
5. If Γ does not contain any relation pattern isomorphic to γ, then add γ to Γ and continue with the next possible pair of jointly surjective relation pattern morphisms (item 2). □

4. Formal Background for Describing Model Transformation Properties

these different implementations must be consistent, i.e. they cannot contradict each other. In other words, it may happen that, given two constraints c1 and c2, one implementation of the functions can prove that c1 and c2 are conflicting. It may also happen that another implementation is not able to prove it, but it is forbidden that this implementation could prove that c1 and c2 are not conflicting.

It is important to note that the types of the attributes can help during the analysis of the constraints. However, we omitted the attribute types from the definition of metamodel interfaces. The analysis of the constraints is performed by an external component that is not part of our system. It can be seen that our framework only relies on the results of the external constraint logic, therefore, in our system, we do not need to work with attribute types.

Finally, we explain why the constraint logic is separated from our framework and how this is realized. Analyzing constraints is a very complex task and it has its own research field [Marriott and Stuckey, 1998, Dechter, 2003, Tsang, 1993], therefore, we define the interface of constraints to another framework that is outside of the boundaries of our core system. However, to do this, we need to define constraints in a general way and provide them to the constraint logic in a way that the constraints are not connected to their graphs closely. If it were not so, we would restrict the set of possible constraint logics to be applied. Therefore, constraints are described as functions with a fixed number of parameters, and they are connected to graphs only when they are evaluated.

4.4.2 Determining the Relations of Abstract Attribute Constraints

Definition 4.82 (conflicting constraints). Let C be a set of abstract attribute constraints over the graph G. C is conflicting (or is in conflict) if ∄v ∈ π(G) : v ⊨ C, i.e. there is no attribute value assignment such that all constraints of the set are satisfied. Otherwise, C is not conflicting, i.e. ∃v ∈ π(G) : v ⊨ C. We use ⊗(C) to denote that the set C of constraints is conflicting. □

Definition 4.83 (derivable constraints). Given two sets Cder and Cfrom of abstract attribute constraints over the same graph G, Cder is derivable from Cfrom, denoted by Cfrom ⇒ Cder (or Cfrom ⇒_G Cder if we want to mark the context graph G explicitly), if ∀v ∈ π(G) : v ⊨ Cfrom implies v ⊨ Cder, i.e. if Cfrom is satisfied, it implies that Cder is also satisfied. Otherwise, Cder is not derivable from Cfrom, denoted by Cfrom ⇏ Cder (or Cfrom ⇏_G Cder if we want to emphasize G), i.e. in this case, ∃v ∈ π(G) : v ⊨ Cfrom, but v ⊭ Cder. □

Proposition 4.84 (pattern morphism by relations of constraints). Given patterns P1 and P2 of the same metamodel interface M and a pattern morphism p : P1 → P2:

(i) p is invalid iff the constraints of P2 and the mapped constraints of P1 are conflicting, i.e. ⊗(p(C(P1)) ∪ C(P2)).

(ii) p is a weak pattern morphism iff P2 is valid, and the constraints of P2 and the mapped constraints of P1 are not conflicting.

(iii) p is a strong pattern morphism iff P2 is valid, and the mapped constraints of P1 are derivable from the constraints of P2, i.e. C(P2) ⇒_{G(P2)} p(C(P1)).

Proof of Proposition 4.84. Directly follows from Definition 4.42, Definition 4.82 and Definition 4.83.

We introduce the interface of the two functions that are supposed to be able to analyze arbitrary sets of constraints in order to determine the relations between them. We assume that the implementations of both of these functions are available in our system.

• The function IsInConflict(C) takes a set C of constraints whose elements are defined over the same graph. Given any possible parameters, this function returns a value true, false, or unknown. The value true means that it can be proved that the constraints in the set C are conflicting, false means that it can be proved that the constraints in C are not conflicting, and unknown means that neither can be proved, i.e. the system does not have enough information to decide.

• The function IsDerivable(Cfrom, Cder) takes two sets Cfrom, Cder of constraints that are defined over the same graph. Given any possible parameters, this function returns a value true, false, or unknown. The value true means that Cder can be proved to be derivable from Cfrom, false means that it can be proved that Cder is not derivable from Cfrom, and unknown means that neither can be proved, i.e. the system does not have enough information to decide.

The assumption that we have these two functions seems to be very restrictive, since in complex attribute constraint description languages, it is really hard to determine the relation between arbitrary constraints. However, the implementation of the previous functions always has the possibility to return the value unknown. In several cases, the analysis of the transformations and the verification of the model properties are based on the relations of certain constraint sets. If the relation between the sets can be determined by the current IsInConflict and IsDerivable functions, we can obtain more information and derive the proof of more properties. However, if the relations between the sets are unknown, the system may not be able to prove certain properties. Hence, the usability and efficiency of our framework largely depend on the capabilities of the current implementation of the previous two functions. We define one more requirement of the implementations of the functions. Because they are outside the boundaries of our framework, we need them to terminate for all possible inputs.

Definition 4.85 (derivation analyzer function). A function IsDerivable is a derivation analyzer function over a metamodel interface M if its domain is defined as follows: for any graph G of M and two sets of constraints Cfrom and Cder defined over G, the double (Cfrom, Cder) is in the domain of IsDerivable. Moreover, the return value of the function is one of the members of the set {true, false, unknown} and the following implications are true:

(i) If IsDerivable(Cfrom, Cder) = true, then Cfrom ⇒ Cder must be true.

(ii) If IsDerivable(Cfrom, Cder) = false, then Cfrom ⇏ Cder must be true.

(iii) If IsDerivable(Cfrom, Cder) = unknown, then Cfrom ⇒ Cder, or Cfrom ⇏ Cder, or none of them can be true.

An algorithm IsDerivable is a valid implementation of a derivation analyzer function if IsDerivable satisfies the conditions defined above and terminates for all possible inputs. □

Definition 4.86 (conflict analyzer function). The function IsInConflict is a conflict analyzer function over a metamodel interface M if its domain is defined as follows: for any graph G of M and a set of constraints C defined over G, C is in the domain of IsInConflict. Moreover, the return value of the function is one member of the set {true, false, unknown} and the following implications are true:

(i) If IsInConflict(C) = true, then the constraints in C must be conflicting.

(ii) If IsInConflict(C) = false, then the constraints of C must not be conflicting.

(iii) If IsInConflict(C) = unknown, then the constraints of C may be conflicting, may not be conflicting, or none of them can be true.

An algorithm IsInConflict is a valid implementation of a conflict analyzer function if IsInConflict satisfies the conditions defined above and terminates for all possible inputs. □

It is important to show that different implementations are consistent, i.e. the relations that are proved in one implementation cannot be proved to be wrong in another. Proposition 4.87 guarantees the consistency of the functions.

Proposition 4.87 (consistency of the derivation and conflict analyzer functions). Given two different derivation analyzer functions and two different conflict analyzer functions: IsInConflict1, IsInConflict2, and IsDerivable1, IsDerivable2, and two sets of constraints C1, C2 over the same graph G:


(i) If IsInConflict1(C1) = true, then IsInConflict2(C1) ≠ false.

(ii) If IsInConflict1(C1) = false, then IsInConflict2(C1) ≠ true.

(iii) If IsDerivable1(C1, C2) = true, then IsDerivable2(C1, C2) ≠ false.

(iv) If IsDerivable1(C1, C2) = false, then IsDerivable2(C1, C2) ≠ true.

Proof of Proposition 4.87. For the proof of each item, we apply proof by contradiction.

(i) If IsInConflict1(C1) = true, then the constraints of C1 are conflicting. Hence, if G is the graph over which the constraints of C1 are defined, there is no complete value assignment v over G such that v ⊨ C1. Assume that IsInConflict2(C1) = false; in this case the constraint set C1 is not conflicting, i.e. there exists a complete attribute value assignment v over G such that v ⊨ C1. This is a contradiction, therefore, the original condition must hold.

(ii) Similarly to the proof of item i, assuming that IsInConflict2(C1) = true would contradict the fact that IsInConflict1(C1) = false, i.e. the constraints of C1 are not conflicting.

(iii) IsDerivable1(C1, C2) = true implies that C1 ⇒ C2, i.e. there is no complete value assignment v over G such that v ⊨ C1, but v ⊭ C2. Assume that IsDerivable2(C1, C2) = false; in this case C1 ⇏ C2, i.e. there is a complete attribute value assignment v over G such that v ⊨ C1, but v ⊭ C2, which is a contradiction, therefore, the original condition must hold.

(iv) Similarly to the proof of item iii, assuming that IsDerivable2(C1, C2) = true would contradict the fact that IsDerivable1(C1, C2) = false.

Corollary 4.88. Given two patterns P1 and P2 of the same metamodel interface M, a pattern morphism p : P1 → P2, a derivation analyzer function IsDerivable and a conflict analyzer function IsInConflict:

(i) P2 is valid and IsInConflict(C(P2) ∪ p(C(P1))) = true implies that p is invalid.

(ii) IsInConflict(C(P2) ∪ p(C(P1))) = false implies that p is a weak pattern morphism.

(iii) P2 is valid and IsDerivable(C(P2), p(C(P1))) = true implies that p is a strong pattern morphism.

Proof. It directly follows from Proposition 4.84.
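The following sketch, an added example that is not part of the original text, illustrates Definitions 4.85 and 4.86 and Corollary 4.88 with a bounded-search analyzer: it answers true or false only when it holds a witness or has searched every assignment, and unknown otherwise, so it terminates for every input. The finite attribute domains, the `budget` parameter, the `p2_valid` flag and all function names are assumptions made for the illustration.

```python
from itertools import islice, product

UNKNOWN = None  # third return value: neither relation could be proved

def assignments(domains, budget):
    """Yield at most `budget` complete value assignments v over the graph."""
    names = sorted(domains)
    for values in islice(product(*(domains[n] for n in names)), budget):
        yield dict(zip(names, values))

def space_size(domains):
    size = 1
    for values in domains.values():
        size *= len(values)
    return size

def is_in_conflict(constraints, domains, budget):
    """Conflict analyzer: True, False or UNKNOWN; terminates after `budget` steps."""
    for v in assignments(domains, budget):
        if all(c(v) for c in constraints):
            return False  # witness v satisfies C: provably not conflicting
    # No witness is a proof of conflict only if the whole space was searched.
    return True if space_size(domains) <= budget else UNKNOWN

def is_derivable(c_from, c_der, domains, budget):
    """Derivation analyzer: True, False or UNKNOWN, same soundness rule."""
    for v in assignments(domains, budget):
        if all(c(v) for c in c_from) and not all(c(v) for c in c_der):
            return False  # counterexample: v satisfies c_from but not c_der
    return True if space_size(domains) <= budget else UNKNOWN

def classify_morphism(c_p2, mapped_c_p1, domains, p2_valid, budget):
    """Corollary 4.88: report only what the analyzers actually proved."""
    conflict = is_in_conflict(c_p2 + mapped_c_p1, domains, budget)
    if p2_valid and conflict is True:
        return "invalid"
    if p2_valid and is_derivable(c_p2, mapped_c_p1, domains, budget) is True:
        return "strong"
    return "weak" if conflict is False else "unknown"

# Constructed sample: attribute domains of G(P2); constraints are plain functions
# that are bound to attribute values only when they are evaluated.
DOMAINS = {"age": range(0, 120), "limit": range(0, 120)}
C_P2 = [lambda v: v["age"] >= 18]
MAPPED_C_P1 = [lambda v: v["age"] >= 16]  # p(C(P1)), assumed already mapped
```

Running the same analyzer with two different budgets behaves like two implementations in the sense of Proposition 4.87: the smaller budget may answer unknown where the larger one answers true or false, but the two never return opposite proofs.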