ( ) . = . P >> / \ << PARTS ’ −> size ( ) < CAP >> . c r l [ Assemble ] : ProductionSystem { < HA : Handle | SFS > < HE : Head | SFS ’ > < T : Tray | parts : PARTS # SFS ’ ’ > < A : Assembler | in : T # out : C # SFS ’ ’ ’ > < C : Conveyor | parts : PARTS ’ # xPos : XPOS # yPos : YPOS # SFS ’ ’ ’ ’ > OBJSET } => ProductionSystem{ < T : Tray | parts : << PARTS −> excluding ( HE ) −> excluding ( HA ) >> # SFS ’ ’ > < A : Assembler | in : T # out : C # SFS ’ ’ ’ > < C : Conveyor | parts : << PARTS ’ −> append ( HAM ) >> # xPos : XPOS # yPos : YPOS # SFS ’ ’ ’ ’ > < HAM : Hammer | xPos : XPOS # yPos : YPOS > OBJSET } i f << PARTS −> includes ( HE ) >> / \ << PARTS −> includes ( HA ) >> / \ HAM : = hammerId ( HE , HA ) . c r l [ Collect ] : ProductionSystem { < T : Tray | parts : PARTS # xPos : XPOS # yPos : YPOS # SFS > < U : User | parts : PARTS ’ # xPos : XPOS ’ # yPos : YPOS ’ # SFS ’ > < HAM : Hammer | xPos : XPOS ’ ’ # yPos : YPOS ’ ’ # SFS ’ ’ > OBJSET } => ProductionSystem{ < T : Tray | parts : << PARTS −> excluding ( HAM ) >> # xPos : XPOS # yPos : YPOS # SFS > < U : User | parts : << PARTS ’ −> append ( HAM ) >> # xPos : XPOS ’ # yPos : YPOS ’ # SFS ’ > < HAM : Hammer | xPos : XPOS ’ # yPos : YPOS ’ # SFS ’ ’ > OBJSET } i f << PARTS −> includes ( HAM ) >> / \ << ( XPOS − XPOS ’ ) . abs ( ) <= 1 >> / \ << ( YPOS − YPOS ’ ) . abs ( ) <= 1 >> . endm The GenHead and GenHandle rules specify the behavior of head and handle generators, respectively. Since with these rules the value of the generator attribute counter is decreased every time a part is generated, a head (or handle) is created and placed in the out conveyor 100 C HAPTER 6. B EHAVIORAL S EMANTICS OF DSML S provided that the number of parts already generated is smaller than its upper bound (i.e., its attribute counter is different from zero). The headId (resp. handleId) function returns a new identifier of the form ’hen (resp. ’han) given a natural number n. The Transfer rule specifies the behavior of conveyors. If there are parts in a conveyor, it will place the first one in its out tray provided that there is enough space in it (i.e., the number of parts in the tray is smaller than its capacity). Note the use of the variable PART, of sort Part, to represent any of its subclasses. The Assemble rule specifies the behavior of assemblers. If there is an assembler with a head and a handle in its in tray, it will consume such a head and a handle and will put a hammer in its out conveyor. Given identifiers ’hen and ’ham, for natural numbers n and m, the hammerId function returns a new identifier ’hen.ham . The Collect rule represents hammer collection. When there is a hammer on a tray, a nearby user—an user who has an adjacent position to the tray—collects it with this rule. Note that the dynamic semantics of the model is precisely specified by these rewrite rules. For instance, if the counter of a generator is set to zero, it will generate no more parts; in case that an user can collect several hammers, only one (at a time) will be collected in an nondeterministic way; etc. Moreover, this specification can be used for simulation and execution purposes, as well as for formal analysis. Finally, please note that several alternative behaviors can be specified by defining other modules extending the original PRODUCTION-SYSTEM module with different rules. This, together with the module inheritance that Maude supports [42], provides a very powerful mechanism for refining and extending behavioral specifications. For instance, suppose that we want to define two different behaviors for tray overflow: when there is a conveyor with parts and its out tray is full, we want the first part of the conveyor to be (a) assigned to the plant floor (the Drop rule), or (b) removed from the system (the Remove rule). Thus, we define two new modules PRODUCTION-SYSTEM-WITH-BEHAVIOR-1 and PRODUCTION-SYSTEM-WITH-BEHAVIOR-2, that extend the above module with the Drop and Remove rules, respectively: mod PRODUCTION−SYSTEM−WITH−BEHAVIOR−1 i s p r o t e c t i n g PRODUCTION−SYSTEM−WITH−BEHAVIOR . v a r s C T P PL : Oid . var OBJSET : Set{@Object} . v a r s SFS SFS ’ SFS ’ ’ SFS ’ ’ ’ : Set{@StructuralFeatureInstance} . v a r s PARTS ELS : Sequence . var CAP : Int . var PART : Part . 6.1. R EPRESENTING DSML S ’ B EHAVIOR WITH M AUDE c r l [ Drop ] : ProductionSystem { < C : Conveyor | parts : PARTS # out : T # SFS > < T : Tray | capacity : CAP # parts : PARTS ’ # SFS ’ > < P : PART | SFS ’ ’ > < PL : Plant | els : ELS # SFS ’ ’ ’ > OBJSET } => ProductionSystem{ < C : Conveyor | parts : << PARTS −> excluding ( P ) >> # out : T # SFS > < T : Tray | capacity : CAP # parts : PARTS ’ # SFS ’ > < P : PART | SFS ’ ’ > < PL : Plant | els : << ELS ’ −> append ( P ) >> # SFS ’ ’ ’ > OBJSET } i f << PARTS −> first ( ) . = . P >> / \ << PARTS ’ −> size ( ) >= CAP >> . endm mod PRODUCTION−SYSTEM−WITH−BEHAVIOR−2 i s p r o t e c t i n g PRODUCTION−SYSTEM−WITH−BEHAVIOR . v a r s C T P : Oid . var OBJSET : Set{@Object} . v a r s SFS SFS ’ SFS ’ ’ : Set{@StructuralFeatureInstance} . v a r s PARTS : Sequence . var CAP : Int . var PART : Part . c r l [ Remove ] : ProductionSystem { < C : Conveyor | parts : PARTS # out : T # SFS > < T : Tray | capacity : CAP # parts : PARTS ’ # SFS ’ > < P : PART | SFS ’ ’ > OBJSET } => ProductionSystem{ < C : Conveyor | parts : << PARTS −> excluding ( P ) >> # out : T # SFS > < T : Tray | capacity : CAP # parts : PARTS ’ # SFS ’ > OBJSET } i f << PARTS −> first ( ) . = . P >> / \ << PARTS ’ −> size ( ) >= CAP >> . endm 101 102 C HAPTER 6. B EHAVIORAL S EMANTICS OF DSML S 6.2 Formal Analysis of Domain Specific Models with Maude Once the system specifications are written using Maude and the modeling approach presented in this thesis, what we get is a rewriting logic specification of the system. Since the rewriting logic specification produced in this way is executable, it can be used as a prototype of the system, which allows us to simulate and analyze it. Maude offers tool support for interesting possibilities such as model simulation, reachability analysis and model checking. We focus here on these three facilities, which will be described with the help of examples that illustrate Maude’s possibilities in this context. Detailed descriptions of the commands and tools used here can be found in [42]. In addition, models can be further analyzed using other available tools in Maude’s formal environment: the LTL satisfiability and tautology checker [59], the Church-Rosser checker [53], the coherence checker [54], the termination tool [52], etc. We also refer the interested reader to [42, 43] for details on these tools. 6.2.1 Simulation Given a Maude specification as the one described in the previous sections, it can be executed by just successively applying equations and rewrite rules on an initial term (representing a model). Maude provides two different rewrite commands, namely rewrite and frewrite, which implement two different execution strategies, a top-down rule-fair strategy, and a depthfirst position-fair strategy, respectively (cf., [42]). The rewrite and frewrite commands explore a possible execution for a given initial model. However, a rewrite system do not need to be Church-Rosser and terminating,1 and there might be many different execution paths. Although these commands are enough in many practical situations where an execution path is sufficient for testing executability, the user might be interested in exploring all possible execution paths from the starting model, a subset of these, or a specific one. There are currently three ways of controlling the execution process in Maude, which, ordered from the more complex to the easiest to use, are: • Using the reflective capabilities of Maude, with built-in metalevel functions such as 1 For MEL specifications, being Church-Rosser and terminating means not only confluence—so that a unique normal form will be reached—but also a sort decreasingness property, namely that the normal form will have the least possible sort among those of all other equivalent terms. 6.2. F ORMAL A NALYSIS OF D OMAIN S PECIFIC M ODELS WITH M AUDE 103 metaReduce, metaApply, etc., which provide absolute control over the execution pro- cess (see [42] for additional details). • Using the Maude strategy language [58] to define strategy expressions that control the way terms are rewritten. • Using invariant-driven strategies for executing specifications complying with given invariants [55, 109]. We illustrate here the use of the Maude’s strategy language proposed in [58] as a mechanism to guide the execution process. In this language, a strategy is described as an operation that, when applied to a given term, produces a set of terms as a result (since in general this is a nondeterministic process). The basic strategies consist of the application of a rule (identified by the corresponding rule label) to a given term, and allowing variables in a rule to be instantiated before its application with a specific substitution. Basic strategies are combined by means of operators such as concatenation (;), union (|), iteration (* for zero or more times and + for one or more times), if-then-else, etc. For example, we can use the Maude srewrite using command to find all possible applications of the rules included in the PRODUCTION-SYSTEM-WITH-BEHAVIOR-1 module (see Section 6.3) from the psModel initial model (see Section 4.1.2) as follows: Maude> s r e w r i t e psModel u s i n g all ∗ . In this case the number of possible executions is huge, and although may be helpful for some automatic checking, the result is not very useful here. More interesting is the result given by the following command: Maude> s r e w r i t e psModel u s i n g ( GenHead ; Transfer ; GenHandle ; Transfer ; Assemble ; Transfer ; Collect ) + . In this case, the following sequence is enforced: firstly, a head is generated and moved to the in tray of the assembler; then, a handle is generated and moved as well; afterwards, both the head and the handle are assembled to generate a hammer; finally, this hammer is moved to the final tray and collected by the user. Ten solutions are found, one for each possible time that the sequence can be repeated before the generators reach their limit. For instance, the last solution found, where ten hammers are created and stored, is the following: r e s u l t @Model : ProductionSystem { < ’p : Plant | els : Sequence{ ’heg # ’hag # ’c1 # ’c2 # ’t1 # ’a # ’c3 # ’t2 # ’u} > < ’heg : HeadGen | in : null # out : ’c1 # counter : 0 # xPos : 1 # yPos : 3 > < ’hag : HandleGen | in : null # out : ’c2 # counter : 0 # xPos : 1 # yPos : 1 > < ’c1 : Conveyor | parts : Sequence{mt−ord} # out : ’t1 # xPos : 2 # yPos : 3 > 104 C HAPTER 6. B EHAVIORAL S EMANTICS OF DSML S < ’c2 : Conveyor | parts : Sequence{mt−ord} # out : ’t1 # xPos : 2 # yPos : 1 > < ’t1 : Tray | parts : Sequence{mt−ord} # capacity : 4 # xPos : 3 # yPos : 2 > < ’a : Assembler | in : ’t1 # out : ’c3 # xPos : 4 # yPos : 2 > < ’c3 : Conveyor | parts : Sequence{mt−ord} # out : ’t2 # xPos : 5 # yPos : 2 > < ’t2 : Tray | parts : Sequence{mt−ord} # capacity : 4 # xPos : 6 # yPos : 2 > < ’u : User | parts : Sequence{ ’he10 . ha10 # he9 . ha9 # ’he8 . ha8 # ’he7 . ha7 # ’he6 . ha6 # ’he5 . ha5 # ’he4 . ha4 # ’he3 . ha3 # ’he2 . ha2 # ’he1 . ha1} # xPos : 6 # yPos : 3 > < ’he1 . ha1 : Hammer | xPos : 6 # yPos : 3 > < ’he2 . ha2 : Hammer | xPos : 6 # yPos : 3 > ... < ’he10 . ha10 : Hammer | xPos : 6 # yPos : 3 > } The number of solutions to be shown can be limited using the corresponding (optional) argument of the srewrite command. Thus, for example, we can ask for the first fifteen executions, using a less strict strategy (applying some of the rules with some freedom), as follows: Maude> s r e w r i t e [ 1 5 ] psModel u s i n g ( ( GenHead ; Transfer ) | ( GenHandle ; Transfer ) | ( Assemble ; Transfer ) | Collect ) + . Among the solutions obtained we get the one above (together with many others). The rewrite and frewrite commands also allow users to specify an upper bound for the number of rule applications. This upper bound can be very useful to simulate non-terminating system, or to execute a simulation step by step. 6.2.2 Reachability Analysis Executing the system using the rewrite and frewrite commands means exploring just one possible behavior of the system. As shown in Section 6.2.1, this can be partially improved by using rewriting strategies. However, it does not allow us to analyze the solutions found. The Maude search command allows us to explore (following a breadth-first strategy) the reachable state space in different ways. Let us start by looking for deadlock states. Although in this example we may easily guess how the deadlock states look like, let us be a bit naive and look for final states (states on which no further rewrite may take place), using the =>! variant of the search command, with no hammers in the final container. For instance, starting from our initial model, and given variables SFS of sort Set{@StructuralFeatureInstance} and OBJSET of sort Set{@Object}, we can use the search command as follows: 6.2. F ORMAL A NALYSIS OF D OMAIN S PECIFIC M ODELS WITH M AUDE 105 Maude> s e a r c h [ 1 0 ] psModel =>! ProductionSystem { < ’t2 : Tray | parts : Sequence{mt−ord} # SFS > OBJSET } . Please note that we have limited the number of solutions to 10, otherwise it gives hundreds of solutions. By observing them we realize that a possible source of deadlock is that the ’t1 tray may be full of parts of the same type, not allowing the assembler machine to proceed. Let us look now for states satisfying this condition. For instance, starting from our initial model, and given variables O1, O2, O3 and O4 of sort Oid; P of sort Part; SFS, SFS1, SFS2, SFS3 and SFS4 of sort Set{@StructuralFeatureInstance}; and OBJSET of sort Set{@Object}, we can search for states on which the tray ’t1 contains four parts of the same type, using the search command as follows: Maude> s e a r c h [ 1 ] psModel =>∗ ProductionSystem { < ’t1 : Tray | parts : Sequence{O1 ; O2 ; O3 ; O4} # SFS > < O1 : P | SFS1 > < O2 : P | SFS2 > < O3 : P | SFS3 > < O4 : P | SFS4 > OBJSET } . Note the use of the =>* variant of the search command to look for any state, final or not. Note as well that we have requested only the first solution. The result given by Maude is the following: Solution 1 ( state 1 8 2 ) OBJSET −−> < ’p : Plant | els : Sequence{ ’heg # ’hag # ’c1 # ’c2 # ’t1 # ’a # ’c3 # ’t2 # ’u} > < ’heg : HeadGen | in : null , out : ’c1 # counter : 6 # xPos : 1 # yPos : 3 > < ’hag : HandleGen | in : null # out : ’c2 # counter : 10 # xPos : 1 # yPos : 1 > < ’c1 : Conveyor | parts : Sequence{mt−ord} # out : ’t1 # xPos : 2 # yPos : 3 > < ’c2 : Conveyor | parts : Sequence{mt−ord} # out : ’t1 # xPos : 2 # yPos : 1 > < ’a : Assembler | in : ’t1 # out : ’c3 # xPos : 4 # yPos : 2 > < ’c3 : Conveyor | parts : Sequence{mt−ord} # out : ’t2 # xPos : 5 # yPos : 2 > < ’t2 : Tray | parts : Sequence{mt−ord} # capacity : 4 # xPos : 6 # yPos : 2 > < ’u : User | parts : Sequence {mt−ord} # xPos : 6 # yPos : 3 > SFS −−> xPos : 3 # yPos : 2 # capacity : 4 O1 −−> ’he10 O2 −−> ’he9 O3 −−> ’he8 O4 −−> ’he7 P −−> Head@ps SFS1 −−> xPos : 3 # yPos : 2 SFS2 −−> xPos : 3 # yPos : 2 SFS3 −−> xPos : 3 # yPos : 2 SFS4 −−> xPos : 3 # yPos : 2 As result, a collection of solutions (variable substitutions) that fulfil the given search pattern is obtained. In this case, a state with four heads placed in the tray ’t1 is found. 106 C HAPTER 6. B EHAVIORAL S EMANTICS OF DSML S The shortest sequence of rewrites followed to reach this model (one of them in case of existing more than one with the same length) can be displayed by typing show path n, where n is the number of a state (notice that it is 182 for the model shown). If we are only interested in the labels of the applied rules, the command show path labels n can be used instead. In this case, show path labels 182 produces the sequence GenHead GenHead GenHead GenHead Transfer Transfer Transfer Transfer, which is one of the possible (short- est) paths leading to this state. Upper bounds for the number of rule applications (maximum depth) and solutions can also be specified in the search. For instance, let us consider a new initial model, infPsModel, with the counters of generators set to −1. Since counter attributes are decremented each time a part is generated, and generators stop when its value is equals to zero, it can result in a nonterminating execution if hammers are correctly produced (users do not have an upper bound for contained parts). Then, it could be interesting to know, for example, whether a model on which the user contains at least three hammers can be reached. Given variables PARTS of sort Sequence, SFS of sort Set{@StructuralFeatureInstance} and OBJSET of sort Set{@Object}, we can check it (by searching for only one solution) in the following way: Maude> s e a r c h [ 1 ] infPsModel =>∗ ProductionSystem { < ’u : User | parts : PARTS # SFS > OBJSET } such that << PARTS −> size ( ) >= 3 >> . Note the use of the such that clause to look for states matching the specified pattern and satisfying the given condition. Although the number of states reachable from the initial state is infinite, a solution was found: Solution 1 ( state 3 0 9 9 8 8 ) OBJSET −−> < ’p : Plant | els : Sequence{ ’heg # ’hag # ’c1 # ’c2 # ’t1 # ’a # ’c3 # ’t2 # ’u} > < ’heg : HeadGen | in : null , out : ’c1 # counter : −4 # xPos : 1 # yPos : 3 > < ’hag : HandleGen | in : null # out : ’c2 # counter : −4 # xPos : 1 # yPos : 1 > < ’c1 : Conveyor | parts : Sequence{mt−ord} # out : ’t1 # xPos : 2 # yPos : 3 > < ’c2 : Conveyor | parts : Sequence{mt−ord} # out : ’t1 # xPos : 2 # yPos : 1 > < ’t1 : Tray | parts : Sequence{mt−ord} # capacity : 4 # xPos : 3 # yPos : 2 > < ’a : Assembler | in : ’t1 # out : ’c3 # xPos : 4 # yPos : 2 > < ’c3 : Conveyor | parts : Sequence{mt−ord} # out : ’t2 # xPos : 5 # yPos : 2 > < ’t2 : Tray | parts : Sequence{mt−ord} # capacity : 4 # xPos : 6 # yPos : 2 > < ’he1 . ha1 : Hammer | xPos : 6 # yPos : 3> < ’he2 . ha2 : Hammer | xPos : 6 # yPos : 3> < ’he3 . ha3 : Hammer | xPos : 6 # yPos : 3> SFS −−> xPos : 6 # yPos : 3 PARTS −−> Sequence{ ’he1 . ha1 # ’he2 . ha2 # ’he3 . ha3} 6.2. F ORMAL A NALYSIS OF D OMAIN S PECIFIC M ODELS WITH M AUDE 107 We can also use the search command to check safety properties. For instance, given variables O of sort Oid, CAP of sort Int, PARTS of sort Sequence, OBJSET of sort Set{@Object}, and SFS of sort Set{@StructuralFeatureInstance}, we can check whether starting from psModel the capacity of any tray is exceeded: Maude> s e a r c h psModel =>∗ ProductionSystem { < O : Tray | capacity : CAP # parts : PARTS # SFS > OBJSET } such that << PARTS −> size ( ) > CAP >> . No solution . Since no solutions are found, we can state that (starting from psModel) the capacities of the trays are never exceeded. Whenever an invariant is violated, we are guaranteed to get a counterexample (up to time and memory limitations). However, when the number of states reachable from the initial state is infinite, and the invariant holds, we will search forever, never finding it. In these cases, bounded search (a search with a maximum number of rule applications) is a widely used procedure that: (a) together with a big depth can greatly increase the confidence that the invariants hold, and (b) can still be quite effective in finding counterexamples, where applicable. We can do the same check for infPsModel with a bound on the depth of the search of, e.g., 1000, as follows. Maude> s e a r c h [ 1 , 1 0 0 0 ] infPsModel =>∗ ProductionSystem { < O : Tray | capacity : CAP # parts : PARTS # SFS > OBJSET } such that << PARTS −> size ( ) > CAP >> . No solution . With the information provided by the performed analysis, we could modify the dynamic behavior of our model to avoid deadlocks. For example, we could modify the behavior of conveyors in such a way that a part is never put in the output tray if the capacity of the tray is about to be filled with parts of the same type. The following two rules substitutes the Transfer rule to model this behavior: v a r s P P ’ C T : Oid . v a r s PARTS PARTS ’ : Sequence . v a r s SFS SFS ’ SFS ’ ’ SFS ’ ’ ’ : Set{@StructuralFeatureInstance} . var OBJSET : Set{@Object} . v a r s CAP XPOS XPOS ’ YPOS YPOS ’ : Int . var PART PART ’ : Part . c r l [ Transfer1 ] : ProductionSystem { 108 C HAPTER 6. B EHAVIORAL S EMANTICS OF DSML S < C : Conveyor | parts : PARTS # out : T # SFS > < T : Tray | capacity : CAP # parts : PARTS ’ # xPos : XPOS ’ # yPos : YPOS ’ # SFS ’ > < P : PART | xPos : XPOS # yPos : YPOS # SFS ’ ’ > OBJSET } => ProductionSystem{ < C : Conveyor | parts : << PARTS −> excluding ( P ) >> # out : T # SFS > < T : Tray | capacity : CAP # parts : << PARTS ’ −> append ( P ) >> # xPos : XPOS ’ # yPos : YPOS ’ # SFS ’ > < P : PART | xPos : XPOS ’ # yPos : YPOS ’ # SFS ’ ’ > OBJSET } i f << PARTS −> first ( ) . = . P >> / \ << PARTS ’ −> isEmpty ( ) >> . c r l [ Transfer2 ] : ProductionSystem { < C : Conveyor | parts : PARTS # out : T # SFS > < T : Tray | capacity : CAP # parts : PARTS ’ # xPos : XPOS ’ # yPos : YPOS ’ # SFS ’ > < P : PART | xPos : XPOS # yPos : YPOS # SFS ’ ’ > < P ’ : PART ’ | SFS ’ ’ ’ > OBJSET } => ProductionSystem{ < C : Conveyor | parts : << PARTS −> excluding ( P ) >> # out : T # SFS > < T : Tray | capacity : CAP # parts : << PARTS ’ −> append ( P ) >> # xPos : XPOS ’ # yPos : YPOS ’ # SFS ’ > < P : PART | xPos : XPOS ’ # yPos : YPOS ’ # SFS ’ ’ > < P ’ : PART ’ | SFS ’ ’ ’ > OBJSET } i f << PARTS −> first ( ) . = . P >> / \ << PARTS ’ −> includes ( P ’ ) >> / \ << ( PARTS ’ −> size ( ) < ( CAP − 1 ) ) or ( ( PARTS ’ −> size ( ) . = . ( CAP − 1 ) ) and ( PART =/= PART ’ ) ) >> . The Transfer1 rule models the movement of the first part of a conveyor to its empty output tray. The Transfer2 rule models the movement of the first part of a conveyor to its non-empty output tray whenever a) the capacity of the tray is not going to be filled or b) it is going to be filled but at least there exists a part on the tray which is of a different type from the part which is being transferred. 6.2.3 LTL Model Checking Maude offers a linear temporal logic explicit-state model checker [59], which allows us to check whether every possible behavior starting from a given initial model satisfies a given temporal logic property. Maude’s model checker can be used to prove safety and liveness properties of rewriting systems when the set of states reachable from an initial state is finite. 6.2. F ORMAL A NALYSIS OF D OMAIN S PECIFIC M ODELS WITH M AUDE 109 Full verification of invariants in infinite-state systems can be accomplished by verifying the invariants on finite-state abstractions (see, e.g., [85]) of the original infinite-state system, that is, on an appropriate quotient of the original system whose set of reachable states is finite [42]. In order to specify safety and liveness properties, state predicates are needed. For instance, suppose that we want to check that a hammer that has been created is eventually collected by the user. In this case, we can introduce two different state predicates: exist and collected, that will reflect whether a part exists and is collected, respectively. State predicates are defined as operators of sort Prop, and their semantics are given by means of a set of equations that specify for what model pattern a given state predicate evaluates to true. In Maude, opposite to standard LTL propositional logic, we can define parametric state predicates, that is, operators of sort Prop which need not be constants, but may have one or more sorts as parameter arguments. The exist and collected prepositions can be specified as follows: ops exist collected : Oid −> Prop . v a r s O P : Oid . v a r s SFS SFS ’ : Set{@StructuralFeatureInstance} . var OBJSET : Set{@Object} . var PART : Part . var PARTS : Sequence . eq ProductionSystem { < O : PART | SFS > OBJSET } | = exist ( O ) = true . ceq ProductionSystem { < O : User | parts : PARTS # SFS > < P : PART | SFS ’ > OBJSET } | = collected ( P ) = true i f << PARTS −> includes ( P ) >> . Note that we have only specified for what model patterns given state predicates evaluate to true. The remaining case is already included in our Maude specifications. var MODEL : @Model . var PROP : Prop . eq MODEL | = PROP = false [ owise ] . After defining these state predicates, we are ready to model-check different LTL properties. Making use of the eventually <> and henceforth [] LTL connectives, we can model check, for instance, that a created hammer (say ’he10.ha10) is collected at some time, by typing: Maude> r e d u c e modelCheck ( psModel , [ ] ( exist ( ’ he10 . ha10 ) −> <> collected ( ’ he10 . ha10 ) ) ) . r e s u l t Bool : true Of course, this property is not very useful, but it becomes a bit more interesting if we check it for all possible hammers. Given the exist and stored propositions above, the following 110 C HAPTER 6. B EHAVIORAL S EMANTICS OF DSML S formula allHammers express the same property for all possible hammers, with identifiers created as in the above rules: v a r s N M K : Nat . op allHammers : Nat Nat −> Formula . op allHammers : Nat Nat Nat −> Formula . eq allHammers ( N , M ) = allHammers ( N , M , M ) . eq allHammers ( s N , 0 , K ) = [ ] ( exist ( ID ) −> <> collected ( ID ) ) / \ allHammers ( N , K , K ) i f ID : = hammerId ( headId ( s N ) , handleId ( 0 ) ) . eq allHammers ( N , s M , K ) = [ ] ( exist ( ID ) −> <> collected ( ID ) ) / \ allHammers ( N , M , K ) i f ID : = hammerId ( headId ( N ) , handleId ( s M ) ) . eq allHammers ( 0 , 0 , K ) = [ ] ( exist ( ID ) −> <> collected ( ID ) ) i f ID : = hammerId ( headId ( 0 ) , handleId ( 0 ) ) . We can now check it as follows: Maude> r e d u c e modelCheck ( psModel , allHammers ( 1 0 , 1 0 ) ) . r e s u l t Bool : true Of course, not all properties are true. For example, if we model-check that a created head, say ’he10, is consumed at any time (to form a hammer) by typing: Maude> r e d u c e modelCheck ( psModel , [ ] ( exist ( ’ he10 ) −> <> ˜ exist ( ’ he10 ) ) ) . we get a counterexample showing why it fails (in this case due to deadlock states). r e s u l t ModelCheckResult : counterexample ( { ProductionSystem { < ’a : Assembler | out : ’c3 # in : ’t1 # xPos : 4 # yPos : 2 > < ’c1 : Conveyor | parts : Sequence{mt−ord} # out : ’t1 # xPos : 2 # yPos : 3 > < ’c2 : Conveyor | parts : Sequence{mt−ord} # out : ’t1 # xPos : 2 # yPos : 1 > < ’c3 : Conveyor | parts : Sequence{mt−ord} # out : ’t2 # xPos : 5 # yPos : 2 > < ’hag : HandleGen | out : ’c2 # in : null # xPos : 1 # yPos : 1 # counter : 10 > < ’heg : HeadGen | out : ’c1 # in : null # xPos : 1 # yPos : 3 # counter : 10 > < ’p : Plant | els : Sequence{ ’heg # ’hag # ’c1 # ’c2 # ’t1 # ’a # ’c3 # ’t2 # ’u} > < ’t1 : Tray | parts : Sequence{mt−ord} # xPos : 3 # yPos : 2 # capacity : 4 > < ’t2 : Tray | parts : Sequence{mt−ord} # xPos : 6 # yPos : 2 # capacity : 4 > < ’u : User | parts : Sequence{mt−ord} # xPos : 6 # yPos : 3 >}, ’GenHead} { ProductionSystem { < ’a : Assembler | out : ’c3 # in : ’t1 # xPos : 4 # yPos : 2 > < ’c1 : Conveyor | parts : Sequence{ ’he10} # out : ’t1 # xPos : 2 # yPos : 3 > < ’c2 : Conveyor | parts : Sequence{mt−ord} # out : ’t1 # xPos : 2 # yPos : 1 > < ’c3 : Conveyor | parts : Sequence{mt−ord} # out : ’t2 # xPos : 5 # yPos : 2 > < ’hag : HandleGen | out : ’c2 # in : null # xPos : 1 # yPos : 1 # counter : 10 > < ’he10 : Head | xPos : 2 # yPos : 3 > 6.2. F ORMAL A NALYSIS OF D OMAIN S PECIFIC M ODELS WITH M AUDE 111 < ’heg : HeadGen | out : ’c1 # in : null # xPos : 1 # yPos : 3 # counter : 9 > < ’p : Plant | els : Sequence{ ’heg # ’hag # ’c1 # ’c2 # ’t1 # ’a # ’c3 # ’t2 # ’u} > < ’t1 : Tray | parts : Sequence{mt−ord} # xPos : 3 # yPos : 2 # capacity : 4 > < ’t2 : Tray | parts : Sequence{mt−ord} # xPos : 6 # yPos : 2 # capacity : 4 > < ’u : User | parts : Sequence{mt−ord} # xPos : 6 # yPos : 3 >}, ’GenHead} ... { ProductionSystem { < ’a : Assembler | out : ’c3 # in : ’t1 # xPos : 4 # yPos : 2 > < ’c1 : Conveyor | parts : Sequence{mt−ord} # out : ’t1 # xPos : 2 # yPos : 3 > < ’c2 : Conveyor | parts : Sequence{ ’ha1} # out : ’t1 # xPos : 2 # yPos : 1 > < ’c3 : Conveyor | parts : Sequence{mt−ord} # out : ’t2 # xPos : 5 # yPos : 2 > < ’ha1 : Handle | xPos : 2 # yPos : 1 > < ’ha10 : Handle | xPos : 2 # yPos : 1 > < ’ha2 : Handle | xPos : 2 # yPos : 1 > < ’ha3 : Handle | xPos : 2 # yPos : 1 > < ’ha4 : Handle | xPos : 2 # yPos : 1 > < ’ha5 : Handle | xPos : 2 # yPos : 1 > < ’ha6 : Handle | xPos : 2 # yPos : 1 > < ’ha7 : Handle | xPos : 2 # yPos : 1 > < ’ha8 : Handle | xPos : 2 # yPos : 1 > < ’ha9 : Handle | xPos : 2 # yPos : 1 > < ’hag : HandleGen | out : ’c2 # in : null # xPos : 1 # yPos : 1 # counter : 0 > < ’he1 : Head | xPos : 2 # yPos : 3 > < ’he10 : Head | xPos : 3 # yPos : 2 > < ’he2 : Head | xPos : 2 # yPos : 3 > < ’he3 : Head | xPos : 2 # yPos : 3 > < ’he4 : Head | xPos : 2 # yPos : 3 > < ’he5 : Head | xPos : 2 # yPos : 3 > < ’he6 : Head | xPos : 2 # yPos : 3 > < ’he7 : Head | xPos : 3 # yPos : 2 > < ’he8 : Head | xPos : 3 # yPos : 2 > < ’he9 : Head | xPos : 3 # yPos : 2 > < ’heg : HeadGen | out : ’c1 # in : null # xPos : 1 # yPos : 3 # counter : 0 > < ’p : Plant | els : Sequence{ ’heg # ’hag # ’c1 # ’c2 # ’t1 # ’a # ’c3 # ’t2 # ’u # ’he6 # ’he5 # ’he4 # ’he3 # ’he2 # ’he1 # ’ha10 # ’ha9 # ’ha8 # ’ha7 # ’ha6 # ’ha5 # ’ha4 # ’ha3 # ’ha2} > < ’t1 : Tray | parts : Sequence{ ’he10 # ’he9 # ’he8 # ’he7} # xPos : 3 # yPos : 2 # capacity : 4 > < ’t2 : Tray | parts : Sequence{mt−ord} # xPos : 6 # yPos : 2 # capacity : 4 > < ’u : User | parts : Sequence{mt−ord} # xPos : 6 # yPos : 3 >}, ’Drop } , { ProductionSystem { < ’a : Assembler | out : ’c3 # in : ’t1 # xPos : 4 # yPos : 2 > < ’c1 : Conveyor | parts : Sequence{mt−ord} # out : ’t1 # xPos : 2 # yPos : 3 > < ’c2 : Conveyor | parts : Sequence{mt−ord} # out : ’t1 # xPos : 2 # yPos : 1 > < ’c3 : Conveyor | parts : Sequence{mt−ord} # out : ’t2 # xPos : 5 # yPos : 2 > < ’ha1 : Handle | xPos : 2 # yPos : 1 > < ’ha10 : Handle | xPos : 2 # yPos : 1 > < ’ha2 : Handle | xPos : 2 # yPos : 1 > < ’ha3 : Handle | xPos : 2 # yPos : 1 > 112 C HAPTER 6. B EHAVIORAL S EMANTICS OF DSML S < ’ha4 : Handle | xPos : 2 # yPos : 1 > < ’ha5 : Handle | xPos : 2 # yPos : 1 > < ’ha6 : Handle | xPos : 2 # yPos : 1 > < ’ha7 : Handle | xPos : 2 # yPos : 1 > < ’ha8 : Handle | xPos : 2 # yPos : 1 > < ’ha9 : Handle | xPos : 2 # yPos : 1 > < ’hag : HandleGen | out : ’c2 # in : null # xPos : 1 # yPos : 1 # counter : 0 > < ’he1 : Head | xPos : 2 # yPos : 3 > < ’he10 : Head | xPos : 3 # yPos : 2 > < ’he2 : Head | xPos : 2 # yPos : 3 > < ’he3 : Head | xPos : 2 # yPos : 3 > < ’he4 : Head | xPos : 2 # yPos : 3 > < ’he5 : Head | xPos : 2 # yPos : 3 > < ’he6 : Head | xPos : 2 # yPos : 3 > < ’he7 : Head | xPos : 3 # yPos : 2 > < ’he8 : Head | xPos : 3 # yPos : 2 > < ’he9 : Head | xPos : 3 # yPos : 2 > < ’heg : HeadGen | out : ’c1 # in : null # xPos : 1 # yPos : 3 # counter : 0 > < ’p : Plant | els : Sequence{ ’heg # ’hag # ’c1 # ’c2 # ’t1 # ’a # ’c3 # ’t2 # ’u # ’he6 # ’he5 # ’he4 # ’he3 # ’he2 # ’he1 # ’ha10 # ’ha9 # ’ha8 # ’ha7 # ’ha6 # ’ha5 # ’ha4 # ’ha3 # ’ha2 # ’ha1} > < ’t1 : Tray | parts : Sequence{ ’he10 # ’he9 # ’he8 # ’he7} # xPos : 3 # yPos : 2 # capacity : 4 > < ’t2 : Tray | parts : Sequence{mt−ord} # xPos : 6 # yPos : 2 # capacity : 4 > < ’u : User | parts : Sequence{mt−ord} # xPos : 6 # yPos : 3 >}, deadlock } ) A counterexample is a pair consisting of two lists of transitions, where the first corresponds to a finite path beginning in the initial state, and the second describes a loop. This is because if an LTL formula is not satisfied by a finite structure, it is always possible to find a counterexample for the formula having the form of a path of transitions followed by a cycle [42]. Each transition is represented as a pair, consisting of a state and the label of the rule applied to reach the next state. 6.3 Representing DSML’s Behavior with In-Place Model Transformation Maude offers a comprehensive toolkit for performing simulation and analysis, efficient enough to be of practical use, and easy to integrate with software development environments such as Eclipse. However, one of its drawbacks is that it requires specialized knowledge and expertise, something that may hinder its usability by the average DSML designer. In MDE, where models, metamodels and model transformations are the key artifacts, model transformations 6.3. R EPRESENTING DSML’ S B EHAVIOR WITH I N -P LACE M ODEL T RANSFORMATION113 that support in-place update seem to be the natural way to specify the dynamic behavior of DSMLs. This kind of transformation allows users to describe the permitted actions of the system and how the model elements evolve as a result of these actions, allowing designers to work with domain specific concepts and their concrete syntax for describing the rules [49]. In the following, we will show that in-place model transformation represents an intuitive approach to model the dynamic behavior of DSMLs by presenting some examples. 6.3.1 In-Place Model Transformation An in-place model transformation is an endogenous model-to-model transformation where source and target models are the same: this kind of model transformation does not create new models but just modify the source ones. They are composed of a set of transformation rules that typically represent the possible actions of the system. Such rules are of the form l : [NAC]∗ × LHS → RHS, where l is the rule’s label (its name); and LHS (Left-Hand Side), RHS (Right-Hand Side), and NAC (Negative Application Conditions) are model patterns that represent certain (sub-)states of the system. The LHS and NAC patterns express the precondition for the rule to be applied, whereas the RHS one represents its postcondition, i.e., the effect of the corresponding action. Thus, a rule can be applied, i.e., triggered, if an occurrence (or match) of the LHS is found in the model and none of its NAC patterns occurs. Generally, if several matches are found, one of them is non-deterministically selected and applied, producing a new model where the match is substituted by the appropriate instantiation of its RHS pattern (the rule’s realization). The model transformation proceeds by applying the rules in a non-deterministic order, until none is applicable—although this behavior can be modified by some execution control mechanism (see Section 6.2.1 for some examples). Figure 6.1: The GenHandle in-place rule. Figure 6.1 shows an example of an in-place transformation rule specified with the e-Motions 114 C HAPTER 6. B EHAVIORAL S EMANTICS OF DSML S tool (see Section 7.5). This tool allows users to use the graphical concrete syntax of the user’s DSML for defining visual in-place transformation rules. The rule models the behavior of the handle generators of the production system DSML, whose metamodel is depicted in Figure 3.2. It can be applied if an occurrence of the LHS is found in the model. Then, the elements in the LHS that do not appear in the RHS are deleted, whereas the elements in the RHS that do not appear in the LHS are created. In the e-Motions tool, LHS and NAC rule patterns may include conditions (see the WITH clause in the LHS of the rule in Figure 6.1) and RHS patterns may include attribute computations. In this case, a handle can be generated if the handle generator’s upper bound (i.e., its attribute counter) is different from zero. Then, if the rule is applied, the value of the generator attribute counter is decreased and the position of the handle set to the conveyor’s position. (OCL is fully supported in e-Motions [99].) Figure 6.2: The Assemble in-place rule. Another example of in-place rule is shown in Figure 6.2. This rule, named Assemble, models the assembling of parts: if there is an assembler with a head and a handle in its in tray, the rule will consume such a head and a handle and will put a hammer in its out conveyor. The position of the hammer is set to the conveyor’s position. In place-model transformation usually admits two different kinds of formalization, which are taken from algebraic graph transformation [102]: Double Pushout (DPO) and Single Pushout (SPO). From a practical point of view, their difference is that in DPO, deletion has no side effects. When an object is deleted by a rule, it can only be connected with other objects through the links explicitly deleted by the rule. For example, if we try to apply the Assemble rule, and ha is matched to a handle connected to more than one tray (should it be allowed by the metamodel), then the rule cannot be applied with such a match as otherwise some links would become dangling in the model. In SPO, dangling references are removed by the rewriting step. Therefore in DPO, in addition to positive pre-conditions, a LHS also imposes implicit negative 6.3. R EPRESENTING DSML’ S B EHAVIOR WITH I N -P LACE M ODEL T RANSFORMATION115 pre-conditions in case the rule deletes some object. In the e-Motions tool, these formalizations have been adapted to the tree-structure of EMF models: • In EMF, links are not considered first class citizens: they are defined by means of references, which are object properties. Thus, in our formalization, we consider dangling references only those that refer to a deleted element. Those references that belong to a deleted element and that refer to any model object are not considered dangling, and therefore they are always removed when its corresponding object is so (no matter if we choose the DPO or SPO formalization). • The tree-structure of EMF models is given by the containment relation between their classes, and the deletion of a containment reference implies the deletion of all the elements it refers to. Therefore, when an object is deleted by a rule, all the contained objects (by means of containment references) are removed too. This new situation has impact over DPO and SPO formalizations: in DPO, when a rule specifies the deletion of an object, it cannot be applied to a specific match if the deletion of the object and all of its containing objects would result in dangling references; however, in SPO, the rule can be applied in this situation and all the dangling references caused by the deletion of the object and all of its containing objects are removed too. Furthermore, we can usually identify two different kinds of matches: injective and noninjective. Injective matches are those on which each object of a pattern has to be matched with a different object in the model, while non-injective matches are those in which two or more objects with compatible classes in a pattern may be matched to a single object in the model. In a non-injective match, e.g., of two pattern objects with one model object, if the rule specifies that one of the pattern objects is deleted and the other one preserved, DPO forbids applying such a rule to such a match, while SPO allows its application and deletes both objects. 