ArticlePublisher preview available

Alliance of model-driven engineering with a proof-based formal approach

Authors:
Akram Idani at Grenoble Institute of Technology
Akram Idani
Yves Ledru at Joseph Fourier University
Yves Ledru
Germán Vega at French National Centre for Scientific Research
Germán Vega
Read publisher preview
Download citation
To read the full-text of this research, you can request a copy directly from the authors.

Abstract and Figures

Model-driven engineering (MDE) promotes the use of models throughout the software development cycle in order to increase abstraction and reduce software complexity. It favors the definition of domain-specific modeling languages (DSMLs) thanks to frameworks dedicated to meta-modeling and code generation like EMF (Eclipse Modeling Framework). The standard semantics of meta-models allows interoperability between tools such as language analysers (e.g., XText), code generators (e.g., Acceleo), and also model transformation tools (e.g., ATL). However, a major limitation of MDE is the lack of formal reasoning tools allowing to ensure the correctness of models. Indeed, most of the verification activities offered by MDE tools are based on the verification of OCL constraints on instances of meta-models. However, these constraints mainly deal with structural properties of the model and often miss out its behavioral semantics. In this work, we propose to bridge the gap between MDE and the rigorous world of formal methods in order to guarantee the correctness of both structural and behavioral properties of the model. Our approach translates EMF meta-models into an equivalent formal B specification and then injects models into this specification. The equivalence between the resulting B specification and the original EMF model is kept by proven design steps leading to a rigorous MDE technique. The AtelierB prover is used to guarantee the correctness of the model’s behavior with respect to its invariant properties, and the ProB model-checker is used to animate underlying execution scenarios which are translated back to the initial EMF model. Besides the use of these automatic reasoning tools in MDE, proved B refinements are also investigated in this paper in order to gradually translate abstract EMF models to concrete models which can then be automatically compiled into a programming language.
Figures - available from: Innovations in Systems and Software Engineering
This content is subject to copyright. Terms and conditions apply.
A preview of this full-text is provided by Springer Nature.
Learn more
Content available from Innovations in Systems and Software Engineering
This content is subject to copyright. Terms and conditions apply.
Innovations in Systems and Software Engineering (2020) 16:289–307
https://doi.org/10.1007/s11334-020-00366-3
ORIGINAL ARTICLE
Alliance of model-driven engineering with a proof-based formal
approach
Akram Idani1·Yves Ledru1·German Vega1
Received: 30 November 2018 / Accepted: 18 May 2020 / Published online: 1 June 2020
© Springer-Verlag London Ltd., part of Springer Nature 2020
Abstract
Model-driven engineering (MDE) promotes the use of models throughout the software development cycle in order to increase
abstraction and reduce software complexity. It favors the definition of domain-specific modeling languages (DSMLs) thanks
to frameworks dedicated to meta-modeling and code generation like EMF (Eclipse Modeling Framework). The standard
semantics of meta-models allows interoperability between tools such as language analysers (e.g., XText), code generators
(e.g., Acceleo), and also model transformation tools (e.g., ATL). However, a major limitation of MDE is the lack of formal
reasoning tools allowing to ensure the correctness of models. Indeed, most of the verification activities offered by MDE
tools are based on the verification of OCL constraints on instances of meta-models. However, these constraints mainly deal
with structural properties of the model and often miss out its behavioral semantics. In this work, we propose to bridge the
gap between MDE and the rigorous world of formal methods in order to guarantee the correctness of both structural and
behavioral properties of the model. Our approach translates EMF meta-models into an equivalent formal B specification and
then injects models into this specification. The equivalence between the resulting B specification and the original EMF model
is kept by proven design steps leading to a rigorous MDE technique. The AtelierB prover is used to guarantee the correctness
of the model’s behavior with respect to its invariant properties, and the ProB model-checker is used to animate underlying
execution scenarios which are translated back to the initial EMF model. Besides the use of these automatic reasoning tools in
MDE, proved B refinements are also investigated in this paper in order to gradually translate abstract EMF models to concrete
models which can then be automatically compiled into a programming language.
