FORMALLY DEFINING AND ITERATING INFINITE MODELS
Benoit Combemale (University of Rennes 1, IRISA, France)
Xavier Thirioux (ENSEEIHT, IRIT, France)
Benoit Baudry (Inria Rennes, France)
Very Large Models
• Examples:
  • The Eclipse platform: 5M model elements
  • Civil engineering models: 7.3M model elements [Steel et al., SoSyM'12]
  • Etc.
• Existing approaches:
  • Lazy model processing [Tisi et al., MoDELS'11]
  • NoSQL-based approach for model persistence [Pagán et al., MoDELS'11]
Context Formally Defining and Iterating Infinite Models, MODELS 2012 2
Models at Runtime
• Examples:
  • Monitoring systems
  • Adaptive systems
  • Etc.
• Existing approaches:
  • Models@runtime based on CEP
  • Active Operations [Beaudoux et al., MODELS 2010]
Infinite Model
• Intuitive definition: models whose comprehensive set of model elements is too large to be loaded, or is not even available.
• Challenges:
  • Identify locally, in an OO metamodel, the sources of infinity in the conforming models.
  • Understand the exact meaning of a query over a model whose size the interpretation does not know at a given point in time.
• Current issues:
  • Implicit and global infinite evaluation of the model
  • Missing a formal and unified semantics (implementation-independent)
Let’s specify infinite models explicitly, locally, formally, and in an implementation-independent way!
Contributions
1. A MOF extension to locally identify in metamodels the infinite parts of the conforming models
2. A corresponding coinductive semantics for evaluating such infinite parts with OCL iterators
Example: the UML State Machine
Let’s imagine the execution trace of a…
• … Small and Terminating Program
• … Large or Non-Terminating Program
[Figure: state machine execution traces (states s1_1, s2_1, s2_2, …, s2_m, sn_1 between initial and final; transitions t1, t2, …, tn-1)]
• Ex1: lazily built at design time while exploring the graph of reachable states
• Ex2: continuously built at run time while monitoring the system execution
How Would Infinite Models Come About?
• Let’s consider:
  • Models are (complex) graphs
  • Graphs conform to metamodels
  • Metamodels are described using an object-oriented meta-language
[Figure: excerpt from the UML2 StateMachine metamodel with a finite interpretation. Classes: StateMachine, State, Transition, Trigger, Event, EventOccurence, RuntimeEvent, InjectEvent, SendEvent, (Finite)Trace; enumeration EventKind (endogenous, exogenous); derived reference /nextStates; an execution trace <<conformsTo>> the metamodel]
context State::reachableStates : Set(State)
derive : self->asSet()->closure(outgoing->collect(target));
How Would Infinite Models Come About?
[Figure: the state machine execution traces (states s1_1 … sn_1, transitions t1 … tn-1)]
• IN BREADTH: upper bound of a collection (ex: eventToProcess)
• IN DEPTH: unfolding of a transitive closure (ex: nextStates)
[Figure: excerpt from the UML2 StateMachine metamodel with an infinite interpretation: same classes, with (Infinite)Trace and ω{ordered} in place of *{ordered}]
[Figure: Finite Interpretation vs. Infinite Interpretation. Each execution trace <<conformsTo>> its UML2 StateMachine metamodel excerpt (finite: (Finite)Trace, *{ordered}; infinite: (Infinite)Trace, ω{ordered}); both metamodels <<conformsTo>> a MOF excerpt (Class, Property with lower and upper, NamedElement, Type, TypedElement, DataType) annotated with "cyclic digraph" and "upper bound"]
Let’s consider MOF (+OCL) as meta-language
How MOF/OCL Does Not Support Infinite Models?
• upper is typed by UnlimitedNatural, taken from UML
• UML involves a notation for the unlimited value (*), interpreted as bounded in the type Collection (e.g., result of the OCL iterators)
  ⇒ All elements are considered as available at any time of the iteration
[Figure: MOF excerpt (Class, Property, NamedElement, Type, TypedElement, DataType) annotated with "cyclic digraph" and "upper bound"]
• The OCL closure refers to the type Collection for the result!
  ⇒ The closure is a finite processing, which assumes that the whole model is available for evaluation
Defining Infinite Models: A MOF Extension
• Upper bound of a MOF property
  • new type for upper identifying possible infinite collection
  • upper: Naturalω, s.t. m < * < ω where m∈N
  • Naturalω is an extension of UnlimitedNatural from MOF
• Transitive closure of a MOF property
  • additional attribute in Property identifying possible infinite unfolding (only for reflexive relation)
[Figure: classes A and B with references a 0..*, b 0..* and derived reference /a 0..*]
context A::a : A
derive : self.b->collect(a)->flatten();
Iterating Infinite Models: A Coinductive Semantics
• The coinductive principle
  • Provides the formal and abstract foundations for reasoning over infinite data structures
  • Comes equipped with a ‘produce’ operator instead of the ‘reduce’ operator of the induction principle
  • Supported by some proof assistants
    • We used COQ in our case!
• We provide:
  • a CoIterate operator to iterate over infinite collections
  • a CoClosure operator to infinitely unfold reflexive relations
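An added illustration, not code from the slides or from the authors' COQ development: Python generators give the 'produce' reading of iteration, so a closure or an iteration over an unbounded model yields usable prefixes where the eager, Collection-typed OCL closure would never return. The names co_closure, co_iterate, next_states, events and the sample data are assumptions made for this sketch.

```python
from collections import deque
from itertools import count, islice

def co_closure(start, successors):
    """Lazily unfold the reflexive-transitive closure of `successors`.

    Breadth-first, each element produced once, so any reachable element
    appears after finitely many steps even if the unfolding never ends.
    """
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        yield node
        for nxt in successors(node):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)

def co_iterate(source, step, acc):
    """Produce every intermediate accumulator instead of one final result."""
    for elem in source:
        acc = step(acc, elem)
        yield acc

# Constructed unbounded state space: state n has transitions to n+1 and 2n.
def next_states(n):
    return (n + 1, 2 * n)

# Constructed endless event stream using the EventKind literals from the slides.
def events():
    return ("exogenous" if i % 3 == 0 else "endogenous" for i in count())

def count_exogenous(acc, kind):
    return acc + (kind == "exogenous")

def reachable_prefix(k):
    """First k reachable states; an eager closure would never return here."""
    return list(islice(co_closure(1, next_states), k))

def exogenous_counts(k):
    """Running count of exogenous events after each of the first k events."""
    return list(islice(co_iterate(events(), count_exogenous, 0), k))

# On a finite model the lazy unfolding terminates with the full closure.
FINITE = {"s1": ["s2"], "s2": ["s1", "s3"], "s3": []}

if __name__ == "__main__":
    print(reachable_prefix(7))                      # prefix of an infinite closure
    print(exogenous_counts(6))                      # prefix of an infinite iteration
    print(list(co_closure("s1", FINITE.__getitem__)))
```

The breadth-first order matters: a depth-first unfolding of next_states would follow one branch forever and never produce the states on the other.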
Iterating Infinite Models: A Coinductive Semantics
• CoIterate over infinite collections:
• CoClosure for infinite unfolding of relations:
Example: the UML State Machine
• Iterating the events to be processed
• Unfolding the reachable states
Conclusion & Perspectives
• Contributions
  • A MOF extension (abstract and concrete syntaxes)
    • Explicit identification of infinite models in metamodels
    • Precise and local specification of the infinite parts in the conforming models
  • A coinductive semantics (implemented using COQ)
    • Formal evaluation of such infinite parts with OCL iterators
    • Provides the foundations for the verification of operations that must process models of unknown size
    • Independent of the various possible implementations, and usable as a reference for interoperability issues
[Figure: (object-oriented) definition and (coinductive) semantics for iterating (in breadth, in depth); implementations (lazy evaluation, models@runtime)]
• Future Work:
  • Investigate equivalent translations to various implementations (platform model)
  • Investigate the coiterate iterator for model transformation (using model as accumulator) to formally deal with the production of models at runtime.