6.3.2 In-Place Rules for the Production System DSML Figure 6.3 shows the remaining in-place rules that define the behavior of the DSML for production systems. They model the same behavior that was specified with rewrite rules in Section 6.3. Specifically, each in-place rule specifies the same behavior than the corresponding rewrite rule with the same name. In this example, we consider SPO formalization and injective matches. Similarly to Maude, the e-Motions tool allows pattern objects to be assigned an abstract class (see, e.g., the Transfer rule). Of course, no object with an abstract class, such as Part, can 116 C HAPTER 6. B EHAVIORAL S EMANTICS OF DSML S Figure 6.3: Further in-place rules of the production system DSML. be found in the models, but the abstract pattern object in the rule can get instantiated to objects of any concrete subtype [47] (namely Head, Handle or Hammer). In addition, in e-Motions 6.4. B EHAVIORAL S EMANTIC M APPINGS AND T OOL S UPPORT 117 links can be assigned a natural number to represent the position of the target element in the collection of object reference values owned by the source element. For instance, the Transfer rule specifies that if there are parts in a conveyor (at least one), the first one will be placed in its out tray provided that there is enough space in it. 6.4 Behavioral Semantic Mappings and Tool Support After the discussion in the previous sections, we can note the similarity between the two approaches presented to specify the behavior of DSMLs: in-place transformation rules can be naturally formalized as rewrite rules. Thus, to take advantage of both worlds, we have defined a mapping from in-place model transformation to the Maude semantic domain. This allows us to specify the dynamic behavior of a DSML in a graphical and intuitive way, and conduct simulation and reachability and model-checking analysis using the tools and techniques already available for Maude as explained in Section 6.2. As part of this work we have integrated Maude with the e-Motions [100, 99, 107] and AToM3 [124, 48, 102] tools. We want users to benefit from Maude simulation and analysis capabilities, but working with their favorite notation and tools. The e-Motions tool is a language and graphical framework developed for Eclipse that supports the specification of graphical in-place model transformation rules. Moreover, it extends in-place model transformation with a model of time and a mechanism to state action properties. The language, the tool and the semantic mappings defined from its behavioral specification to Maude are presented in the next chapter. AToM3 is a tool for multi-paradigm modeling based on graph grammars [111]. With AToM3 , we can specify the behavior of our DSML by means of graphical graph transformation rules [57]. In collaboration with Juan De Lara and Esther Guerra, we have built a Maude parser and code generator, and integrated them in the AToM3 tool. Thus, AToM3 is now provided with the analysis capabilities of Maude, and, on the other hand, it can be used as a visual front-end for Maude. The code generator synthesizes Maude specifications from the DSML’s metamodel, the graph transformation rules describing its behavior and its models. Properties to be checked using reachability analysis can be specified by means of graph constraints [57, 65], which constitute a graphical and formal way to specify model properties. We use graph constraints to specify the search pattern when performing reachability analysis in Maude. The result of a reachability analysis is parsed and presented back in the AToM3 tool in terms of the origi- 118 C HAPTER 6. B EHAVIORAL S EMANTICS OF DSML S nal DSML, thus hiding the formal methods used for the analysis. Further visual support for defining model checking predicates and showing model execution paths are future work. Figure 6.4: Reachability analysis with the AToM3 tool. Figure 6.4 shows the state of the AToM3 environment for a DSML similar to the production system DSML presented in Section 3.2. The initial model is shown in the main window. The lower three buttons on the left side of the main window allow, respectively, simulating the model using the graph transformation rules, performing reachability analysis, and generating plain Maude code, so that for example model checking can be performed. The window in the middle shows a screenshot during the specification of the reachability analysis, and the right-most window shows the specification of a graphical constraint. The way we encode the DSML’s metamodel, the graph transformation rules describing its behavior, and the models from AToM3 to Maude are presented in [102]. We do not introduce them here because of its similarity with the semantic mappings that we have defined from the e-Motions tool to Maude, which will be presented in the next chapter. 6.5 Related Work One way to specify the semantics of a language is to define a translation from expressions in that language into expressions in another language with well defined semantics (cf, e.g., [66]). These semantic mappings between semantic domains are very useful, not only to provide 6.5. R ELATED W ORK 119 metamodels with semantics, but also to be able to simulate, analyze or reason about them using the logical and semantical framework available in the target domain (in general, each semantic domain is more appropriate to represent and reason about certain properties, and to conduct certain kinds of analyses). The most common formalization of graph transformation is the so-called algebraic approach, which uses category theory to express the rewriting [57]. This approach supports a number of interesting analysis techniques, such as detecting rule dependencies [57] or calculating critical pairs (minimal context of pairs of conflicting rules) [67]—usually with simple type graphs [47]. However, graph transformation offers limited support for other kinds of analyses, such as reachability analysis, model checking, etc. This is why some authors define semantic mappings between graph transformation and other semantic domains, and then back-annotate the analysis results to the source notation [34, 48, 49, 67]. This possibility allows one to use the techniques specific to the target semantic domain for analyzing the source models. For example, in [16] rules are translated into Alloy in order to study the applicability of sequences of rules and the reachability of models; in [15] rules are translated into Petri nets to check safety properties; in [125] they are transformed into Transition Systems (TS) for model-checking; and in [33, 34] rules are transformed into OCL pre- and postconditions for rule analysis (e.g., conflict detection) using standard OCL tools. One of the problems of these approaches is due to the fact that they require, from the DSML designer, deep knowledge of the target language in order to specify the transformations. However, this problem can be partially overcome if the transformations are automated, using, e.g., model transformation techniques. For example, in [49] the authors are able to generate the transformations from rule-based Domain-Specific Visual Languages (DSVLs) into semantic domains with an explicit notion of transition, such as Place-Transition Petri Nets. The generated transformation is expressed in the form of operational triple graph grammar rules that transform the static information (initial model) and the dynamics (source rules and their execution control structure). Similarly, in [34] the authors describe how graph transformation rules can be mapped into OCL pre- and postconditions for rule analysis. However, as the authors describe in their paper, not all kinds of graph transformations can be automatically transformed into OCL, and the analyses that can be conducted are somehow limited. Another problem of these approaches is that they are usually restricted in the kind of graphs and attributes they can handle, so they cannot deal with, e.g., some DSMLs that can be defined with Ecore. For instance, the work of [125] does not allow unbounded attributes in metamodel 120 C HAPTER 6. B EHAVIORAL S EMANTICS OF DSML S elements, and the Groove tool [97], a tool that incorporates a built-in explicit model checker for graph transformation systems, works with simple graphs with edge labels, i.e., it cannot analyze models that have multiple edges between the same two nodes. The use of Maude as a semantic domain in which DSMLs can be mapped has enabled the use of more powerful analysis on the source models. First, Maude we can deal with more complex structural and behavioral specifications (i.e., not limited to place/transition systems); and second, it offers an integrated environment and a toolkit for conducting different kinds of analysis, such as reachability and model checking analysis, so we do not need to define several semantic mappings to different domains to perform each of them. Other approaches use UML behavioral models to represent system dynamics. For example, in [60] operational semantics are represented using UML collaboration diagrams, which are then formalized into graph transformation rules. In [61], Story Diagrams are presented as a new graph rewrite language based on UML and Java. More precisely, the authors propose the use of UML together with pieces of Java code to express a graph rewrite language mixed with object-oriented data concepts. The whole specification (including dynamic behavior) is then transformed into Java classes and methods, although not all kinds of story patterns can be translated automatically. Again, the kind of analysis is limited in these approaches, and they do not use the concrete syntax of the DSML, but an object diagram-like structure. Other works propose model transformation languages to specify the behavioral semantics of DSMLs. For example, in [79], QVT is proposed to specify the semantics of OCL, but analysis capabilities are not provided. The MOMENT-QVT tool [24] is a model transformation engine that provides partial support for the QVT Relations language. The behavioral specifications are also transformed into Maude in order to perform reachability and model checking analysis. These specifications, as well as the properties to be analyzed, are expressed in a textual fashion (by means of QVT rules and model patterns, and boolean OCL expressions). This proposal does not support the use of the graphical concrete syntax of his/her DSML to express them in a more intuitive way. Kermeta [86] is an extension of EMOF (part of the MOF 2.0 specification) for specifying operational semantics. It enriches the EMOF metamodel with an action specification metamodel, introducing another new language to express specifications of algorithms. Simulation and execution possibilities are available for this approach. Di Ruscio et al. [113] presents an approach for specifying dynamic semantics of Domain Specific Languages in the context of MDE. In particular, they extend KM3 [21] (a textual language for describing metamodels) with the Abstract State Machines (ASM) formalism to 6.5. R ELATED W ORK 121 specify its dynamic behavior. Simulation and analysis capabilities are not provided although, as the authors point out, it could be possible to use other existing ASM tools for that purpose. Another interesting approach for defining semantic mappings in order to specify the behavioral semantics of a language is the semantic anchoring method developed at the Vanderbilt University [37]. Semantic anchoring relies on the use of well-defined “semantic units” of simple, well-understood constructs and on the use of model transformations that map higher level modeling constructs into configured semantic units. The approach uses UML Class Diagrams and OCL to represent the structure of a DSML, and ASM as the semantic framework. In particular, the structural specifications are transformed into ASM to make use of the Abstract State Machine Language (AsmL) and associated tools for enabling the programming, simulating and model checking of ASM models [37]. One of the drawbacks of this approach is that it requires specialized knowledge and expertise on the ASM formalism and AsmL tools, since behavior and analysis are specified directly in this formalism. 122 C HAPTER 6. B EHAVIORAL S EMANTICS OF DSML S Chapter 7 Real-Time Behavioral Semantics of DSMLs In-place model transformation provides an intuitive way to represent the dynamic behavior of DSMLs, especially when it enables the use of the graphical concrete syntax of the language. However, in its basic form, it cannot deal with time-dependent behavior, hampering, e.g., the modeling of real-time DSMLs. Furthermore, current approaches do not allow users to model action-based properties, lacking enough expressive power and forcing unnatural changes to the system specification. In this chapter, we present a language and a tool, called e-Motions, that extends in-place model transformation with a model of time and a mechanism to state action properties. We formalize this language into Rewriting Logic (RL) by means of model transformation. This automatic model transformation provides a way to give semantics to the behavioral parts of real-time DSMLs, preventing the DSML designer from explicitly defining the behavioral semantic mappings and the behavioral semantic model of his/her DSML. Furthermore, these semantic mappings allow us to specify real-time DSMLs’ behavior in a graphical and intuitive way (using the e-Motions tool), and perform simulation and reachability and model-checking analysis on the models using some of the tools and techniques that Maude provides. 7.1 Motivation In critical systems, such as real-time and embedded systems, timeouts, timing constraints and delays are essential concepts. Therefore, these concepts should be modeled in their behavioral specification to enable proper analysis and simulation. In-place model transformation (in their 123 124 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S basic form) are not provided with a quantitative model of time. When time is needed, it is usually modeled by adding some kind of clocks to the DSML’s metamodel. These clocks are handled in the same way as common objects, which forces designers to modify the DSML’s metamodel (the structural model of the DSML) to include time aspects (which are related to behavioral aspects). Furthermore, this does not constrain designers from unwillingly defining time-inconsistent sequences of states. Furthermore, current approaches only allow users to model state-based properties. When we want to observe an action, we have to unnaturally extend our DSML’s metamodel again with the states of the actions that should be observed. The need for action-based specifications has been recently acknowledged, showing that this kind of specifications are more natural and expressive in many different situations [84]. In this chapter, we present e-Motions, a DSML that extends in-place model transformation with a model of time and a mechanism to state action properties, easing the specification of real-time DSMLs’ behavior. Our approach tries to allow users to focus on the complexity of the system instead of focusing on the complexity of the specification of time and actions properties. Furthermore, it avoids unnaturally modifying the DSML’s metamodel—which defines the structural concepts of our language—to include time and action properties—which are related to the behavior of the language. This promotes separation of concerns. We provide e-Motions with semantics by defining a semantic mapping (by means of model transformation) to rewriting logic in Maude. As we discussed in the case of untimed specifications in Chapter 6, the use of Maude as a target semantic domain brings very interesting benefits, because it enables, e.g., simulation of the real-time specifications and the conduction of reachability analysis and model checking. 7.2 The e-Motions Language Figure 7.1 shows the e-Motions metamodel, which describes the main concepts of our approach to model time-dependent behavior. In e-Motions, the behavior of a DSML is specified by a set of in-place rules and an optional set of helpers. We differentiate between two types of in-place rules to specify time-dependent behavior, namely atomic and ongoing rules. Atomic rules represent atomic actions with a specific duration, while ongoing rules represent actions that progress continuously with time. Atomic rules can be periodic. Atomic and ongoing rules can be scheduled or be given an execution interval by rules’ lower and upper bounds. We also distinguish between normal 7.2. T HE e-Motions L ANGUAGE 125 Figure 7.1: The e-Motions metamodel. rules, which are triggered as soon as possible, and soft rules, which are not necessarily triggered immediately but in a non-deterministic moment in time in the near future. Helpers, expressed as OCL operations, are library functions which are useful for specifying some of the rule parameters or object attributes. They can be used throughout the behavioral specifications. Rules are composed of patterns (one LHS, one RHS and zero or more NACs) and an optional set of variable definitions. The context of a variable is the rule in which it is defined, and their values are computed (only once) when the rule is triggered. Rule patterns may contain objects, links and action execution elements (see the ActionExec metaclass), which represent action occurrences. LHS and NAC patterns may also include conditions. Objects can be com- 126 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S posed of slots (structural feature-value pairs). When an object is placed in a LHS or NAC pattern, its slots represent attribute conditions. When an object is placed in a RHS pattern, its slots represent attribute computations. Slot values and conditions are specified with OCL expressions. We include a special kind of object, named Clock, that represents the current global time elapse. We consider discrete and dense time [89], injective rules, and the two main formalizations of algebraic graph transformation: Double Pushout (DPO) and Single Pushout (SPO), although adapted to the tree-structure of EMF models (see below). We also consider the graphical concrete syntax of the DSML in the specification of the visual rules (MetamodelGD and ClassGD metaclasses are defined for this purpose, see Section 7.5). The following subsections describe the main concepts of our approach with more detail on an example describing a modeling language for mobile phone networks. 7.2.1 A DSML for Mobile Phone Networks Let us introduce a simple modeling language for mobile phone networks (MPNs), which will serve as the motivating example to show the expresiveness of our approach to specify timeddependent behavior. This subsection focuses on the structural parts of the language; next subsections will focus on its behavioral aspects. Figure 7.2: A metamodel for MPNs. The MPN metamodel is shown in Figure 7.2. An MPN has cell phones and antennas. Antennas provide coverage to cell phones, depending on their relative distance. Phones and antennas have a position (they are positioned elements). A cell phone is identified by its number, and can perform calls to other phones of its contact list. Dialed and received calls are 7.2. T HE e-Motions L ANGUAGE 127 registered. Phone’s attribute bps represents the battery consumption per time unit, and vx and vy define its velocity vector. Figure 7.3: A concrete syntax for the MPN language. Figure 7.3 shows a simple visual concrete syntax for our DSML for MPNs. In e-Motions, we can associate every metamodel class with a picture (see Section 7.5). This concrete syntax will be used in next subsections for the definition of the behavioral rules. Figure 7.4: A mobile phone network model. Figure 7.4 represents a MPN model example. This model consists of a mobile phone network composed of four cell phones and two antennas. Phones consume one battery unit per time unit (i.e., their bps attribute value is set to 1), are initially off, and have all the other phones in their contact list. In this model, we have represented a phone’s velocity vector with an arrow associated to the phone: phone 444 has a left arrow that represents a (-1,0) vector, phone 111 has a right arrow that represents a (1,0) vector, phone 333 has an up arrow that represents a (0,1) vector, and phone 222 has a down arrow that represents a (0,-1) vector. Once we have specified a metamodel for MPNs, we can complement it with in-place model transformation rules to describe the dynamic behavior of the language. In the specification of the behavior rules for this example, we will consider discrete time and a SPO formalization (see Section 6.3.1). 128 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S 7.2.2 A Model of Time In this subsection we show how time-related attributes can be added to rules to represent features like duration, periodicity, etc. We identify two types of rules to specify time-dependent behavior, namely atomic and ongoing rules, and we include a special kind of object, Clock, that represents the current global time elapse. 7.2.2.1 Atomic Rules One natural way to model time-dependent behavior quantitatively consists in decorating the rules with the time they consume, i.e., by assigning to each action the time it takes. Thus, we [t,t′ ] define atomic rules as in-place transformation rules of the form l : [NAC]∗ × LHS → RHS, where [t, t′ ] expresses the duration interval of the action modeled by the rule, i.e., the minimum and the maximum amount of time needed to perform the action. As normal in-place transformation rules, an atomic rule can be triggered whenever an occurrence (or match) of its LHS, and none of its NAC patterns, is found in the model. Then, the action specified by such rule is scheduled to be realized between t and t′ time units later. At that time, the rule is applied by substituting the match by its RHS and performing the attribute computations. Since actions have now a duration, elements can be engaged in several actions at the same time. The triggering of an atomic rule is only forbidden if another occurrence of the same rule is already being executed with the same participants,1 to avoid non-terminating executions. Note that the states of the elements that participate in a timed action may vary during the action’s time elapse, since the states of the elements may be modified by other actions. The only condition for the final application of an atomic rule is that the elements involved are still there; otherwise the action will be aborted. If we want to make sure that something happens (or does not happen) during the execution of an action, we can make use of action execution elements to model the corresponding exceptional behavior (see below). As an example, Figure 7.5 shows the SwitchOn atomic rule. When a phone is off and has enough battery, it is switched on in five time units. More precisely, if a phone p which is off and has more than five times bps battery units is found in the model, after five units of time it is switched on and its battery decreased five times bps battery units, whenever p still remains in the model; otherwise, the action is simply aborted. Note that, in this case, the minimal 1 We call participants of a rule to those objects and ActionExec elements that instantiate the rule’s LHS pattern. 7.2. T HE e-Motions L ANGUAGE 129 Figure 7.5: The SwitchOn atomic rule. and maximal duration of the rule coincide, so the rule duration is deterministic. The attribute computation p.battery - 5 * p.bps is performed at the moment of the finalization of the rule, and therefore property values (p.batery and p.bps) are accessed at this moment of time (but previous to any computation performed by the RHS pattern). If the value of the properties at the moment of the triggering of the rule were needed, variables could be used (see Section 7.2.3). Instantaneous rules. Atomic rules extend in-place transformation rules with the time they consume. Therefore, standard in-place rules can be modeled as atomic rules with no duration. We named this kind of rules instantaneous rules, and they are modeled with atomic rules which take zero time units. No other action may occur during the execution of this kind of actions. Figure 7.6: The BatteryOff instantaneous rule. The BatteryOff rule, which is depicted in Figure 7.6, is an example of instantaneous rule: whenever a phone p that is on and has no battery, it is switched off. 130 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S Rule execution modes. We distinguish normal rules, which are triggered as soon as possi- ble, from soft rules, which are not necessarily triggered immediately, but in a non-deterministic moment in time in the near future (e.g., next time the clock is stopped because some event happens). Contrary to normal rules, soft rules are not forced to be applied whenever its LHS pattern (and none of the NACs) occurs in the model. The SwitchOn action in Figure 7.5 is modeled by a soft rule (notice the soft label in the rule’s header): we allow phones to be switched on at a non-deterministic moment in time. However, the BatteryOff action in Figure 7.6 is modeled by a normal (non-soft) rule: mobile phones must go off as soon as they run out of battery. The e-Motions language also supports the definition of scheduled actions, which are actions that are tried to be triggered at a specific moment in time (and only at that moment in time). This kind of actions will be actually triggered if their preconditions hold at that moment of time, i.e., if an occurrence of their LHS, and none of their NAC patterns, is found in the model. They are modeled by normal (non-soft) atomic rules whose lower and upper bounds (lowerBound and upperBound attributes, see Figure 7.1) coincide with the moment in time at which the rules are scheduled. Figure 7.7: The RemoveOffPhones scheduled rule. The RemoveOffPhones rule, which is depicted in Figure 7.7, is an example of scheduled rule: we plan to remove from the system all the phones that are off at the moment of time 150 (notice this value specified as the rule’s lower and upper bounds between the square brackets in the right-hand side of the header of the rule). These rule execution modes are also applicable to ongoing rules. Periodicity. Another essential aspect for modeling time-dependent behavior is periodicity. Atomic rules admit a parameter that specifies the period of an action. We distinguish between 7.2. T HE e-Motions L ANGUAGE 131 normal periodic rules and soft periodic rules: both kinds of rules are triggered as soon as possible, but normal periodic rules can only be triggered at the beginning of the period—if they cannot be triggered at that moment of time they will not be enable until the next period—, while soft periodic rules can be triggered at any time within the period—if they cannot be triggered at the beginning of the period they will be tried to be triggered at any other time within the period (but only once per period). Figure 7.8: The Coverage periodic rule. Figure 7.8 shows the Coverage atomic periodic rule, which specifies the way in which antenna coverage changes. Coverage is updated every five time units (notice the loop icon in the header of the Coverage rule). Each cell phone is covered by its closest antenna: as specified in its NAC pattern, the rule cannot be applied if there exists another antenna closer to the phone. Figure 7.9: The distance helper. To compute the distance between an antenna and a phone, we have defined the distance helper (see Figure 7.9). A helper is defined as an OCL operation. Helper invocations in LHS and NAC patterns are computed at the triggering of actions, while helper invocations in RHS patterns are computed at their realization. Thus, note that the distance between the antenna and the phone may vary on these two different moments of time. If the same value were needed, a variable could be used (see below). The e-Motions tool is designed to provide useful predefined helpers. For instance, it currently supports, by means of the emotions.random(b : Int) : Int helper, the generation of a pseudo-random number between zero and the given bound b. 132 7.2.2.2 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S Ongoing Rules In addition to atomic rules, e-Motions also provides rules to model actions that are continuously progressing and require to be continuously updated. Think for instance of an action that models the consumption of a phone battery, whose level decreases continuously with time. This property must be always updated, since most rules (such as SwitchOn and BatteryOff) depend on its value. Ongoing rules model this kind of behavior. They are used to model actions that a) do not have a priori duration time—they progress with time while the rule preconditions (LHS and NACs) hold, or until the time limit (maxDuration) of the action is reached—and b) are required to be continuously updated— their effects are always computed before the triggering of any atomic rule. Figure 7.10: The BatteryConsumptionRule ongoing rule. For example, Figure 7.10 shows the BatteryConsumption ongoing rule, which models phone battery consumption (note the use of the purple background for the arrow in the rule to distinguish ongoing actions from atomic ones, on the blue background). According to this rule, the battery power is decreased bps battery units per time unit. To explicitly identify the state in which a phone runs out of battery, and not to decrease the battery power below zero, we limit the duration of the rule (see the expression on the right-hand side of symbol ≤). Since the effects of ongoing actions are always realized before the triggering of atomic rules, phone batteries will always be updated whenever an atomic rule is tried to be triggered. Phones moving can also be modeled by an ongoing rule, which is shown in Figure 7.11. In this case, the position of each phone will be updated according to its velocity vector and time elapse. We suppose that phones can only move inside the limits of the MPN they belong to, and therefore positions and velocity vector are always corrected according to these limits, which are given by xSize and ySize MPN’s attributes. Notice that the Moving rule has no 7.2. T HE e-Motions L ANGUAGE 133 Figure 7.11: The Moving ongoing rule. maximum duration, that means that phones will keep moving for ever. The correctPos and correctV helpers, shown in Figure 7.12, are defined for this purpose. Figure 7.12: The correctPos, correctV and power helpers. Note that, by using ongoing rules, we have modeled battery consumption and phone movement separately from the other behavior rules, avoiding concern tangling. Even if the battery consumption or phones moving would depend on the execution of other actions, we could define their behavior in a separate way by using action executions, as we shall see below. Atomic rules versus ongoing rules. Our approach provides two different kind of rules: on- going and atomic. These two types of rules are provided to model different kind of actions. Of course, we could try to model ongoing actions using periodic atomic actions, by somehow “discretizing” them and using the minimum time elapse as the period (e.g., one time unit). However, this solution becomes quite inefficient in a simulation (or analysis) scope: the rule would be applied at every time unit. Furthermore, if the rule is used to model a property that must be updated at every time moment, we should explicitly force the rule to be executed at every time unit before the triggering of any other rule, complicating the design of the rule by introducing some control mechanisms. As we shall see in Section 7.3, ongoing rules are updated 134 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S according to time elapse as needed, and previously to the triggering of any atomic rule. Moreover, ongoing rules can hardly model some atomic actions. In the best case, we could modify the DSML’s metamodel to include some kind of timer that represent a countdown to the finalization of the atomic action, together with some links to gather the information about the rule instantiation. The idea would be then to use three ongoing rules per each atomic action: an initial rule that set two different timers t1 and t2 to the minimal and maximal duration of the action, respectively; another rule that decreases the timers; and a third rule that checks whether t1 has been consumed and t2 has not been so, and if so substitutes the corresponding match by its RHS. However, this approach has several drawbacks: a) it does not have exactly the same semantics as a single atomic rule (if the same semantics were required, more control mechanisms need to be included); b) it cannot model instantaneous rules (ongoing rules progress with time, and they require time to elapse to be executed); and c) this mechanism would imply breaking our principle of separation of concerns, since we have to modify the DSML’s metamodel to include action properties. Therefore, we strongly recommend the use of both kinds of rules (atomic and ongoing) were needed, avoiding the artificial (and probably incorrect) design of actions by using only one kind of rule. 7.2.2.3 Global Time Elapse We provide a special kind of object, named Clock, that represents the current global time elapse. A unique and read-only Clock instance is provided by the system (i.e., it does not need to be created by the user) to model time elapse through the underlying platform. This allows designers to use the Clock in their timed rules to get the current time (using its attribute time) to model, e.g., time stamps (as we shall see later on with the Call rule). Provided that the clock behavior cannot be modified, users cannot drive the system to time-inconsistent sequences of states (even unwillingly).2 7.2.3 Action Statements In in-place model transformation approaches, LHS, RHS, and NAC patterns are defined in terms of system states. This is a strong limitation in those situations in which we need to 2 Of course, users can define their own clocks to model other aspects of distributed systems (such as distributed clocks) and specify how they individually evolve. In this case, the user is responsible for the correct modeling and use of these clocks. 