Keywords Software systems ·Model-driven engineering ·Formal methods ·Visual animation ·Proofs
1 Introduction
Model-driven engineering (MDE) is a promising paradigm
in software systems development because it provides solu-
tions to the software complexity on the one hand, and it
shows how to bridge the gap between conceptual models and
coding activities, on the other hand. The definition and the
use of domain-specific models throughout the engineering
life-cycle makes MDE a powerfull asset. Furthermore, MDE
is assisted by numerous tools (EMF,1XText,2ATL,3etc)
1EMF: https://www.eclipse.org/modeling/emf/.
2Xtext: https://www.eclipse.org/Xtext/.
3ATL: http://www.eclipse.org/atl/.
BAkram Idani
akram.idani@imag.fr
1Univ. Grenoble Alpes, Grenoble INP, CNRS, LIG, 38000
Grenoble, France
dedicated to put into practice a clear separation of concerns
ranging from requirements to target platforms, and going
through several design stages. Interoperability between these
tools is favored by the use of standardized meta-modeling
formalisms which increases automation especially for devel-
oping domain specific modeling languages (called DSMLs).
These advantages allow to reduce the risk that human errors
such as misinterpretation of the requirements and specifica-
tion documents lead to erroneously validate the specification,
and hence to produce the wrong system. Still, while MDE
provides solutions to the validation problem (“do the right
system”), the verification problem (“do the system right”)
remains a major challenge. Indeed, most of the verification
activities offered by MDE tools are based on the verification
of OCL constraints given instances of meta-models. How-
ever, these constraints mainly deal with properties of the
structure of the model, but not of its behavior. There is hence
noway in MDE to prove invariant preservation while execut-
123
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
... However, in this abstraction, the presence of each concept and correlated requirement has to be justified. While building a Domain Specific Language (DSL) that can be executed, Meeduse [6,7] provides a solution to confront the understanding of the system architect and of the domain expert. This motivates the current work, which is an application of the tool to a real case study. ...
... This work extends and applies the Meeduse 5 language workbench [7]. The tool is dedicated to formally instrument DSLs using the B-Method. ...
... Figure 5 shows the generated Sets, Properties of the Constants, and the related typing invariants. For more details about this translation we refer the reader to [6,7]. ...
An Iterative Formal Model-Driven Approach to Railway Systems Validation
Conference Paper
Full-text available
  • Sep 2024
European Rail Traffic Management System (ERTMS) is a standard for the train control and signalling system whose application is spreading throughout Europe. The ETCS (European Train Control Sys-AQ1 tem) level 3 is attracting experts because it is still in the design phase. Many works provide formal models to the verification of ERTMS/ETCS using formal methods, but they did not investigate the validation problem. To deal with this challenge we propose an iterative formal model-driven approach that helps validating step-by-step a real formal specification of ERTMS/ETCS hybrid level 3. Our approach introduces Domain-Specific Languages (DSLs) to help system experts understand existing specifications that are already proven. To this purpose we extend and apply Meeduse, the only existing language workbench today that allows embedding formal semantics within DSLs. The paper presents this application and discusses the lessons learned from the railway and formal method experts' points of view.
View
... A. Idani duse [7][8][9], a MDE tool built on the formal B method [10]. The tool is currently the only available tool that applies theorem proving to DSLs and jointly animates their execution. ...
... In our proposal, we advocate for collaborations between the formal methods community and the MDE community in order to take benefits of their respective tooling. Our approach [9], and its tool support Meeduse [7,8], favours this collaboration since it makes possible the use of DSL builders and formal methods tools together in one unified framework (i.e. EMF). ...
... In this work, we propose an alternative definition of the Petri-net semantics (that we call PNet Reference ) using Meeduse [8,9], a MDE tool that we developed in order to mix the formal B method and EMF-based DSLs. The use of a well-established formal approach assisted by provers and model-checkers, would at least guarantee the consistency of the Petri-net DSL and its conformance to the expected semantics (other benefits will be discussed later). ...
