Abstract
We present a formal calculus for operational QVT. The calculus is implemented in the interactive theorem prover KIV and makes it possible to prove properties of QVT transformations for arbitrary meta models. Additionally, we present a framework for provably correct Java code generation. The framework uses a meta model for a Java abstract syntax tree as the target of QVT transformations. This meta model is mapped to a formal Java semantics in KIV. This makes it possible to formally prove (interactively) with the QVT calculus that a transformation always generates a Java model (i.e. a program) that is type correct and has certain semantic properties. The Java model can be used to generate source code by a model-to-text transformation, or byte code directly.
Notes
The full specification can be found at http://swt.informatik.uni-augsburg.de/kiv/projects/secureMDD/ecore/project.xml.
As far back as 2003, several issues were opened to clarify the behavior of the conditional http://www.omg.org/issues/ocl2-rtf.open.html#Issue6554 and forAll/exists http://www.omg.org/issues/ocl2-rtf.open.html#Issue6539 that are still unresolved.
Development on SmartQVT seems to have stopped. Unfortunately, the available open source version does not work with newer Eclipse releases.
The original theorem is toJavaClass-induction-fulltc in specification UMLCDSimple at http://swt.informatik.uni-augsburg.de/kiv/projects/secureMDD/uml2jastSimple/project.xml.
Acknowledgments
This work is partly sponsored by the Deutsche Forschungsgemeinschaft DFG with grant RE 828/8-1 (SecureMDD).
Additional information
Communicated by Prof. Tony Clark.
Appendices
Appendix A: the rest of the example transformation
Appendix B: main lemma for the type correctness proof
Below is a simplified version of the main inductive lemma for the mapping css->map toJavaClass() (line 12 in Fig. 5, line 10 below) (footnote 6). It is generalized to allow induction on the number of classes that remain to be mapped, and it contains the look-ahead argument that eventually all classes will be type correct. The formula is explained below.
1. valid(in, UML), suitable(in), classrefs \(=\) select(‘packagedElement’, in),
2. css \(\sqsupseteq\) classrefs, unmapped(css, trace),
3. valid(out, JAST), out \(=\) out’ \(+\) jcs, isJavaClasses(jcs), # jcs \(+\) # css \(=\) # classrefs,
4. \(\forall\) tds. tds \(=\) model2sem(jcs)
5. \(\rightarrow\) tds.names \(=\) firstN(# tds, classrefs.names)
6. \(\wedge\) parttc(tds) \(\wedge\) types\(\exists\)(tds.alltypes, classrefs)
7. \(\wedge\) \(\forall\) td, cntxt. td \(\in\) tds \(\wedge\) td \(\in\) cntxt
8. \(\wedge\) types\(\exists\)(td.alltypes, cntxt)
9. \(\rightarrow\) fulltc(td, cntxt)
10. \(\vdash \langle\) (in, out, trace) res := css->map toJavaClass() \(\rangle\)
11. \(\exists\) jcs’. out \(=\) out’ \(+\) jcs \(+\) jcs’ \(\wedge\) res \(=\) pointsTo(jcs’)
12. \(\wedge\) \(\forall\) tds. tds \(=\) model2sem(jcs \(+\) jcs’)
13. \(\rightarrow\) tds.names \(=\) classrefs.names
14. \(\wedge\) parttc(tds) \(\wedge\) types\(\exists\)(tds.alltypes, classrefs)
15. \(\wedge\) \(\forall\) td, cntxt. td \(\in\) tds \(\wedge\) td \(\in\) cntxt
16. \(\wedge\) types\(\exists\)(td.alltypes, cntxt)
17. \(\rightarrow\) fulltc(td, cntxt)
Generalized invariant: The precondition describes a situation in the middle of the iteration. The original list is classrefs, the UML classes of the input model (line 1). The classes in css have not yet been mapped (unmapped(css, trace), line 2), hence css is a postfix of classrefs (css \(\sqsupseteq\) classrefs, line 2). The output model contains some Java classes jcs (isJavaClasses(jcs) and out \(=\) out’ \(+\) jcs, line 3). The length of css plus the length of jcs equals the length of the original classrefs (# jcs \(+\) # css \(=\) # classrefs, line 3). The idea is that jcs holds the result of the already mapped UML classes. Now let tds be the Java classes jcs converted to the formal semantics (line 4). Then their class names (tds.names, line 5) equal the first n names of the original UML classes (line 5).

Type correctness: These Java classes tds are partially type correct (parttc(tds), line 6) and they contain only class types that are UML classes (types\(\exists\)(tds.alltypes, classrefs), line 6). Every Java class td that occurs in tds and in an arbitrary context cntxt (line 7), and where all types occurring anywhere in td also exist as Java classes in cntxt (types\(\exists\)(td.alltypes, cntxt), line 8), is (fully) type correct (fulltc(td, cntxt), line 9).

Postcondition: Then the output model contains additional Java classes jcs’ (line 11) that are referenced by the result variable res, and the Java classes from the precondition jcs plus jcs’ together (tds \(=\) model2sem(jcs \(+\) jcs’), line 12) have all names of the original UML classes (tds.names \(=\) classrefs.names, line 13), i.e. the iteration has finished.
The rest of the postcondition (lines 14–17) is identical to the precondition (lines 6–9).
The postcondition implies that all Java classes are fully type correct.
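The following is an added illustration of the look-ahead argument in the lemma, not code from the paper or from KIV: a constructed Python model in which UML classes are mapped one at a time, the generalized invariant (lines 2–6) is checked before every step, and partial versus full type correctness is distinguished. The names suitable, parttc, fulltc, types_exist and invariant are stand-ins for the paper's predicates; the sample classes A, B, C are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class UmlClass:          # one element of classrefs (a UML class of the input model)
    name: str
    refs: tuple          # names of UML classes it references (attributes, associations)
@dataclass(frozen=True)
class JavaClass:         # one element of jcs; alltypes plays the role of td.alltypes
    name: str
    alltypes: frozenset

def suitable(classrefs):
    """Stand-in for suitable(in): every referenced class is itself a UML class of the model."""
    names = {c.name for c in classrefs}
    return all(set(c.refs) <= names for c in classrefs)

def to_java_class(uc):   # stand-in for the QVT mapping toJavaClass(): one Java class per UML class
    return JavaClass(uc.name, frozenset(uc.refs) | {uc.name})

def types_exist(types, cntxt):   # types∃(types, cntxt): every type is the name of a class in cntxt
    return set(types) <= {c.name for c in cntxt}

def parttc(tds, classrefs):
    """Partial type correctness: all mentioned types are UML classes (maybe not generated yet)."""
    return all(types_exist(td.alltypes, classrefs) for td in tds)

def fulltc(td, cntxt):
    """Full type correctness: all mentioned types exist as Java classes in the context."""
    return types_exist(td.alltypes, cntxt)

def invariant(classrefs, css, jcs):
    """Lines 2-6 of the lemma, specialised to this model (tds = jcs here)."""
    n = len(jcs)
    return (classrefs[n:] == css                                   # css is a postfix of classrefs
            and n + len(css) == len(classrefs)                      # # jcs + # css = # classrefs
            and [td.name for td in jcs] == [c.name for c in classrefs[:n]]  # firstN(# tds, ...)
            and parttc(jcs, classrefs))

def map_all(classrefs):
    """Run css->map toJavaClass(); return (jcs, names of classes not yet fulltc before each step)."""
    assert suitable(classrefs)
    css, jcs, pending = list(classrefs), [], []
    while css:
        assert invariant(classrefs, css, jcs)
        pending.append([td.name for td in jcs if not fulltc(td, jcs)])  # forward references
        jcs.append(to_java_class(css.pop(0)))
    assert invariant(classrefs, css, jcs)           # postcondition: every name has been mapped
    return jcs, pending

# constructed input: three UML classes referencing each other in a cycle
SAMPLE = [UmlClass("A", ("B",)), UmlClass("B", ("C",)), UmlClass("C", ("A",))]
```

Mid-iteration a generated class may reference a class that has not been generated yet, so only parttc holds for it; once the iteration has finished, every class is fulltc in the context of all generated classes.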
Cite this article
Stenzel, K., Moebius, N. & Reif, W. Formal verification of QVT transformations for code generation. Softw Syst Model 14, 981–1002 (2015). https://doi.org/10.1007/s10270-013-0351-7