7.2. T HE e-Motions L ANGUAGE 135 refer to actions currently under execution, or to those that have been executed in the past. For example, we can be interested in knowing whether an object is currently performing a given action to take some decision, e.g., to interrupt the action (e.g., in case an exception occurs), or not to allow the object to perform another action. We can also be interested in reasoning about the performed actions so far (e.g., to be able to search for undesirable action occurrences or invalid sequences of action executions). Note that a given system state may usually be reached by performing different sequences of actions, and checking only system states will not always give us information about the performed actions. In general, the inability of modeling and dealing with action occurrences hinders the specification of some useful action properties, unless some unnatural changes are introduced in the system model—such as extending the system state (i.e., the metamodel of the DSML) with information about the actions currently happening. In order to be able to model both state-based and action-based properties, we propose extending model patterns with action executions to specify action occurrences. These action executions will contain information on the type of the action (given by the name of the atomic rule that represents the action); its status, i.e., if the action is unfinished, realized, interrupted or aborted (see below); and its identifier. They may also specify its starting and ending time—the latter one can only be specified for non-unfinished actions—, its execution time, and the set of participants involved in it. These participants are specified by object mappings, which are sets of pairs (o → r). Each pair identifies the object that participates in the action (o) and one of the roles it plays in the rule (r). For instance, the Call rule in Figure 7.13 defines five roles: two phones (p1 and p2), the clock instance (cl), and two call records (c1 and c2), which correspond to the identifiers of the elements placed in LHS and RHS patterns. When using action execution in patterns, we can also leave unspecified the type of the rule and the role of an object to represent whatever rule instantiation or object role, respectively. Action executions whose status is unfinished refer to actions that are currently happening, i.e., actions which have been triggered but its duration time has not been consumed yet. Action executions whose status is realized refer to actions that were already performed (i.e., the effects specified in their RHS were already applied). Action executions whose status is interrupted refer to actions that were triggered but not realized because their corresponding action executions were deleted by a rule explicitly modeled by the user for that purpose (see below). And finally, action executions whose status is aborted refer to actions that were triggered but not realized because any of its participants were removed from the system before the duration time of the action was consumed, i.e., actions that were automatically discarded because they could not be 136 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S completed. 7.2.3.1 Concurrency Atomic rules have a duration, and they can be applied whenever an occurrence of the LHS pattern and none of the NAC patterns are found in the model. Therefore, elements can be engaged in several actions at the same time. This is very useful for modeling realistic situations in a natural way, e.g., a phone can be involved in a talk while its coverage is being updated, its battery decreased, and it is receiving a message. As we previously mentioned, the triggering of an atomic rule is only forbidden if another occurrence of the same rule is already executing with the same participants. However, there are some situations on which we want to forbid (or enforce) the execution of a rule if one of its participants is already performing the same action with different participants, or simply one of its participants is performing any other action. Figure 7.13: The Call atomic rule. As an example, Figure 7.13 shows the Call atomic rule, which models the behavior of a call from a cell phone to one of its contacts. To make a call, both phones must be on and have coverage. Furthermore, we do not allow call waiting: we want to forbid the execution of the rule whenever one of the phones (p1 or p2) is participating in another call. For this purpose, we make use of action executions in NAC patterns. These action executions explicitly specify that phone p1 and p2 are currently participating (notice the unfinished status label in the action execution’s header) in a Call action. Note that there is no role specified for p1 nor for p2 in the action execution, and therefore it refers to any instantiation of the Call rule where p1 or p2 is participating, no matter if the phone is the caller or the callee. For the same reason, since 7.2. T HE e-Motions L ANGUAGE 137 no other participant is specified in the action execution, it refers to any instantiation of the Call rule independently of the remaining participants, i.e., no matter if p1 (or p2, respectively) is in a Call with p2 (or p1, respectively) or with any other phone. At the end of the talk, the call is registered in both phones (as a dialed call in phone p1 and as a received call in phone p23 ) including the duration of the call (T) and its starting time (initTime). Note that T refers to the duration of the current rule execution, which will vary between 20 and 30 time units. The starting time of the call is computed by using the clock instance together with a variable. Variables are computed when the rule in which they are defined is triggered, and they can be used in all the patterns (LHS, RHS and NACs) defined for the rule. In this case, we use the initTime variable to store the value of the clock at the moment of the triggering of the rule, and then assign it to the startingTime attribute of the call records at the moment of the finalization of the rule. 7.2.3.2 Separation of Concerns Ongoing rules usually model system properties that must be continuously updated. However, the updating of these properties can also depend on the realization of other actions of the system. Think for instance on battery consumption, which could be greater while we are engaged in a call; or the position of the phones: some people stop moving when they are in a talk; etc. As a first attempt, the user can try to include the adjustment of these system properties in every atomic rule that interferes with them. However, the properties will not be properly updated until the actions are completely performed, and therefore it can lead to some inconsistent states in the meantime. Thus, the best way to do this is by using ongoing rules together with action executions to model separately the continuous updating of this kind of properties. As an example, let us revisit the modeling of the battery consumption, and let us replace the rule in Figure 7.10 with the following rules. Figure 7.14 shows the TalkingBatteryConsumption and StandbyBatteryConsumption ongoing rules, which models the battery consumption while phone p is involved in a Call action and when it is not, respectively. Since a phone consumes more battery when it is participating in a call, we will duplicate (two times bps battery units per time unit) its battery consumption. Note that ongoing actions are always updated before 3 Although the e-Motions tool does not show in its diagrams the type of the links, every link is associated with a specific reference (EReference) defined in the metamodel of the DSML for which we are specifying its behavior. In this example, the links between the p1 and p2 phones and their corresponding call records c1 and c2 refer to the dialedCalls and receivedCalls references of the MPN metamodel, respectively. 138 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S Figure 7.14: The TalkingBatteryConsumption and StandbyBatteryConsumption ongoing rules. the triggering of any atomic rule, and therefore these two rules will never be executing at the same time for the same phone. 7.2.3.3 Past Actions There are some situations in which the triggering of an action may depend on the previous realization (or not) of another action. For instance, there are actions that must be realized just once; some others can only be triggered after the realization of another action (e.g., a sequence of action must be somehow enforced); etc. Reasoning about past actions usually allows us to take better decisions about future actions. Thus, action execution can also refer to past actions. Figure 7.15 shows the InitialModel rule, which creates the initial configuration of the system. In particular, it creates all the model objects specified in Figure 7.4. The NotExecutedBefore NAC pattern forbids the triggering of the rule if it was already performed before (note the realized status label in the action execution’s header), independently of its participants. No other condition is required: the LHS pattern is empty, and therefore it is always fulfilled. Note that this mechanism allows us to create models conforming to our DSML’s metamodel, which is specially relevant when our DSML is not supported by a more sophisticated graphical concrete syntax. 7.2. T HE e-Motions L ANGUAGE 139 Figure 7.15: The InitialModel instantaneous rule. 7.2.3.4 Exceptions in Actions Atomic rules are realized at a non-deterministic moment of time between t and t′ time units after its triggering, where t and t′ represent its duration interval of time. The only condition for their final application is that the elements involved are still there; otherwise the action will be aborted. Nothing is assumed about what happens while the action is being executed: if we want to make sure that something happens or does not happen, we can make use of action execution elements to model the corresponding exceptional behavior. In particular, we can add new rules that model action interruptions by deleting their corresponding action executions, i.e., by including them in a rule’s LHS pattern but not in its RHS pattern. Their effects will be then defined in the rule’s RHS pattern. Consider, for instance, the BatteryOffCaller atomic rule in Figure 7.16, which models the behavior of a caller phone when it runs out of battery in the middle of a conversation. The instantaneous rule is triggered whenever two phones p1 and p2 are participating in a Call action, and the caller phone p1 has no battery. In this case, the Call action is interrupted, the call registered in both phones, an the caller phone p1 is switched off. Note the use of object roles 140 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S Figure 7.16: The BatteryOffCaller instantaneous rule. in the action execution element to identify the caller and the callee phones (i.e., the roles that p1 and p2 play in the Call action), which allow us to properly register the call: as a dialled call for the caller phone p1, and as a received call for the callee phone p2. Figure 7.17: The BatteryOffCallee instantaneous rule. Analogously, the BatteryOffCallee atomic rule shown in Figure 7.16 models the behavior of a callee phone when it runs out of battery in the middle of a conversation. Note that the BatteryOffCaller and BatteryOffCallee rules consider that a phone runs out of battery in the middle of a talk to switch off the phone and record the call. However, as 7.2. T HE e-Motions L ANGUAGE 141 Figure 7.18: The BatteryOff instantaneous rule (revisited). currently modeled, the BatteryOff rule could be applied instead, and the call would not be registered. Therefore, we modify the BatteryOff rule to forbid its application whenever the phone p is participating in a Call action. The resulting BatteryOff rule is shown in Figure 7.18. Finally, note that it only makes sense to interrupt actions that are currently happening. We do not allow to “delete” (include in the LHS pattern and not in the RHS one) action executions whose status is other than unfinished. Note also that action executions placed in a rule’s LHS (or RHS) pattern become also participants in the rule when it is executed. Therefore, in the same way in which atomic rules are aborted when any of its participant objects is removed from the system before their duration time is consumed, they will be aborted when any of its participant action executions is removed (by explicit deletion or because the action is realized) as well. This means that if an action execution in a LHS pattern refers to an unfinished action, the referred action must be still unfinished at the moment of the finalization of the rule, otherwise the rule application will be aborted.4 This has to be taken into account only for action executions that refer to unfinished actions, since the status of finished actions (whether realized, interrupted or aborted) will never change, and they cannot be interrupted. The deletion of action executions is included in our proposal to model the interruption of actions in an intuitive way. However, action executions are not defined to handle them as common model objects. For instance, we cannot force the triggering of an action by creating an action execution (by including it in a RHS pattern and not in its corresponding LHS pattern). We only allow rules to be triggered when a match of its LHS pattern (and none of its NAC patterns) is found in the model. In the same way, we do not allow users to explicitly modify any of the action execution properties by modeling the corresponding behavior in a rule. Action execution elements are included in our approach only for (a) reasoning about the existence of 4 Action interruptions should be modeled as instantaneous rules to avoid this situation. 142 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S (past or present) action occurrences, and (b) interrupting actions in the way we have described in this section. 7.2.4 A Simple Round-Trip Time Protocol Once we have shown the expressiveness of the e-Motions language by presenting a DSML for MPNs, let us introduce another example of a real-time DSML that will be used in Section 7.4 to show the kind if real-time analysis we can perform over real-time systems: a language to model a simple Round-Trip Time Protocol (RTTP). Round-Trip Time (RTT), also called round-trip delay, is the time required for a signal pulse or packet in a network to travel from a specific source to a specific destination and back again. In our context, a RTTP may be composed of several rounds. In a single round, every node will send a message to each of its neighbors. This message will contain the initiator node, the responder node, and the time at which the message was sent (i.e., the request time). Once a responder receives a message, it retransmits it back to the initiator node. When the initiator node gets the response message, it computes the round-trip time by using its local clock, and stores the result together with the response message. Figure 7.19 shows a metamodel for this simple RTTP. Figure 7.19: A metamodel for a simple RTTP. Figure 7.20: A concrete syntax for the RTTP language. The visual concrete syntax we have defined for the RTTP example is shown in Figure 7.20. 7.2. T HE e-Motions L ANGUAGE 143 In the following, we will use this visual concrete syntax to define the timed rules that model the dynamic behavior of the language. Figure 7.21: The Request periodic rule. Figure 7.21 shows the Request periodic rule. Notice the link from the n2 node to the message in the RHS pattern, modeling that the message has arrived to its destination. This rule models the sending of a message m from a node n1 to one of its neighbors n2. This action takes between 5 and 20 time units. The message includes information about the initiator n1, the responder n2, and the time at which the message was originally sent (the requestTime). This latter value is computed by using the initTime variable, which gathers the value of the local clock at the triggering of the action. A different round of the RTTP will start every 100 time units. Figure 7.22 shows the Response atomic rule. When a node n2 receives a message m whose initiator is a different node n1, it retransmits the message back to the n1 node. The initiator will receive the message between 5 and 20 time units after, and will store it and compute its RTT by using the value of its local clock. To model time elapse of local clocks, we have defined the LocalTimeElapse ongoing rule, which is shown in Figure 7.23. Clocks increase their time value with the corresponding time elapse T. Note that we could have used the clock provided by the system instead for modeling this behavior. However, we have selected this option to show how easy an user can define his/her own (distributed) clocks. Finally, the InitialModel rule in Figure 7.24 generates a possible initial configuration for the system. This rule will be executed just once (the NAC pattern forbids the application of the 144 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S Figure 7.22: The Response atomic rule. Figure 7.23: The LocalTimeElapse ongoing rule. rule if it was already realized before). The rule creates a network composed of two nodes n1 and n2, and their corresponding local clocks c1 and c2. In our case, we only consider n1 as an initiator node. 7.3 Real-time Behavioral Semantic Mappings In the previous sections, we have introduced the e-Motions language in an intuitive and informal manner, by means of descriptions of its main features in natural language. However, this lack of rigorous definitions may lead to imprecisions and misunderstandings that might hinder the proper usage and analysis of the language. In this section, we provide a precise semantics to this behavioral language by providing a representation of it in terms of Maude constructs, i.e., we formalize this language into rewriting logic by means of model transformation [100]. 7.3. R EAL - TIME B EHAVIORAL S EMANTIC M APPINGS 145 Figure 7.24: The InitialModel instantaneous rule. This model transformation provides a way to give semantics to the behavioral parts of realtime DSMLs, preventing the DSML designer from defining the behavioral semantics of his/her DSML explicitly. Furthermore, this semantic mapping allows us to specify real-time DSMLs’ behavior in a graphical and intuitive way (using the e-Motions tool), and perform simulation, reachability and model-checking analysis on the models using the tools and techniques that Maude provides. 7.3.1 A General View of the Encoding We follow the guidelines of [89] to model time elapse in Real-Time Maude, but adapted to its corresponding encoding in (Core) Maude (see Section 2.2.3.1). The choice of (Core) Maude instead of Real-Time Maude as the target domain is based on the fact that a) Real-Time Maude specifications can be translated to their corresponding (Core) Maude ones without altering their semantics [91]; b) Maude specifications will remain transparent to the user, so the syntactic sugar provided by Real-Time is not relevant; and c) handling Maude specifications directly is more efficient that handling Real-Time Maude specifications. Basically, we define a single rule tick that makes use of two functions: the delta function, which defines the effect of time elapse over the model elements, and the mte (maximal time elapse) function, which defines the maximum amount of time that can elapse before any action can take place. Originally, time advances non-deterministically by any amount T, which must be equal or less than the maximum time elapse of the system. However, since we are 146 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S working directly with (Core) Maude (instead of Real-Time Maude), the tick mode selected by the user has to be considered in the specification of the tick rule (see Section 2.2.3.1). At this moment, our tool supports two of the three Real-Time Maude tick modes applicable to the tick rule we have defined: maximal and default (see Section 2.2.3). We will consider the maximal mode in the encoding presented in this section; the default mode will be presented in Section 7.4, and the maximal/default mode is left as future work. In maximal mode, time advances then deterministically by the maximum time elapse of the system. var MODEL : @Model . v a r s T TE : Time . c r l [ tick ] : {MODEL} in time T => {delta ( MODEL , TE ) } in time ( T plus TE ) i f TE : = mte ( MODEL ) / \ TE =/= zero . One of the main goals of our encoding is to make DSML objects as unaware of time as possible. With this goal in mind, we introduce in our underlying platform several classes to represent time and action properties. For instance, a Clock instance will represent the current time elapse (by means of its time attribute), while ActionExec objects will represent the execution of an action, gathering all the information related to it (such as the participants of the rule, its starting time, etc.). The complete Maude specification of this classes can be found in Appendix C. As we shall see later, time elapse will have to be defined only over these objects. We show in what follows a more specific encoding of the main features of our approach. In all of them we will use the following variable declarations: v a r s MODEL MODEL@ : @Model . v a r s MM MM@ : @Metamodel . v a r s OBJSET OBJSET@ : Set{@Object} . var C : @Class . var REF : @Reference . v a r s O O ’ O ’ ’ OR p1 p2 cl c1 c2 a CLK@ ACTEXC@ OR1@ OR2@ OR3@ OR4@ VAR1@ : Oid . v a r s SFS SFS ’ SFS ’ ’ p@SFS p1@SFS p2@SFS ACTEXEC@SFS a@SFS : Set{@StructuralFeatureInstance} . v a r s PHONE@p1@CLASS PHONE@p2@CLASS PHONE@p@CLASS : Phone . var ANTENNA@a@CLASS : Antenna . v a r s ON@p@ATT ON@p1@ATT ON@p2@ATT BATTERY@p@ATT DIALEDCALLS@p1@ATT RECEIVEDCALLS@p2@ATT CONTACTS@p1@ATT : OCL−Type . v a r s OIDSET@ SET SET ’ : Set . v a r s T T ’ T ’ ’ T ’ ’ ’ TE TIME@CLK@ MINDURATION@ MAXDURATION@ : Time . v a r s VALUE@ids@ VALUE@rdm@ : Nat . The @ character is used to qualify generated variable names so that they can be distinguished. Recall that classes, attributes and references are also qualified with their containers’ names; 7.3. R EAL - TIME B EHAVIORAL S EMANTIC M APPINGS 147 however, these qualifications will be omitted here to improve readability. 7.3.2 Encoding of Atomic Rules An atomic rule can be triggered whenever an occurrence (or match) of its LHS, and none of its NAC patterns, is found in the model. Then, the action specified by such rule is scheduled to be realized at a non-deterministic moment of time between t and t′ time units after. Such behavior can be naturally encoded in Maude with two rewrite rules, one modeling the triggering of the atomic action, and one modeling its actual realization. 7.3.2.1 The Triggering Rule When the precondition of an atomic rule is satisfied, i.e., when an occurrence of the LHS that does not fulfill any of the NAC patterns is found in the model, an object of the AtomicActionExec class (which inherits from the ActionExec class) is created. The AtomicActionExec object will represent the execution of the atomic rule, acting as a countdown to the finalization of the action (mintimer and maxtimer attributes). This object gathers all the information needed for its instantiation, such as the name of the rule (action attribute), the identifiers of the elements involved in the action (participants attribute), the status of the action (status attribute), the starting time (startingTime attribute), the ending time (endingTime attribute), and the execution time (executionTime attribute). Initially, the status of the action is set to unfinished; the mintimer and maxtimer attributes are set to the given minimal and maximal duration of the rule, respectively; the execution time is set to zero; the starting time is set to the value of the Clock instance; and the ending time is left undefined. For instance, the following Maude rule corresponds to the encoding of the Call action’s triggering rule (see Figure 7.13): v a r s initTime : OCL−Type . c r l [ Call@Triggering ] : MM@ { --- LHS elements < p1 : PHONE@p1@CLASS | contacts : CONTACTS@p1@ATT # on : ON@p1@ATT # p1@SFS > < p2 : PHONE@p2@CLASS | on : ON@p2@ATT # p2@SFS > < cl : Clock | time : TIME@CLK@ > --- Further elements < ’ids@ : Counter | value : VALUE@ids@ > < ’rdm@ : Counter | value : VALUE@rdm@ > OBJSET } => MM@ { --- LHS elements 148 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S < p1 : PHONE@p1@CLASS | contacts : CONTACTS@p1@ATT # on : ON@p1@ATT # p1@SFS > < p2 : PHONE@p2@CLASS | on : ON@p2@ATT # p2@SFS > < cl : Clock | time : TIME@CLK@ > --- Action execution < ACTEXC@ : AtomicActionExec | action : "Call" # participants : Set{OR1@ ; OR2@} # minTimer : MINDURATION@ # maxTimer : MAXDURATION@ # status : unfinished # startingTime : TIME@CLK@ # endingTime : null # executionTime : 0 # variables : Set{VAR1@} > < OR1@ : ObjectRole | actualObject : p1 # role : "p1" > < OR2@ : ObjectRole | actualObject : p2 # role : "p2" > < VAR1@ : Variable | name : "initTime" # value : initTime > --- Further elements < ’ids@ : Counter | value : ( VALUE@ids@ + 4 ) > < ’rdm@ : Counter | value : VALUE@rdm@ > OBJSET@ } i f MODEL@ : = MM@ { < p1 : PHONE@p1@CLASS | contacts : CONTACTS@p1@ATT # on : ON@p1@ATT # p1@SFS > < p2 : PHONE@p2@CLASS | on : ON@p2@ATT # p2@SFS > < cl : Clock | time : TIME@CLK@ > < ’ids@ : Counter | value : VALUE@ids@ > < ’rdm@ : Counter | value : VALUE@rdm@ > OBJSET } / \ not currentExec@Call ( Set{p1 ; p2 } , MODEL@ ) . --- Rule variables / \ initTime : = eval ( cl . time , env ( empty ) , MODEL@ ) --- LHS slots / \ ON@p1@ATT : = eval ( true , env ( self <− p1 ) , MODEL@ ) / \ ON@p2@ATT : = eval ( true , env ( self <− p2 ) , MODEL@ ) --- LHS links / \ p2 in CONTACTS@p1@ATT --- LHS conditions / \ eval ( p1 . coverage > 0 and p2 . coverage > 0 , env ( empty ) , MODEL@ ) --- Identifiers of the new elements / \ ACTEXC@ : = newId ( VALUE@ids@ ) / \ OR1@ : = newId ( VALUE@ids@ + 1 ) / \ OR2@ : = newId ( VALUE@ids@ + 2 ) / \ VAR1@ : = newId ( VALUE@ids@ + 3 ) --- Rule duration / \ MINDURATION@ : = toRat ( eval ( 2 0 , env ( empty ) , MODEL@ ) ) / \ MAXDURATION@ : = toRat ( eval ( 3 0 , env ( empty ) , MODEL@ ) ) --- NAC patterns / \ not p1isNotInACall@Call ( Set{p1 ; p2 } , < VAR1@ : Variable | name : "initTime" # value : initTime >, MODEL@ ) / \ not p2isNotInACall@Call ( Set{p1 ; p2 } , < VAR1@ : Variable | name : "initTime" # value : initTime >, MODEL@ ) . Note the use of the MODEL@ variable matched in the condition of the rule to avoid repeating the configuration in the remaining conjuncts of the condition. In the rules below, we will write dots to abbreviate their presentations. Objects of transformation rules’ LHS patterns are encoded as Maude objects placed in the 7.3. R EAL - TIME B EHAVIORAL S EMANTIC M APPINGS 149 left-hand side of the Maude rule; they are also included in the right-hand side so that they remain as such. LHS conditions and slots are encoded as rule conditions, which are computed by the eval operation. The eval operation evaluates the OCL expression given as its first argument in the context specified by its second and third arguments. The second argument represents a set of variable-value bindings of the form env(var1 ← val1 , ..., varN ← valN ), while the third argument represents the model on which we want the expression to be evaluated. LHS links are encoded as rule conditions too by means of invocations to the in operation. This operation checks whether an object identifier is included in a given collection of references. The toRat operation converts a possible float number into a rational number. This operation is applied to every value of the e-Motions language that represents a time value so that they can be handled by our (discrete or dense) model of time. The participants of the rule are specified by means of ObjectRole elements. An ObjectRole object represents a pair object-role: the object that is involved in an action (actualObject attribute) and the role that it plays on it (role attribute). Variables are computed in rule conditions and their values are stored in Variable objects so that they can be accessed from the realization rule (see below). The Clock instance is included in the Maude rule (no matter if is explicitly specified in the in-place rule or not) to set the starting time of the AtomicActionExec element ACTEXC@ that represents the rule execution. Two Counter objects are included too. The ids@ counter is used to compute the identifiers of the new created objects by using the newId operation, which creates an object identifier from a given natural number. The rdm@ counter is used when the predefined e-Motions helper random is invoked to perform successive calls to the Mersenne twister random number generator that Maude provides [42].5 Additionally, the currentExec@Call operation is included to forbid the triggering of the rule whenever an- other occurrence of the same rule is already being executed with the same set of participants. This operation checks the existence of an AtomicActionExec object that refers to the rule (Call) with the same set of participants (Set{p1 ; p2}) and with an undefined endingTime in the model (@MODEL). var L@TIMER@ : MSet{OCL−Exp} . op currentExec@Call : Set @Model −> Bool . eq currentExec@Call ( Set{p1 ; p2 } , MM@ { < ACTEXEC@ : AtomicActionExec | action : "Call" # endingTime : null # participants : Set{OR1@ ; OR2@ ; L@TIMER@} # ACTEXEC@SFS > < OR1@ : ObjectRole | actualObject : p1 # role : "p1" > < OR2@ : ObjectRole | actualObject : p2 # role : "p2" > 5 The ids@ and rdm@ counters are always included in the rule, no matter if they are used or not. 150 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S OBJSET@ } ) = true . eq currentExec@Call ( OIDSET@ , MODEL@ ) = false [ owise ] . NAC patterns are encoded as predicates which are invoked from rule conditions (see the p1isNotInACall@Call and p2isNotInACall@Call predicates). These predicates check whether occurrences of the specified patterns are found in the model. Their first and second parameters indicate the set of objects that are involved in the LHS pattern and the set of variables defined in the rule, respectively, so that they can be referred from the NAC pattern. For instance, the following excerpt of code specifies the p1isNotInACall@Call predicate: var initTime : OCL−Type . var L@a : MSet{OCL−Exp} . v a r s OR1@a : Oid . v a r s OR1@a@SFS : Set{@StructuralFeatureInstance} . op p1isNotInACall@Call : Set Set{@Object} @Model −> Bool . eq p1isNotInACall@Call ( Set{p1 ; p2 } , < VAR1@ : Variable | name : "initTime" # value : initTime >, MM@ { --- NAC elements < a : AtomicActionExec | action : "Call" # status : unfinished # participants : Set{OR1@a ; L@a} # a@SFS > < OR1@a : ObjectRole | actualObject : p1 # OR1@a@SFS > --- Further elements OBJSET@ } ) = true . eq p1isNotInACall@Call ( OIDSET@ , OBJSET@ , MODEL@ ) = false [ owise ] . In this case, the NAC pattern is only composed of an action execution element. Action execution elements are encoded as AtomicActionExec objects, while object mappings are encoded as ObjectRole objects. Note that the ObjectRole does not restrict the role that object p1 plays in the rule, since it was left undefined in the specification of the atomic rule (see Figure 7.13). DPO and SPO formalizations. The encoding of the atomic action’s triggering rule presented above follows the SPO formalization. However, our tool also supports the DPO formalization. When the DPO formalization is chosen, an invocation of the dpo predicate is added to the conditions of the triggering rule. This predicate has three arguments: 1) the set of elements to be deleted specified by the rule; 2) the list of links (of sort MyLinkList) to be deleted specified by the rule; and 3) the model on which the condition required by the DPO formalization will be checked. The dpo operation firstly deletes from the model all the links and objects (including their contained objects) specified by the rule to be deleted (lines 4 to 6), and then checks 7.3. R EAL - TIME B EHAVIORAL S EMANTIC M APPINGS 151 whether no references to these deleted elements are left in the model (lines 8 to 17). If any dangling reference is found, the DPO condition is not satisfied and the rule will not be applied. 1 v a r s L L ’ : MSet{OCL−Exp} . 2 v a r s LO LO ’ : List{OCL−Exp} . 3 4 op dpo : Set MyLinkList @Model −> Bool . 5 eq dpo ( SET , MLL , MODEL ) = dpo ( union ( SET , getAllContainedOids ( SET , MODEL ) ) , deleteEls ( SET , deleteLinks ( MLL , MODEL ) ) ) . 6 7 8 9 op dpo : Set @Model −> Bool . eq dpo ( Set{mt } , MODEL ) = true . 10 --- Possible references to deleted elements 11 eq dpo ( Set{O ; L } , MM {< O ’ : C | ( REF : Sequence{LO # O # LO ’ } # SFS ) > OBJSET } ) = false . 12 eq dpo ( Set{O ; L } , MM {< O ’ : C | ( REF : Set{O ; L ’ } # SFS ) > OBJSET } ) = false . 13 eq dpo ( Set{O ; L } , MM {< O ’ : C | ( REF : OrderedSet{LO # O # LO ’ } # SFS ) > OBJSET } ) = false . 14 eq dpo ( Set{O ; L } , MM {< O ’ : C | ( REF : Bag{O ; L ’ } # SFS ) > OBJSET } ) = false . 15 eq dpo ( Set{O ; L } , MM {< O ’ : C | ( REF : O # SFS ) > OBJSET } ) = false . 16 --- Otherwise 17 eq dpo ( Set{O ; L } , MODEL ) = true [ owise ] . The getAllContainedOids operation obtains from a set of objects (SET) the set of identifiers of the objects recursively contained by them. The deleteEls and deleteLinks operations remove a set of objects (including their contained objects) and a list of links from a model, respectively. 7.3.2.2 The Realization Rule Once an atomic action’s minimum timer is consumed (i.e., there is an AtomicActionExec object whose minTimer attribute’s value is 0) the corresponding action can be performed if its participants are still there. Then, the matching of the LHS is substituted by the corresponding instantiation of the RHS and the attribute computations are realized. To keep track of the performed actions, the AtomicActionExec objects are not deleted, but their ending times are set, and their corresponding status and participants are updated instead. For instance, the following Maude rule corresponds to the encoding of the Call action’s realization rule: var initTime : OCL−Type . c r l [ Call@Realization ] : MM@ { --- LHS elements < p1 : PHONE@p1@CLASS | contacts : CONTACTS@p1@ATT # dialedCalls : DIALEDCALLS@p1@ATT # p1@SFS > < p2 : PHONE@p2@CLASS | receivedCalls : RECEIVEDCALLS@p2@ATT # p2@SFS > < cl : Clock | time : TIME@CLK@ > --- Action execution with minimum timer consumed < ACTEXEC@ : AtomicActionExec | action : "Call" # participants : Set{OR1@ ; OR2@} # 152 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S minTimer : 0 # status : unfinished # endingTime : null # executionTime : T # variables : Set{VAR1@} # ACTEXC@@SFS > < OR1@ : ObjectRole | actualObject : p1 # role : "p1" > < OR2@ : ObjectRole | actualObject : p2 # role : "p2" > < VAR1 : Variable | name : "initTime" # value : initTime > --- Further elements < ’ids@ : Counter | value : VALUE@ids@ > < ’rdm@ : Counter | value : VALUE@rdm@ > OBJSET@ } => readjust ( ACTEXEC@ , Set{mt } , MM@ { --- RHS elements < p1 : PHONE@p1@CLASS | contacts : update ( contacts , CONTACTS@p1@ATT , nil , link ( p2 , null ) ) # dialedCalls : update ( dialedCalls , DIALEDCALLS@p1@ATT , nil , link ( c1 , null ) ) # p1@SFS > < p2 : PHONE@p2@CLASS | receivedCalls : update ( receivedCalls , RECEIVEDCALLS@p2@ATT , nil , link ( c2 , null ) ) # p2@SFS > complete(< c1 : CallRecord | duration : eval ( T , env ( self <− c1 ) , MODEL@ ) # contact : update ( contact , null , nil , link ( p2 , null ) ) # startingTime : eval ( initTime , env ( self <− c1 ) , MODEL@ ) >) complete(< c2 : CallRecord | duration : eval ( T , env ( self <− c2 ) , MODEL@ ) # contact : update ( contact , null , nil , link ( p1 , null ) ) # startingTime : eval ( initTime , env ( self <− c2 ) , MODEL@ ) >) < cl : Clock | time : TIME@CLK@ > --- Action execution updated < ACTEXEC@ : AtomicActionExec | action : "Call" # participants : Set{OR1@ ; OR2@ ; OR3@ ; OR4@} # minTimer : 0 # status : realized # endingTime : TIME@CLK@ # executionTime : T # variables : Set{VAR1@} # ACTEXEC@SFS > < OR1@ : ObjectRole | actualObject : p1 # role : "p1" > < OR2@ : ObjectRole | actualObject : p2 # role : "p2" > < OR3@ : ObjectRole | actualObject : c1 # role : "c1" > < OR4@ : ObjectRole | actualObject : c2 # role : "c2" > < VAR1 : Variable | name : "initTime" # value : initTime > --- Further elements < ’ids@ : Counter | value : ( VALUE@ids@ + 4 ) > < ’rdm@ : Counter | value : VALUE@rdm@ > OBJSET@ } i f MODEL@ : = MM@ { . . . OBJSET } / \ OR3@ : = newId ( VALUE@ids@ + 0 ) / \ OR4@ : = newId ( VALUE@ids@ + 1 ) / \ c1 : = newId ( VALUE@ids@ + 2 ) / \ c2 : = newId ( VALUE@ids@ + 3 ) . Objects that are specified by the rule to be created are added to the right-hand side of the Maude rule and included as new participants of the action execution. The complete operation adds to a new object all the structural feature-value pairs (with their default value) that are not explicitly specified within the object’s slots in the rule. RHS slots are encoded as computations in the right-hand side of the rule. The final duration of the rule T is obtained 7.3. R EAL - TIME B EHAVIORAL S EMANTIC M APPINGS 153 from the AtomicActionExec object’s executionTime attribute. Links that are specified by the rule to be created or deleted are so by means of the update operation. The first parameter of this operation is the reference that the link represents; the second parameter represents the previous value of the reference; the third parameter represents the list of links to be deleted; and the fourth parameter represents the list of links to be added. For this operation, we specify links as pairs (o, p), where o represents the target object identifier and p its possible position in the source collection of references (null if not specified). The readjust operation performs the deletion of objects (second parameter) that are specified in the in-place rule to be deleted (an empty set in this case). These deletions are handled with an equation (instead of simply not including the objects in the right-hand side pattern of the rewrite rule) because further processing is usually needed. In particular, once an object is deleted, all its contained objects and the set of all possible dangling references that its deletion may cause should be deleted as well. 6 The readjust operation is also responsible for abort- ing all the current action executions on which any of the elements that are specified by the rule to be deleted are involved in. Similarly, it aborts all unfinished actions in which the current finished action execution ACTEXEC@ specified by this rule participates (see Section 7.2.3.4). 