Formal model-driven executable DSLs
Article
Full-text available
  • Jul 2021
  • Innovat Syst Software Eng
One of the promising techniques to address the dependability of a system is to apply, at early design stages, domain-specific languages (DSLs) with execution semantics. Indeed, an executable DSL would not only represent the expected system’s structure, but it is intended to itself behave as the system should run. In order to make executable DSLs a powerful asset in the development of safety-critical systems, not only a rigorous development process is required but the domain expert should also have confidence in the execution semantics provided by the DSL developer. To this aim, we recently developed the Meeduse tool and showed how to bridge the gap between MDE and a proof-based formal approach. In this work, we apply our approach to the Petri-net DSL and we present MeeNET, a proved Petri-net designer and animator powered by Meeduse. MeeNET is built on top of PNML (Petri-Net Markup Language), the international standard ISO/IEC 15909 for Petri-nets, and provides underlying formal static and dynamic semantics that are verified by automated reasoning tools. This paper first presents simplified MDE implementations of Petri-nets applying Java, QVT, Kermeta and fUML that we experimented in order to debug a safety-critical system and summarises the lessons learned from this study. Then, it provides formal alternatives, based on the B method and process algebra, which are well-established techniques allowing interactive animation on the one hand and reasoning about the behaviour correctness, on the other hand.
View
... During the last three years we investigated and developed a solution to this problem by proposing a Formal Model-Driven Engineering (FMDE) approach to create zero-fault DSLs, which are DSLs whose semantics (static and dynamic) are mathematically proved correct with regards to their structural and logical properties. We developed the Meeduse tool [10] to make the bridge between MDE and the formal B method [1]. Technically the tool is built on EMF [28] (The Eclipse Modeling Framework) and ProB [20], an animator and model-checker of the B method that is certified T2 SIL4 (Safety Integrity Level), which is the highest safety level according to the Cenelec EN 50128 standard. ...
... By using a state-based language built on the set theory and the first order predicate logic, the semantical gap with MOF can be easily managed. We refer the reader to [10] for the technical details about how the execution results can be translated back to the original model without extending the abstract syntax of the DSL. ...
The B Method meets MDE: Review, progress and future
Conference Paper
Full-text available
  • May 2022
Existing surveys about language workbenches (LWBs) ranging from 2006 to 2019 observe a poor usage of formal methods within domain-specific languages (DSLs) and call for identifying the reasons. We believe that the lack of automated formal reasoning in LWBs, and more generally in MDE, is not due to the complexity of formal methods and their mathematical background, but originates from the lack of initiatives that are dedicated to the integration of existing tools and techniques. To this aim we developed the Meeduse LWB and investigated the use of the B method to rigorously define the semantics of DSLs. The current applications of Meeduse show that the integration of DSLs together with theorem proving, animation and model-checking is viable and should be explored further. This technique is especially interesting for executable DSLs (xDSLs), which are DSLs with behavioural features. This paper is a review of our Formal MDE (FMDE) approach for xDSLs and a proposal for new avenues of investigation.
View
... MDE offers several benefits, including enabling early validation and verification through techniques like model analysis and simulation, ultimately leading to a more robust and efficient software solution. Additionally, MDE can enhance development productivity by automating tasks such as code generation [33]. ...
View
... In our previous work [19] we applied deep embedding and the B method [1] to formally define the semantics of executable Domain Specific Languages (DSLs) in a Model-Driven Engineering (MDE) architecture. The work led to the development of Meeduse [17,31], the only existing language workbench today that applies theorem proving to deal with the correctness of DSLs. ...
View
... MDE offers several benefits, including enabling early validation and verification through techniques like model analysis and simulation, ultimately leading to a more robust and efficient software solution. Additionally, MDE can enhance development productivity by automating tasks such as code generation [33]. ...
Model-Driven Engineering for Quantum Programming: A Case Study on Ground State Energy Calculation
Preprint
Full-text available
  • May 2024
This study introduces a novel framework that brings together two main Quantum Programming methodologies, gate-based Quantum Computing and Quantum Annealing, by applying the Model-Driven Engineering principles. This aims to enhance the adaptability, design and scalability of quantum programs, facilitating their design and operation across diverse computing platforms. A notable achievement of this research is the development of a mapping method for programs between gate-based quantum computers and quantum annealers which can lead to the automatic transformation of these programs. Specifically, this method is applied to the Variational Quantum Eigensolver Algorithm and Quantum Anneling Ising Model, targeting ground state solutions. Finding ground-state solutions is crucial for a wide range of scientific applications, ranging from simulating chemistry lab experiments to medical applications, such as vaccine development. The success of this application demonstrates Model-Driven Engineering for Quantum Programming frameworks's practical viability and sets a clear path for quantum Computing's broader use in solving intricate problems.
View
... On the other hand, approaches used to reduce complexity would provide useful input for software artifacts' statistical modeling. Research in [37] focuses on model-driven engineering to promote models to facilitate the abstraction of information in the software development landscape. Framework for meta-modeling and code generation is an exciting area that can inspire this study. ...
