
This section introduces two methods that are commonly used during the formal analysis of model transformations. (i) Finding the intact elements is a technique for decreasing the number of rules that need to be analyzed for certain properties, by searching for the rules that can be proved not to influence the satisfaction of the concrete properties. (ii) The Composite Rule technique is used to compute the composition of two sequential rules, which helps analyze complete rule sequences as one single rule.

7.2.1 Intact Elements

Motivation. When a concrete property needs to be verified for a model transformation, it may be beneficial to exclude some rules that do not influence the satisfaction of the property. This can happen if the excluded rules work only on types of elements that do not appear in the formula that specifies the property to be verified. In other words, when the processing of an element is followed throughout a whole transformation control flow, it is important to determine which rules influence the processing of the element. Note that such an excluded rule may indirectly influence the satisfaction of the property (e.g. it may influence the execution order of the rules), but in several cases it may be beneficial to find these rules. Intact elements are the ones that are not modified by a rule, as we will define formally. In a semi-automated analysis of a model transformation, the framework can leverage the work of the developer if intact elements can be automatically found.

Applicability. This technique helps analyze a transformation process by decreasing the number of rules that need to be analyzed when concentrating on the processing of a concrete element in the input model.

Structure. The intact elements MTA technique is formalized in the following definition. Informally, it states that given a rewriting rule interface $rule$ and a pattern $P$, if the presence of a match of $P$ in the input model before the application of the rule implies that the same elements must be present in the output model and vice versa, then the rule leaves pattern $P$ weakly intact. It is important that the same elements are present, not just an arbitrary instance of the pattern. The pattern is left strongly intact if the attributes of instances of $P$ are not modified at all.

7. Model Transformation Analysis (MTA) Methods

Definition 7.1 (intact pattern). Let $P$ be a pattern of the metamodel interface $M$ and let $rule$ be a rewriting rule interface. We say that $rule$ leaves $P$ weakly intact if the following conditions hold: Let $\mu = (M, M', r)$ be a relation model such that the direct model transformation interface from $M$ to $M'$ can be described by $rule$ according to Definition 6.5. We require that for any possible relation model $\mu$, if there exists a valid match $p: P \to M$, then there must exist a valid match $p': P \to M'$ such that $p' = r \circ p$. Similarly, we require that if there exists a valid match $p': P \to M'$, then there must exist a valid match $p: P \to M$ such that $p' = r \circ p$. Let $v = V(M)$, $v' = V(M')$. We say that $P$ is left strongly intact by rule $rule$ if $P$ is left weakly intact and it is always true that

$$\forall l \in L(P),\ \forall a \in attrs(type(l)):\ v(p(l), a) = v'(p'(l), a)$$

where $type = \tau(P)$ is the clan morphism of the graph of $P$. □

Automation. This technique is based on a simple definition, but examining many rewriting rules manually is time-consuming and may lead to errors. Appropriate tool support may automatically determine if some patterns are left intact by some rules. The conditions in the following proposition guarantee that a rule leaves a pattern intact.

Proposition 7.2. Let $P$ be a pattern and $r = (L, l, K, r, R, C)$ be a rewriting rule interface. Compose each possible jointly surjective composition of $P$ and $L$. The result is a pattern $L'$ with two jointly surjective pattern morphisms $p: P \to L'$, $m: L \to L'$ as presented in Equation 7.1. We ignore the cases where $\otimes(C(L'))$. (Recall that $\otimes(C)$ denotes that the constraints of the set $C$ are conflicting.) After the application of the rewriting rule interface on $L'$, let $s = r' \circ l'^{-1}$ and let $p' = s \circ p$. For each possible such construction, we require $p'$ to be a total pattern morphism such that $C(R') \Rightarrow p'(C(P))$.

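$$
\begin{array}{ccccc}
L & \xleftarrow{\;l\;} & K & \xrightarrow{\;r\;} & R \\
{\scriptstyle m}\downarrow & (1) & {\scriptstyle k}\downarrow & (2) & \downarrow{\scriptstyle n} \\
L' & \xleftarrow{\;l'\;} & K' & \xrightarrow{\;r'\;} & R'
\end{array}
\qquad p: P \to L', \quad s: L' \dashrightarrow R', \quad p': P \to R'
\tag{7.1}
$$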

We repeat the procedure in the reverse direction, i.e. we compose each possible jointly surjective composition of $R$ and $P$, which results in $R'$, $n: R \to R'$, $p': P \to R'$. We ignore the cases where $\otimes(C(R'))$.

We apply the rewriting rule interface on $R'$ in the reverse direction, which results in the construction of the following diagram. Let $s' = r' \circ l'^{-1}$. We require that for each possible construction there exists a total pattern morphism $p: P \to L'$ such that $s \circ p = p'$ and $C(L') \Rightarrow p(C(P))$.

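$$
\begin{array}{ccccc}
L & \xleftarrow{\;l\;} & K & \xrightarrow{\;r\;} & R \\
{\scriptstyle m}\downarrow & (1) & {\scriptstyle k}\downarrow & (2) & \downarrow{\scriptstyle n} \\
L' & \xleftarrow{\;l'\;} & K' & \xrightarrow{\;r'\;} & R'
\end{array}
\qquad p: P \to L', \quad p': P \to R', \quad s: L' \dashrightarrow R'
\tag{7.2}
$$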

If the previous two requirements are satisfied, then rule $rule'$ leaves pattern $P$ weakly intact. Let $r' = (L', l', K', r', R', C')$ be the extracted rule of the previous constructions. If for each possible such $rule'$, $\forall l \in L(P),\ a \in attrs(type_P(l)):\ C(rule') \Rightarrow [p(l).a == p'(l).a]$ (where $type_P = \tau(P)$), then $rule$ also leaves $P$ strongly intact. (Recall that $[x.a == y.b]$ denotes an abstract attribute constraint that specifies that the attribute $a$ of the element $x$ must be equal to the attribute $b$ of $y$.)

Proof. According to the definition of the application of rewriting rule interfaces, it can be seen that the first requirement guarantees that if $P$ is present in the input model, the same elements will be present in the output model such that their constraints will be satisfied. Similarly, the second requirement performs the same operation, but in the reverse direction. Finally, it can be seen that a pattern is left strongly intact if the last requirement is satisfied, because it explicitly states that the attribute values are not modified.

It is important that these conditions can be algorithmically checked by replacing ’⇒’ by IsDerivable, ’⊗’ by IsInConflict, and ’→’ by CheckImplication.

Benefits. When following the processing of elements throughout a whole transformation process, it is important to distinguish between rules that create, delete, or modify the element, and the ones that leave them intact. Sometimes, the modification of the attributes is unimportant in the sense that it does not influence the applicability of other rules; in this case, the definition of weakly intact patterns contains enough conditions. It is also important that automated support can be provided to determine if a rule leaves a pattern intact. The method can be improved by taking the current input formula of the rule into account. It may happen that a rule does not leave a pattern intact, but in the current configuration, when the input model must satisfy a specific input formula, the pattern is actually left intact.

Known uses. Analysis methods often apply the concept of Intact Element, but the formal description of the fact that a rule does not delete, does not create, and does not modify a concrete type of element has not yet been stated as a recurring technique.

Example 7.3. Consider the first rule of the model transformation DB2NF as shown in Figure 2.7. It can be seen that patterns that contain elements of type Table are not left intact by this rule, because the rule creates a new Table. If a pattern contains elements of type Column, then the pattern can be left only weakly intact, because the rule modifies the attribute of a Column.

7.2.2 Composite Rule MTA Technique

Motivation. When analyzing the processing of a model by a rule sequence, we usually need to treat this sequence as a single direct graph transformation that can be described as the application of a single composite rule. If multiple compositions of the rule sequence may exist, we only know that the application of the rule sequence can be substituted by one of the possible compositions, but we do not know which one. If we can prove a property for all possible compositions, the property will be true for the whole sequence. The Composite Rule MTA technique formalizes how the composition of two sequential rules can be computed. The computation of the structure of the composed rules (i.e. their graphs) is performed based on the definition of the E-concurrent production. (See Section 2.2.3 for more details about the composition of graph rewriting rules.) However, it is also important to exclude scenarios where the composed constraints are conflicting and to compute the constraints of the composed rule as well.

Applicability. The use of the Composite Rule MTA technique is advantageous in many situations:

• Suppose that a transformation does not implement an MTA design pattern precisely. For example, a step that should be defined with one rule is realized by two rules because of additional requirements of the implementation. Replacing the two rules with the E-concurrent production (with the composite rule) may make the transformation well-formed enough to be a complete implementation of the pattern. In other words, the composite rule technique is used to reshape a transformation to facilitate further analysis, for example, to be well-formed enough to apply certain analysis patterns automatically.

• Another motivation of using Composite Rule is that it may facilitate the analysis of a rule sequence by reducing the complexity of the transformation. As mentioned in the motivation, we need to examine each possible composition separately and if we can prove a property for all of them, then the property will be true for the whole sequence as well.

• Composing rules along a loop in a control flow can be really helpful if a structural regularity can be observed. The propositions in [Levendovszky et al., 2006] use this technique to decide termination.


Structure. This MTA technique is based on the definition of E-concurrent production of rules; its goal is to produce all possible compositions of two sequential rules. The composition and its correctness are formalized in the following definition and proposition.

Definition 7.4. Given two rewriting rule interfaces $r_1 = (L_1, l_1, K_1, r_1, R_1, C_1)$ and $r_2 = (L_2, l_2, K_2, r_2, R_2, C_2)$, the set of all possible compositions of $r_1$ and $r_2$ is denoted by r1r2, which is a set of rewriting rule interfaces produced as follows. We compose each possible jointly surjective composition of $R_1$, $L_2$, where $E$ is the composed pattern and $e_1: R_1 \to E$, $e_2: L_2 \to E$ are the jointly surjective morphisms. If $\otimes(C(E))$, then we can ignore the current $E$. Otherwise, by applying $r_1$ in the inverse direction on $E$, and by applying $r_2$ on $E$, we get the following diagram according to the definition of E-concurrent production, where (1)(2) and (3)(4) form double pushouts and (5) is a pullback.

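$$
\begin{array}{ccccccccccc}
L_1 & \xleftarrow{\;l_1\;} & K_1 & \xrightarrow{\;r_1\;} & R_1 & & L_2 & \xleftarrow{\;l_2\;} & K_2 & \xrightarrow{\;r_2\;} & R_2 \\
{\scriptstyle m_1}\downarrow & (1) & {\scriptstyle k_1}\downarrow & (2) & & {\scriptstyle e_1}\searrow\ \swarrow{\scriptstyle e_2} & & (3) & \downarrow{\scriptstyle k_2} & (4) & \downarrow{\scriptstyle n_2} \\
L & \longleftarrow & K_1' & \longrightarrow & & E & & \longleftarrow & K_2' & \longrightarrow & R \\
 & & & {\scriptstyle k_1'}\nwarrow & & (5) & & \nearrow{\scriptstyle k_2'} & & & \\
 & & & & & K & & & & &
\end{array}
$$

with $l: K \to L$ and $r: K \to R$.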

In this case, the rewriting rule interface $r = (L, l, K, r, R, \emptyset)$ is in the set r1r2. Similarly to the notation of E-concurrent production, a concrete rewriting rule interface $r$ that is composed by a concrete pattern $E$ is denoted by r1Er2, i.e. r1r2 = $\bigcup_{\forall E}$ (r1Er2). □

Definition 7.5 (E-related transformation). Let $M$ be an arbitrary input model, whose processing along the match $m_1: L_1 \to M$ according to the rewriting rule interface $r_1$ is presented in Equation 7.3. Let $H$ be the result of the processing. Then, the processing of $H$ along the match $m_2$ according to the rewriting rule interface $r_2$ is also presented in Equation 7.3. This processing results in $M'$. This transformation sequence is denoted by $M \overset{r_1, m_1}{\Longrightarrow} H \overset{r_2, m_2}{\Longrightarrow} M'$. The transformation is called E-related to r1Er2 if there exist morphisms $h: E \to H$, $c_1: K_1' \to D_1$ and $c_2: K_2' \to D_2$ such that $h \circ e_1 = n_1$, $h \circ e_2 = m_2$, (1)(2), (3)(4), (5)(6), (7)(8) form double pushouts, $m_1 = s_1' \circ s_1$ and $n_2 = s_2' \circ s_2$.

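$$
\begin{array}{ccccccccccc}
L_1 & \xleftarrow{\;l_1\;} & K_1 & \xrightarrow{\;r_1\;} & R_1 & & L_2 & \xleftarrow{\;l_2\;} & K_2 & \xrightarrow{\;r_2\;} & R_2 \\
{\scriptstyle s_1}\downarrow & (1) & {\scriptstyle k_1}\downarrow & (2) & & {\scriptstyle e_1}\searrow\ \swarrow{\scriptstyle e_2} & & (3) & \downarrow{\scriptstyle k_2} & (4) & \downarrow{\scriptstyle s_2} \\
L & \longleftarrow & K_1' & \longrightarrow & & E & & \longleftarrow & K_2' & \longrightarrow & R \\
{\scriptstyle s_1'}\downarrow & (5) & {\scriptstyle c_1}\downarrow & (6) & & \downarrow{\scriptstyle h} & & (7) & \downarrow{\scriptstyle c_2} & (8) & \downarrow{\scriptstyle s_2'} \\
M & \longleftarrow & D_1 & \longrightarrow & & H & & \longleftarrow & D_2 & \longrightarrow & M'
\end{array}
\tag{7.3}
$$

with $m_1: L_1 \to M$, $n_1: R_1 \to H$, $m_2: L_2 \to H$ and $n_2: R_2 \to M'$.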

□

Proposition 7.6 (concurrency theorem for rewriting rule interfaces). Let $(E, e_1, e_2)$ be an E-dependency relation for the rewriting rule interfaces $r_1$ and $r_2$ leading to the E-concurrent production r1Er2.

(i) Synthesis: given an E-related sequence of direct transformation interfaces $M \Rightarrow G \Rightarrow M'$ via $r_1$ and $r_2$, then there is a synthesis construction leading to a direct transformation $M \Rightarrow M'$ via r1Er2.

(ii) Analysis: given a direct transformation interface $M \Rightarrow M'$ via r1Er2, then there is an analysis construction leading to an E-related sequence of direct transformation interfaces $M \Rightarrow H \Rightarrow M'$ via $r_1$ and $r_2$.

(iii) Bijective correspondence: The synthesis and analysis constructions are inverse to each other up to isomorphism.

The proof of Proposition 7.6 is provided in Appendix B.

Example 7.7. An example of creating the E-concurrent production of two rules is presented in Figure 7.1. One of the possible E-graphs is depicted in the middle of the figure. As formally presented, the E-graph is a graph that contains the RHS of the first rule and the LHS of the second rule as well. In other words, it describes how elements in the RHS of the first rule are mapped to the elements in the LHS of the second rule. Note that there are other possible E-graphs as well, but only one is presented in this figure.

Automation. In the case of the composite rule MTA technique, tool support can be provided to compose the E-concurrent production of two rules. Frameworks should take constraints into account when computing all possible composite rules.
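The enumeration step shared by Proposition 7.2 and Definition 7.4 (compose every jointly surjective composition, then drop those with conflicting constraints) can be sketched as follows. This is an added example, not code from the thesis or its tooling; it assumes injective, type-preserving morphisms over typed nodes only (edges omitted), uses a toy equality-constraint test in place of IsInConflict, and the node names and the `primary` attribute are constructed.

```python
from itertools import combinations, permutations

def overlaps(a, b):
    """Yield every jointly surjective overlap (E, e1, e2) of typed node sets a, b.

    a, b map node name -> type. Assumption: morphisms are injective and
    type-preserving, and edges are ignored, so an overlap is fixed by a
    partial injection that glues some a-nodes to b-nodes of the same type.
    """
    a_nodes, b_nodes = sorted(a), sorted(b)
    for k in range(min(len(a_nodes), len(b_nodes)) + 1):
        for chosen_a in combinations(a_nodes, k):
            for chosen_b in permutations(b_nodes, k):
                if any(a[x] != b[y] for x, y in zip(chosen_a, chosen_b)):
                    continue  # gluing must respect node types
                glued = dict(zip(chosen_b, chosen_a))  # b-node -> a-node
                e1 = {x: "a." + x for x in a_nodes}
                e2 = {y: e1[glued[y]] if y in glued else "b." + y for y in b_nodes}
                E = {e1[x]: a[x] for x in a_nodes}
                E.update((e2[y], b[y]) for y in b_nodes)
                yield E, e1, e2

def in_conflict(constraints):
    """Toy stand-in for the conflict test: one attribute fixed to two values."""
    fixed = {}
    for node, attr, value in constraints:
        if fixed.setdefault((node, attr), value) != value:
            return True
    return False

def consistent_overlaps(a, ca, b, cb):
    """Overlaps of a and b whose combined constraints C(E) are not conflicting."""
    kept = []
    for E, e1, e2 in overlaps(a, b):
        c_e = [(e1[n], at, v) for n, at, v in ca] + [(e2[n], at, v) for n, at, v in cb]
        if not in_conflict(c_e):
            kept.append((E, e1, e2))
    return kept

# Constructed sample: R1 of a first rule and L2 of a second rule.
R1 = {"t": "Table", "c": "Column"}
C_R1 = [("c", "primary", True)]
L2 = {"x": "Column"}
C_L2 = [("x", "primary", False)]

if __name__ == "__main__":
    for E, e1, e2 in consistent_overlaps(R1, C_R1, L2, C_L2):
        print(sorted(E.items()), e1, e2)
```

Of the two type-compatible overlaps in the sample, the one that glues the two Column nodes is discarded because its constraints conflict, so only the disjoint union remains as a candidate E.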

Benefits. It is advantageous to apply this pattern for the scenarios that have been discussed in the motivation of this MTA technique.

Known uses. Replacing a rule sequence with the composite rule can be used in various cases.

In [Lambers et al., 2008], sufficient criteria for applicability and non-applicability of rule sequences are defined. The contributed methods use the composite rule of sequential rules to make application of criteria possible. In [Levendovszky et al., 2006], a termination criterion based on the application of composite rules is presented.