7.3.3 Encoding of Periodic Rules Periodic rules are atomic rules that can be triggered only once in a given period of time. Therefore, they can be encoded as atomic rules (by means of two Maude rewrite rules, one modeling its triggering and one modeling its actual realization) but adding the corresponding rule conditions to fulfill this requirement. In fact, only the triggering rule is affected: the encoding of the realization rule remains unchanged. For instance, the following rewrite rule corresponds to the encoding of the Coverage action’s triggering rule (see Figure 7.8): 1 2 c r l [ Coverage@Triggering ] : MM@ { --- LHS elements 3 < p : PHONE@p@CLASS | p@SFS # on : ON@p@ATT > 4 < a : ANTENNA@a@CLASS | a@SFS > 5 --- Further elements 6 < CLK@ : Clock | time : TIME@CLK@ > 7 < ’ids@ : Counter | value : VALUE@ids@ > 8 < ’rdm@ : Counter | value : VALUE@rdm@ > OBJSET@ } 9 10 => MM@ { --- LHS elements 6 Note that dangling references are only deleted with the spo formalization, since dpo forbids the application of rules (by means of a rule condition) that may result in dangling references. 154 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S 11 < p : PHONE@p@CLASS | p@SFS # on : ON@p@ATT > 12 < a : ANTENNA@a@CLASS | a@SFS > 13 --- Action execution 14 < ACTEXEC@ : AtomicActionExec | action : "Coverage" # status : unfinished # 15 participants : Set{OR1@ ; OR2@} # minTimer : MINDURATION@ # 16 maxTimer : MAXDURATION # startingTime : TIME@CLK@ # endingTime : null # 17 executionTime : 0 # variables : Set{mt} > 18 19 < OR1@ : ObjectRole | actualObject : p # role : "p" > < OR2@ : ObjectRole | actualObject : a # role : "a" > 20 --- Further elements 21 < CLK@ : Clock | time : TIME@CLK@ > 22 < ’ids@ : Counter | value : ( VALUE@ids@ + 3 ) > 23 < ’rdm@ : Counter | value : VALUE@rdm@ > 24 OBJSET@ } 25 i f MODEL@ : = MM@ { . . . OBJSET } 26 --- Periodic condition 27 / \ not alreadyTrigInPeriod@Coverage ( Set{p ; a } , MODEL@ , TIME@CLK@ , toRat ( 5 . 0 ) ) 28 --- Normal periodic condition 29 / \ multiple ( TIME@CLK@ , toRat ( 5 . 0 ) ) 30 --- LHS slots 31 / \ ON@p@ATT : = eval ( true , env ( self <− p ) , MODEL@ ) 32 --- Identifiers of the new elements 33 / \ ACTEXC@ : = newId ( VALUE@ids@ ) 34 / \ OR1@ : = newId ( VALUE@ids@ + 1 ) 35 / \ OR2@ : = newId ( VALUE@ids@ + 2 ) 36 --- Rule duration 37 / \ MINDURATION@ : = toRat ( eval ( 1 , env ( empty ) , MODEL@ ) ) 38 / \ MAXDURATION@ : = toRat ( eval ( 1 , env ( empty ) , MODEL@ ) ) 39 --- NAC patterns 40 / \ not nocloserantenna@Coverage ( Set{p ; a } , none , MODEL@ ) . Two new conditions may appear in the triggering rule of periodic actions (see lines 26 to 29). The first condition is an invocation to the alreadyExecInPeriod@Coverage opera- tion, which checks whether the rule has already been triggered with the same set of participants in the current period. This operation is included in the encoding of every periodic rule (normal or soft). Note that the currentExec operation is not needed anymore. The second condition is specific to normal periodic rules: since this kind of rules can only be triggered at the beginning of the period, we forbid applying the rule if the current moment of time is not multiple of the period of the rule (5.0 in this example). The alreadyExecInPeriod@Coverage auxiliary operation is encoded in Maude as follows. This operation checks the existence of an AtomicActionExec object that refers to the rule (Coverage) with the same set of participants (Set{p ; a}) and with a starting time allocated within the current period (condition that is checked by the inPeriod operation). v a r s PERIOD@ : Time . var L@ACTEXEC@ : MSet{OCL−Exp} . 7.3. R EAL - TIME B EHAVIORAL S EMANTIC M APPINGS 155 op alreadyTrigInPeriod@Coverage : Set @Model Time Time −> Bool . ceq alreadyTrigInPeriod@Coverage ( Set{p ; a} , MM@ < ACTEXEC@ : AtomicActionExec | action : "Coverage" # participants : Set{OR1@ ; OR2@ ; L@ACTEXEC@} # startingTime : STARTINGTIME@ # ACTEXEC@SFS > < OR1@ : ObjectRole | actualObject : p # role : "p" > < OR2@ : ObjectRole | actualObject : a # role : "a" > OBJSET@ } , TIME@CLK@ , PERIOD@ ) = true i f inPeriod ( STARTINGTIME@ , TIME@CLK@ , PERIOD@ ) . eq alreadyTrigInPeriod@Coverage ( OIDSET@ , MODEL@ , TIME@CLK@ , PERIOD@ ) = false [ owise ] . As we shall see in Section 7.3.7, periods are also taken into account in the computation of time elapses so that we can ensure that periodic rules are tried to be triggered at least once in every period. 7.3.4 Encoding of Instantaneous Rules In the e-Motions tool, we model instantaneous rules as atomic rules with minimal and maximal duration equals to zero. However, they are not encoded in the same way as atomic rules: since instantaneous rules do not have a duration to be consumed, the rule’s triggering and realization do not need to be separated. Thus, we encode each instantaneous rule as a single rewrite rule. In this way, no other action may occur during the execution of this kind of actions. This rewrite rule will check whether the instantaneous rule’s precondition is satisfied, and if so, it will substitute the instantiation of the LHS pattern by the corresponding instantiation of the RHS, and will create an AtomicActionExec object to keep track of the performed action. For instance, the BatteryOff rule (see Figure 7.6) is encoded in Maude as follows: c r l [ BatteryOff@Instantaneous ] : MM@ { --- LHS elements < p : PHONE@p@CLASS | on : ON@p@ATT # battery : BATTERY@p@ATT # p@SFS > --- Further elements < CLK@ : Clock | time : TIME@CLK@ > < ’ids@ : Counter | value : VALUE@ids@ > < ’rdm@ : Counter | value : VALUE@rdm@ > OBJSET@ } => readjust ( Set{mt } , MM@ { --- RHS elements < p : PHONE@p@CLASS | on : eval ( false , env ( self <− p ) , MODEL@ ) # battery : BATTERY@p@ATT # p@SFS > --- Action execution < ACTEXEC@ : AtomicActionExec | action : "BatteryOff" # participants : Set{OR1@} # 156 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S minTimer : 0 # maxTimer : 0 # status : realized # variables : Set{mt} # startingTime : TIME@CLK@ # endingTime : TIME@CLK@ # executionTime : T > < OR1@ : ObjectRole | actualObject : p # role : "p" > --- Further elements < CLK@ : Clock | time : TIME@CLK@ > < ’ids@ : Counter | value : ( VALUE@ids@ + 2 ) > < ’rdm@ : Counter | value : VALUE@rdm@ > OBJSET@ } i f MODEL@ : = MM@ { . . . OBJSET } --- LHS slots / \ ON@p@ATT : = eval ( true , env ( self <− p ) , MODEL@ ) / \ BATTERY@p@ATT : = eval ( 0 , env ( self <− p ) , MODEL@ ) --- Identifiers of the new elements / \ ACTEXEC@ : = newId ( VALUE@ids@ ) / \ OR1@ : = newId ( VALUE@ids@ + 1 ) --- Rule duration / \ T : = eval ( 0 , env ( empty ) , MODEL@ ) --- NAC patterns / \ not pisNotInACall@BatteryOff ( Set{p } , none , MODEL@ ) . Note that, since no other action can occur during the execution of an instantaneous rule, we do not need to check whether the same rule is already being executed with the same set of participants. 7.3.5 Encoding of Ongoing Rules Ongoing rules are used to model actions that progress with time. Since the delta function defines the effect of time over the model objects, we will encode ongoing rules into the delta function itself. However, the maximal duration and time upper bounds of current executions of ongoing rules also affect the maximal time elapse (mte) of the system (see Section 7.3.7). Since the maximal time elapse is computed before the delta operation is, we also include a rewrite rule per each ongoing rule that creates an object at the triggering of the ongoing action that represent a possible execution of the action. This object will gather all the information about the rule instantiation (including its maximal duration), which will make it accessible when the mte operation is invoked (and in fact before the corresponding ongoing rule is realized). 7.3.5.1 The Initial Rule The initial rule of an ongoing action is encoded as the triggering rule of an atomic action. When the rule precondition is satisfied, an object of the OngoingActionExec class (which inherits from the ActionExec class) is created, indicating that the corresponding ongoing rule can be executed at that moment of time. This object gathers all the information about its instantiation, 7.3. R EAL - TIME B EHAVIORAL S EMANTIC M APPINGS 157 including the OCL expression that represents the maximal duration (maxTimer attribute), and a new timer that represents a countdown to the rule’s upper bound (upperBoundTimer attribute). This upperBoundTimer timer is only needed in ongoing action executions: since ongoing rules do not have a specific duration, their upper bound also act as a maximal bound for their duration. As an example, the following Maude specification corresponds to the encoding of the BatteryConsumption action’s initial rule (see Figure 7.10): 1 2 c r l [ BatteryConsumption@Triggering ] : MM@ { --- LHS elements 3 < p : PHONE@p@CLASS | on : ON@p@ATT , p@SFS > 4 --- Further elements 5 < CLK@ : Clock | time : TIME@CLK@ > 6 < ’ids@ : Counter | value : VALUE@ids@ > 7 < ’rdm@ : Counter | value : VALUE@rdm@ > OBJSET@ } 8 9 10 11 => MM@ { --- LHS elements < p : PHONE@p@CLASS | on : ON@p@ATT , p@SFS > 12 --- Action execution representation 13 < ACTEXC@ : OngoingActionExec | action : "BatteryConsumption" , 14 maxTimer : freeze ( p . battery / p . bps ) , variables : Set{mt } , 15 startingTime : TIME@CLK@ , endingTime : null , 16 participants : Set{OR1@ } , upperBoundTimer : null > 17 < OR1@ : ObjectRole | actualObject : p , role : "p" 18 --- Further elements 19 < CLK@ : Clock | time : TIME@CLK@ > 20 < ’ids@ : Counter | value : ( VALUE@ids@ + 2 ) > 21 < ’rdm@ : Counter | value : VALUE@rdm@ > 22 > OBJSET@ } 23 i f MODEL@ : = MM@ { < p : PHONE@p@CLASS | on : ON , p@SFS > . . . OBJSET@ } 24 / \ not currentExec@BatteryConsumption ( Set{p } , MODEL@ ) 25 / \ toRat ( eval ( p . battery / p . bps , env ( empty ) , MODEL@ ) ) > 0 26 / \ ON@p@ATT : = eval ( true , env ( self <− p ) , MODEL@ ) 27 / \ ACTEXC@ : = newId ( VALUE@ids@ ) 28 / \ OR1@ : = newId ( VALUE@ids@ + 1 ) . Ongoing rules’ maximal duration expressions are frozen (i.e., maintained unevaluated with the freeze operation in the maxTimer attribute) to be later computed in the mte function to get the current (real) values of the elements involved in the expression at that moment of time. However, they are also computed in the rule (see line 25) to forbid its triggering in case the maximal duration is not greater than zero. In the above rule, the upperBoundTimer attribute is set to null, since the BatteryConsumption rule’s upper bound is not specified. op freeze : OCL−Exp −> OCL−Type . --- No equations, so the operation is not evaluated 158 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S Finally, note that Maude rules are applied in a non-deterministic order. Therefore, the realization rule of an atomic action can be applied, e.g., after the execution of the initial rule of an ongoing action. This application can make an OngoingActionExec object to represent an invalid action execution: since the state of the system may change from the moment of the generation of an OngoingActionExec object to the moment in which the ongoing action is in fact realized (the moment in which the delta operation is applied), the precondition of the action that represents the OngoingActionExec object may be violated. These invalid OngoingActionExec objects will be removed from the specifications, as we shall see below. 7.3.5.2 The applyOngoingRules Operator In the following time elapse, the delta equation calls the applyOngoingRules function. One applyOngoingRules equation defining the operator is added for each ongoing rule. This equation checks whether the ongoing rule’s precondition is satisfied (note that the system state may have changed from the moment on which the OngoingActionExec object was created), and if so, it substitutes the LHS matching by its RHS and sets the ending time and maximal duration of the OngoingActionExec object. op applyOngoingRules : @Model Time −> @Model . ceq applyOngoingRules ( MM@ { --- LHS elements < p : PHONE@p@CLASS | on : ON@p@ATT # battery : BATTERY@p@ATT # p@SFS > --- Ongoing action execution element < ACTEXEC@ : OngoingActionExec | action : "BatteryConsumption" # endingTime : null # participants : Set{OR1@} # variables : Set{mt} # maxTimer : freeze ( MAXDURATION@ ) # ACTEXC@@SFS > < OR1@ : ObjectRole | actualObject : p # role : "p" > --- Further elements < CLK@ : Clock | time : TIME@CLK@ > < ’ids@ : Counter | value : VALUE@ids@ > < ’rdm@ : Counter | value : VALUE@rdm@ > OBJSET } , T) = applyOngoingRules ( readjust ( Set{mt } , MM@{ < p : PHONE@p@CLASS | on : ON@p@ATT # battery : eval ( p . battery − T ∗ p . bps , env ( self <− p ) , MODEL@ ) # p@SFS > --- Ongoing action execution element < ACTEXEC@ : OngoingActionExec | action : "BatteryConsumption" # endingTime : ( T plus TIME@CLK@ ) # participants : Set{OR1@} # variables : Set{mt} # maxTimer : toRat ( eval ( MAXDURATION@ , env ( empty ) ) # ACTEXC@@SFS > < OR1@ : ObjectRole | actualObject : p # role : "p" > < CLK@ : Clock | time : TIME@CLK@ > 7.3. R EAL - TIME B EHAVIORAL S EMANTIC M APPINGS 159 < ’ids@ : Counter | value : VALUE@ids@ > < ’rdm@ : Counter | value : VALUE@rdm@ > OBJSET } , T) i f MODEL@ : = MM@ { . . . OBJSET@ } / \ ON@p@ATT : = eval ( true , env ( self <− p ) , MODEL@ ) . / \ toRat ( eval ( MAXDURATION@ , env ( empty ) , MODEL@ ) ) > 0 --- Remaining applyOngoingRules equations... eq applyOngoingRules ( MODEL , T ) = joinOngoingActionExecs ( deleteInvalidActionExecs ( MODEL ) ) [ owise ] . The current system time elapse T is provided by the delta operation (see the second argument of the applyOngoingRule operation). This value is used to perform the attribute computations that depend on it (such as the above expression (p . battery - T * p . bps)), and set the rule’s ending time. The applyOngoingRule operation is recursively called until every possible execution of an ongoing action is realized, and thus the endingTime of the OngoingActionExec objects that represent them are set. Remaining OngoingActionExec objects with an undefined endingTime represent current invalid actions, i.e., actions that cannot be performed in that moment of time. These invalid applyOngoingRules objects are deleted (including the Variable and ObjectRole objects referred by them) in the owise equation. op deleteInvalidActionExecs : @Model −> @Model . eq deleteInvalidActionExecs ( MM { < O : OngoingActionExec | endingTime : null # participants : SET # variables : SET ’ # SFS ) > OBJSET } ) = deleteInvalidActionExecs ( deleteEls ( << SET −> union ( SET ’ ) >>, MM { OBJSET } ) ) . eq deleteInvalidActionExecs ( MODEL ) = MODEL [ owise ] . The joinOngoingActionExecs operation joins ongoing action execution elements that represent consecutive executions of the same ongoing action with the same set of participants. In particular, it refines the information gathered by a previous-in-time OngoingActionExec object with the information provided by the new occurrence. This operation has been defined to prevent the model from being flooded with OngoingActionExec objects with short execution times. var ST : String . v a r s MAXT MAXT ’ : Time . op joinOngoingActionExecs : @Model −> @Model . ceq joinOngoingActionExecs ( MM { < O : OngoingActionExec | action : ST # participants : SET # maxTimer : MAXT # endingTime : T # SFS > < O ’ : OngoingActionExec | action : ST # participants : SET ’ # maxTimer : MAXT ’ # startingTime : T # variables : SET ’ ’ # endingTime : T ’ # SFS ’ > 160 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S OBJSET } ) = joinOngoingActionExecs ( deleteEls ( << SET −> union ( SET ’ ) >>, MM { < O : OngoingActionExec | action : ST # participants : SET # maxTimer : i f ( ( MAXT =/= null ) and−then ( MAXT ’ =/= null ) ) then ( MAXT plus MAXT ’ ) else MAXT fi # endingTime : T ’ # SFS > OBJSET } ) ) i f sameParticipantsAndRoles ( SET , SET ’ , MM { . . . OBJSET } ) . eq joinOngoingActionExecs ( MODEL ) = MODEL [ owise ] . The sameParticipantsAndRoles operation checks whether two set of ObjectRole elements refer to the same set of action participants playing the same role. 7.3.6 Encoding of Rule Execution Modes As we mentioned in Section 7.2, we distinguish normal rules, which are triggered as soon as possible, from soft rules, which are not necessarily triggered immediately, but in a nondeterministic moment in time in the near future. The only difference in their encoding is that we do not allow time to elapse if a normal (non-soft) rule can be triggered, i.e., if the precondition of any normal rule is satisfied. Since the elapse of time depends on the maximal time elapse defined by the mte function, we include an extra mte equation for every normal rule that forbids time to elapse whenever the rule can be applied and it has not been so (see Section 7.3.7 for an example of such kind of equation). This mechanism is also used with normal and soft periodic rules, since both kinds of rules are triggered as soon as possible too. Regarding scheduled actions, they are modeled by normal atomic rules whose lower and upper bounds coincide with the moment in time at which the rules are scheduled. Lower and upper bounds are encoded as rule conditions that forbid the triggering of the rule out of its interval of time. In ongoing rules, upper bounds are also encoded as timers (see Section 7.3.5). Lower bounds are also considered in the computation of time elapse so that we can ensure that scheduled and time-bounded rules are tried to be applied at least once in their corresponding interval (see Section 7.3.7). 7.3.7 Pass of Time We model time elapse with one tick rule by using the delta and mte functions. The rule, which was already introduced in Section 7.3.1, is the following: c r l [ tick ] : { MODEL } in time T 7.3. R EAL - TIME B EHAVIORAL S EMANTIC M APPINGS 161 => { delta ( MODEL , TE ) } in time ( T plus TE ) i f TE : = mte ( MODEL ) / \ TE =/= zero . The delta function defines the effect of time elapse T over the model elements, and the mte function the maximum amount of time that can elapse before any action is performed. Our approach makes DSML objects unaware of time, and therefore both functions need to be defined only over time-dependent elements, namely the Clock instance, and AtomicActionExec and OngoingActionExec objects. 7.3.7.1 The delta Function The delta function applies ongoing actions (with the applyOngoingRules auxiliary operation), and then updates the Clock and AtomicActionExec instances. In particular, it increases the clock value and the execution time of action executions, and decreases the timers of action executions. The DSML objects remain unchanged. op delta : @Model Time −> @Model [ frozen ] . op deltaAux : @Model Time −> @Model [ frozen ] . op delta : Set{@Object} Time −> Set{@Object} [ frozen ] . eq delta ( MODEL , T ) = deltaAux ( applyOngoingRules ( MODEL , T ) , T ) . eq deltaAux ( MM { OBJSET } , T ) = MM { delta ( OBJSET , T ) } . eq delta(< O : AtomicActionExec | endingTime : null , minTimer : T ’ , maxTimer : T ’ ’ , executionTime : T ’ ’ ’ , SFS > OBJSET , T ) = < O : AtomicActionExec | endingTime : null , minTimer : ( T ’ monus T ) , maxTimer : ( T ’ ’ monus T ) , executionTime : ( T ’ ’ ’ plus T ) , SFS > delta ( OBJSET , T ) . eq delta(< O : Clock | time : T ’ , SFS > OBJSET , T ) = < O : Clock | time : ( T ’ plus T ) , SFS > delta ( OBJSET , T ) . eq delta ( OBJSET , T ) = OBJSET [ owise ] . Note the use of the owise attribute: we act on time-dependent elements and we leave the rest unaffected. Note as well that the frozen attribute guarantees that no rule is applied on any of the arguments of a delta function (see [89]). 7.3.7.2 The mte Function The mte function defines the maximum amount of time that can elapse before any action is performed. Therefore, this function must take into account the maximal duration of atomic and ongoing action executions, the beginning of periods of periodic rules, the upper bound for ongoing actions, etc. Thus, the mte function is defined as the minimum of (a) maxTimer values of current AtomicActionExec objects, (b) maxTimer and upperBoundTimer values 162 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S of current OngoingActionExec objects, and (c) for each rule, the difference between the following beginning of rule period or lower bound and the current time elapse. Furthermore, we add extra equations defining the mte operator per each normal and (normal or soft) periodic rule. These equations forbid time to elapse, i.e., define the maximal time elapse of the system as 0 time units, if any of these rules can be applied and it has not been so. Note also the use of the owise attribute. var OCLEXP : OCL−Exp . op mte : @Model −> TimeInf [ frozen ] . op mteAux : @Model @Model −> TimeInf [ frozen ] . ---- mte equation for the BatteryOff normal rule ceq mte ( MM@ { < p : PHONE@p@CLASS | on : ON@p@ATT # battery : BATTERY@p@ATT # p@SFS > < CLK@ : Clock | time : TIME@CLK@ > < ’ids@ : Counter | value : VALUE@ids@ > < ’rdm@ : Counter | value : VALUE@rdm@ > OBJSET@ } = 0 i f MODEL@ : = MM@ { . . . OBJSET } / \ ON@p@ATT : = eval ( true , env ( self <− p ) , MODEL@ ) / \ BATTERY@p@ATT : = eval ( 0 , env ( self <− p ) , MODEL@ ) / \ not pisNotInACall@BatteryOff ( Set{p } , none , MODEL@ ) . ---- mte equations for remaining normal and (normal or soft) periodic rules ... eq mte ( MODEL@ ) = mteAux ( MODEL@ , MODEL@ ) [ owise ] . eq mteAux ( MM@ { < O : AtomicActionExec | maxTimer : T , endingTime : null , SFS ) > OBJSET@ } , MODEL@ ) = minimum ( T , mteAux ( MM@ { OBJSET@ } , MODEL@ ) ) . eq mteAux ( MM@ { < O : OngoingActionExec | maxTimer : freeze ( OCLEXP ) , endingTime : null , upperBoundTimer : T ’ , SFS > OBJSET@ } , MODEL@ ) = i f ( toRat ( eval ( OCLEXP , env ( empty ) , MODEL@ ) ) <= 0 ) ) then minimum ( T ’ , mteAux ( MM { OBJSET@ } , MODEL@ ) ) else minimum ( toRat ( eval ( OCLEXP , env ( empty ) , MODEL@ ) ) , minimum ( T ’ , mteAux ( MM { OBJSET@ } , MODEL@ ) ) ) fi . eq mteAux ( MM@ { < O : Clock | time : T > OBJSET@ } , MODEL@ ) = minimum ( minimum ( nextLowerBound ( T , rulesInformation ) , nextPeriod ( T , rulesInformation ) ) monus T , mteAux ( MM@ { OBJSET@ } , MODEL@ ) ) . eq mteAux ( MODEL@ , MODEL@ ’ ) = INF [ owise ] . The rulesInformation constant is defined as a model that gathers all the rule properties, such as their periodicity and lower and upper bounds (see Appendix C). Operations nextPeriod and nextLowerBound make use of it to compute the following beginning of rule’s period and lower bound, forcing time to stop in these moments in time. In this way, we can ensure that periodic and time-bounded rules will be tried to be triggered at least once in 7.4. F ORMAL A NALYSIS OF R EAL -T IME D OMAIN S PECIFIC M ODELS WITH M AUDE 163 their corresponding interval and period, respectively. 7.4 Formal Analysis of Real-Time Domain Specific Models with Maude Once we encode the structural and time-dependant behavioral specifications of our DSML in Maude, what we get is a rewriting logic specification of the system. Since the rewriting logic specification produced in this way is executable, it can be used as a prototype of the real-time system, which allows us to simulate and formally analyze it. In Section 6.2 we showed how we can make use of Maude’s rewriting, search, and model checking facilities for untimed rewrite theories. However, in real-time systems it is often natural to relate rewriting, search, and model checking to the time elapsed in the system. Furthermore, time-bounded search and model checking is a reasonably natural way of restricting the possibly infinite number of reachable states in a system to the finite subset which is reachable within a given time. In this section we will show then how we can apply these mechanisms to make use of the tools already presented in Section 6.2 with timed rewrite theories. 7.4.1 Initial Considerations Real-Time Maude (see Section 2.2.3) extends Maude’s rewriting, search, and model checking facilities to perform analysis and simulation over real-time systems. Real-Time Maude is designed to take maximum advantage of the high performance of the Maude engine. Most Real-Time Maude analysis commands are therefore executed by first transforming the current timed module into a Maude module, followed by the execution of a corresponding Maude command [91]. In fact, a large majority of Real-Time Maude commands can be executed directly using the Maude engine. Only a few of them are only available for Real-Time Maude, such as the find latest and find earliest commmands [89]. Since in this thesis we encode e-Motions rules directly into (Core) Maude, we will make use of the (Core) Maude commands that represent the corresponding equivalent Real-Time Maude commands, following the directions given in [91]. The execution of a specific Real-Time Maude command in (Core) Maude, as well as the tick mode selected by the user, will affect the rewrite rule that we define to model time elapse. In Sections 7.3.1 and 7.3.7 we presented the default rule that models time elapse. This rule 164 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S follows the maximal time sampling strategy (see Section 2.2.3), i.e., with this rule time will advance deterministically by the maximum time elapse of the system. c r l [ tick ] : {MODEL} in time T => {delta ( MODEL , TE ) } in time ( T plus TE ) i f TE : = mte ( MODEL ) / \ TE =/= zero . However, other tick modes can also be considered. For instance, our e-Motions tool also supports the default tick mode. This tick mode is applied when the user specify a default time elapse for a specific simulation. If the user selects a default time value of, for instance, 2 time units, the rewrite rule that models time elapse will be defined as follows: c r l [ tick ] : {MODEL} in time T => {delta ( MODEL , TE ) } in time ( T plus TE ) i f TE : = minT ( mte ( MODEL ) , toRat ( 2 ) ) / \ TE =/= zero . where the minT operation computes the minimum of two time values. Note that in this case, time is advanced by the smallest value of the maximum time elapse of the system and the default time elapse value specified by the user.7 The user has to consider that all rewriting will be performed according to the chosen time sampling strategy, which of course impacts search and model checking [91]. Together with the tick mode selected by the user, the execution of a specific Real-Time Maude command in (Core) Maude usually places additional constraints to the tick rule. For instance, the tick rule should not tick the time beyond the time bound specified for any command. These additional constrains will be usually encoded as further rule conditions. For instance, if we specify a time bound of 100 time units, the tick rule will be described as follows (this rule consider maximal tick mode): c r l [ tick ] : {MODEL} in time T => {delta ( MODEL , TE ) } in time ( T plus TE ) i f TE : = mte ( MODEL ) / \ TE =/= zero / \ ( T plus TE ) le toRat ( 1 0 0 ) . where the le operation checks whether the first argument is less or equal than the second one. 7 The toRat operation invocation is not needed in this case, but it is automatically included by our tool to cover the case on which the user considers dense time and specifies a float number as the default time elapse value. 7.4. F ORMAL A NALYSIS OF R EAL -T IME D OMAIN S PECIFIC M ODELS WITH M AUDE 165 In the next subsections, we will present several applications of (Core) Maude’s simulation and analysis commands. In most of these applications we will consider the maximal tick mode (otherwise it will be clearly stated), and we will refer explicitly to the additional constraints imposed on the tick rule by the corresponding Real Time Maude command. Note that these constraints, together with the tick rule, will be automatically generated by the e-Motions tool (see Section 7.5). For simulation purposes, we will use the MPN and RTTP examples. For analysis purposes, we will only use the RTTP example.8 Regarding the RTTP example, we will consider all the rules described in Section 7.2.4. Regarding the MPN example, we will consider all the rules described in Section 7.2 but the RemoveOffPhones rule and a) battery consumption will be modeled by the BatteryConsumption ongoing rule (see Figure 7.10), and b) the SwitchOn atomic rule (see Figure 7.5) will be turned into a normal (non-soft) rule—we will make phones to be switched on as soon as possible. These considerations have been taken into account to ease the interpretation of the simulation results. Finally, since both examples have a rule to generate the initial configuration of the system, the initial model that we will specify in the application of simulation and analysis commands will be in both cases empty. op mpnModel : −> @Model . eq mpnModel = @MPNs@ { none } . op rttpModel : −> @Model . eq rttpModel = @rttp@ { none } . 7.4.2 Simulation Given a Maude specification as the one described in the previous sections, it can be executed by just successively applying equations and rewrite rules on an initial term. For this purpose, we can make use of Maude’s rewrite and frewrite as done with untimed specification. However, in real-time systems it is often more natural to measure and control the rewriting by the total duration of a computation than by the number of rewrites performed. In this section we will show how we can specify a time bound for a simulation. For instance, let us explore a possible execution for the MPN system in six time units. To specify this time bound, we have to add the following condition to the tick rule: (T plus 8 The MPN example is composed of a large number of rules. This issue, together with the high freedom that the system offers (calls do not have a specific duration, they can be performed to any phone at almost any moment of time, etc.), results in a high number of reachable states. 