The realist approach for evaluation of computational intelligence in software engineering
Article
Full-text available
  • Mar 2021
  • Innovat Syst Software Eng
Secured software development must employ a security mindset across software engineering practices. Software security must be considered during the requirements phase so that it is included throughout the development phase. Do the requirements gathering team get the proper input from the technical team? This paper unearths some of the data sources buried within software development phases and describes the potential approaches to understand them. Concepts such as machine learning and deep learning are explored to understand the data sources and explore how these learnings can be provided to the requirements gathering team. This knowledge system will help bring objectivity in the conversations between the requirements gathering team and the customer's business team. A literature review is also done to secure requirements management and identify the possible gaps in providing future research direction to enhance our understanding. Feature engineering in the landscape of software development is explored to understand the data sources. Experts offer their insight on the root cause of the lack of security focus in requirements gathering practices. The core theme is statistical modeling of all the software artifacts that hold information related to the software development life cycle. Strengthening of some traditional methods like threat modeling is also a key area explored. Subjectivity involved in these approaches can be made more objective.
View
View
Data-Driven Analysis of Batch Processing Inefficiencies in Business Processes
Chapter
Full-text available
  • May 2022
Batch processing reduces processing time in a business process at the expense of increasing waiting time. If this trade-off between processing and waiting time is not analyzed, batch processing can, over time, evolve into a source of waste in a business process. Therefore, it is valuable to analyze batch processing activities to identify waiting time wastes. Identifying and analyzing such wastes present the analyst with improvement opportunities that, if addressed, can improve the cycle time efficiency (CTE) of a business process. In this paper, we propose an approach that, given a process execution event log, (1) identifies batch processing activities, (2) analyzes their inefficiencies caused by different types of waiting times to provide analysts with information on how to improve batch processing activities. More specifically, we conceptualize different waiting times caused by batch processing patterns and identify improvement opportunities based on the impact of each waiting time type on the CTE. Finally, we demonstrate the applicability of our approach to a real-life event log.
View
View
Incremental Development of a Safety Critical System Combining formal Methods and DSMLs
Chapter
Full-text available
  • Jul 2019
  • Lect Notes Comput Sci
In order to assist domain experts, several tools exist for the definition of graphical or textual domain specific modeling languages (DSMLs). The resulting models are useful, but not sufficient, for an overall understanding of the system, especially when formal methods are being applied. Indeed, formal methods failures often result from misunderstandings of the requirements, even if the system is entirely proved. This is confirmed by several industrial experiments which showed that the poor readability of the formal notations is not convenient for communication with domain experts and hence the validation activity is often tedious, time consuming and complex. In order to circumvent this shortcoming, we propose to make domain specific models provable and also executable thanks to the animation of their expected behaviour directly in a dedicated DSML tool. Our approach starts from an intuitive description of the system’s operational semantics thanks to high-level Petri-nets which abstract away structural constraints and focus on safety-critical behaviours. Then we take benefit of the B method in order to refine and prove these operational semantics on the one hand, and to merge them with the static semantics of a given DSML, on the other hand. This work is applied to the design of ERTMS/ETCS 3 which is an emergent solution for railway system management.
View
View
Omniscient Debugging for Executable DSLs
Article
Full-text available
  • Nov 2017
  • J SYST SOFTWARE
Omniscient debugging is a promising technique that relies on execution traces to enable free traversal of the states reached by a model (or program) during an execution. While a few General-Purpose Languages (GPLs) already have support for omniscient debugging, developing such a complex tool for any executable Domain Specific Language (DSL) remains a challenging and error prone task. A generic solution must: support a wide range of executable DSLs independently of the metaprogramming approaches used for implementing their semantics; be efficient for good responsiveness. Our contribution relies on a generic omniscient debugger supported by efficient generic trace management facilities. To support a wide range of executable DSLs, the debugger provides a common set of debugging facilities, and is based on a pattern to define runtime services independently of metaprogramming approaches. Results show that our debugger can be used with various executable DSLs implemented with different metaprogramming approaches. As compared to a solution that copies the model at each step, it is on average sixtimes more efficient in memory, and at least 2.2faster when exploring past execution states, while only slowing down the execution 1.6times on average.