166 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S TE) le toRat(6). This condition will forbid time to elapse beyond six time units. Then, we use the rewrite command as follows: Maude> r e w r i t e init ( mpnModel ) . The init operation adds to the model the clock and counter objects used by our infrastructure (see Section 7.3), and the time stamp associated to each real-time state (see Section 2.2.3.1). op init : @Model −> ClockedSystem . eq init ( MM { OBJSET } ) = { MM { < ’ids@ : Counter | value : 0 > < ’rdm@ : Counter | value : 0 > < ’clk@ : Clock | time : zero > OBJSET } } in time zero . As a result of the rewriting, Maude provides the following term: { @MPNs@ { < ’0 : AtomicActionExec | participants : Set{ ’1 ; ’2 ; ’3 ; ’4 ; ’5 ; ’6 ; ’7} # variables : Set{mt} # startingTime : 0 # endingTime : 0 # action : "InitialModel" # maxTimer : 0 # minTimer : 0 # executionTime : 0 # status : realized > < ’1 : ObjectRole | actualObject : ’8 # role : "p1" > < ’2 : ObjectRole | actualObject : ’9 # role : "p2" > < ’3 : ObjectRole | actualObject : ’10 # role : "p3" > < ’4 : ObjectRole | actualObject : ’11 # role : "p4" > < ’5 : ObjectRole | actualObject : ’12 # role : "a1" > < ’6 : ObjectRole | actualObject : ’13 # role : "a2" > < ’7 : ObjectRole | actualObject : ’14 # role : "mpn" > < ’8 : Phone | dialedCalls : OrderedSet{mt−ord} # receivedCalls : OrderedSet{mt−ord} # contacts : OrderedSet{ ’10 # ’11 # ’9} # number : 111 # on : true # battery : 94 # coverage : 1 # bps : 1 # vx : 1 # vy : 0 # xPos : 11 # yPos : 45 > < ’9 : Phone | dialedCalls : OrderedSet{mt−ord} # receivedCalls : OrderedSet{mt−ord} # contacts : OrderedSet{ ’10 # ’11 # ’8} # number : 222 # on : true # battery : 44 # coverage : 1 # bps : 1 # vx : 0 # vy : −1 # xPos : 45 # yPos : 29 > < ’10 : Phone | dialedCalls : OrderedSet{mt−ord} # receivedCalls : OrderedSet{mt−ord} # contacts : OrderedSet{ ’11 # ’8 # ’9 } # number : 333 # on : true # battery : 94 # coverage : 1 # bps : 1 # vx : 0 # vy : 1 # xPos : 15 # yPos : 21 > < ’11 : Phone | dialedCalls : OrderedSet{mt−ord} # receivedCalls : OrderedSet{mt−ord} # contacts : OrderedSet{ ’10 # ’8 # ’9 } # number : 444 # on : true # battery : 44 # coverage : 2 # bps : 1 # vx : −1 # vy : 0 # xPos : 59 # yPos : 25 > < ’12 : Antenna | xPos : 25 # yPos : 35 > < ’13 : Antenna | xPos : 55 # yPos : 15 > < ’14 : MPN | els : OrderedSet{ ’10 # ’11 # ’12 # ’13 # ’8 # ’9} # xSize : 80 # ySize : 50 > < ’15 : AtomicActionExec | participants : Set{ ’16} # variables : Set{mt} # startingTime : 0 # endingTime : 5 # action : "SwitchOn" # maxTimer : 0 # minTimer : 0 # status : realized > < ’16 : ObjectRole | actualObject : ’10 # role : "p" > < ’17 : OngoingActionExec | participants : Set{ ’18 ; ’19} # variables : Set{mt} # startingTime : 0 # endingTime : 6 # action : "Moving" # maxTimer : null # 7.4. F ORMAL A NALYSIS OF R EAL -T IME D OMAIN S PECIFIC M ODELS WITH M AUDE 167 upperBoundTimer : null > < ’18 : ObjectRole | actualObject : ’10 # role : "p" > < ’19 : ObjectRole | actualObject : ’14 # role : "mpn" > < ’20 : AtomicActionExec | participants : Set{ ’21} # variables : Set{mt} # startingTime : 0 # endingTime : 5 # action : "SwitchOn" # maxTimer : 0 # minTimer : 0 # status : realized > < ’21 : ObjectRole | actualObject : ’11 # role : "p" > < ’22 : OngoingActionExec | participants : Set{ ’23 ; ’24} # variables : Set{mt} # startingTime : 0 # endingTime : 6 # action : "Moving" # maxTimer : null # upperBoundTimer : null > < ’23 : ObjectRole | actualObject : ’11 # role : "p" > < ’24 : ObjectRole | actualObject : ’14 # role : "mpn" > < ’25 : AtomicActionExec | participants : Set{ ’26} # variables : Set{mt} # startingTime : 0 # endingTime : 5 # action : "SwitchOn" # maxTimer : 0 # minTimer : 0 # status : realized > < ’26 : ObjectRole | actualObject : ’8 # role : "p" > < ’27 : OngoingActionExec | participants : Set{ ’28 ; ’29} # variables : Set{mt} # startingTime : 0 # endingTime : 6 # action : "Moving" # maxTimer : null # upperBoundTimer : null > < ’28 : ObjectRole | actualObject : ’8 # role : "p" > < ’29 : ObjectRole | actualObject : ’14 # role : "mpn" > < ’30 : AtomicActionExec | participants : Set{ ’31} # variables : Set{mt} # startingTime : 0 # endingTime : 5 # action : "SwitchOn" # maxTimer : 0 # minTimer : 0 # status : realized > < ’31 : ObjectRole | actualObject : ’9 # role : "p" > < ’32 : OngoingActionExec | participants : Set{ ’33 ; ’34} # variables : Set{mt} # startingTime : 0 # endingTime : 6 # action : "Moving" # maxTimer : null # upperBoundTimer : null > < ’33 : ObjectRole | actualObject : ’9 # role : "p" > < ’34 : ObjectRole | actualObject : ’14 # role : "mpn" > < ’35 : AtomicActionExec | participants : Set{ ’36 ; ’37} # variables : Set{mt} # startingTime : 5 # endingTime : 6 # action : "Coverage" # maxTimer : 0 # minTimer : 0 # status : realized > < ’36 : ObjectRole | actualObject : ’10 # role : "p" > < ’37 : ObjectRole | actualObject : ’12 # role : "a" > < ’38 : OngoingActionExec | participants : Set{ ’39} # variables : Set{mt} # startingTime : 5 # endingTime : 6 # action : "BatteryConsumption" # maxTimer : 95 # upperBoundTimer : null > < ’39 : ObjectRole | actualObject : ’10 # role : "p" > < ’43 : AtomicActionExec | participants : Set{ ’44 ; ’45} # variables : Set{mt} # startingTime : 5 # endingTime : 6 # action : "Coverage" # maxTimer : 0 # minTimer : 0 # status : realized > < ’44 : ObjectRole | actualObject : ’11 # role : "p" > < ’45 : ObjectRole | actualObject : ’13 # role : "a" > < ’46 : OngoingActionExec | participants : Set{ ’47} # variables : Set{mt} # startingTime : 5 # endingTime : 6 # action : "BatteryConsumption" # maxTimer : 45 # upperBoundTimer : null > < ’47 : ObjectRole | actualObject : ’11 # role : "p" > < ’51 : AtomicActionExec | participants : Set{ ’52 ; ’53} # variables : Set{mt} # startingTime : 5 # endingTime : 6 # action : "Coverage" # maxTimer : 0 # minTimer : 0 # status : realized > 168 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S < ’52 : ObjectRole | actualObject : ’8 # role : "p" > < ’53 : ObjectRole | actualObject : ’12 # role : "a" > < ’54 : OngoingActionExec | participants : Set{ ’55} # variables : Set{mt} # startingTime : 5 # endingTime : 6 # action : "BatteryConsumption" # maxTimer : 95 # upperBoundTimer : null > < ’55 : ObjectRole | actualObject : ’8 # role : "p" > < ’59 : AtomicActionExec | participants : Set{ ’60 ; ’61} # variables : Set{mt} # startingTime : 5 # endingTime : 6 # action : "Coverage" # maxTimer : 0 # minTimer : 0 # status : realized > < ’60 : ObjectRole | actualObject : ’9 # role : "p" > < ’61 : ObjectRole | actualObject : ’12 # role : "a" > < ’62 : OngoingActionExec | participants : Set{ ’63} # variables : Set{mt} # startingTime : 5 # endingTime : 6 # action : "BatteryConsumption" # maxTimer : 45 # upperBoundTimer : null > < ’63 : ObjectRole | actualObject : ’9 # role : "p" > < ’67 : AtomicActionExec | participants : Set{ ’68 ; ’69} # variables : Set{mt} # startingTime : 5 # endingTime : 6 # action : "Coverage" # maxTimer : 0 # minTimer : 0 # status : realized > < ’68 : ObjectRole | actualObject : ’9 # role : "p" > < ’69 : ObjectRole | actualObject : ’13 # role : "a" > < ’70 : OngoingActionExec | participants : Set{ ’71} # variables : Set{mt} # startingTime : 6 # endingTime : null # action : "BatteryConsumption" # maxTimer : freeze ( ’ 1 0 . battery / ’10 . bps ) # upperBoundTimer : null > < ’71 : ObjectRole | actualObject : ’10 # role : "p" > < ’72 : OngoingActionExec | participants : Set{ ’73 ; ’74} # variables : Set{mt} # startingTime : 6 # endingTime : null # action : "Moving" # maxTimer : freeze ( null ) # upperBoundTimer : null > < ’73 : ObjectRole | actualObject : ’10 # role : "p" > < ’74 : ObjectRole | actualObject : ’14 # role : "mpn" > < ’75 : OngoingActionExec | participants : Set{ ’76} # variables : Set{mt} # startingTime : 6 # endingTime : null # action : "BatteryConsumption" # maxTimer : freeze ( ’ 1 1 . battery / ’11 . bps ) # upperBoundTimer : null > < ’76 : ObjectRole | actualObject : ’11 # role : "p" > < ’77 : OngoingActionExec | participants : Set{ ’78 ; ’79} # variables : Set{mt} # startingTime : 6 # endingTime : null # action : "Moving" # maxTimer : freeze ( null ) # upperBoundTimer : null > < ’78 : ObjectRole | actualObject : ’11 # role : "p" > < ’79 : ObjectRole | actualObject : ’14 # role : "mpn" > < ’80 : AtomicActionExec | participants : Set{ ’81 ; ’82} # variables : Set{ ’83} # startingTime : 6 # endingTime : null # action : "Call" # maxTimer : 30 # minTimer : 20 # executionTime : 0 # status : unfinished > < ’81 : ObjectRole | actualObject : ’10 # role : "p1" > < ’82 : ObjectRole | actualObject : ’11 # role : "p2" > < ’83 : Variable | name : "initTime" # value : 6 > < ’84 : OngoingActionExec | participants : Set{ ’85} # variables : Set{mt} # startingTime : 6 # endingTime : null # action : "BatteryConsumption" # maxTimer : freeze ( ’ 8 . battery / ’8 . bps ) # upperBoundTimer : null > < ’85 : ObjectRole | actualObject : ’8 # role : "p" > < ’86 : OngoingActionExec | participants : Set{ ’87 ; ’88} # variables : Set{mt} # startingTime : 6 # endingTime : null # action : "Moving" # maxTimer : freeze ( null ) # upperBoundTimer : null > 7.4. F ORMAL A NALYSIS OF R EAL -T IME D OMAIN S PECIFIC M ODELS WITH M AUDE 169 < ’87 : ObjectRole | actualObject : ’8 # role : "p" > < ’88 : ObjectRole | actualObject : ’14 # role : "mpn" > < ’89 : OngoingActionExec | participants : Set{ ’90} # variables : Set{mt} # startingTime : 6 # endingTime : null # action : "BatteryConsumption" # maxTimer : freeze ( ’ 9 . battery / ’9 . bps ) # upperBoundTimer : null > < ’90 : ObjectRole | actualObject : ’9 # role : "p" > < ’91 : OngoingActionExec | participants : Set{ ’92 ; ’93} # variables : Set{mt} # startingTime : 6 # endingTime : null # action : "Moving" # maxTimer : freeze ( null ) # upperBoundTimer : null > < ’92 : ObjectRole | actualObject : ’9 # role : "p" > < ’93 : ObjectRole | actualObject : ’14 # role : "mpn" > < ’94 : AtomicActionExec | participants : Set{ ’95 ; ’96} # variables : Set{ ’97} # startingTime : 6 # endingTime : null # action : "Call" # maxTimer : 30 # minTimer : 20 # executionTime : 0 # status : unfinished > < ’95 : ObjectRole | actualObject : ’8 # role : "p1" > < ’96 : ObjectRole | actualObject : ’9 # role : "p2" > < ’97 : Variable | name : "initTime" # value : 6 > < ’clk@ : Clock | time : 6 > < ’ids@ : Counter | value : 98 > < ’rdm@ : Counter | value : 0 > }} in time 6 The resulting term includes the model objects of our MPN example (see objects whose identifiers go from ’8 to ’14) as well as the objects included by our e-Motions infrastructure (see the remaining objects). All performed ongoing and atomic actions are captured by their corresponding AtomicActionExec and OngoingActionExec objects, respectively. Actions that have been triggered but not finalized are also captured (see those atomic and ongoing action executions whose endingTime is set to null). We can see by having a look at the ’ids@ counter object that 98 objects have been created. However, not all of them will be found in the final result: ongoing action execution elements that represent consecutive executions of the same ongoing action with the same set of participants are combined (see Section 7.3.5.2). In six time units, all model objects have been created (by the InitialModel action), the four phones have been switched on, and their coverage and position have been updated. Furthermore, two calls have started (see atomic action executions ’80 and ’94) but not finished. More interesting is the result given by simulating the system for 100 time units. This result can be obtained following the same procedure: firstly, we add a condition to the tick rule ((T plus TE) le toRat(100)), and secondly, we use the rewrite command as follows: Maude> r e w r i t e init ( mpnModel ) . In this case, Maude provides the following result: { @MPNs@ { < ’8 : Phone | coverage : 0 # bps : 1 # vx : −1 # vy : 0 # xPos : 55 # yPos : 45 # dialedCalls : OrderedSet{ ’309 # ’536} # receivedCalls : OrderedSet{mt−ord} # 170 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S contacts : OrderedSet{ ’9 # ’11 # ’10} # number : 111 # on : false # battery : 0 > < ’9 : Phone | coverage : 2 # bps : 1 # vx : 0 # vy : −1 # xPos : 45 # yPos : 35 # dialedCalls : OrderedSet{mt−ord} # receivedCalls : OrderedSet{ ’310 # ’537} # contacts : OrderedSet{ ’10 # ’8 # ’11} # number : 222 # on : false # battery : 0 > < ’10 : Phone | coverage : 0 # bps : 1 # vx : 0 # vy : 1 # xPos : 15 # yPos : 15 # dialedCalls : OrderedSet{ ’296 # ’523 # ’561} # receivedCalls : OrderedSet{mt−ord} # contacts : OrderedSet{ ’8 # ’9 # ’11 } # number : 333 # on : false # battery : 0 > < ’11 : Phone | coverage : 2 # bps : 1 # vx : 1 # vy : 0 # xPos : 35 # yPos : 25 # dialedCalls : OrderedSet{mt−ord} # receivedCalls : OrderedSet{ ’297 # ’524 # ’562} # contacts : OrderedSet{ ’9 # ’8 # ’10 } # number : 444 # on : false # battery : 0 > < ’12 : Antenna | xPos : 25 # yPos : 35 > < ’13 : Antenna | xPos : 55 # yPos : 15 > < ’14 : MPN | els : OrderedSet{ ’10 # ’11 # ’12 # ’13 # ’8 # ’9} # xSize : 80 # ySize : 50 > < ’296 : CallRecord | contact : ’11 # startingTime : 6 # duration : 20 > < ’297 : CallRecord | contact : ’10 # startingTime : 6 # duration : 20 > < ’309 : CallRecord | contact : ’9 # startingTime : 6 # duration : 20 > < ’310 : CallRecord | contact : ’8 # startingTime : 6 # duration : 20 > < ’523 : CallRecord | contact : ’11 # startingTime : 26 # duration : 20 > < ’524 : CallRecord | contact : ’10 # startingTime : 26 # duration : 20 > < ’536 : CallRecord | contact : ’9 # startingTime : 26 # duration : 20 > < ’537 : CallRecord | contact : ’8 # startingTime : 26 # duration : 20 > < ’561 : CallRecord | contact : ’11 # startingTime : 46 # duration : 4 > < ’562 : CallRecord | contact : ’10 # startingTime : 46 # duration : 4 > ... }} in time 100 We only show the model objects of our MPN example for readability reasons. In 100 time units, all phones are off (they all have run out from battery), phone ’8 has performed two calls to phone ’9, and phone ’10 has performed three calls to phone ’11. All calls have had a duration of twenty time units except the last one, which was performed from phone ’10 to phone ’11 after 46 time units of simulation, and had a duration of four time units. Since phone ’11 had only 50 battery units when it was created, we can see that the call has been interrupted by the BatteryOffCallee rule, i.e., the callee ran out out battery after four time units participating in the call. Let us now explore a possible execution for the RTTP system in 500 time units. Again, we add the corresponding tick rule condition (in this case (T plus TE) le toRat(500)), and we use the rewrite command as follows: Maude> r e w r i t e init ( rttpModel ) . The result of the simulation is the following Maude term: { @rttp@ { < ’6 : Node | receivedMessages : Sequence{ ’21 # ’45 # ’69 # ’93 # ’117} # localClock : ’8 # neighbors : Set{ ’7} > < ’7 : Node | receivedMessages : Sequence{mt−ord} # localClock : ’9 # 7.4. F ORMAL A NALYSIS OF R EAL -T IME D OMAIN S PECIFIC M ODELS WITH M AUDE 171 neighbors : Set{mt} > < ’8 : Clock | time : 500 > < ’9 : Clock | time : 500 > < ’10 : Network | nodes : Set{ ’6 ; ’7} > < ’21 : Message | initiator : ’6 # responder : ’7 # requestTime : 0 # rtt : 40 > < ’45 : Message | initiator : ’6 # responder : ’7 # requestTime : 100 # rtt : 40 > < ’69 : Message | initiator : ’6 # responder : ’7 # requestTime : 200 # rtt : 40 > < ’93 : Message | initiator : ’6 # responder : ’7 # requestTime : 300 # rtt : 40 > < ’117 : Message | initiator : ’6 # responder : ’7 # requestTime : 400 # rtt : 40 > ... }} in time 500 As expected, we can see that five rounds of the protocol has been successfully realized. Node ’6 has been the initiator, while node ’7 has been the responder (they correspond to the n1 and n2 nodes depicted in Figure 7.24, respectively). In this case, all the RTT values are of 40 time units. Recall that classes, attributes and references are qualified with their containers’ names (although not shown here for readability reasons), and therefore clocks defined for the RTTP example (of class Clock@rttp) will not be confused with the clock instance provided by our infrastructure (of class Clock@MGBehavior). Finally, we can also simulate a system with no time limit by simply not adding a time bound constraint to the the tick rule. In both of our examples, this will result in a non terminating execution. The reason is that we have a periodic action without a defined time upper bound: the Coverage (in the MPN system) and the Request (in the RTTP system) rules will be tried to be triggered every 5 and 100 time units, respectively. If we do not want to add a time bound for the simulation, we can define a time upper bound for these periodic rules, or we can specify an upper bound for the number of rule applications in the rewrite or frewrite commands as we have done for untimed specifications. 7.4.2.1 Querying the Result of a Simulation As previously mentioned, the result of a simulation includes the model objects of the DSML, and the objects included by our e-Motions infrastructure, such as the objects that represent the performed actions. This result gives us a lot of useful information about the simulation, which can be further analyzed to reason about the behavior of the system. However, the way in which this information is presented (as a term of sort @Model) makes it hard for users to analyze it. To mitigate this, our infrastructure provides then several operations to query the result of a simulation, and to present it in a more readable way. The complete list of these operations can be found in Appendix D. For instance, the finalizedActions operation returns information on the actions that 172 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S have been triggered and finalized (either realized, interrupted, or aborted); the currentActions operation returns information on the actions that have been triggered but not finalized. Assuming that we have stored the result of the simulation of the MPN system in six time units in a Maude constant named resultMPNIn6, the result of the command: Maude> r e d u c e currentActions ( resultMPNIn6 ) . is the following: ( "BatteryConsumption" started at 6 with ’ 1 0 ) ( "Moving" started at 6 with ( ’ 1 0 ; ’14) ) ( "BatteryConsumption" started at 6 with ’ 1 1 ) ( "Moving" started at 6 with ( ’ 1 1 ; ( "Call" started at 6 with ( ’ 1 0 ; ’14) ) ’11) ) ( "BatteryConsumption" started at 6 with ’ 8 ) ( "Moving" started at 6 with ( ’ 1 4 ; ’8) ) ( "BatteryConsumption" started at 6 with ’ 9 ) ( "Moving" started at 6 with ( ’ 1 4 ; ( "Call" started at 6 with ( ’ 8 ; ’9) ) ’9) ) The result is a list of elements composed of the name of the action, the time at which the action was triggered, and the set of the identifiers of the participant elements. In a similar way, if we type: Maude> r e d u c e finalizedActions ( resultMPNIn6 ) . we obtain a list with the finalized actions of the system: ( "InitialModel" performed in [ 0 , 0 ] with ( ’ 1 0 ; ’11 ; ’12 ; ’13 ; ’14 ; ’8 ; ’9) ) ( "SwitchOn" performed in [ 0 , 5 ] with ’ 1 0 ) ( "Moving" performed in [ 0 , 6 ] with ( ’ 1 0 ; ’14) ) ( "SwitchOn" performed in [ 0 , 5 ] with ’ 1 1 ) ( "Moving" performed in [ 0 , 6 ] with ( ’ 1 1 ; ’14) ) ( "SwitchOn" performed in [ 0 , 5 ] with ’ 8 ) ( "Moving" performed in [ 0 , 6 ] with ( ’ 1 4 ; ’8) ) ( "SwitchOn" performed in [ 0 , 5 ] with ’ 9 ) ( "Moving" performed in [ 0 , 6 ] with ( ’ 1 4 ; ’9) ) ( "Coverage" performed in [ 5 , 6 ] with ( ’ 1 0 ; ’12) ) ( "BatteryConsumption" performed in [ 5 , 6 ] with ’ 1 0 ) ( "Coverage" performed in [ 5 , 6 ] with ( ’ 1 1 ; ’13) ) ( "BatteryConsumption" performed in [ 5 , 6 ] with ’ 1 1 ) ( "Coverage" performed in [ 5 , 6 ] with ( ’ 1 2 ; ’8) ) ( "BatteryConsumption" performed in [ 5 , 6 ] with ’ 8 ) ( "Coverage" performed in [ 5 , 6 ] with ( ’ 1 2 ; ’9) ) ( "BatteryConsumption" performed in [ 5 , 6 ] with ’ 9 ) ( "Coverage" performed in [ 5 , 6 ] with ( ’ 1 3 ; ’9) ) The elements of this list also include the time at which the action was finalized. By carefully observing this list, we realize that the Coverage rule has been applied for phone ’9 (whose number is 222) twice at the same moment of time 5. The reason is that after five time units the 7.4. F ORMAL A NALYSIS OF R EAL -T IME D OMAIN S PECIFIC M ODELS WITH M AUDE 173 phone is at the same Manhattan distance from both antennas, and therefore the rule is applied once per each antenna. Notice that this behavior is perfectly valid. However, if we would want to avoid this kind of situations, we could, e.g., include another NAC pattern in the Coverage rule that forbids (by means of an action execution element) the application of the rule it is already being applied to the same phone p. 7.4.3 Reachability Analysis The Maude search command allows us to explore (following a breadth-first strategy) the reachable state space in different ways. In Section 6.2.2, we showed how this command may be parameterized by an upper bound on the number of solutions to look for. We also showed how it can be bounded by a maximum number of rule applications. In this section, we will show how the search command can be used to look for states which are reachable in a certain time interval (starting from the initial state). As a first example, let us check that the local clocks of the RTTP example are always synchronized. Since we know that the Request periodic rule will be tried to be triggered every 100 time units (i.e., the number of states reachable from the initial state is infinite), we want to bound the search to 500 time units. Following the same procedure applied in the previous subsection, we will add the following condition to the tick rule: (T plus TE) le toRat(500). Then, we will look for a state that does not satisfy the invariant, i.e., we will look for a state on which two clocks have a different time value. If no solution is found, we are guaranteed that (starting from the initial model) clocks will always be synchronized. Given variables O1 and O2 of sort Oid, CT1 and CT2 of sort Int, OBJSET of sort Set{@Object}, and T of sort Time, we can look for the undesired state by issuing the following command: Maude> s e a r c h init ( rttpModel ) =>∗ { @rttp@ { < O1 : Clock | time : CT1 > < O2 : Clock | time : CT2 > OBJSET }} in time T such that CT1 =/= CT2 . No solution . As expected, no solution is found. A search can also be bounded with a lower bound limit, i.e., we can look for states that are reachable in a certain time interval. For instance, we may be interested in knowing whether the RTT value of any message may exceed 40 time units in the second round, i.e., between 100 and 199 time units. To specify the upper time bound, we add the condition (T plus TE) le 174 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S toRat(199) to the tick rule. To specify the lower time bound, we will include an additional condition to the search command. Given variables O of sort Oid, RTT of sort Int, OBJSET of sort Set{@Object}, SFS of sort Set{@StructuralFeatureInstance}, and T of sort Time, we can look for the mentioned state as follows: Maude> s e a r c h [ 1 ] init ( rttpModel ) =>∗ { @rttp@ { < O : Message | rtt : RTT # SFS > OBJSET }} in time T such that ( RTT > 4 0 ) / \ ( 1 0 0 le T ) . No solution . Again, Maude does not find any solution. In fact, an RTT value, as defined by the behavioral rules, will always range from ten to forty time units. We can also check this new property, e.g., for the five first rounds, by adding the (T plus TE) le toRat(500) condition to the tick rule: Maude> s e a r c h [ 1 ] init ( rttpModel ) =>∗ { @rttp@ { < O : Message | rtt : RTT # SFS > OBJSET }} in time T such that ( RTT > 4 0 ) or ( RTT < 1 0 ) . No solution . 7.4.3.1 The Role of Tick Modes in the Analysis As we already mentioned, the user has to consider that all rewriting will be performed according to the chosen time sampling strategy (tick mode). There is in general no guarantee that all “interesting” behaviors are covered by a time sampling strategy, which of course impacts search and model checking [91]. To illustrate this issue, let us consider again the RTTP example, and let us search for a state in the first round of the protocol in which a message has a RTT of twenty time units. As modeled with our behavioral rules, the user could think that this state is reachable. To verify it, we add the (T plus TE) le toRat(99) condition to the tick rule, and we use the search command as follows: Maude> s e a r c h [ 1 ] init ( rttpModel ) =>∗ { @rttp@ { < O : Message | rtt : RTT # SFS > OBJSET }} in time T such that RTT == 20 . No solution . 7.4. F ORMAL A NALYSIS OF R EAL -T IME D OMAIN S PECIFIC M ODELS WITH M AUDE 175 Maude does not find any solution. In fact, if we have a look at the result of the simulation performed in Section 7.4.2, we see that every message has an RTT of 40 time units. If we try to look for a state that contains a message with an RTT different from 40, we do not find any solution again. Maude> s e a r c h [ 1 ] init ( rttpModel ) =>∗ { @rttp@ { < O : Message | rtt : RTT # SFS > OBJSET }} in time T such that RTT =/= 40 . No solution . The reason is that we are using the maximal tick mode when performing the analysis. With this tick mode, time will advance by the maximum time elapse of the system, which is computed by the mte operation. Since both Request and Response rules have a maximal duration of 20 time units, and no other event will cause that time advances using a different granularity, the result of the mte function will always make these actions to consume its maximal duration. If we want time to elapse with a smaller granularity we can, e.g., use the default tick mode to specify a default time elapse. With the default tick mode, time will advance by the smallest value of the maximum time elapse of the system and the specified default value. For instance, if we specify a value of five time units, we ensure that time will advance five time units at most. Let us we perform the same analysis again but taking into account this default tick mode, which will be dictated by the following tick rule in our analysis: c r l [ tick ] : {MODEL} in time T => {delta ( MODEL , TE ) } in time ( T plus TE ) i f TE : = minT ( mte ( MODEL ) , toRat ( 5 ) ) / \ ( T plus TE ) le toRat ( 9 9 ) / \ TE =/= zero . Now, we obtain the following result: Solution 1 ( state 2 0 8 3 ) OBJSET −−> < ’0 : AtomicActionExec | participants : Set{ ’1 ; ’2 ; ’3 ; ’4 ; ’5} # variables : Set{mt} # startingTime : 0 # endingTime : 0 # action : "InitialModel" # maxTimer : 0 # minTimer : 0 # executionTime : 0 # status : realized > < ’1 : ObjectRole | actualObject : ’6 # role : "n1" > < ’2 : ObjectRole | actualObject : ’7 # role : "n2" > < ’3 : ObjectRole | actualObject : ’8 # role : "c1" > < ’4 : ObjectRole | actualObject : ’9 # role : "c2" > < ’5 : ObjectRole | actualObject : ’10 # role : "net" > < ’6 : Nodep | receivedMessages : Sequence{ ’21} # localClock : ’8 # neighbors : Set{ ’7} > < ’7 : Node | receivedMessages : Sequence{mt−ord} # localClock : ’9 # 176 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S neighbors : Set{mt} > < ’8 : Clock | time : 20 > < ’9 : Clock | time : 20 > < ’10 : Network@rttp | nodes@Network@rttp : Set{ ’6 ; ’7} > < ’11 : AtomicActionExec | participants : Set{ ’12 ; ’13 ; ’14 ; ’20} # variables : Set{ ’15} # startingTime : 0 # endingTime : 5 # action : "Request" # maxTimer : 15 # minTimer : 0 # status : realized > < ’12 : ObjectRole | actualObject : ’6 # role : "n1" > < ’13 : ObjectRole | actualObject : ’7 # role : "n2" > < ’14 : ObjectRole | actualObject : ’8 # role : "c" > < ’15 : Variable | name : "initTime" # value : 0 > < ’16 : OngoingActionExec | participants : Set{ ’17} # variables : Set{mt} # startingTime : 0 # endingTime : 20 # action : "LocalTimeElapse" # maxTimer : null # upperBoundTimer : null > < ’17 : ObjectRole | actualObject : ’8 # role : "c" > < ’18 : OngoingActionExec | participants : Set{ ’19} # variables : Set{mt} # startingTime : 0 # endingTime : 20 # action : "LocalTimeElapse" # maxTimer : null # upperBoundTimer : null > < ’19 : ObjectRole | actualObject : ’9 # role : "c" > < ’20 : ObjectRole | actualObject : ’21 # role : "m" > < ’22 : AtomicActionExec | participants : Set{ ’23 ; ’24 ; ’25 ; ’26} # variables : Set{mt} # startingTime : 5 # endingTime : 20 # action : "Response" # maxTimer : 5 # minTimer : 0 # status : realized > < ’23 : ObjectRole | actualObject : ’6 # role : "n1" > < ’24 : ObjectRole | actualObject : ’7 # role : "n2" > < ’25 : ObjectRole | actualObject : ’8 # role : "c" > < ’26 : ObjectRole | actualObject : ’21 # role : "m" > < ’clk@ : Clock | time : 20 > < ’ids@ : Counter | value : 39 > < ’rdm@ : Counter | value : 0 > O −−> ’21 SFS −−> initiator : ’6 # responder : ’7 # requestTime : 0 RTT −−> 20 T −−> 20 As expected, now Maude does find a solution. Note that we searched for only one solution. Without this restriction all possible solutions given the specified tick size would have been shown. In summary, by changing the tick mode, we can cover different “interesting” behaviors. In particular, making time to elapse using a smaller granularity, we ensure that more behaviors may be covered, although of course at the expense of a greater memory and time usage. For discrete domains, we can select one time unit as the default time elapse value to cover all the possible behaviors. For dense time domains, if the search command does not find any solution, we cannot conclude that a state satisfying the search pattern is not reachable. In these cases, the search command analyzes all behaviors up to the given strategy for advancing time, and we could only say that such a state is not reachable taking into account only the behaviors that 7.4. F ORMAL A NALYSIS OF R EAL -T IME D OMAIN S PECIFIC M ODELS WITH M AUDE 177 the selected tick mode covers. On the other hand, if a counterexample is found, it is always a real counterexample. The same applies to model checking analysis. The interested reader is referred to [90] for general criteria ensuring that maximal time sampling analyses are indeed complete. In these cases, the completeness results shown in this work justify using the maximal time sampling strategy instead of exhaustively visiting each time instant. 7.4.3.2 Reasoning about Action Executions Another interesting property of our approach is that we can reason not only about system states but also about action executions. Note that a same system state may usually be reached by performing different sequences of actions, and checking only system states will not always give us information about the performed actions. With our approach, we can look for, e.g., undesirable action occurrences, actions that has been interrupted or aborted, or invalid sequences of action executions. For example, let us show how the search command can be used to look for actions that have been aborted. In this case, we are going to look for a state in the first two rounds of the protocol on which a Request action has been aborted. We add the (T plus TE) le toRat(199) condition to the tick rule, and we use the search command as follows: Maude> s e a r c h [ 1 ] init ( rttpModel ) =>∗ { @rttp@ { < O : AtomicActionExec | action : "Request" # status : aborted # SFS > OBJSET }} in time T . Maude does not find any solution. In fact, an action is aborted when one of its participants is removed from the system, and there is no rule in the system that may lead to this situation. Our approach also allow us to look for, e.g., specific sequences of actions. For instance, we can be interested in knowing whether a responder always retransmits a message at the same moment of time at which it receives it. Given variables T, T1 and T2 of sort Time, O, O1, O2, OR1 and OR2 of sort Oid, OBJSET of sort Set{@Object}, SFS1 and SFS2 of sort Set{@StructuralFeatureInstance}, and ORS1 and ORS2 of sort MSet{OCL-Exp}, we can look for a counterexample by using the search command as follows: Maude> s e a r c h [ 1 ] init ( rttpEmptyModel ) =>∗ { @rttp@ { < O1 : AtomicActionExec | action : "Request" # participants : Set{OR1 ; ORS1} # endingTime : T1 # SFS1 > < OR1 : ObjectRole | actualObject : O # role : "m" > < O2 : AtomicActionExec | action : "Response" # participants : Set{OR2 ; ORS2} # startingTime : T2 # SFS2 > < OR2 : ObjectRole | actualObject : O # role : "m" > OBJSET }} in time T such that T1 =/= T2 . 178 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S Maude does not find any solution. Note that we are looking for a state on which a Request and a Response action executions are applied over the same message O but they are not consecutive, i.e., the ending time of the Request action execution do not coincide with the starting time of the Response action execution. Since the maximal tick mode does not cover all possible behaviors, the fact that no state is found starting from our initial model does not allow us to extract any final conclusion on the property we are tying to verify. However, if we perform the same analysis but using the default tick mode to specify a default time elapse of one time units, we obtain the same result, and therefore we can conclude that (starting from our initial model) a responder always retransmits a message at the same moment of time at which it receives it. 7.4.4 LTL Model Checking Maude offers a linear temporal logic explicit-state model checker [42, 59], which allows us to check whether every possible behavior starting from a given initial model satisfies a given temporal logic property. As we mentioned in Section 6.2.3, Maude’s model checker can be used to prove safety and liveness properties of rewriting systems when the set of states reachable from an initial state is finite. In this section we will show how adding a time bound to consider only behaviors up to the bound provides us a way to restrict a potentially infinite set of reachable states to a finite set which can then be model checked. In [91], the authors describe the changes that must be performed to a timed module to make the specifications susceptible to model checking. Considering the encoding presented in Section 7.3, these modifications only affect the tick rule, but it differs from the modifications shown in previous sections. In this case, we need to add a self-loop for each state which could tick beyond the time bound in one step. Assuming that we want to consider a time bound of 500 time units, the corresponding tick rule will be modeled as follows: c r l [ tick ] : {MODEL} in time T => i f ( ( T plus TE ) le toRat ( 5 0 0 ) ) then {delta ( MODEL , TE ) } in time ( T plus TE ) else {MODEL} in time T fi i f TE : = mte ( MODEL ) / \ TE =/= zero . Note that in this tick rule we have considered the maximal tick mode. Of course, the default tick mode could be considered instead by modifying the value assigned to TE (as shown previously). Once we have the appropriate rewrite system on which we can perform model checking, 7.4. F ORMAL A NALYSIS OF R EAL -T IME D OMAIN S PECIFIC M ODELS WITH M AUDE 179 we are ready to define the predicates that will be involved in the specification of safety and liveness properties (see Section 6.2.3). In our example, we define three predicates: requested, responded and stored. They refer, respectively, to whether a message has been sent (the request), retransmitted (the response), or it is currently stored. Note that the first two predicates refer to performed actions, i.e., they refer to whether a message has been a participant of a realized Request or Response action execution, respectively. v a r s O O ’ OR : Oid . v a r s SFS SFS ’ : Set{@StructuralFeatureInstance} . var OBJSET : Set{@Object} . var L L ’ : List{OCL−Exp} . var S : MSet{OCL−Exp} . var T : Time . ops stored requested responded : Oid −> Prop . eq { @rttp@ { < O : Node | receivedMessages : Sequence{ L # O ’ # L ’ } # SFS > < O ’ : Message | SFS ’ > OBJSET } } in time T | = stored ( O ’ ) = true . eq { @rttp@ { < O : AtomicActionExec | action : "Request" # status : realized # participants : Set{OR ; S} # SFS > < OR : ObjectRole | actualObject : O ’ # role : "m" > < O ’ : Message | SFS ’ > OBJSET } } in time T | = requested ( O ’ ) = true . eq { @rttp@ { < O : AtomicActionExec | action : "Response" # status : realized # participants : Set{OR ; S} # SFS > < OR : ObjectRole | actualObject : O ’ # role : "m" > < O ’ : Message | SFS ’ > OBJSET } } in time T | = responded ( O ’ ) = true . We have only specified for what ClockedSystem patterns the given state predicates evaluate to true, since the remaining case is already included in our Maude infrastructure. var CS : ClockedSystem . var PROP : Prop . eq CS | = PROP = false [ owise ] . After defining these predicates, we are ready to model check different LTL properties. Making use of the henceforth LTL connective ([]), we can model check, for instance, that once a message (say ’21) is stored, it will not be removed (i.e., it will remain stored), as follows: Maude> r e d u c e modelCheck ( init ( rttpModel ) , [ ] ( stored ( ’ 2 1 ) −> [ ] stored ( ’ 2 1 ) ) ) . r e s u l t Bool : true 180 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S Or, if we make use of the eventually LTL connective (<>) too, we can model check, for example, that a message that is sent as a request, it will be retransmitted (as a response) at any time: Maude> r e d u c e modelCheck ( init ( rttpModel ) , [ ] ( requested ( ’ 2 1 ) −> <> responded ( ’ 2 1 ) ) ) . r e s u l t Bool : true 7.5 The e-Motions Tool The e-Motions tool [99, 100, 107] is a language and a graphical framework developed for Eclipse that supports the specification, simulation, and formal analysis of real-time systems. The dynamic behavior of a DSML is specified by means of graphical in-place model transformation. In particular, the tool supports the two extensions presented in this chapter: the model of time and the mechanism to state action properties. There are two models involved in the definition of the behavior of a DSML: a graphical concrete syntax (gcs) model and a behavior model. The gcs model defines the graphical appearance of the concepts of the DSML’s metamodel, and the behavior model makes use of it to define the behavioral rules of the system. The gcs model is automatically generated from the definition of our DSML’s metamodel. Once created, we only have to assign a picture to each metaclass of our metamodel. Objects whose metaclasses do not have assigned any picture will be drawn as yellow rectangles (the default shape). Figure 7.25 shows the gcs model we have defined for the MPN example. Figure 7.25: A gcs model for the MPN example. Gcs models conforms to the GCS metamodel, which is depicted in Figure 7.26. The root of gcs models is a MetamodelGD (metamodel graphical definition) element. Then, it contains as many PackageGD and ClassGD elements as EPackage and EClass elements belong to the DSML’s metamodel. Each PackageGD and ClassGD element will refer to the corresponding 7.5. T HE e-Motions T OOL 181 EPackage and EClass element for which they are defining its graphical appearance. The user has only to set the figurePath attribute of the ClassGD elements, which refers to the path of the picture that we want to assign to the corresponding class. Figure 7.26: The GCS metamodel. The behavior model uses the gcs model to graphically represent the behavioral rules of our DSML. A behavior model is associated with two editors: the behavior editor, and the rule editor. The behavior editor is used to define the set of rules and helpers that constitute the behavior of the DSML. The rule editor is used to define the components of a specific rule: its variables, its patterns, the elements contained in the patterns, etc. Figure 7.27 shows the two editors for the MPN example. Once we have defined the behavioral specifications of our DSML, we can perform simulation and analysis over our DSML models. The e-Motions tool automatically generates the Maude specifications of the DSML’s metamodel, DSML’s behavior, and an initial model, following the Maude encoding presented in this thesis. Currently, simulation can be performed directly in the Eclipse platform without being aware of Maude at all. However, in order to perform reachability and model checking analysis we need to move to the Maude environment (which is also available for the Eclipse platform [5]). Figure 7.28 shows the simulation window of the e-Motions tool. To perform a simulation, we have to select the structural and behavioral specifications of our DSML (i.e., the DSMLs’ metamodel and behavior model), and the file where we want the resulting EMF model to be stored. Additionally, we may specify a default time elapse, a time bound for the simulation, and an initial model for it. The resulting model will conform to the DSML’s metamodel, i.e., 182 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S Figure 7.27: The behavior and rule editors of the e-Motions tool. Figure 7.28: The simulation window of the e-Motions tool. it will only contain DSML model objects (all the objects generated by our infrastructure in the process of the simulation will be ignored). If the default time elapse is left undefined, the maximal tick mode will be considered; otherwise, the default tick mode will be applied. In case we do not specify an initial model, the tool will consider an empty model (note that we can create a model by means of a rule, see Section 7.2.3). The e-Motions tool as well as its documentation and several examples defined with it can be downloaded from our website [2]. 7.6. R ELATED W ORK 183 7.6 Related Work As we mentioned in Section 6.5, there are several approaches that propose in-place model transformation to deal with the behavior of DSMLs, from textual to graphical. However, none of them includes a quantitative model of time. When time is needed, it is usually modeled in an intrusive way, by adding clocks or timers to the DSML’s metamodel. This is, for example, the approach followed in [64], where graph transformation systems are provided with a model of time by representing logical clocks as a special kind of node attributes. These clocks are handled in the same way as common objects, which forces designers to modify the DSML’s metamodel to include time aspects. Furthermore, this does not constrain designers from unwillingly defining time-inconsistent sequences of states. This work, based on Time Environment-Relationship (TER) nets [62] (an approach to modeling time in high-level Petri nets) does not extend the base formalism but specializes it (as its predecessor), and enables the incorporation of the theoretical results of graph transformation. The verification of the system time-consistency is achieved by introducing several semantic choices and a global monotonicity theorem, which provides conditions for the existence of time ordered transformation sequences. Syriani and Vangheluwe propose in [118] to complement graph grammar rules with the Discrete EVent system Specification (DEVS) formalism to model time-dependent behavior. In particular, they embed graphs in DEVS events and individual transformation rules in DEVS blocks. This embedding allows users to describe how many time units are consumed to execute a rule. Other time properties such as periodicity or a non-deterministic duration of a rule are not considered. The approach requires specialized knowledge and expertise on the DEVS formalism, and does not provide analysis capabilities: system evaluation is accomplished through simulation. Boronat and Ölveczky have recently proposed in [26] a collection of built-in timed constructs for defining the timed behavior of model-based systems that are specified with in-place model transformations. These timed constructs are basically clocks and timers, and can be added to the DSML’s metamodel itself, or separately defined in another metamodel (in a nonintrusive way). In-place model transformations are formalized into (a simplified version of) Real-Time Maude, where the behavioral semantics of these timed constructs is predefined. The model of time they use can be considered as a straightforward translation from the RealTime Maude model of time: opposite to our approach, in which in-place rules are extended with time-related constructs and then transparently encoded in Real-Time Maude with timer 184 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S objects, they propose handling these timers directly in the model transformation. They provide tool support by means of the MOMENT [5, 24] tool, where in-place model transformation are specified textually. As the authors point out, the current MOMENT implementation only allows untimed analysis, although Real Time-Maude-style time-bounded analysis could be achieved by manually modeling a timer for that purpose. Finally, note that our approach subsumes the definition of their timed constructs by simply defining ongoing rules that model the corresponding behavior of the clocks and timers (by increasing and decreasing their values, respectively). Lara and Vangheluwe has also very recently proposed in [50] a model of time for graph transformation. Using the analogy of their base formalism, Time Petri Nets (TPNs, [82]), they provide graph transformation rules with a time interval. Similarly to our approach, this time interval represents the minimum and the maximum amount of time that the action may take. However, there are two main differences with respect to the time interval that we propose for atomic actions: a) their time interval is static, i.e., the duration of the rule cannot depend, for instance, on properties of the matched objects, and b) an occurrence of a rule (a match) must be continuously maintained in order for the rule to be finally applied, i.e., LHS and NAC patterns act as an “invariant” of the rule instead of as a precondition. In a previous work [107], we gave LHS and NAC patterns the same semantics. Rules that were triggered but which LHS or NAC patterns were not satisfied at some moment of time during its execution were canceled by the system. This resulted in many unexpected rule abortions when the user simulate him/her system. For instance, a phone needs coverage to perform a call, but if it runs out of coverage in the middle of a conversation, the call has not to be necessary aborted immediately (the phone may not receive voice signal for a while, but the communication can be recovered). In the work presented in this thesis, LHS and NAC patterns act as a precondition, and the user can explicitly model any abnormal situation (exception) by using action executions. Furthermore, we also provide another type of timed rules to model ongoing actions. Their approach also supports on-the-fly model-checking of reachability properties by encoding the DSML specifications into TPNs. This encoding is not performed automatically: the user has to select which elements may be encoded as places and which elements may be encoded as tokens. None of the mentioned extensions for in-place model transformation provides a mechanism to state action properties, i.e., to refer to and reason about actions as first class citizens. Further works make use of an MDE methodology different from in-place model transformation for modeling real-time systems, such as Real-Time Fujaba, MARTE or AADL. RealTime Fujaba [31, 32] aims at supporting the model-driven development of correct software for 7.6. R ELATED W ORK 185 safety-critical, networked, real-time systems. The tool supports the modeling of the system structure by means of UML component diagrams, and the modeling of real-time behavior by means of real-time extended UML state machines. These state machines extensions comprise time invariants, clock resets associated with entry and exit methods, worst case execution times for the entry, do and exit methods, and a period for the do method. The resulting specifications may drive the system to time-inconsistent executions. To partially solve it, they provide (incomplete) algorithms to check the temporal consistency. A way to define incremental model checking has also been developed to complete this verification. The Architecture Analysis and Design Language (AADL) [1] is a textual and graphic language used to design the software and hardware architectures of embedded and real-time systems. The language is used to describe the structure of such systems as an assembly of software components that are mapped to an execution platform. It is based on the component-connector paradigm. Component descriptions are used to describe functional interfaces of components (e.g., data inputs and outputs, event inputs and outputs) and performance-related aspects (such as latency and error handling). Connection characteristics (i.e., asynchronous or synchronous) among software components have precise operational semantics and are enforced by the AADL modeling environment. MARTE [6] is an UML profile that adds capabilities to UML for model-driven development of real-time and embedded systems. The profile is structured around two concerns, one to model the features of real-time and embedded systems, and the other to annotate application models so as to support analysis of system properties. MARTE focuses on performance and schedulability analysis, although it defines also a general framework for quantitative analysis which intends to refine/specialize any other kind of analysis. Just like with AADL, when analysis of non-functional requirements is required, we need to translate the model of a system into an external formalism that provides verification techniques. 186 C HAPTER 7. R EAL -T IME B EHAVIORAL S EMANTICS OF DSML S Chapter 8 Conclusions and Future Work 8.1 Conclusions This thesis tries to promote the definition of Domain Specific Modeling Languages (DSMLs) in a formal and precise way. We want the Model Driven Engineering (MDE) community to take a step forward and focus beyond purely structural aspects (i.e., models and metamodels). We want MDE to become a real engineering, where not only model browsers and editors are needed, but also model analyzers, simulators, matchmakers, quality evaluators, etc. This thesis tries, among other things, to bring closer two usually separated worlds: modeling and formal languages. In this thesis, we have shown how a DSML can be defined in terms of two views: structure and behavior. We have identified the elements that are involved in the definition of these views: abstract syntax, concrete syntax and semantics; and we have presented an approach that prevent the DSML designer from explicitly defining the semantics of the DSML (see Figure 8.1). Defining the structure and behavior as models separately from a semantic domain bring several advantages: • several DSMLs can be defined to specify the structure and behavior of a DSML in a graphical and intuitive way; • we can make use of the analysis tools provided by different semantic domains (if we properly define semantic bridges between the DSMLs used to represent the structure and behavior of a DSML and the semantic domains themselves); and • we do not need to be aware of the semantic domains, i.e., if the semantic bridges are defined in an proper way (by means of automatic model transformations), the DSML 187 188 C HAPTER 8. C ONCLUSIONS AND F UTURE W ORK designer do not need to have a deep knowledge on the target formalisms, but he/she can still use their analysis tools. Figure 8.1: Our approach to define DSMLs. To define the structural model of a DSML, we have selected the Ecore language, an implementation of the (meta-metamodel) MOF specification developed for the Eclipse platform. Eclipse is an open source community platform widely used in the MDE community due to the wide spectrum of (open) modeling tools that it provides, such as model transformation languages and tools for developing textual and graphical concrete syntaxes for DSMLs. To define the behavioral model of a DSML, we have developed our own DSML and tool (for the the Eclipse platform too), called e-Motions, that supports the specification, simulation, and formal analysis of real-time systems. The e-Motions tool extends in-place model transformation with a model of time and a mechanism to state action properties, easing the specification of real-time DSMLs’ behavior. In-place model transformation provides a quite intuitive way to represent the behavior of DSMLs (especially when it enables the use of the graphical concrete syntax of the language), allowing modelers to perceive themselves as working directly with domain concepts. The presented extensions were defined to cope with real-time and complex systems too, and they promote the separation of concerns between the structural and behavioral specifications: they avoid unnaturally modifying the DSML’s metamodel—which defines the structural concepts of a DSML—to include time and action properties—which are related to the behavior of the language—, as done by most of current approaches. 8.1. C ONCLUSIONS 189 Figure 8.2: General view of our approach. Then, as a proof of concept, we have selected a particular formalism, namely rewriting logic in Maude, and we have developed all the infrastructure necessary to use it as the target domain on which to provide DSMLs with semantics (see Figure 8.2), and perform model simulation and (reachability and model checking) analysis. In particular, we have developed semantic bridges between the Ecore and e-Motions languages and Maude by means of model transformations. These semantic bridges allow us to benefit from both platforms: an intuitive way to define the structure and behavior of DSMLs with the Eclipse tools, and a powerful mechanism to provide models with semantics and to simulate and analyze them with Maude. The developed infrastructure has also served to provide formal support for other paradigms, such as Feature-Oriented Software Development [78]. The use of Maude as a semantic domain brings several advantages. With Maude we can deal with complex structural and behavioral specifications (i.e., not limited to place/transition systems), and conduct reachability and model-checking analysis on the systems. In addition, Maude offers an integrated environment and a toolkit for conducting several different kinds of analysis [42, 43], such as the Church-Rosser checker [53], the coherence checker [54], the termination tool [52], etc., so we do not need to define several semantic mappings to different domains to perform each of these analyses. Furthermore, Maude has already been successfully used in software engineering tools and several applications (see, e.g., [80]); it is efficient enough to be of practical use, able to execute more than three million rewriting steps per second on standard PCs; it has already been integrated in the Eclipse platform; and it performs simplification of terms modulo equational theories such as associativity, commutativity and identity, which enables the specification of many model operations at a very high level of ab- 190 C HAPTER 8. C ONCLUSIONS AND F UTURE W ORK straction, and has allowed us to complete our tool with a relatively short development time when compared with approaches using conventional languages like Java or C++. The work presented in this thesis has given raise to the development of two tools, the Maudeling and e-Motions tools, and the integration of our approach with a third one, AToM3 . • Maudeling is a model management tool that allows users to perform model validation, subtyping and difference related operations on EMF models, i.e., on models defined in the Eclipse platform. Model management operations are computed in Maude in a completely transparent way to the user. The development of these tools involved, among other things, the definition of a metamodel, a parser and a serializer for Maude; model transformations from EMF models and metamodels to their corresponding Maude representation; and a model transformation from the resulting Maude models to their original notation in EMF. • e-Motions is a DSML and graphical framework developed for the Eclipse platform that supports the specification, simulation and analysis of real-time DSMLs. It enables the use of the concrete syntax of the DSML to define its corresponding time-dependant behavior, making this task quite intuitive. Contrary to other in-place model transformation approaches (especially graph transformation ones), the e-Motions tool supports attribute computations and ordered collections, which are specified by means of OCL expressions. OCL is fully supported thanks to the mOdCL tool [10]. The current version of the tool allows us to perform simulation over DSML models being completely unaware of its target semantic domain (Maude). However, to perform reachability and model checking we still need to move to the Maude environment. The development of this tools has also involved (together with the infrastructure already mentioned for the Maudeling tool) the definition of a model transformation from OCL to the mOdCL tool, the definition of a model transformation from the e-Motions language to its corresponding Maude encoding, and the integration of the tool with the Maude’s simulation facilities. • AToM3 is a tool for multi-paradigm modeling based on graph grammars. With AToM3 , we can specify the behavior of our DSML by means of graphical graph transformation rules. In collaboration with Juan De Lara and Esther Guerra, we have built a Maude parser and code generator, and integrated them in AToM3 to provide the tool with Maude’s reachability analysis capabilities (the integration of the Maude’s LTL model checking tool is left for future work). 8.2. F UTURE W ORK 191 The development of these tools has involved the use of many other current MDE tools, such as model transformation languages, code generators, metamodeling tools, etc. Most of these tools have been evolving at the same time that this thesis was being developed, so we have been witnesses of the considerable advance of the MDE tool support. In summary, many of these tools have really helped us in the development of the tool support for this work, and we may say that some of them are mature enough to be of a great help (e.g., ATL). However, even being of a great help, there are some tool-related problems that still remain. Some of these issues follow: • There is a big amount of modeling tools developed for the Eclipse platform. However, each of these tools usually has different dependencies with different versions of other tools. This fact usually makes the user to end up installing different Eclipse configurations to be able to make use of a subset of them. • One of the tools that really helped us in the definition of the graphical framework developed for the e-Motions tool is GMF. However, when the user tries to provide the graphical framework with interesting capabilities, he/she has to still manipulate (and understand) the Java code that GMF generates. Moreover, when the metamodel of his/her DSML evolves, because of the way that EMF assigns identifiers to objects (by their position in the tree of the model), the user has not only to add or modify the elements related to this evolution, but has also to check the correctness of almost every reference of the mapping model. 8.2 Future Work There are several lines of work in which we are currently engaged, or that we plan to address in the near future. In what follows, we present them grouped by topic. Model management. So far, our subtyping algorithm takes into account the properties that we specify per each metamodel element. However, a metamodel can also be enriched with invariants, by making use, e.g., of OCL. We plan to extend our subtyping algorithm to take into consideration these invariants. This extension will imply the study of the several possible relationships between OCL constraints, such as contradiction, inclusion, etc. In Section 5.1.2.1, we showed how we can apply different relaxations to the subtyping algorithm to obtain the different kinds of subtyping relationships. When one of these kinds 192 C HAPTER 8. C ONCLUSIONS AND F UTURE W ORK of subtyping, namely subtyping with renaming, flattened subtyping or flattened subtyping with renaming, is considered, we will usually need to adapt the model operations defined over a metamodel to make them applicable to any of its subtype metamodels. Therefore, we also plan to implement a transformative approach to adapt these model operations. In particular, we would like to define a model transformation that renames the affected elements (in case of subtyping with renaming) or modifies the classifiers package if an ambiguity is possible (in case of flattened subtyping). In Section 5.1.2.1 we presented the do and undo operations. The do operation applies to a model all the changes specified in a difference model. The undo operation reverts all the changes specified in a difference model. Intuitively, the undo operation is the inverse operation of the do operation. We leave as future work the formal proof of the formulas undo(do(Ms , Md ), Md ) = Ms and do(undo(Mm , Md ), Md ) = Mm , that implies the formal proof of, given modelDiff(Mm ,Ms ) = Md , do(Ms ,Md ) = Mm and undo(Mm ,Md ) = Ms . Given the complexity of the implementation of the difference operation, the use of Maude’s built-in primitive data types [42], and other features not currently supported by the tools in Maude’s formal environment [43], they, and in particular its inductive theorem prover [44, 68], cannot be directly used over the current specifications. We would like to study the possibility of adapting (or simplifying) our specifications of the model difference to make them a valid input for the Maude’s theorem prover. The e-Motions tool. We are currently working on several extensions for the e-Motions tool. In the first place, we are in the process of automating the interaction with Maude and its analysis tools using the native visual notation of the DSML. This will make the use of Maude completely transparent to users. Regarding reachability analysis, we will reuse the e-Motions rule editor for defining a search pattern, which will be composed of a LHS pattern and zero or many NAC patterns. Regarding LTL model checking, we are now studying an intuitive way to represent state predicates and LTL properties. We are also working on refining the internal Maude encoding to improve the performance of real-time simulation and analysis, by reducing the time and memory consumption. In particular, we are studying new mechanisms to decrease the number of generated objects, equations and rule conditions. • We are currently integrating in our tool a new mode that do not keep track of realized actions. In cases where reasoning about realized actions is not needed, this mode will decrease the number of generated objects substantially. Furthermore, this mode will 8.2. F UTURE W ORK 193 not prevent users from referring to actions that are currently being performed in the specifications of the behavioral rules, nor to reason about interrupted or aborted actions. • We are studying a new encoding for normal (non-soft) rules that avoids the generation of the related mte equation. For this purpose, we are studying how to apply some priority control mechanisms. • We are adding more “intelligence” to the model transformation defined from the eMotions language to Maude to reduce the number of generated rule conditions, since in Maude unconditional rules are notably more efficient. For instance, we want to avoid the inclusion of attribute conditions that compute (evaluate through mOdCL) basic values (such as true, 0, etc.) and specify them in the left-hand sides of the rules directly. Further extensions of the tool include a) to integrate an OCL tool with OCL expression completion and validation facilities to ease the specification of behavioral rules; b) to integrate the facilities presented in Section 7.4.2.1 to query the result of a simulation; and c) to support the definition of non-injective rules, as already done by the AToM3 tool [102]: by generating different Maude rules for each match possibility. Untimed search and untimed model checking. In Section 7.4 we showed how we can perform timed simulation, search and model checking over real-time systems. We showed how time-bounded search and model checking is a reasonably natural way of restricting the possibly infinite number of reachable states in a system to the finite subset which is reachable within a given time. However, the set of states reachable from an initial state in a timed specification may well be finite, in which case the search and model checking should terminate. Currently, our internal representation of time and action properties adds time information (such as the starting time of an action or the value of the clock instance) to each system state, making the reachable state space infinite, unless the specification is terminating. We are studying an alternative encoding that avoids the inclusion of such information to preserve the finiteness of the reachable state space, being able in that way to perform untimed search and untimed model checking. Analysis of behavioral rules. We have shown how we can make use of the simulation, search and model checking facilities that Maude provides. However, Maude also offers a powerful set of analysis tools that we do not have exploited yet, as its termination checker [52] or its confluence checker [53]. By using these and other tools, some of them currently under development, 194 C HAPTER 8. C ONCLUSIONS AND F UTURE W ORK we plan to study the possibility of accomplishing other kinds of analyses over the behavioral specifications of DSMLs, not only over domain specific models themselves, but also over behavioral rules. For instance, we would like to reason about whether all the models reachable by the application of a model’s rules satisfy the constraints established by its metamodel. Non-functional properties and QoS requirements. Once we have provided a way to specify time properties in the behavioral specifications of a DSML, we are studying the integration of more non-functional properties and QoS requirements into our in-place model transformation. Our first attempts can be found in [122] and [121]. In these works we present an approach to specify QoS requirements based on the observation of the system actions and of the state of its objects. For this purpose, we define a metamodel for observer objects whose objective is to monitor the value of one of these parameters. The observer metamodel can be reused across different DSMLs, and the behavior of these observers is specified together with the behavioral rules of the DSML. We show how the approach enables the natural specification of other important features of systems, such as the automatic reconfiguration of the system when the value of some of the QoS properties change. 8.3 List of Publications The development of this thesis have given rise to the following publications (listed by category and in reverse chronological order): Journal papers • J. E. Rivera, A. Vallecillo, and F. Durán. Formal specification and analysis of domain specific languages using Maude. Simulation: Transactions of the Society for Modeling and Simulation International, 85(11/12):778–792, 2009. • J. R. Romero, J. E. Rivera, F. Durán, and A. Vallecillo. Formal and tool support for model driven engineering with Maude. Journal of Object Technology, 6(9):187–207, Oct. 2007. Book chapters 8.3. L IST OF P UBLICATIONS 195 • J. E. Rivera, N. Moreno, and A. Vallecillo. Desarrollo de Software dirigido por Modelos. Chapter 2 of Fábricas de Software: Experiencias, Tecnologı́as y Organización, pages 2960. RAMA, Madrid, July 2007. International conferences • J. Troya, J. E. Rivera, and A. Vallecillo. by observation. Simulating domain specific visual models In Proc. of the Symposium on Theory of Modeling and Simulation (DEVS’10), Orlando, Florida (US), Apr. 2010. • J. E. Rivera, F. Durán, and A. Vallecillo. A graphical approach for modeling time- dependent behavior of DSLs. In Proc. of the IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC’09), pages 51–55, Sept. 2009. IEEE Computer Society. • J. E. Rivera, E. Guerra, J. de Lara, and A. Vallecillo. Analyzing rule-based behavioral semantics of visual modeling languages with Maude. In Proc. of the 1st International Conference on Software Language Engineering (SLE’08), volume 5452 of LNCS, pages 54–73, 2008. Springer-Verlag. • J. E. Rivera and A. Vallecillo. Representing and operating with model differences. In Proc. of the 46th International Conference on Objects, Models, Components, Patterns (TOOLS’08), volume 11 of Lecture Notes in Business Information Processing, pages 141–160. Springer, 2008. • J. E. Rivera and A. Vallecillo. Adding behavioral semantics to models. In Proc. of the 11th IEEE International Enterprise Distributed Object Computing Conference (EDOC’07), pages 169–180. IEEE Computer Society, Oct. 2007. International workshops • J. E. Rivera, F. Durán, and A. Vallecillo. On the behavioral semantics of real-time domain specific visual languages. In P. C. Ölveczky, editor, Proc. of the 8th International Workshop on Rewriting Logic and its Applications (WRLA’10), to appear in LNCS, Paphos, Cyprus, Mar. 2010. Springer-Verlag. • J. Troya, J. E. Rivera, and A. Vallecillo. On the specification of non-functional properties of systems by observation. In Proc. of the 2nd International Workshop of Non-functional 196 C HAPTER 8. C ONCLUSIONS AND F UTURE W ORK System Properties in Domain Specific Modeling Languages (NFPinDSML’09), Denver, Colorado (US), Oct. 2009. • J. E. Rivera, J. R. Romero, A. Vallecillo. Behavior, Time and Viewpoint Consistency: Three Challenges for MDE. In Proc. of the ChaMDE Workshop at MODELS 2008, pages 60-65, volume 5421 of LNCS, Tolouse, France, Sep. 2009. Springer-Verlag. Iberoamerican conferences • J. E. Rivera, C. Vicente-Chicote, and A. Vallecillo. Extending visual modeling languages with timed behavioral specifications. In Proc. of the XII Workshop Iberoamericano de Ingeniera de Requisitos y Ambientes de Software (IDEAS’09), pages 87–100, Medellı́n, Colombia, Apr. 2009. • J. E. Rivera and N. Moreno. Subtipado de modelos: Una definición basada en la sustitución entre tipos y en la aplicabilidad de operaciones. In Proc. of the XI Workshop Iberoamericano de Ingeniera de Requisitos y Ambientes de Software (IDEAS’08), pages 375–380, Recife, Brasil, Feb. 2008. Spanish conferences • R. E. Lopez-Herrejon and J. E. Rivera. Realizing feature oriented software development with equational logic: An exploratory study. In Proc. of the XIV Jornadas de Ingenierı́a del Software y Bases de Datos (JISBD09), pages 269–274, Sept. 2009. • J. E. Rivera and A. Vallecillo. Un acercamiento a la representación e implementación de la diferencia entre modelos. In Proc. of the IV Taller sobre Desarrollo de Software Dirigido por Modelos (DSDM’07), pages 1–10, Sept. 2007. • J. E. Rivera, F. Durán, A. Vallecillo, and J. R. Romero. Maudeling: Herramienta de gestión de modelos usando Maude. In Proc. of the XII Jornadas de Ingenierı́a del Software y Bases de Datos (JISBD’07), pages 409–410, Sept. 2007. Technical reports • J. E. Rivera, F. Durán, and A. Vallecillo. A metamodel for Maude. Technical report, University of Málaga, 2008. Available at http://atenea.lcc.uma.es/images/ e/e0/MaudeMM.pdf. 8.4. P ROJECTS 197 8.4 Projects This thesis has been developed in the context of the following projects: • MDD-MERTS: Diseño y monitorización dirigido por modelos de sistemas empotrados y de tiempo real. Funded by MICINN (TIN2008-03107). • MOVIS: Modernización y visualización de sistemas de información complejos. Funded by Junta de Andalucı́a (P07-TIC-03184). 198 C HAPTER 8. C ONCLUSIONS AND F UTURE W ORK Appendix A Maude Definitions for Models and Metamodels mod MGmOdCL i s pr mOdCL ∗ ( --- Renamings of CONFIGURATION module elements s o r t Cid t o @Class , s o r t Object t o @Object , s o r t Attribute t o @StructuralFeatureInstance , s o r t AttributeSet t o Set{@StructuralFeatureInstance } , op none : −> AttributeSet t o empty , --- Renamings of mOdCL elements s o r t AttributeName t o @StructuralFeature , s o r t Enum t o @EnumerationInstance , s o r t BasicType t o @DataTypeInstance , --- Renamings of _,_ due to conflict with prefix notation op _ ‘ , _ t o _#_ , op _ : _ t o _ : _ [ prec 20 gather ( e &) ] ) . --- Relationship established by Ecore s u b s o r t @EnumerationInstance < @DataTypeInstance . --- OrderedSet operations that are not defined in OCL eq asSequence ( OrderedSet{L : List{OCL−Exp } } ) = Sequence{L : List{OCL−Exp}} . eq exclude ( I : OCL−Type , OrderedSet{L : List{OCL−Exp } } ) = OrderedSet{delete−all$L ( I : OCL−Type , L : List{OCL−Exp } ) } . endm mod METAMODEL−CTORS i s pr MGmOdCL . *** METAMODEL ELEMENTS *** --- We create a sort for every (Ecore) metamodel element --- We use CONFIGURATION (and mOdCL) elements renamed where possible --- Sorts not included in mOdCL 199 200 A PPENDIX A. M AUDE D EFINITIONS FOR M ODELS AND M ETAMODELS s o r t @NamedElement . s o r t @Metamodel . s o r t @Package . s o r t @Classifier . s o r t @Attribute . s o r t @Reference . s o r t @DataType . s o r t @Enumeration . --- Subsort relationships s u b s o r t s @Metamodel @Package @Classifier @StructuralFeature < @NamedElement . s u b s o r t s @Class @DataType < @Classifier . s u b s o r t s @Attribute @Reference < @StructuralFeature . s u b s o r t @Enumeration < @DataType . --- Basic data types op @String : −> @DataType . op @Int : −> @DataType . op @Bool : −> @DataType . op @Float : −> @DataType . op @DataType : −> @DataType . *** MODEL ELEMENTS *** s o r t @Model . op _ ‘ { _ ‘ } : @Metamodel Set{@Object} −> @Model [ ctor ] . s o r t Set{@Object} . s u b s o r t @Object < Set{@Object} < Configuration . op __ : Set{@Object} Set{@Object} −> Set{@Object} [ ctor ditto ] . op none : −> Set{@Object} [ ctor ditto ] . s u b s o r t @AttributeInstance @ReferenceInstance < @StructuralFeatureInstance . s o r t @AttributeInstance . op _ : _ : @Attribute OCL−Type −> @AttributeInstance [ ctor ditto ] . s o r t @ReferenceInstance . --- OCL-Type includes collections defined over BasicTypes and Oids op _ : _ : @Reference OCL−Type −> @ReferenceInstance [ ctor ditto ] . s o r t Set{@AttributeInstance} . s u b s o r t @AttributeInstance < Set{@AttributeInstance} < Set{@StructuralFeatureInstance} . op _#_ : Set{@AttributeInstance} Set{@AttributeInstance} −> Set{@AttributeInstance} [ ctor ditto ] . s o r t Set{@ReferenceInstance} . s u b s o r t @ReferenceInstance < Set{@ReferenceInstance} < Set{@StructuralFeatureInstance} . op _#_ : Set{@ReferenceInstance} Set{@ReferenceInstance} −> Set{@ReferenceInstance} [ ctor ditto ] . 201 s o r t EmptySet . s u b s o r t s EmptySet < Set{@ReferenceInstance} Set{@AttributeInstance} . op _#_ : EmptySet EmptySet −> EmptySet [ ctor ditto ] . op empty : −> EmptySet [ ctor ditto ] . --- Operator @Object (equivalent to (Ecore) EObject) op @Object : −> @Class . endm mod MYQID i s pr MGmOdCL . pr QID ∗ ( --- Same renamings as in mOdCL op _ | _ : Nat Nat −> Nat t o _ | N_ , op _xor_ : Nat Nat −> Nat t o _nxor_ , op _<_ : Nat Nat −> Bool t o _<N_ , op _<=_ : Nat Nat −> Bool t o _<=N_ , op _>_ : Nat Nat −> Bool t o _>N_ , op _>=_ : Nat Nat −> Bool t o _>=N_ , op _∗_ : Nat Nat −> Nat t o _∗N_ , op _+_ op _<_ : Nat Nat −> Nat t o _+N_ , : String String −> Bool t o _lt_ , op _<=_ : String String −> Bool t o _leq_ , op _>_ : String String −> Bool t o _gt_ , op _>=_ : String String −> Bool t o _geq_ , op _+_ : String String −> String t o _++_ , --- Renamings of Qid op string : Qid −> String t o toString ) . --- We use quoted identifiers as object identifiers s u b s o r t Qid < Oid . endm mod MGMAYBE{X : : TRIV} i s pr MGmOdCL . s o r t Maybe{X} . s u b s o r t X$Elt OclVoid < Maybe{X} . endm --- List defined for gathering the properties of metamodel elements fmod MGLIST{X : : TRIV} i s s o r t MGNeList{X} MGList{X} . s u b s o r t X$Elt < MGNeList{X} . s u b s o r t EmptyList MGNeList{X} < MGList{X} . s o r t EmptyList . op nil : −> EmptyList [ ctor ] . op __ : EmptyList EmptyList −> EmptyList [ ctor assoc id : nil prec 2 5 ] . op __ : MGList{X} MGList{X} −> MGList{X} [ ctor ditto ] . var E E ’ : X$Elt . 202 A PPENDIX A. M AUDE D EFINITIONS FOR M ODELS AND M ETAMODELS v a r s A L : MGList{X} . op append : EmptyList EmptyList −> EmptyList . op append : MGList{X} MGList{X} −> MGList{X} . eq append ( A , L ) = A L . op occurs : X$Elt MGList{X} −> Bool . eq occurs ( E , nil ) = false . eq occurs ( E , E ’ L ) = i f E == E ’ then true else occurs ( E , L ) fi . op _in_ : X$Elt MGList{X} −> Bool . eq ( E in L ) = occurs ( E , L ) . op reverse : EmptyList −> EmptyList . op reverse : MGList{X} −> MGList{X} . eq reverse ( L ) = $reverse ( L , nil ) . op $reverse : EmptyList EmptyList −> EmptyList . op $reverse : MGList{X} MGList{X} −> MGList{X} . eq $reverse ( nil , A ) = A . eq $reverse ( E L , A ) = $reverse ( L , E A ) . endfm view @NamedElement from TRIV t o METAMODEL−CTORS i s s o r t Elt t o @NamedElement . endv view @Reference from TRIV t o METAMODEL−CTORS i s s o r t Elt t o @Reference . endv view @Attribute from TRIV t o METAMODEL−CTORS i s s o r t Elt t o @Attribute . endv view @Metamodel from TRIV t o METAMODEL−CTORS i s s o r t Elt t o @Metamodel . endv view @Package from TRIV t o METAMODEL−CTORS i s s o r t Elt t o @Package . endv view @DataType from TRIV t o METAMODEL−CTORS i s s o r t Elt t o @DataType . endv mod METAMODEL−PROP i s pr METAMODEL−CTORS . pr MYQID . pr MGLIST{@NamedElement} ∗ ( s o r t MGList{@NamedElement} t o MyList ) . 