View
Reusable specification templates for defining dynamic semantics of DSLs
Article
Full-text available
  • Feb 2019
  • SOFTW SYST MODEL
In the context of model-driven engineering, the dynamic (execution) semantics of domain-specific languages (DSLs) is usually not specified explicitly and stays (hard)coded in model transformations and code generation. This poses challenges such as learning, debugging, understanding, maintaining, and updating a DSL. Facing the lack of supporting tools for specifying the dynamic semantics of DSLs (or programming languages in general), we propose to specify the architecture and the detailed design of the software that implements the DSL, rather than requirements for the behavior expected from DSL programs. To compose such a specification, we use specification templates that capture software design solutions typical for the (application) domain of the DSL. As a result, on the one hand, our approach allows for an explicit and clear definition of the dynamic semantics of a DSL, supports separation of concerns and reuse of typical design solutions. On the other hand, we do not introduce (yet another) specification formalism, but we base our approach on an existing formalism and apply its extensive tool support for verification and validation to the dynamic semantics of a DSL.
View
Diagram-Led Formal Modelling Using iUML-B for Hybrid ERTMS Level 3
Chapter
  • May 2018
  • Lect Notes Comput Sci
We demonstrate diagrammatic Event-B formal modelling of a hybrid, ‘fixed virtual block’ approach to train movement control for the emerging European Rail Traffic Management System (ERTMS) level 3. We perform a refinement-based formal development and verification of the no-collision safety requirement. The development reveals limitations in the specification and identifies assumptions on the environment. We reflect on our team-based approach to finding useful modelling abstractions and demonstrate a systematic modelling method using the UML-like state and class diagrams of iUML-B. We suggest enhancements to the existing iUML-B method that would have benefitted this development.
View
XCORE: Support for developing program analysis tools
Conference Paper
  • Feb 2017
Building program analysis tools is hard. A recurring development task is the implementation of the meta-model around which a tool is usually constructed. The XCORE prototype supports this task by generating the implementation of the meta-model. For this purpose, developers will add directly into the source code of the tool under construction some meta-information describing the desired meta-model. Our demo presents some internal details of XCORE and emphasizes the advantages of our tool by describing the construction of a basic analysis instrument.
View
Verification of UML models by translation to UML-B
Article
  • Jan 2011
UML-B is a `UML like' notation based on the Event-B formalism which allows models to be progressively detailed through refinements that are proven to be consistent and to satisfy safety invariants using the Rodin platform and its automatic proof tools. UML, on the other hand, encourages large models to be expressed in a single, detailed level and relies on simulation and model testing techniques for verification. The advantage of proof over model-testing is that the proof is valid for all instantiations of the model whereas a simulation must choose a typical instantiation. In the INESS project we take an extant UML model of a railway interlocking system and explore methodical ways to translate it into UML-B in such a way as to facilitate proof that the model satisfies certain safety properties which are expressed as invariants. We describe the translation attempted so far and insights that we have gained from attempting to prove a safety property. We propose some possible improvements to the translation which we believe will make the proof easier.
View
View
Semantic Model Differencing Utilizing Behavioral Semantics Specifications
Conference Paper
  • Sep 2014
  • Lect Notes Comput Sci
Identifying differences among models is a crucial prerequisite for several development and change management tasks in model-driven engineering. The majority of existing model differencing approaches focus on revealing syntactic differences which can only approximate semantic differences among models. Significant advances in semantic model differencing have been recently made by Maoz et al [16] who propose semantic diff operators for UML class and activity diagrams. In this paper, we present a generic semantic differencing approach which can be instantiated to realize semantic diff operators for specific modeling languages. Our approach utilizes the behavioral semantics specification of the considered modeling language, which enables to execute models and capture execution traces representing the models’ semantic interpretation. Based on this semantic interpretation, semantic differences can be revealed.
View
Applying model transformation and event-B for specifying an industrial DSL
Article
  • Jan 2013
In this paper we describe our experience in applying the Event-B formalism for specifying the dynamic semantics of a real-life industrial DSL. The main objective of this work is to enable the industrial use of the broad spectrum of specification analysis tools that support Event-B. To leverage the usage of Event-B and its analysis techniques we developed model transformations, that allowed for automatic generation of Event-B specifications of the DSL programs. The model transformations implement a modular approach for specifying the semantics of the DSL and, therefore, improve scalability of the specifications and the reuse of their verification.
View