203 pr MGMAYBE{@Package} + MGMAYBE{@Metamodel} + MGMAYBE{@DataType} + MGMAYBE{@Reference} + MGMAYBE{@Attribute} . var MM : @Metamodel . var P : @Package . var OBJSET : Set{@Object} . var CLF : @Classifier . var C C2 : @Class . var OBJ : @Object . var O : Oid . var SF SF2 : @StructuralFeature . var REF : @Reference . var ATT : @Attribute . var SFI : @StructuralFeatureInstance . var SFIS : Set{@StructuralFeatureInstance} . var ATTIS : Set{@AttributeInstance} . var REFIS : Set{@ReferenceInstance} . v a r s DT DT2 : @DataType . v a r s DTI DTI1 DTI2 : @DataTypeInstance . v a r s I1 I2 : Int . var L : MyList . var LO : List{OCL−Exp} . var OCLTYPE : OCL−Type . var CONF : Configuration . var VALUE : OCL−Type . *** METAMODEL PROPERTIES *** --- NamedElement op name : @NamedElement −> String . --- Metamodel op packages : @Metamodel −> MyList . --- Of @Package --- Packages op metamodel : @Package −> @Metamodel . op superPackage : @Package −> Maybe{@Package} . op subPackages : @Package −> MyList . --- Of @Package op classes : @Package −> MyList . --- Of @Class --- Classifiers op package : @Classifier −> Maybe{@Package} . --- For data types that are not enumerations eq package ( DT ) = null [ owise ] . --- Classes op superTypes : @Class −> MyList . --- Of @Class op references : @Class −> MyList . --- Of @Reference op attributes : @Class −> MyList . --- Of @Attribute op isAbstract : @Class −> Bool . 204 A PPENDIX A. M AUDE D EFINITIONS FOR M ODELS AND M ETAMODELS --- StructuralFeatures op type : @StructuralFeature −> @Classifier . op type : @Attribute −> @DataType [ ditto ] . op type : @Reference −> @Class [ ditto ] . op lowerBound : @StructuralFeature −> Int . op upperBound : @StructuralFeature −> Int . op containingClass : @StructuralFeature −> @Class . op isOrdered : @StructuralFeature −> Bool . op isUnique : @StructuralFeature −> Bool . --- Attributes op specificDefaultValue : @Attribute −> OCL−Type . --- Of @DataTypeInstance eq specificDefaultValue ( ATT ) = null [ owise ] . op isId : @Attribute −> Bool . --- References op opposite : @Reference −> Maybe{@Reference} . op isContainment : @Reference −> Bool . --- Enumerations op defaultValue : @Enumeration −> @EnumerationInstance . --- [ditto] . op literals : @Enumeration −> List{OCL−Exp} . --- Of @EnumerationInstance . --- List{OCL-Exp} is taken from mOdCL --- Enumeration Instances op meta : @EnumerationInstance −> @Enumeration . *** METAMODEL DERIVED PROPERTIES AND OPERATIONS *** --- Metamodels op allClasses : @Metamodel −> MyList . --- Of @Class eq allClasses ( MM ) = classesAux ( allPackages ( MM ) ) . op allPackages : @Metamodel −> MyList . --- Of @Package eq allPackages ( MM ) = ( packages ( MM ) allSubPackages ( packages ( MM ) ) ) . --- Packages op allSubPackages : MyList −> MyList . --- Of @Package (both) . eq allSubPackages ( nil ) = nil . eq allSubPackages ( P ) = ( subPackages ( P ) allSubPackages ( subPackages ( P ) ) ) . eq allSubPackages ( ( P L ) ) = ( allSubPackages ( P ) allSubPackages ( L ) ) . op allClasses : @Package −> MyList . --- Of @Class eq allClasses ( P ) = ( classes ( P ) classesAux ( allSubPackages ( P ) ) ) . op classesAux : MyList −> MyList . --- Of @Package, @Class eq classesAux ( nil ) = nil . eq classesAux ( P L ) = ( classes ( P ) classesAux ( L ) ) . --- DataTypes --- This operation is also defined for enumerations in the metamodels equations 205 op defaultValue : @DataType −> @DataTypeInstance . eq defaultValue ( @String ) = "" . eq defaultValue ( @Int ) = 0 . eq defaultValue ( @Bool ) = false . eq defaultValue ( @Float ) = 0 . 0 . eq defaultValue ( DT ) = null [ owise ] . --- DataTypes and DataTypesInstances --- This operation is also defined for enumerations in the metamodels equations op metaAux : @DataTypeInstance −> @DataType . eq metaAux ( S : String ) = @String . eq metaAux ( I : Int ) = @Int . eq metaAux ( B : Bool ) = @Bool . eq metaAux ( S : Float ) = @Float . eq metaAux ( DTI ) = @DataType [ owise ] . op subTypeOf : @DataType @DataType −> Bool . eq subTypeOf ( DT , @DataType ) = true . eq subTypeOf ( DT , DT ) = true . eq subTypeOf ( DT , DT2 ) = false [ owise ] . --- Classifiers op metamodel : @Classifier −> Maybe{@Metamodel} . eq metamodel ( CLF ) = i f ( package ( CLF ) == null ) then null else metamodel ( package ( CLF ) ) fi . eq metamodel ( CLF ) = metamodel ( package ( CLF ) ) . --- Classes op structuralFeatures : @Class −> MyList . --- Of @StructuralFeature eq structuralFeatures ( C ) = attributes ( C ) references ( C ) . op allSuperTypes : MyList −> MyList . --- Of @Class (both) eq allSuperTypes ( nil ) = nil . eq allSuperTypes ( C ) = ( superTypes ( C ) allSuperTypes ( superTypes ( C ) ) ) . eq allSuperTypes ( C L ) = ( allSuperTypes ( C ) allSuperTypes ( L ) ) . op allReferences : MyList −> MyList . --- Of @Class, @Reference eq allReferences ( nil ) = nil . eq allReferences ( C ) = ( references ( C ) allReferences ( superTypes ( C ) ) ) . eq allReferences ( C L ) = ( allReferences ( C ) allReferences ( L ) ) . op containmentReferences : @Class −> MyList . --- Of @References eq containmentReferences ( C ) = containmentReferences ( allReferences ( C ) ) . op containmentReferences : MyList −> MyList . --- Of @References (both) eq containmentReferences ( nil ) = nil . eq containmentReferences ( REF L ) = i f ( isContainment ( REF ) ) then ( REF containmentReferences ( L ) ) else containmentReferences ( L ) fi . op allAttributes : MyList −> MyList . --- Of @Class, @Attribute eq allAttributes ( nil ) = nil . 206 A PPENDIX A. M AUDE D EFINITIONS FOR M ODELS AND M ETAMODELS eq allAttributes ( C ) = ( attributes ( C ) allAttributes ( superTypes ( C ) ) ) . eq allAttributes ( C L ) = ( allAttributes ( C ) allAttributes ( L ) ) . op allStructuralFeatures : @Class −> MyList . --- Of @StructuralFeature eq allStructuralFeatures ( C ) = ( allAttributes ( C ) allReferences ( C ) ) . op superTypeOf : @Class @Class −> Bool . eq superTypeOf ( @Object , C2 ) = true . eq superTypeOf ( C , C2 ) = ( name ( C ) == "EObject" and−then name ( package ( C ) ) == "ecore" ) or−else C in allSuperTypes ( C2 ) [ owise ] . --- This equation is equivalent to: --- eq subTypeOf(C, EObject@ecore) = true . --- However, the Ecore Metamodel is not imported yet op subTypeOf : @Class @Class −> Bool . eq subTypeOf ( C , C2 ) = superTypeOf ( C2 , C ) . op idAttribute : @Class −> Maybe{@Attribute} . eq idAttribute ( C ) = idAttribute ( allAttributes ( C ) ) . op idAttribute : MyList −> Maybe{@Attribute} . --- Of @Attribute eq idAttribute ( nil ) = null . eq idAttribute ( ATT L ) = i f isId ( ATT ) then ATT else idAttribute ( L ) fi . --- StructuralFeatures op isMany : @StructuralFeature −> Bool . eq isMany ( SF ) = ( 2 <=Card upperBound ( SF ) ) . op isRequired : @StructuralFeature −> Bool . eq isRequired ( SF ) = ( 1 <=Card lowerBound ( SF ) ) . op metamodel : @StructuralFeature −> @Metamodel . eq metamodel ( SF ) = metamodel ( package ( containingClass ( SF ) ) ) . op defaultValue : @StructuralFeature −> OCL−Type . --- Attributes op defaultValue : @Attribute −> OCL−Type [ ditto ] . --- Of @DataTypeInstance eq defaultValue ( ATT ) = i f not ( specificDefaultValue ( ATT ) == null ) then specificDefaultValue ( ATT ) else i f ( isMany ( ATT ) and−then isRequired ( ATT ) ) then i f isOrdered ( ATT ) then i f isUnique ( ATT ) then OrderedSet{ defaultValue ( type ( ATT ) ) } else Sequence{ defaultValue ( type ( ATT ) ) } fi else i f isUnique ( ATT ) then Set{ defaultValue ( type ( ATT ) ) } else Bag{ defaultValue ( type ( ATT ) ) } fi fi else i f isMany ( ATT ) 207 then i f isOrdered ( ATT ) then i f isUnique ( ATT ) then OrderedSet{ mt−ord } else Sequence{ mt−ord } fi else i f isUnique ( ATT ) then Set{ mt } else Bag{ mt } fi fi else i f ( isRequired ( ATT ) ) then defaultValue ( type ( ATT ) ) else null fi fi fi fi . --- References op defaultValue : @Reference −> OCL−Type [ ditto ] . --- Of Oid eq defaultValue ( REF ) = i f isMany ( REF ) then i f isOrdered ( REF ) then i f isUnique ( REF ) then OrderedSet{} else Sequence{} fi else i f isUnique ( REF ) then Set{} else Bag{} fi fi else null fi . op isContainer : @Reference −> Bool . eq isContainer ( REF ) = isContainment ( opposite ( REF ) ) . --- DataType Instances op meta : OCL−Type −> Maybe{@DataType} . --- Of @DataTypeInstance eq meta ( VALUE ) = metaListAux(<< VALUE −> asSequence ( ) >>) . op metaListAux : Sequence −> Maybe{@DataType} . --- Of @DataTypeInstance eq metaListAux ( Sequence{mt−ord } ) = null . eq metaListAux ( Sequence{DTI1 } ) = metaAux ( DTI1 ) . eq metaListAux ( Sequence{DTI1 # DTI2 # LO } ) = i f ( metaAux ( DTI1 ) == metaListAux ( Sequence{DTI2 # LO } ) ) then metaAux ( DTI1 ) else null fi . --- StructuralFeature Instances op meta : @StructuralFeatureInstance −> @StructuralFeature . eq meta ( SF : VALUE ) = SF . op isOrdered : @StructuralFeatureInstance −> Bool . eq isOrdered ( SFI ) = isOrdered ( meta ( SFI ) ) . op isUnique : @StructuralFeatureInstance −> Bool . eq isUnique ( SFI ) = isUnique ( meta ( SFI ) ) . op isOrdered : OCL−Type −> Bool . eq isOrdered ( B : Bag ) = false . 208 A PPENDIX A. M AUDE D EFINITIONS FOR M ODELS AND M ETAMODELS eq isOrdered ( S : Set ) = false . eq isOrdered ( VALUE ) = true [ owise ] . op isUnique : OCL−Type −> Bool . eq isUnique ( S : Sequence ) = false . eq isUnique ( B : Bag ) = false . eq isUnique ( VALUE ) = true [ owise ] . op isMany : OCL−Type −> Bool . eq isMany ( COL : Collection ) = true . eq isMany ( VALUE ) = false [ owise ] . op atts : Set{@StructuralFeatureInstance} −> Set{@AttributeInstance} . eq atts ( ( ATTIS # REFIS ) ) = ATTIS . op refs : Set{@StructuralFeatureInstance} −> Set{@ReferenceInstance} . eq refs ( ( ATTIS # REFIS ) ) = REFIS . op get : Set{@StructuralFeatureInstance} @StructuralFeature −> OCL−Type . eq get ( ( SF : VALUE # SFIS ) , SF ) = VALUE . eq get ( SFIS , SF ) = null [ owise ] . --- Objects op meta : @Object −> @Class . eq meta(< O : C | SFIS >) = C . op get : @Object @StructuralFeature −> OCL−Type . eq get(< O : C | ( SF : VALUE # SFIS ) >, SF ) = VALUE . eq get ( OBJ , SF ) = null [ owise ] . --- The complete operation adds to a object all the structural features-value pairs (with --- their default value) that are missing op complete : @Object −> @Object . eq complete(< O : C | SFIS >) = complete(< O : C | SFIS >, allStructuralFeatures ( C ) ) . op complete : @Object MyList −> @Object . eq complete(< O : C | SF : VALUE # SFIS >, ( SF L ) ) = complete(< O : C | SF : VALUE # SFIS >, L ) . eq complete(< O : C | SFIS >, ( SF L ) ) = complete(< O : C | SF : defaultValue ( SF ) # SFIS >, L ) [ owise ] . eq complete(< O : C | SFIS >, nil ) = < O : C | SFIS > . --- Model op meta : @Model −> @Metamodel . eq meta ( MM { OBJSET } ) = MM . op objectsSet : @Model −> Set{@Object} . eq objectsSet ( MM { OBJSET } ) = OBJSET . --- Cardinality op ∗ : −> Int . eq ∗ = −1 . 209 op maxCard : Int Int −> Int [ comm ] . eq maxCard( −1 , I1 ) = −1 . eq maxCard ( I1 , I2 ) = max ( I1 , I2 ) [ owise ] . op minCard : Int Int −> Int [ comm ] . eq minCard( −1 , I1 ) = I1 . eq minCard ( I1 , I2 ) = min ( I1 , I2 ) [ owise ] . op _<=Card_ : Int Int −> Bool . eq I1 <=Card −1 = true . eq −1 <=Card I2 = ( I2 == −1) . eq I1 <=Card I2 = I1 <= I2 [ owise ] . *** mOdCL OPERATION ADAPTATIONS *** --- Eval now can be applied over @Model terms op eval : OCL−Exp Msg @Model −> OCL−Exp . eq eval ( EXP : OCL−Exp , env ( VARS : Set{VarPair } ) , MM { OBJSET } ) = i f ( VARS : Set{VarPair} == empty ) then eval−aux ( EXP : OCL−Exp , env ( self <− foo−self ) OBJSET , none ) else eval−aux ( EXP : OCL−Exp , env ( VARS : Set{VarPair } ) OBJSET , non ) fi . op <<_ ; _>> : OCL−Exp @Model −> OCL−Exp . --- We cannot use the same <<_:_>> mOdCL operator due to conflicts --- (it returns the invalid value) eq << EXP : OCL−Exp ; MM { OBJSET } >> = ---<< EXP:OCL-Exp : OBJSET >> . eval−aux ( EXP : OCL−Exp , env ( empty ) OBJSET , none ) . --- The second argument are the context avriables op <<_ ; _ ; _>> : OCL−Exp Msg @Model −> OCL−Exp . eq << EXP : OCL−Exp ; env ( VARS : Set{VarPair } ) ; MM { OBJSET } >> = eval−aux ( EXP : OCL−Exp , env ( VARS : Set{VarPair } ) OBJSET , none ) . --- Operation required by mOdCL --- Note that for this OCL operation a class is subclass of itself --- op isSubClass : Cid Cid -> Bool . eq isSubClass ( C , C2 ) = ( C == C2 ) or−else subTypeOf ( C , C2 ) . --- To handle not (name-)qualified attributes in OCL expressions --- op getAttr : Universal Configuration -> Universal [poly (1 0)] . ceq get−attr ( O ( . SF ) . OCL−Attr , < O : C | SF2 : OCLTYPE # SFIS > CONF ) = OCLTYPE i f ( name ( SF ) == name ( SF2 ) ) . endm 210 A PPENDIX A. M AUDE D EFINITIONS FOR M ODELS AND M ETAMODELS Appendix B Maude Encoding of the Ecore Metamodel mod MAUDELING i s pr MODELCONFORMANCE . ... endm mod @ECORE@ i s pr MAUDELING . op @Ecore@ : −> @Metamodel . eq name ( @Ecore@ ) = "Ecore" . eq packages ( @Ecore@ ) = ecore . op ecore : −> @Package . eq name ( ecore ) = "ecore" . eq metamodel ( ecore ) = @Ecore@ . eq superPackage ( ecore ) = null . eq subPackages ( ecore ) = nil . eq classes ( ecore ) = EAttribute@ecore EAnnotation@ecore EClass@ecore EClassifier@ecore EDataType@ecore EEnum@ecore EEnumLiteral@ecore EFactory@ecore EModelElement@ecore ENamedElement@ecore EObject@ecore EOperation@ecore EPackage@ecore EParameter@ecore EReference@ecore EStructuralFeature@ecore ETypedElement@ecore EStringToStringMapEntry@ecore EGenericType@ecore ETypeParameter@ecore . s o r t EAttribute@ecore . s u b s o r t s EAttribute@ecore < EStructuralFeature@ecore . op EAttribute@ecore : −> EAttribute@ecore . eq name ( EAttribute@ecore ) = "EAttribute" . eq isAbstract ( EAttribute@ecore ) = false . eq package ( EAttribute@ecore ) = ecore . eq superTypes ( EAttribute@ecore ) = EStructuralFeature@ecore . eq references ( EAttribute@ecore ) = eAttributeType@EAttribute@ecore . eq attributes ( EAttribute@ecore ) = iD@EAttribute@ecore . s o r t EAnnotation@ecore . 211 212 A PPENDIX B. M AUDE E NCODING OF THE E CORE M ETAMODEL s u b s o r t s EAnnotation@ecore < EModelElement@ecore . op EAnnotation@ecore : −> EAnnotation@ecore . eq name ( EAnnotation@ecore ) = "EAnnotation" . eq isAbstract ( EAnnotation@ecore ) = false . eq package ( EAnnotation@ecore ) = ecore . eq superTypes ( EAnnotation@ecore ) = EModelElement@ecore . eq references ( EAnnotation@ecore ) = details@EAnnotation@ecore eModelElement@EAnnotation@ecore contents@EAnnotation@ecore references@EAnnotation@ecore . eq attributes ( EAnnotation@ecore ) = source@EAnnotation@ecore . s o r t EClass@ecore . s u b s o r t s EClass@ecore < EClassifier@ecore . op EClass@ecore : −> EClass@ecore . eq name ( EClass@ecore ) = "EClass" . eq isAbstract ( EClass@ecore ) = false . eq package ( EClass@ecore ) = ecore . eq superTypes ( EClass@ecore ) = EClassifier@ecore . eq references ( EClass@ecore ) = eSuperTypes@EClass@ecore eOperations@EClass@ecore eAllAttributes@EClass@ecore eAllReferences@EClass@ecore eReferences@EClass@ecore eAttributes@EClass@ecore eAllContainments@EClass@ecore eAllOperations@EClass@ecore eAllStructuralFeatures@EClass@ecore eAllSuperTypes@EClass@ecore eIDAttribute@EClass@ecore eStructuralFeatures@EClass@ecore eGenericSuperTypes@EClass@ecore eAllGenericSuperTypes@EClass@ecore . eq attributes ( EClass@ecore ) = abstract@EClass@ecore interface@EClass@ecore . s o r t EClassifier@ecore . s u b s o r t s EClassifier@ecore < ENamedElement@ecore . op EClassifier@ecore : −> EClassifier@ecore . eq name ( EClassifier@ecore ) = "EClassifier" . eq isAbstract ( EClassifier@ecore ) = true . eq package ( EClassifier@ecore ) = ecore . eq superTypes ( EClassifier@ecore ) = ENamedElement@ecore . eq references ( EClassifier@ecore ) = ePackage@EClassifier@ecore eTypeParameters@EClassifier@ecore . eq attributes ( EClassifier@ecore ) = instanceClassName@EClassifier@ecore instanceClass@EClassifier@ecore defaultValue@EClassifier@ecore instanceTypeName@EClassifier@ecore . s o r t EDataType@ecore . s u b s o r t s EDataType@ecore < EClassifier@ecore . op EDataType@ecore : −> EDataType@ecore . eq name ( EDataType@ecore ) = "EDataType" . eq isAbstract ( EDataType@ecore ) = false . eq package ( EDataType@ecore ) = ecore . eq superTypes ( EDataType@ecore ) = EClassifier@ecore . eq references ( EDataType@ecore ) = nil . eq attributes ( EDataType@ecore ) = serializable@EDataType@ecore . s o r t EEnum@ecore . s u b s o r t s EEnum@ecore < EDataType@ecore . op EEnum@ecore : −> EEnum@ecore . 213 eq name ( EEnum@ecore ) = "EEnum" . eq isAbstract ( EEnum@ecore ) = false . eq package ( EEnum@ecore ) = ecore . eq superTypes ( EEnum@ecore ) = EDataType@ecore . eq references ( EEnum@ecore ) = eLiterals@EEnum@ecore . eq attributes ( EEnum@ecore ) = nil . s o r t EEnumLiteral@ecore . s u b s o r t s EEnumLiteral@ecore < ENamedElement@ecore . op EEnumLiteral@ecore : −> EEnumLiteral@ecore . eq name ( EEnumLiteral@ecore ) = "EEnumLiteral" . eq isAbstract ( EEnumLiteral@ecore ) = false . eq package ( EEnumLiteral@ecore ) = ecore . eq superTypes ( EEnumLiteral@ecore ) = ENamedElement@ecore . eq references ( EEnumLiteral@ecore ) = eEnum@EEnumLiteral@ecore . eq attributes ( EEnumLiteral@ecore ) = value@EEnumLiteral@ecore instance@EEnumLiteral@ecore literal@EEnumLiteral@ecore . ... s o r t EObject@ecore . s u b s o r t s EObject@ecore < @Class . op EObject@ecore : −> EObject@ecore . eq name ( EObject@ecore ) = "EObject" . eq isAbstract ( EObject@ecore ) = false . eq package ( EObject@ecore ) = ecore . eq superTypes ( EObject@ecore ) = nil . eq references ( EObject@ecore ) = nil . eq attributes ( EObject@ecore ) = nil . ... op eAttributeType@EAttribute@ecore : −> @Reference . eq name ( eAttributeType@EAttribute@ecore ) = "eAttributeType" . eq type ( eAttributeType@EAttribute@ecore ) = EDataType@ecore . eq opposite ( eAttributeType@EAttribute@ecore ) = null . eq lowerBound ( eAttributeType@EAttribute@ecore ) = 1 . eq upperBound ( eAttributeType@EAttribute@ecore ) = 1 . eq containingClass ( eAttributeType@EAttribute@ecore ) = EAttribute@ecore . eq isContainment ( eAttributeType@EAttribute@ecore ) = false . eq isOrdered ( eAttributeType@EAttribute@ecore ) = true . eq isUnique ( eAttributeType@EAttribute@ecore ) = true . op details@EAnnotation@ecore : −> @Reference . eq name ( details@EAnnotation@ecore ) = "details" . eq type ( details@EAnnotation@ecore ) = EStringToStringMapEntry@ecore . eq opposite ( details@EAnnotation@ecore ) = null . eq lowerBound ( details@EAnnotation@ecore ) = 0 . eq upperBound ( details@EAnnotation@ecore ) = ∗ . eq containingClass ( details@EAnnotation@ecore ) = EAnnotation@ecore . eq isContainment ( details@EAnnotation@ecore ) = true . eq isOrdered ( details@EAnnotation@ecore ) = true . eq isUnique ( details@EAnnotation@ecore ) = true . 214 A PPENDIX B. M AUDE E NCODING OF THE E CORE M ETAMODEL op eModelElement@EAnnotation@ecore : −> @Reference . eq name ( eModelElement@EAnnotation@ecore ) = "eModelElement" . eq type ( eModelElement@EAnnotation@ecore ) = EModelElement@ecore . eq opposite ( eModelElement@EAnnotation@ecore ) = eAnnotations@EModelElement@ecore . eq lowerBound ( eModelElement@EAnnotation@ecore ) = 0 . eq upperBound ( eModelElement@EAnnotation@ecore ) = 1 . eq containingClass ( eModelElement@EAnnotation@ecore ) = EAnnotation@ecore . eq isContainment ( eModelElement@EAnnotation@ecore ) = false . eq isOrdered ( eModelElement@EAnnotation@ecore ) = true . eq isUnique ( eModelElement@EAnnotation@ecore ) = true . op contents@EAnnotation@ecore : −> @Reference . eq name ( contents@EAnnotation@ecore ) = "contents" . eq type ( contents@EAnnotation@ecore ) = EObject@ecore . eq opposite ( contents@EAnnotation@ecore ) = null . eq lowerBound ( contents@EAnnotation@ecore ) = 0 . eq upperBound ( contents@EAnnotation@ecore ) = ∗ . eq containingClass ( contents@EAnnotation@ecore ) = EAnnotation@ecore . eq isContainment ( contents@EAnnotation@ecore ) = true . eq isOrdered ( contents@EAnnotation@ecore ) = true . eq isUnique ( contents@EAnnotation@ecore ) = true . op references@EAnnotation@ecore : −> @Reference . eq name ( references@EAnnotation@ecore ) = "references" . eq type ( references@EAnnotation@ecore ) = EObject@ecore . eq opposite ( references@EAnnotation@ecore ) = null . eq lowerBound ( references@EAnnotation@ecore ) = 0 . eq upperBound ( references@EAnnotation@ecore ) = ∗ . eq containingClass ( references@EAnnotation@ecore ) = EAnnotation@ecore . eq isContainment ( references@EAnnotation@ecore ) = false . eq isOrdered ( references@EAnnotation@ecore ) = true . eq isUnique ( references@EAnnotation@ecore ) = true . op eSuperTypes@EClass@ecore : −> @Reference . eq name ( eSuperTypes@EClass@ecore ) = "eSuperTypes" . eq type ( eSuperTypes@EClass@ecore ) = EClass@ecore . eq opposite ( eSuperTypes@EClass@ecore ) = null . eq lowerBound ( eSuperTypes@EClass@ecore ) = 0 . eq upperBound ( eSuperTypes@EClass@ecore ) = ∗ . eq containingClass ( eSuperTypes@EClass@ecore ) = EClass@ecore . eq isContainment ( eSuperTypes@EClass@ecore ) = false . eq isOrdered ( eSuperTypes@EClass@ecore ) = true . eq isUnique ( eSuperTypes@EClass@ecore ) = true . ... op iD@EAttribute@ecore : −> @Attribute . eq name ( iD@EAttribute@ecore ) = "iD" . eq type ( iD@EAttribute@ecore ) = @Bool . eq lowerBound ( iD@EAttribute@ecore ) = 0 . eq upperBound ( iD@EAttribute@ecore ) = 1 . 215 eq containingClass ( iD@EAttribute@ecore ) = EAttribute@ecore . eq isId ( iD@EAttribute@ecore ) = false . eq isOrdered ( iD@EAttribute@ecore ) = true . eq isUnique ( iD@EAttribute@ecore ) = true . op source@EAnnotation@ecore : −> @Attribute . eq name ( source@EAnnotation@ecore ) = "source" . eq type ( source@EAnnotation@ecore ) = @String . eq lowerBound ( source@EAnnotation@ecore ) = 0 . eq upperBound ( source@EAnnotation@ecore ) = 1 . eq containingClass ( source@EAnnotation@ecore ) = EAnnotation@ecore . eq isId ( source@EAnnotation@ecore ) = false . eq isOrdered ( source@EAnnotation@ecore ) = true . eq isUnique ( source@EAnnotation@ecore ) = true . op abstract@EClass@ecore : −> @Attribute . eq name ( abstract@EClass@ecore ) = "abstract" . eq type ( abstract@EClass@ecore ) = @Bool . eq lowerBound ( abstract@EClass@ecore ) = 0 . eq upperBound ( abstract@EClass@ecore ) = 1 . eq containingClass ( abstract@EClass@ecore ) = EClass@ecore . eq isId ( abstract@EClass@ecore ) = false . eq isOrdered ( abstract@EClass@ecore ) = true . eq isUnique ( abstract@EClass@ecore ) = true . op interface@EClass@ecore : −> @Attribute . eq name ( interface@EClass@ecore ) = "interface" . eq type ( interface@EClass@ecore ) = @Bool . eq lowerBound ( interface@EClass@ecore ) = 0 . eq upperBound ( interface@EClass@ecore ) = 1 . eq containingClass ( interface@EClass@ecore ) = EClass@ecore . eq isId ( interface@EClass@ecore ) = false . eq isOrdered ( interface@EClass@ecore ) = true . eq isUnique ( interface@EClass@ecore ) = true . op instanceClassName@EClassifier@ecore : −> @Attribute . eq name ( instanceClassName@EClassifier@ecore ) = "instanceClassName" . eq type ( instanceClassName@EClassifier@ecore ) = @String . eq lowerBound ( instanceClassName@EClassifier@ecore ) = 0 . eq upperBound ( instanceClassName@EClassifier@ecore ) = 1 . eq containingClass ( instanceClassName@EClassifier@ecore ) = EClassifier@ecore . eq isId ( instanceClassName@EClassifier@ecore ) = false . eq isOrdered ( instanceClassName@EClassifier@ecore ) = true . eq isUnique ( instanceClassName@EClassifier@ecore ) = true . ... endm 216 A PPENDIX B. M AUDE E NCODING OF THE E CORE M ETAMODEL Appendix C Maude Definitions for Time and Action Properties 1 --- We import Real-Time Maude modules TIMED-PRELUDE, LTIME-INF, NAT-TIME-DOMAIN-WITH-INF 2 --- and POSRAT-TIME-DOMAIN-WITH-INF. They provide support for different time domains, 3 --- such as discrete and dense time domains. 4 5 6 fmod MGTIMED−PRELUDE i s pr TIMED−PRELUDE ∗ ( --- Time renamings 7 --- (to be consistent with dense and discrete time renamings) 8 op _gt_ : Time Time −> Bool t o _gtT_ , op _lt_ : Time Time −> Bool t o _ltT_ ) . 9 10 endfm 11 12 13 fmod MGLTIME−INF i s pr LTIME−INF ∗ ( --- Time renamings --- (to be consistent with dense and discrete time renamings) 14 15 op _gt_ : TimeInf TimeInf −> Bool t o _gtT_ , 16 op _lt_ : TimeInf TimeInf −> Bool t o _ltT_ , 17 op min : TimeInf TimeInf −> TimeInf t o minT , op max : TimeInf TimeInf −> TimeInf t o maxT ) . 18 19 endfm 20 21 22 23 24 mod MGTIME i s pr MGTIMED−PRELUDE . pr MGLTIME−INF . endm 25 26 27 fmod DISCRETE_TIME i s pr NAT−TIME−DOMAIN−WITH−INF ∗ ( --- Same renamings as in mOdCL 28 op _xor_ : Nat Nat −> Nat t o _nxor_ , 29 op _ | _ : Nat Nat −> Nat t o _ | N_ , 30 op _<_ : Nat Nat −> Bool t o _<N_ , 31 op _<=_ : Nat Nat −> Bool t o _<=N_ , 217 218 A PPENDIX C. M AUDE D EFINITIONS FOR T IME AND ACTION P ROPERTIES 32 op _>_ : Nat Nat −> Bool t o _>N_ , 33 op _>=_ : Nat Nat −> Bool t o _>=N_ , 34 op _−_ : Nat Nat −> Nat t o _−N_ , 35 op _∗_ : Nat Nat −> Nat t o _∗N_ , 36 op _+_ : Nat Nat −> Nat t o _+N_ , 37 --- Time renamings 38 op _gt_ : TimeInf TimeInf −> Bool t o _gtT_ , 39 op _lt_ : TimeInf TimeInf −> Bool t o _ltT_ , 40 op min : TimeInf TimeInf −> TimeInf t o minT , op max : TimeInf TimeInf −> TimeInf t o maxT ) . 41 42 endfm 43 44 45 fmod DENSE_TIME i s pr POSRAT−TIME−DOMAIN−WITH−INF ∗ ( --- Same renamings as in mOdCL 46 op _xor_ : Nat Nat −> Nat t o _nxor_ , 47 op _ | _ : Nat Nat −> Nat t o _ | N_ , 48 op _<_ : Nat Nat −> Bool t o _<N_ , 49 op _<=_ : Nat Nat −> Bool t o _<=N_ , 50 op _>_ : Nat Nat −> Bool t o _>N_ , 51 op _>=_ : Nat Nat −> Bool t o _>=N_ , 52 op _−_ : Nat Nat −> Nat t o _−N_ , 53 op _∗_ : Nat Nat −> Nat t o _∗N_ , 54 op _+_ : Nat Nat −> Nat t o _+N_ , 55 op −_ : Int −> Int t o −I_ , 56 op _ / _ 57 op floor : PosRat −> Nat t o floorR , : Rat Rat −> Rat to _ / / _ , 58 op ceiling : PosRat −> Nat t o ceilingR , 59 --- Time renamings 60 op _gt_ : TimeInf TimeInf −> Bool t o _gtT_ , 61 op _lt_ : TimeInf TimeInf −> Bool t o _ltT_ , 62 op min : TimeInf TimeInf −> TimeInf t o minT , op max : TimeInf TimeInf −> TimeInf t o maxT ) . 63 64 endfm 65 66 mod MGBEHAVIORMM i s 67 pr @ECORE@ . 68 pr MGTIME . 69 70 --- We include Time as a data type 71 op @Time : −> @DataType . 72 --- subsorts OclVoid < Time < @DataTypeInstance . 73 s u b s o r t s TimeInf < @DataTypeInstance . 74 eq defaultValue ( @Time ) = zero . 75 eq metaAux ( T : Time ) = @Time . 76 77 *** BEHAVIOR METAMODEL *** 78 79 op @MGBehavior@ : −> @Metamodel . 80 eq name ( @MGBehavior@ ) = "MGBehavior" . 81 eq packages ( @MGBehavior@ ) = MGBehavior . 82 219 83 op MGBehavior : −> @Package . 84 eq name ( MGBehavior ) = "BehaviorMG" . 85 eq metamodel ( MGBehavior ) = @MGBehavior@ . 86 eq superPackage ( MGBehavior ) = null . 87 eq subPackages ( MGBehavior ) = nil . 88 eq classes ( MGBehavior ) = ActionExec@MGBehavior AtomicActionExec@MGBehavior 89 OngoingActionExec@MGBehavior Variable@MGBehavior Clock@MGBehavior Counter@MGBehavior 90 ObjectRole@MGBehavior . 91 92 --- Classes to represent rule properties 93 s o r t Rule@MGBehavior . 94 s u b s o r t Rule@MGBehavior < @Class . 95 op Rule@MGBehavior : −> Rule@MGBehavior . 96 eq name ( Rule@MGBehavior ) = "Rule" . 97 eq isAbstract ( Rule@MGBehavior ) = false . 98 eq package ( Rule@MGBehavior ) = MGBehavior . 99 eq superTypes ( Rule@MGBehavior ) = nil . 100 eq references ( Rule@MGBehavior ) = nil 101 eq attributes ( Rule@MGBehavior ) = name@Rule@MGBehavior lowerBound@Rule@MGBehavior 102 . upperBound@Rule@MGBehavior soft@Rule@MGBehavior . 103 104 op name@Rule@MGBehavior : −> @Attribute . 105 eq name ( name@Rule@MGBehavior ) = "name" . 106 eq type ( name@Rule@MGBehavior ) = @String . 107 eq lowerBound ( name@Rule@MGBehavior ) = 1 . 108 eq upperBound ( name@Rule@MGBehavior ) = 1 . 109 eq containingClass ( name@Rule@MGBehavior ) = Rule@MGBehavior . 110 eq isId ( name@Rule@MGBehavior ) = true . 111 eq isOrdered ( name@Rule@MGBehavior ) = true . 112 eq isUnique ( name@Rule@MGBehavior ) = true . 113 114 op lowerBound@Rule@MGBehavior : −> @Attribute . 115 eq name ( lowerBound@Rule@MGBehavior ) = "lowerBound" . 116 eq type ( lowerBound@Rule@MGBehavior ) = @Time . 117 eq lowerBound ( lowerBound@Rule@MGBehavior ) = 0 . 118 eq upperBound ( lowerBound@Rule@MGBehavior ) = 1 . 119 eq containingClass ( lowerBound@Rule@MGBehavior ) = Rule@MGBehavior . 120 eq isId ( lowerBound@Rule@MGBehavior ) = false . 121 eq isOrdered ( lowerBound@Rule@MGBehavior ) = true . 122 eq isUnique ( lowerBound@Rule@MGBehavior ) = true . 123 124 op upperBound@Rule@MGBehavior : −> @Attribute . 125 eq name ( upperBound@Rule@MGBehavior ) = "upperBound" . 126 eq type ( upperBound@Rule@MGBehavior ) = @Time . 127 eq lowerBound ( upperBound@Rule@MGBehavior ) = 0 . 128 eq upperBound ( upperBound@Rule@MGBehavior ) = 1 . 129 eq containingClass ( upperBound@Rule@MGBehavior ) = Rule@MGBehavior . 130 eq isId ( upperBound@Rule@MGBehavior ) = false . 131 eq isOrdered ( upperBound@Rule@MGBehavior ) = true . 132 eq isUnique ( upperBound@Rule@MGBehavior ) = true . 133 220 A PPENDIX C. M AUDE D EFINITIONS FOR T IME AND ACTION P ROPERTIES 134 op soft@Rule@MGBehavior : −> @Attribute . 135 eq name ( soft@Rule@MGBehavior ) = "soft" . 136 eq type ( soft@Rule@MGBehavior ) = @Bool . 137 eq lowerBound ( soft@Rule@MGBehavior ) = 1 . 138 eq upperBound ( soft@Rule@MGBehavior ) = 1 . 139 eq containingClass ( soft@Rule@MGBehavior ) = Rule@MGBehavior . 140 eq isId ( soft@Rule@MGBehavior ) = false . 141 eq isOrdered ( soft@Rule@MGBehavior ) = true . 142 eq isUnique ( soft@Rule@MGBehavior ) = true . 143 144 s o r t AtomicRule@MGBehavior . 145 s u b s o r t AtomicRule@MGBehavior < Rule@MGBehavior . 146 op AtomicRule@MGBehavior : −> AtomicRule@MGBehavior . 147 eq name ( AtomicRule@MGBehavior ) = "AtomicRule" . 148 eq isAbstract ( AtomicRule@MGBehavior ) = false . 149 eq package ( AtomicRule@MGBehavior ) = MGBehavior . 150 eq superTypes ( AtomicRule@MGBehavior ) = Rule@MGBehavior . 151 eq references ( AtomicRule@MGBehavior ) = nil 152 eq attributes ( AtomicRule@MGBehavior ) = periodicity@AtomicRule@MGBehavior . . 153 154 op periodicity@AtomicRule@MGBehavior : −> @Attribute . 155 eq name ( periodicity@AtomicRule@MGBehavior ) = "periodicity" . 156 eq type ( periodicity@AtomicRule@MGBehavior ) = @Time . 157 eq lowerBound ( periodicity@AtomicRule@MGBehavior ) = 0 . 158 eq upperBound ( periodicity@AtomicRule@MGBehavior ) = 1 . 159 eq containingClass ( periodicity@AtomicRule@MGBehavior ) = AtomicRule@MGBehavior . 160 eq isId ( periodicity@AtomicRule@MGBehavior ) = false . 161 eq isOrdered ( periodicity@AtomicRule@MGBehavior ) = true . 162 eq isUnique ( periodicity@AtomicRule@MGBehavior ) = true . 163 164 --- Classes to represent action executions 165 s o r t ActionExec@MGBehavior . 166 s u b s o r t ActionExec@MGBehavior < @Class . 167 op ActionExec@MGBehavior : −> ActionExec@MGBehavior . 168 eq name ( ActionExec@MGBehavior ) = "ActionExec" . 169 eq isAbstract ( ActionExec@MGBehavior ) = true . 170 eq package ( ActionExec@MGBehavior ) = MGBehavior . 171 eq superTypes ( ActionExec@MGBehavior ) = nil . 172 eq references ( ActionExec@MGBehavior ) = participants@ActionExec@MGBehavior 173 174 . variables@ActionExec@MGBehavior eq attributes ( ActionExec@MGBehavior ) = startingTime@ActionExec@MGBehavior 175 endingTime@ActionExec@MGBehavior action@ActionExec@MGBehavior 176 maxTimer@ActionExec@MGBehavior . 177 178 op participants@ActionExec@MGBehavior : −> @Reference 179 eq name ( participants@ActionExec@MGBehavior ) = "participants" . 180 eq type ( participants@ActionExec@MGBehavior ) = ObjectRole@MGBehavior . 181 eq opposite ( participants@ActionExec@MGBehavior ) = null . 182 eq lowerBound ( participants@ActionExec@MGBehavior ) = 0 . 183 eq upperBound ( participants@ActionExec@MGBehavior ) = ∗ . 184 eq containingClass ( participants@ActionExec@MGBehavior ) = ActionExec@MGBehavior . . 221 185 eq isContainment ( participants@ActionExec@MGBehavior ) = true . 186 eq isOrdered ( participants@ActionExec@MGBehavior ) = false . 187 eq isUnique ( participants@ActionExec@MGBehavior ) = true . 188 189 op variables@ActionExec@MGBehavior : −> @Reference 190 eq name ( variables@ActionExec@MGBehavior ) = "variables" . 191 eq type ( variables@ActionExec@MGBehavior ) = Variable@MGBehavior . 192 eq opposite ( variables@ActionExec@MGBehavior ) = null . 193 eq lowerBound ( variables@ActionExec@MGBehavior ) = 0 . 194 eq upperBound ( variables@ActionExec@MGBehavior ) = ∗ . 195 eq containingClass ( variables@ActionExec@MGBehavior ) = ActionExec@MGBehavior . 196 eq isContainment ( variables@ActionExec@MGBehavior ) = true . 197 eq isOrdered ( variables@ActionExec@MGBehavior ) = false . 198 eq isUnique ( variables@ActionExec@MGBehavior ) = true . . 199 200 op startingTime@ActionExec@MGBehavior : −> @Attribute . 201 eq name ( startingTime@ActionExec@MGBehavior ) = "startingTime" . 202 eq type ( startingTime@ActionExec@MGBehavior ) = 203 eq lowerBound ( startingTime@ActionExec@MGBehavior ) = 1 . 204 eq upperBound ( startingTime@ActionExec@MGBehavior ) = 1 . 205 eq containingClass ( startingTime@ActionExec@MGBehavior ) = ActionExec@MGBehavior . 206 eq isId ( startingTime@ActionExec@MGBehavior ) = false . 207 eq isOrdered ( startingTime@ActionExec@MGBehavior ) = true . 208 eq isUnique ( startingTime@ActionExec@MGBehavior ) = true . @Time . 209 210 op endingTime@ActionExec@MGBehavior : −> @Attribute . 211 eq name ( endingTime@ActionExec@MGBehavior ) = "endingTime" . 212 eq type ( endingTime@ActionExec@MGBehavior ) = 213 eq lowerBound ( endingTime@ActionExec@MGBehavior ) = 0 . 214 eq upperBound ( endingTime@ActionExec@MGBehavior ) = 1 . 215 eq containingClass ( endingTime@ActionExec@MGBehavior ) = ActionExec@MGBehavior . 216 eq isId ( endingTime@ActionExec@MGBehavior ) = false . 217 eq isOrdered ( endingTime@ActionExec@MGBehavior ) = true . 218 eq isUnique ( endingTime@ActionExec@MGBehavior ) = true . @Time . 219 220 op action@ActionExec@MGBehavior : −> @Attribute . 221 eq name ( action@ActionExec@MGBehavior ) = "action" . 222 eq type ( action@ActionExec@MGBehavior ) = 223 eq lowerBound ( action@ActionExec@MGBehavior ) = 1 . 224 eq upperBound ( action@ActionExec@MGBehavior ) = 1 . 225 eq containingClass ( action@ActionExec@MGBehavior ) = ActionExec@MGBehavior . 226 eq isId ( action@ActionExec@MGBehavior ) = false . 227 eq isOrdered ( action@ActionExec@MGBehavior ) = true . 228 eq isUnique ( action@ActionExec@MGBehavior ) = true . @String . 229 230 op maxTimer@ActionExec@MGBehavior : −> @Attribute . 231 eq name ( maxTimer@ActionExec@MGBehavior ) = "maxTimer" . 232 eq type ( maxTimer@ActionExec@MGBehavior ) = 233 eq lowerBound ( maxTimer@ActionExec@MGBehavior ) = 0 . 234 eq upperBound ( maxTimer@ActionExec@MGBehavior ) = 1 . 235 eq containingClass ( maxTimer@ActionExec@MGBehavior ) = ActionExec@MGBehavior . @Time . 222 A PPENDIX C. M AUDE D EFINITIONS FOR T IME AND ACTION P ROPERTIES 236 eq isId ( maxTimer@ActionExec@MGBehavior ) = false . 237 eq isOrdered ( maxTimer@ActionExec@MGBehavior ) = true . 238 eq isUnique ( maxTimer@ActionExec@MGBehavior ) = true . 239 240 s o r t AtomicActionExec@MGBehavior . 241 s u b s o r t AtomicActionExec@MGBehavior < ActionExec@MGBehavior . 242 op AtomicActionExec@MGBehavior : −> AtomicActionExec@MGBehavior . 243 eq name ( AtomicActionExec@MGBehavior ) = "AtomicActionExec" . 244 eq isAbstract ( AtomicActionExec@MGBehavior ) = false . 245 eq package ( AtomicActionExec@MGBehavior ) = MGBehavior . 246 eq superTypes ( AtomicActionExec@MGBehavior ) = ActionExec@MGBehavior . 247 eq references ( AtomicActionExec@MGBehavior ) = nil 248 eq attributes ( AtomicActionExec@MGBehavior ) = minTimer@AtomicActionExec@MGBehavior 249 executionTime@AtomicActionExec@MGBehavior status@AtomicActionExec@MGBehavior . . 250 251 op minTimer@AtomicActionExec@MGBehavior : −> @Attribute . 252 eq name ( minTimer@AtomicActionExec@MGBehavior ) = "minTimer" . 253 eq type ( minTimer@AtomicActionExec@MGBehavior ) = 254 eq lowerBound ( minTimer@AtomicActionExec@MGBehavior ) = 0 . 255 eq upperBound ( minTimer@AtomicActionExec@MGBehavior ) = 1 . 256 eq containingClass ( minTimer@AtomicActionExec@MGBehavior ) = AtomicActionExec@MGBehavior . 257 eq isId ( minTimer@AtomicActionExec@MGBehavior ) = false . 258 eq isOrdered ( minTimer@AtomicActionExec@MGBehavior ) = true . 259 eq isUnique ( minTimer@AtomicActionExec@MGBehavior ) = true . @Time . 260 261 op executionTime@AtomicActionExec@MGBehavior : −> @Attribute . 262 eq name ( executionTime@AtomicActionExec@MGBehavior ) = "executionTime" . 263 eq type ( executionTime@AtomicActionExec@MGBehavior ) = 264 eq lowerBound ( executionTime@AtomicActionExec@MGBehavior ) = 1 . 265 eq upperBound ( executionTime@AtomicActionExec@MGBehavior ) = 1 . 266 eq containingClass ( executionTime@AtomicActionExec@MGBehavior ) 267 @Time . = AtomicActionExec@MGBehavior . 268 eq isId ( executionTime@AtomicActionExec@MGBehavior ) = false . 269 eq isOrdered ( executionTime@AtomicActionExec@MGBehavior ) = true . 270 eq isUnique ( executionTime@AtomicActionExec@MGBehavior ) = true . 271 272 op status@AtomicActionExec@MGBehavior : −> @Attribute . 273 eq name ( status@AtomicActionExec@MGBehavior ) = "status" . 274 eq type ( status@AtomicActionExec@MGBehavior ) = ActionStatus@MGBehavior . 275 eq lowerBound ( status@AtomicActionExec@MGBehavior ) = 1 . 276 eq upperBound ( status@AtomicActionExec@MGBehavior ) = 1 . 277 eq containingClass ( status@AtomicActionExec@MGBehavior ) = AtomicActionExec@MGBehavior . 278 eq isId ( status@AtomicActionExec@MGBehavior ) = false . 279 eq isOrdered ( status@AtomicActionExec@MGBehavior ) = true . 280 eq isUnique ( status@AtomicActionExec@MGBehavior ) = true . 281 282 s o r t ActionStatus@MGBehavior . 283 op ActionStatus@MGBehavior : −> @Enumeration . 284 s u b s o r t ActionStatus@MGBehavior < @EnumerationInstance . 285 286 --- An atomic action execution can be 223 287 --- a) Unfinished 288 --- b) Realized 289 --- c) Interrupted (deleted explicitly by a rule) 290 --- d) Aborted (the realization rule cannot be applied) 291 op unfinished@ActionStatus@MGBehavior : −> ActionStatus@MGBehavior . 292 op realized@ActionStatus@MGBehavior : −> ActionStatus@MGBehavior . 293 op interrupted@ActionStatus@MGBehavior : −> ActionStatus@MGBehavior . 294 op aborted@ActionStatus@MGBehavior : −> ActionStatus@MGBehavior . 295 296 s o r t OngoingActionExec@MGBehavior . 297 s u b s o r t OngoingActionExec@MGBehavior < ActionExec@MGBehavior . 298 op OngoingActionExec@MGBehavior : −> OngoingActionExec@MGBehavior . 299 eq name ( OngoingActionExec@MGBehavior ) = "OngoingActionExec" . 300 eq isAbstract ( OngoingActionExec@MGBehavior ) = false . 301 eq package ( OngoingActionExec@MGBehavior ) = MGBehavior . 302 eq superTypes ( OngoingActionExec@MGBehavior ) = ActionExec@MGBehavior . 303 eq references ( OngoingActionExec@MGBehavior ) = nil 304 eq attributes ( OngoingActionExec@MGBehavior ) 305 . = upperBoundTimer@OngoingActionExec@MGBehavior . 306 307 op upperBoundTimer@OngoingActionExec@MGBehavior : −> @Attribute . 308 eq name ( upperBoundTimer@OngoingActionExec@MGBehavior ) = "upperBoundTimer" . 309 eq type ( upperBoundTimer@OngoingActionExec@MGBehavior ) = 310 eq lowerBound ( upperBoundTimer@OngoingActionExec@MGBehavior ) = 0 . 311 eq upperBound ( upperBoundTimer@OngoingActionExec@MGBehavior ) = 1 . 312 eq containingClass ( upperBoundTimer@OngoingActionExec@MGBehavior ) 313 @Time . = OngoingActionExec@MGBehavior . 314 eq isId ( upperBoundTimer@OngoingActionExec@MGBehavior ) = false . 315 eq isOrdered ( upperBoundTimer@OngoingActionExec@MGBehavior ) = true . 316 eq isUnique ( upperBoundTimer@OngoingActionExec@MGBehavior ) = true . 317 318 s o r t Variable@MGBehavior . 319 s u b s o r t Variable@MGBehavior < @Class . 320 op Variable@MGBehavior : −> Variable@MGBehavior . 321 eq name ( Variable@MGBehavior ) = "Variable" . 322 eq isAbstract ( Variable@MGBehavior ) = false . 323 eq package ( Variable@MGBehavior ) = MGBehavior . 324 eq superTypes ( Variable@MGBehavior ) = nil . 325 eq references ( Variable@MGBehavior ) = nil . 326 eq attributes ( ObjectRole@MGBehavior ) = name@Variable@MGBehavior 327 value@Variable@MGBehavior . 328 329 op name@Variable@MGBehavior : −> @Attribute . 330 eq name ( name@Variable@MGBehavior ) = "name" . 331 eq type ( name@Variable@MGBehavior ) = 332 eq lowerBound ( name@Variable@MGBehavior ) = 1 . 333 eq upperBound ( name@Variable@MGBehavior ) = 1 . 334 eq containingClass ( name@Variable@MGBehavior ) = Variable@MGBehavior . 335 eq isId ( name@Variable@MGBehavior ) = false . 336 eq isOrdered ( name@Variable@MGBehavior ) = true . 337 eq isUnique ( name@Variable@MGBehavior ) = true . @String . 224 A PPENDIX C. M AUDE D EFINITIONS FOR T IME AND ACTION P ROPERTIES 338 339 op value@Variable@MGBehavior : −> @Attribute . 340 eq name ( value@Variable@MGBehavior ) = "value" . 341 eq type ( value@Variable@MGBehavior ) = 342 eq lowerBound ( value@Variable@MGBehavior ) = 1 . 343 eq upperBound ( value@Variable@MGBehavior ) = 1 . 344 eq containingClass ( value@Variable@MGBehavior ) = Variable@MGBehavior . 345 eq isId ( value@Variable@MGBehavior ) = false . 346 eq isOrdered ( value@Variable@MGBehavior ) = true . 347 eq isUnique ( value@Variable@MGBehavior ) = true . @DataType . 348 349 s o r t ObjectRole@MGBehavior . 350 s u b s o r t ObjectRole@MGBehavior < @Class . 351 op ObjectRole@MGBehavior : −> ObjectRole@MGBehavior . 352 eq name ( ObjectRole@MGBehavior ) = "ObjectRole" . 353 eq isAbstract ( ObjectRole@MGBehavior ) = false . 354 eq package ( ObjectRole@MGBehavior ) = MGBehavior . 355 eq superTypes ( ObjectRole@MGBehavior ) = nil . 356 eq references ( ObjectRole@MGBehavior ) = actualObject@ObjectRole@MGBehavior 357 eq attributes ( ObjectRole@MGBehavior ) = role@ObjectRole@MGBehavior . . 358 359 op actualObject@ObjectRole@MGBehavior : −> @Reference . 360 eq name ( actualObject@ObjectRole@MGBehavior ) = "actualObject" . 361 eq type ( actualObject@ObjectRole@MGBehavior ) = 362 eq opposite ( actualObject@ObjectRole@MGBehavior ) = null . 363 eq lowerBound ( actualObject@ObjectRole@MGBehavior ) = 1 . 364 eq upperBound ( actualObject@ObjectRole@MGBehavior ) = 1 . 365 eq containingClass ( actualObject@ObjectRole@MGBehavior ) = ObjectRole@MGBehavior . 366 eq isContainment ( actualObject@ObjectRole@MGBehavior ) = false . 367 eq isOrdered ( actualObject@ObjectRole@MGBehavior ) = true . 368 eq isUnique ( actualObject@ObjectRole@MGBehavior ) = true . @Object . 369 370 op role@ObjectRole@MGBehavior : −> @Attribute . 371 eq name ( role@ObjectRole@MGBehavior ) = "role" . 372 eq type ( role@ObjectRole@MGBehavior ) = 373 eq lowerBound ( role@ObjectRole@MGBehavior ) = 1 . 374 eq upperBound ( role@ObjectRole@MGBehavior ) = 1 . 375 eq containingClass ( role@ObjectRole@MGBehavior ) = ObjectRole@MGBehavior . 376 eq isId ( role@ObjectRole@MGBehavior ) = false . 377 eq isOrdered ( role@ObjectRole@MGBehavior ) = true . 378 eq isUnique ( role@ObjectRole@MGBehavior ) = true . @String . 379 380 --- The Clock 381 s o r t Clock@MGBehavior . 382 s u b s o r t Clock@MGBehavior < @Class . 383 op Clock@MGBehavior : −> Clock@MGBehavior . 384 eq name ( Clock@MGBehavior ) = "Clock" . 385 eq isAbstract ( Clock@MGBehavior ) = false . 386 eq package ( Clock@MGBehavior ) = MGBehavior . 387 eq superTypes ( Clock@MGBehavior ) = nil . 388 eq references ( Clock@MGBehavior ) = nil . 225 389 eq attributes ( Clock@MGBehavior ) = time@Clock@MGBehavior . 390 391 op time@Clock@MGBehavior : −> @Attribute . 392 eq name ( time@Clock@MGBehavior ) = "time" . 393 eq type ( time@Clock@MGBehavior ) = 394 eq lowerBound ( time@Clock@MGBehavior ) = 1 . 395 eq upperBound ( time@Clock@MGBehavior ) = 1 . 396 eq containingClass ( time@Clock@MGBehavior ) = Clock@MGBehavior . 397 eq isId ( time@Clock@MGBehavior ) = false . 398 eq isOrdered ( time@Clock@MGBehavior ) = true . 399 eq isUnique ( time@Clock@MGBehavior ) = true . @Time . 400 401 --- Counters: to create new identifiers and count the random operation invocations 402 s o r t Counter@MGBehavior . 403 s u b s o r t Counter@MGBehavior < @Class . 404 op Counter@MGBehavior : −> Counter@MGBehavior . 405 eq name ( Counter@MGBehavior ) = "Counter" . 406 eq isAbstract ( Counter@MGBehavior ) = false . 407 eq package ( Counter@MGBehavior ) = MGBehavior . 408 eq superTypes ( Counter@MGBehavior ) = nil . 409 eq references ( Counter@MGBehavior ) = nil . 410 eq attributes ( Counter@MGBehavior ) = value@Counter@MGBehavior . 411 412 op value@Counter@MGBehavior : −> @Attribute . 413 eq name ( value@Counter@MGBehavior ) = "value" . 414 eq type ( value@Counter@MGBehavior ) = 415 eq lowerBound ( value@Counter@MGBehavior ) = 1 . 416 eq upperBound ( value@Counter@MGBehavior ) = 1 . 417 eq containingClass ( value@Counter@MGBehavior ) = Counter@MGBehavior . 418 eq isId ( value@Counter@MGBehavior ) = false . 419 eq isOrdered ( value@Counter@MGBehavior ) = true . 420 eq isUnique ( value@Counter@MGBehavior ) = true . @Int . 421 422 --- To get Clock and ActionExec properties through OCL expressions 423 op startingTime@OCLSf : −> @StructuralFeature . 424 eq name ( startingTime@OCLSf ) = "startingTime" . 425 op endingTime@OCLSf : −> @StructuralFeature . 426 eq name ( endingTime@OCLSf ) = "endingTime" . 427 op executionTime@OCLSf : −> @StructuralFeature . 428 eq name ( executionTime@OCLSf ) = "executionTime" . 429 op time@OCLSf : −> @StructuralFeature . 430 431 eq name ( time@OCLSf ) = "time" . endm 226 A PPENDIX C. M AUDE D EFINITIONS FOR T IME AND ACTION P ROPERTIES Appendix D Maude Operations for Querying a Simulation The following Maude operations have been defined to query the result of a simulation, and to present it in a more readable way. In these operations, oid, name and t represent variables of sort Oid, String and Time, respectively, while system represents a variable of sort either ClockedSystem or @Model. • finalizedActions(system) Displays information on the actions that are finalized (either realized, interrupted, or aborted) in the system. The result is a list of elements composed of the name of the action, the time at which the action was triggered, the time at which the action was finalized, and the set of the identifiers of the participant elements. • currentActions(system) Displays information on the actions that are triggered but not finalized (i.e., the unfinished actions) in the system. The result is a list of elements composed of the name of the action, the time at which the action was triggered, and the set of the identifiers of the participant elements. • finalizedOccurrencesOf(name, system) Displays information on the occurrences of the name rule that are finalized in the system. The result is a list of elements composed of the time at which the rule was triggered, the time at which the rule was finalized, and the set of the identifiers of the participant elements. 227 228 A PPENDIX D. M AUDE O PERATIONS FOR Q UERYING A S IMULATION • finalizedOccurrencesOf(oid, name, system) Displays information on the occurrences of the name rule that are finalized in the system in which oid is one of the participants. The result is a list of elements composed of the time at which the rule was triggered and the time at which the rule was finalized. • finalizedActionsOf(oid, system) Displays information on the actions in the system in which oid is a participant that are finalized. The result is a list of elements composed of the name of the action, the time at which the action was triggered, and the time at which the action was finalized. • actionsAt(t, system) Displays information on the actions in the system that are under execution at time t. The result is a list of elements composed of the name of the action and the set of the identifiers of the participant elements. • actionsAt(oid, t, system) Displays information on the actions in the system in which oid is a participant that are under execution at time t. The result is a list of elements composed of the name of the action and the set of the identifiers of the remaining participant elements. • occurrenceAt?(oid, name, t, system) Displays a boolean value stating whether an occurrence of the rule with label name in which oid is a participant is under execution at time t in the system or not. • startingActionsAt(t, system) Displays information on the actions that start at time t in the system. The result is a list of elements composed of the name of the action and the set of the identifiers of the participant elements. • finalizedActionsAt(t, system) Displays information on the actions that are finalized at time t in the system. The result is a list of elements composed of the name of the action and the set of the identifiers of the participant elements. Bibliography [1] The AADL web site. currentsite/. Available at http://www.aadl.info/aadl/ [2] Atenea group. Available at http://atenea.lcc.uma.es. [3] The ATLAS Transformation Language (ATL) web site. Available at http://www. eclipse.org/m2m/atl/. [4] Maude manual and examples. maude2-manual/. Available at http://maude.cs.uiuc.edu/ [5] The MOMENT web site. Available at http://moment.dsic.upv.es. [6] The official OMG MARTE web site. Available at http://www.omgmarte.org/. [7] Textual Concrete Syntax (TCS). index.php/TCS. Available at http://wiki.eclipse.org/ [8] The Eclipse Graphical Modeling Framework (GMF). Available at http://www. eclipse.org/modeling/gmf/. [9] The Eclipse Modeling Framework (EMF). Available at http://www.eclipse. org/modeling/emf/. [10] The mOdCL tool. Available at http://maude.lcc.uma.es/mOdCL. [11] The Object Management Group (OMG). Available at http://www.omg.org/. [12] The MOVA tool: a validation tool for UML, 2006. Available at http://maude. sip.ucm.es/mova/. [13] S. Alagic and P. Bernstein. A model theory for generic schema management. In G. Ghelli and G. Grahne, editors, Proc. of the 8th International Workshop on DataBase Programming Languages (DBPL’01), volume 2397 of LNCS, pages 228–246. Springer-Verlag, 2002. [14] M. Alanen and I. Porres. Difference and union of models. In Proc. of the 6th International Conference on the Unified Modeling Language: Modeling Languages and Applications (UML’03), volume 2863 of LNCS, pages 2–17. Springer-Verlag, 2003. 229 230 BIBLIOGRAPHY [15] P. Baldan, A. Corradini, and B. König. A static analysis technique for graph transformation systems. In Proc. of the 12th International Conference on Concurrency Theory (CONCUR’01), volume 2154 of LNCS, pages 381–395. Springer-Verlag, 2001. [16] L. Baresi and P. Spoletini. On the use of Alloy to analyze graph transformation systems. In Proc. of the 3rd International Conference on Graph Transformation (ICGT’06), volume 4178 of LNCS, pages 306–320. Springer-Verlag, 2006. [17] D. Batory, M. Azanza, and J. Saraiva. The objects and arrows of computational design. In Proc. of the 11th International Conference on Model Driven Engineering Languages and Systems (MoDELS’08), pages 1–20. Springer-Verlag, 2008. [18] D. F. Bender, B. Combemale, X. Crégut, J. M. Farines, B. Berthomieu, and F. Vernadat. Ladder metamodeling and PLC program validation through time Petri nets. In Proc. of the 4th European Conference on Model Driven Architecture: Fondations and Applications (ECMDA-FA’08), pages 121–136. Springer-Verlag, 2008. [19] P. Bernstein. Applying model management to classical metadata problems. In Proc. of the 1st Conference on Innovative Database Research (CIDR’03), pages 209–220, 2003. [20] J. Bézivin. On the unification power of models. Journal on Software and Systems Modeling, 4(2):171–188, 2005. [21] J. Bézivin and F. Jouault. KM3: a DSL for metamodel specification. In Procs. of the 8th IFIP International Conference on Formal Methods for Open Object-based Distributed Systems (FMOODS’06), volume 4037 of LNCS, pages 171–185. Springer-Verlag, Apr. 2006. [22] X. Blanc, M.-P. Gervais, and P. Sriplakich. Model bus: Towards the interoperability of modelig tools. In U. Aßmann, M. Aksit, and A. Rensink, editors, Proc. of the 2th Working Conference on Model Driven Architecture: Foundations and Applications (MDA-FA’04), volume 3599 of LNCS, pages 17–32. Springer-Verlag, 2005. [23] A. Boronat, J. A. Carsı́, and I. Ramos. Automatic support for traceability in a generic model management framework. In Proc. of the 1st European Conference on Model Driven Architecture: Fondations and Applications (ECMDA-FA’05), volume 3748 of LNCS, pages 316–330. Springer-Verlag, 2005. [24] A. Boronat, R. Heckel, and J. Meseguer. Rewriting logic semantics and verification of model transformations. In Proc. of the 12th International Conference on Fundamental Approaches to Software Engineering (FASE’09), pages 18–33, 2009. [25] A. Boronat and J. Meseguer. An algebraic semantics for MOF. In Proc. of the 11th International Conference on Fundamental Approaches to Software Engineering (FASE’08), volume 4961 of LNCS, pages 377–391. Springer-Verlag, 2008. BIBLIOGRAPHY 231 [26] A. Boronat and P. C. Ölveczky. Formal real-time model transformations in MOMENT2. In D. S. Rosenblum and G. Taentzer, editors, Proc. of the 13th International Conference on Fundamental Approaches to Software Engineering (FASE’10), volume 6013 of LNCS, pages 29–43. Springer-Verlag, 2010. [27] A. Bouhoula, J.-P. Jouannaud, and J. Meseguer. Specification and proof in membership equational logic. Theoretical Computer Science, 236(1):35–132, 2000. [28] R. Breu, R. Gosu, F. Huber, B. Rumpe, and W. Schwerin. Towards a precise semantics for object-oriented modeling techniques. In Proc. of Object-Oriented Technology: ECOOP’97 Workshops, volume 1357 of LNCS, pages 205–210. Springer-Verlag, 1998. [29] C. Brun and A. Pierantonio. Model differences in the Eclipse Modeling Framework. Upgrade, Special Issue on Model-Driven Software Development, IX(2), Apr. 2008. [30] R. Bruni and J. Meseguer. Semantic foundations for generalized rewrite theories. Theoretical Computer Science, 360(1-3):386–414, 2006. [31] S. Burmester and H. Giese. The Fujaba real-time statechart plugin. In H. Giese and A. Zündorf, editors, Proc. of the 1st International Fujaba Days, pages 1–8. University of Paderborn, 2003. [32] S. Burmester, H. Giese, M. Hirsch, D. Schilling, and M. Tichy. The Fujaba real-time tool suite: model-driven development of safety-critical, real-time systems. In Proc. of the 27th International Conference on Software Engineering (ICSE’05), pages 670–671. ACM, 2005. [33] F. Büttner and M. Gogolla. Realizing graph transformations by pre- and postconditions and command sequences. In Proc. of the 3rd International Conference on Graph Transformation (ICGT’06), volume 4178 of LNCS, pages 398–413. Springer-Verlag, 2006. [34] J. Cabot, R. Clarisó, E. Guerra, and J. de Lara. Analysing graph transformation rules through OCL. In Proc. of the 1st International Conference on Model Transformation (ICMT’08), volume 5063 of LNCS, pages 225–239. Springer-Verlag, 2008. [35] C. Calero, M. Genero, and M. Piattini. Metrics for Software Conceptual Models. Imperial College Press, 2005. [36] M. V. Cengarle, A. Knapp, A. Tarlecki, and M. Wirsing. A heterogeneous approach to uml semantics. In H. Hussmann, editor, Concurrency, Graphs and Models: Essays dedicated to Ugo Montanari on the occasion of his 65th birthday, volume 2029 of LNCS, pages 383–402. Springer-Verlag, 2008. [37] K. Chen, J. Sztipanovits, S. Abdelwalhed, and E. Jackson. Semantic anchoring with model transformations. In Proc. of the 1st European Conference on Model Driven Architecture: Fondations and Applications (ECMDA-FA’05), volume 3748 of LNCS, pages 115–129. Springer-Verlag, 2005. 232 BIBLIOGRAPHY [38] A. Cicchetti, D. D. Ruscio, and A. Pierantonio. A domain-specific modeling language for model differences. Technical report, Università di L’ Aquila, 2006. [39] A. Cicchetti, D. D. Ruscio, and A. Pierantonio. A metamodel independent approach to difference representation. Journal of Object Technology, 6(9):165–185, Oct. 2007. [40] T. Clark, P. Sammut, and J. Willans. Applied Metamodelling. Ceteva, 2 edition, 2004. [41] M. Clavel, F. Durán, S. Eker, P. Lincoln, N. Martı́-Oliet, J. Meseguer, and J. Quesada. Maude: specification and programming in rewriting logic. Theoretical Computer Science, 285:187–243, Aug. 2002. [42] M. Clavel, F. Durán, S. Eker, P. Lincoln, N. Martı́-Oliet, J. Meseguer, and C. Talcott. All About Maude – A High-Performance Logical Framework, volume 4350 of LNCS. Springer-Verlag, 2007. [43] M. Clavel, F. Durán, J. Hendrix, S. Lucas, J. Meseguer, and P. Ölveczky. The Maude formal tool environment. In T. Mossakowski, U. Montanari, and M. Haveraaen, editors, Proc. of the 2nd Conference on Algebra and Coalgebra in Computer Science (CALCO’07), volume 4624 of LNCS, pages 173–178. Springer-Verlag, Aug. 2007. [44] M. Clavel, M. Palomino, and A. Riesco. Introducing the ITP tool: a tutorial. Journal of Universal Computer Science, 12(11):1618–1650, 2006. [45] A. Cuccuru, C. Mraidha, F. Terrier, and S. Grard. Enhancing UML extensions with operational semantics: Behaviored profiles with templates. In Proc. of the 10th International Conference on Model Driven Engineering Languages and Systems (MoDELS’07), volume 4735 of LNCS, pages 271–285. Springer-Verlag, 2007. [46] K. Czarnecki and S. Helsen. Classification of model transformation approaches. In OOPSLA’03 Workshop on Generative Techniques in the Context of Model-Driven Architecture, 2003. [47] J. de Lara, R. Bardohl, H. Ehrig, K. Ehrig, U. Prange, and G. Taentzer. Attributed graph transformation with node type inheritance. Theoretical Computer Science, 376(3):139– 163, 2007. [48] J. de Lara and H. Vangheluwe. Defining visual notations and their manipulation through meta-modelling and graph transformation. Journal of Visual Languages and Computing, 15(3–4):309–330, 2006. [49] J. de Lara and H. Vangheluwe. Translating model simulators to analysis models. In Proc. of the 11th International Conference on Fundamental Approaches to Software Engineering (FASE’08), volume 4961 of LNCS, pages 77–92. Springer-Verlag, 2008. [50] J. de Lara and H. Vangheluwe. Automating the transformation-based analysis of visual languages. Formal Aspects of Computing, 22(3-4):297–326, May 2010. BIBLIOGRAPHY 233 [51] F. Durán. A Reflective Module Algebra with Applications to the Maude Language. PhD thesis, Universidad de Málaga, Spain, June 1999. Available at http://maude.csl. sri.com/papers. [52] F. Durán, S. Lucas, and J. Meseguer. MTT: The Maude Termination Tool (system description). In Proc. of the 4th International Joint Conference on Automated Reasoning (IJCAR ’08), pages 313–319. Springer-Verlag, 2008. [53] F. Durán and J. Meseguer. A Church-Rosser checker tool for conditional order-sorted equational Maude specifications. In P. C. Ölveczky, editor, Proc. of the 8th International Workshop on Rewriting Logic and its Applications (WRLA’10), LNCS. Springer-Verlag, Mar. 2010. [54] F. Durán and J. Meseguer. A Maude coherence checker tool for conditional order-sorted equational Maude specifications. In P. C. Ölveczky, editor, Proc. of the 8th International Workshop on Rewriting Logic and its Applications (WRLA’10), LNCS. Springer-Verlag, Mar. 2010. [55] F. Durán, M. Roldán, and A. Vallecillo. Invariant-driven strategies for Maude. In Proc. of the 4th International Workshop on Reduction Strategies in Rewriting and Programming (WRS’04). Elsevier, June 2005. [56] J. Edwards, D. Jackson, and E. Torlak. A type system for object models. SIGSOFT Software Engineering Notes, 29(6):189–199, 2004. [57] H. Ehrig, K. Ehrig, U. Prange, and G. Taentzer. Fundamentals of algebraic graph transformation. Springer-Verlag, 2006. [58] S. Eker, N. Martı́-Oliet, J. Meseguer, and A. Verdejo. Deduction, strategies, and rewriting. Electron. Notes Theor. Comput. Sci., 174(11):3–25, 2007. [59] S. Eker, J. Meseguer, and A. Sridharanarayanan. The Maude LTL model checker. In Proc. of the 4th International Workshop on Rewriting Logic and its Applications (WRLA’02), volume 71 of ENTCS, pages 115–142. Elsevier, Sept. 2002. [60] G. Engels, J. H. Hausmann, R. Heckel, and S. Sauer. Dynamic meta modeling: A graphical approach to the operational semantics of behavioral diagrams in UML. In Proc. of the 3th International Conference on the Unified Modeling Language: Modeling Languages and Applications (UML’00), volume 1939 of LNCS, pages 323–337. Springer-Verlag, 2000. [61] T. Fischer, J. Niere, L. Torunski, and A. Zündorf. Story diagrams: A new graph rewrite language based on the unified modeling language. In Proc. of the 6th International Workshop on Theory and Application of Graph Transformation (TAGT’98), 1998. [62] C. Ghezzi, D. Mandrioli, S. Morasca, and M. Pezzè. A unified high-level petri net formalism for time-critical systems. IEEE Trans. Softw. Eng., 17(2):160–172, 1991. 234 BIBLIOGRAPHY [63] J. A. Goguen. Data, schema, ontology and logic integration. Logic Journal of the IGPL, 13(6):685–715, Nov. 2005. [64] S. Gyapay, R. Heckel, and D. Varró. Graph transformation with time: Causality and logical clocks. In Proc. of 1st International Conference on Graph Transformation (ICGT’02), pages 120–134. Springer-Verlag, 2002. [65] A. Habel and K.-H. Pennemann. Satisfiability of high-level conditions. In Proc. of the 3rd International Conference on Graph Transformation (ICGT’06), volume 4178 of LNCS, pages 430–444. Springer-Verlag, 2006. [66] D. Harel and B. Rumpe. Meaningful modeling: What’s the semantics of “semantics”? Computer, 37(10):64–72, 2004. [67] R. Heckel, J. M. Küster, and G. Taentzer. Confluence of typed attributed graph transformation systems. In Proc. of 1st International Conference on Graph Transformation (ICGT’02), volume 2505 of LNCS, pages 161–176. Springer-Verlag, 2002. [68] J. D. Hendrix. Decision procedures for equationally based reasoning. PhD thesis, University of Illinois at Urbana-Champaign, 2008. Technical Report: UIUCDCS-R2008-2999. [69] J. L. C. Izquierdo and J. G. Molina. Gra2mol: Una herramienta para la extraccin demodelos en modernizacin de software. In A. Vallecillo and G. Sagardui, editors, Proc. of the XIV Jornadas de Ingenierı́a del Software y Bases de Datos (JISBD’09), pages 162–165, Sept. 2009. [70] F. Jouault, J. Bézivin, and I. Kurtev. TCS: a DSL for the specification of textual concrete syntaxes in model engineering. In Proc. of the 5th International Conference on Generative Programming and Component Engineering (GPCE’06), pages 249–254. ACM, 2006. [71] F. Jouault and I. Kurtev. Transforming models with atl. In Satellite Events at the MoDELS 2005 Conference, volume 3844 of LNCS, pages 128–138. Springer-Verlag, 2006. [72] S.-K. Kim and D. Carrington. Formalizing the UML class diagram using Object-Z. In R. B. France and B. Rumpe, editors, Proc. of the 2nd International Conference on the Unified Modeling Language (UML’99), volume 1723 of LNCS, pages 83–98. SpringerVerlag, 1999. [73] A. Kleppe. A language description is more than a metamodel. In Proc. of 4th International Workshop on Software Language Engineering (ATEM’07), Oct. 2007. [74] A. G. Kleppe, J. Warmer, and W. Bast. MDA Explained: The Model Driven Architecture: Practice and Promise. Addison-Wesley Longman Publishing Co., Inc., 2003. [75] P. Krishnan. Consistency checks for uml. In Proc. of the 7th Asia-Pacific Software Engineering Conference (APSEC’00), pages 162–169. IEEE Computer Society, 2000. BIBLIOGRAPHY 235 [76] V. I. Levenshtein. Binary codes capable of correcting deletions, insertions, and reversals. Soviet Physics Doklady, 10:707, 1966. [77] Y. Lin, J. Gray, and F. Jouault. DSMDiff: A differentiation tool for domain-specific models. European Journal of Information Systems, 16:349–361, 2007. [78] R. E. Lopez-Herrejon and J. E. Rivera. Realizing feature oriented software development with equational logic: An exploratory study. In A. Vallecillo and G. Sagardui, editors, Proc. of the XIV Jornadas de Ingenierı́a del Software y Bases de Datos (JISBD’09), pages 269–274, Sept. 2009. [79] S. Marković and T. Baar. Semantics of OCL Specified with QVT. Journal of Software and Systems Modeling (SoSyM), 2008. [80] N. Martı́-Oliet and J. Meseguer. Rewriting logic: roadmap and bibliography. Theoretical Computer Science, 285(2):121–154, 2002. [81] T. Mens. A state-of-the-art survey on software merging. IEEE Transactions on Software Engineering, 28(5):449–462, 2002. [82] P. M. Merlin. A study of the recoverability of computer systems. PhD thesis, University of California, Irvine, Apr. 1974. [83] J. Meseguer. Conditional rewriting logic as a unified model of concurrency. Theoretical Computer Science, 96:73–155, 1992. [84] J. Meseguer. The temporal logic of rewriting: A gentle introduction. In Concurrency, Graphs and Models, volume 5065 of LNCS, pages 354–382. Springer-Verlag, 2008. [85] J. Meseguer, M. Palomino, and N. Martı́-Oliet. Equational abstractions. In Proc. of the 19th International Conference on Automated Deduction (CADE’03), volume 2741 of LNCS, pages 2–16. Springer-Verlag, 2003. [86] P.-A. Muller, F. Fleurey, and J.-M. Jézéquel. Weaving executability into object-oriented meta-languages. In Proc. of the 8th ACM/IEEE International Conference on Model Driven Engineering Languages and Systems (MoDELS’05), volume 3713 of LNCS, pages 264–278. Springer-Verlag, 2005. [87] D. Ohst, M. Welle, and U. Kelter. Difference tools for analysis and design documents. In Proc. of the International Conference on Software Maintenance (ICSM’03), page 13. IEEE Computer Society, 2003. [88] D. Ohst, M. Welle, and U. Kelter. Differences between versions of uml diagrams. SIGSOFT Software Engineering Notes, 28(5):227–236, 2003. [89] P. C. Ölveczky. Real-Time Maude 2.3 Manual, 2007. Available at http://www. ifi.uio.no/RealTimeMaude/. [90] P. C. Ölveczky and J. Meseguer. Abstraction and completeness for real-time maude. Electron. Notes Theor. Comput. Sci., 176(4):5–27, 2007. 236 BIBLIOGRAPHY [91] P. C. Ölveczky and J. Meseguer. Semantics and pragmatics of Real-Time Maude. Higher-Order and Symbolic Computation, 20(1-2):161–196, 2007. [92] OMG. Meta Object Facility (MOF) 2.0 Core Specification. OMG, 2003. OMG doc. ptc/03-10-04, available at http://www.omg.org/docs/ptc/03-10-04.pdf. [93] OMG. Model Driven Arquitecture Guide. OMG, Nov. 2005. OMG doc. formal/05-1103. [94] OMG. Unified Modeling Language 2.1.1 Superstructure Specification. OMG, Feb. 2007. OMG doc. formal/07-02-05. [95] I. Poernomo. Proofs-as-model-transformations. In Proc. of the 1st International Conference on Model Transformation (ICMT’08), volume 5063 of LNCS, pages 210–224. Springer-Verlag, 2008. [96] G. Reggio, M. Cerioli, and E. Astesiano. Towards a rigorous semantics of uml supporting its multiview approach. In H. Hussmann, editor, Proc. of the 4th International Conference on Fundamental Approaches to Software Engineering (FASE’01), volume 2029 of LNCS, pages 171–186. Springer-Verlag, 2001. [97] A. Rensink. Explicit state model checking for graph grammars. In Concurrency, Graphs and Models, volume 5065 of LNCS, pages 114–132. Springer-Verlag, 2008. [98] J. E. Rivera, F. Durán, and A. Vallecillo. A metamodel for maude. Technical report, University of Málaga, 2008. Available at http://atenea.lcc.uma.es/images/ e/e0/MaudeMM.pdf. [99] J. E. Rivera, F. Durán, and A. Vallecillo. A graphical approach for modeling timedependent behavior of DSLs. In Proc. of the IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC’09), pages 51–55. IEEE Computer Society, Sept. 2009. [100] J. E. Rivera, F. Durán, and A. Vallecillo. On the behavioral semantics of real-time domain specific visual languages. In P. C. Ölveczky, editor, Proc. of the 8th International Workshop on Rewriting Logic and its Applications (WRLA’10), LNCS. Springer-Verlag, Mar. 2010. [101] J. E. Rivera, F. Durán, A. Vallecillo, and J. R. Romero. Maudeling: Herramienta de gestión de modelos usando Maude. In Proc. of the XII Jornadas de Ingenierı́a del Software y Bases de Datos (JISBD’07), pages 409–410, Sept. 2007. [102] J. E. Rivera, E. Guerra, J. de Lara, and A. Vallecillo. Analyzing rule-based behavioral semantics of visual modeling languages with Maude. In Proc. of the 1st International Conference on Software Language Engineering (SLE’08), volume 5452 of LNCS, pages 54–73. Springer-Verlag, 2008. BIBLIOGRAPHY 237 [103] J. E. Rivera and N. Moreno. Subtipado de modelos: Una definición basada en la sustitución entre tipos y en la aplicabilidad de operaciones. In Proc. of the XI Workshop Iberoamericano de Ingeniera de Requisitos y Ambientes de Software (IDEAS’08), pages 375–380, Feb. 2008. [104] J. E. Rivera and A. Vallecillo. Adding behavioral semantics to models. In Proc. of the 11th IEEE International Enterprise Distributed Object Computing Conference (EDOC’07), pages 169–180. IEEE Computer Society, Oct. 2007. [105] J. E. Rivera and A. Vallecillo. Representing and operating with model differences. In Proc. of the 46th International Conference on Objects, Models, Components, Patterns (TOOLS’08), volume 11 of Lecture Notes in Business Information Processing, pages 141–160. Springer-Verlag, 2008. [106] J. E. Rivera, A. Vallecillo, and F. Durán. Formal specification and analysis of domain specific languages using Maude. Simulation: Transactions of the Society for Modeling and Simulation International, 85(11/12):778–792, 2009. [107] J. E. Rivera, C. Vicente-Chicote, and A. Vallecillo. Extending visual modeling languages with timed behavioral specifications. In Proc. of the XII Workshop Iberoamericano de Ingeniera de Requisitos y Ambientes de software (IDEAS’09), pages 87–100, Apr. 2009. [108] M. Roldán and F. Durán. Representing UML models in mOdCL. Manuscript. Available at http://maude.lcc.uma.es/mOdCL, 2008. [109] M. Roldán, F. Durán, and A. Vallecillo. Invariant-driven specifications in maude. Science of Computer Programming, 74(10):812–835, Aug. 2009. [110] J. R. Romero, J. E. Rivera, F. Durán, and A. Vallecillo. Formal and tool support for model driven engineering with Maude. Journal of Object Technology, 6(9):187–207, Oct. 2007. [111] G. Rozenberg, editor. Handbook of Graph Grammars and Computing by Graph Transformations, Volume 1: Foundations. World Scientific, 1997. [112] D. D. Ruscio. Specification of model transformation and weaving in Model Driven Engineering. PhD thesis, Università del l’Aquila, 2007. [113] D. D. Ruscio, F. Jouault, I. Kurtev, J. Bézivin, and A. Pierantonio. Extending AMMA for supporting dynamic semantics specifications of DSLs. Technical Report 06.02, Laboratoire d’Informatique de Nantes-Atlantique (LINA), Apr. 2006. [114] J. Sáez, A. Toval-Álvarez, and J. L. Fernández-Alemán. Tool support for transforming UML models to a formal language. In Proc. of Workshop on Transformations of UML Models (WTUML’01), pages 111–115, Apr. 2001. [115] D. C. Schmidt. Model-driven engineering. IEEE Computer, 39(2), February 2006. BIBLIOGRAPHY 238 [116] J. Steel and J.-M. Jézéquel. Model typing for improving reuse in model-driven engineering. In L. Briand and C. Williams, editors, Proc. of the 8th ACM/IEEE International Conference on Model Driven Engineering Languages and Systems (MoDELS’05), volume 3713 of LNCS, pages 84–96. Springer-Verlag, July 2005. [117] J. Steel and J.-M. Jézéquel. 6(4):401–413, Dec. 2007. On model typing. Software and Systems Modeling, [118] E. Syriani and H. Vangheluwe. Programmed graph rewriting with time for simulationbased design. In Proc. of the 1st International Conference on Model Transformation (ICMT’08), volume 5063 of LNCS, pages 91–106. Springer-Verlag, 2008. [119] A. Toulmé. The EMF compare utility, 2007. Available at http://www.eclipse. org/modeling/emft/. [120] A. Toval-Álvarez and J. L. Fernández-Alemán. Formally modeling uml and its evolution: a holistic approach. In Proc. of the 4th International Conference on Formal Methods for Open Object-based Distributed Dystems (FMOODS’00), pages 183–206. Kluwer Academic Publishers, 2000. [121] J. Troya, J. E. Rivera, and A. Vallecillo. On the specification of non-functional properties of systems by observation. In Proc. of the 2nd International Workshop of Non-functional System Properties in Domain Specific Modeling Languages (NFPinDSML’09), Oct. 2009. [122] J. Troya, J. E. Rivera, and A. Vallecillo. Simulating domain specific visual models by observation. In Proc. of the Symposium on Theory of Modeling and Simulation (DEVS’10), Apr. 2010. [123] A. Vallecillo. A journey through the secret life of models. In U. As̈mann, J. Bézivin, R. Paige, B. Rumpe, and D. C. Schmidt, editors, Perspectives Workshop: Model Engineering of Complex Systems (MECS), number 08331 in Dagstuhl Seminar Proceedings, 2008. [124] H. Vangheluwe and J. de Lara. Automatic generation of model-to-model transformations from rule-based specifications of operational semantics. In Proc. of the 7th OOPSLA Workshop on Domain-Specific Modeling (DSM’07), Oct. 2007. [125] D. Varró. Automated formal verification of visual modeling languages by model checking. Software and System Modeling, 3(2):85–113, 2004. [126] G. Wachsmuth. Metamodel adaptation and model co-adaptation. In E. Ernst, editor, Proc. of the 21st European Conference on Object-Oriented Programming (ECOOP’07), volume 4609 of LNCS, pages 600–624. Springer-Verlag, July 2007. [127] Z. Xing and E. Stroulia. Umldiff: an algorithm for object-oriented design differencing. In Proc. of the 20th IEEE/ACM International Conference on Automated Software Engineering (ASE’05), pages 54–65. ACM Press, 2005. BIBLIOGRAPHY 239 [128] Y. Zhang and B. Xu. A survey of semantic description frameworks for programming languages. SIGPLAN Not., 39(3):14–30, 2004. 240 BIBLIOGRAPHY Cuando tomamos conciencia de que no hay una sola interpretación, que hay múltiples puntos de vista y ninguna representa “la verdad”, también descubrimos que podemos elegir nuestra manera de observar, de ver el punto de vista que nos destruye y encontrar el que nos enriquece. Silvia Salinas: Todo (no) terminó. i