Integrating Formal Methods with Model-Driven Engineering

Angelo Gargantini (Università di Bergamo, Italy), Elvinia Riccobene (Università degli Studi di Milano, Italy), Patrizia Scandurra (Università di Bergamo, Italy)

Abstract

In this paper, we present our position and experience on integrating formal methods with the Model-driven Engineering (MDE) approach to software development. Both approaches have advantages and disadvantages, and here we show how the advantages of one can be exploited to cover or weaken the disadvantages of the other. We also propose an in-the-loop integration which allows the development of a general framework for software engineering where the rigorousness and preciseness of formal methods are combined with the flexibility and automation of MDE. We discuss the feasibility of unifying these two separate worlds, referring to our experience on integrating the Abstract State Machine formal method with the Eclipse Modeling Framework supporting MDE facilities.

1. Introduction

It is nowadays widely acknowledged that the use of Formal Methods (FMs), based on rigorous mathematical foundations, is essential for system development, especially for high-integrity systems where safety or security are important. On the other hand, Model-driven Engineering (MDE) [1], [2] is emerging as a new paradigm in software engineering, which bases system development on (meta-)modeling and model transformations, and provides methods to build bridges between similar or different technical spaces and domains. Both approaches have advantages and disadvantages.

In this paper, we discuss how these two approaches can be combined, showing how the advantages of one can be exploited to cover or weaken the disadvantages of the other. We refer to our experience in integrating the Abstract State Machine (ASM) formal method [3] with EMF (the Eclipse Modeling Framework, used as the framework for MDE). This work has so far paid off in two ways: ASMs have been used to provide semantics to languages defined in the MDE context [4], and MDE has been used in building and integrating tools around ASMs [5], [6]. Here, we also propose an in-the-loop integration that allows the development of a general framework for software engineering where the rigorousness and preciseness of FMs (in our case, ASMs) are combined with the flexibility and automation of MDE.

The remainder of this paper is organized as follows. Sect. 2 presents our integration envisioning by suggesting how MDE methodologies and technologies can be combined with FMs. Sect. 3 provides basic concepts concerning ASMs. Sections 4 and 5 show a concrete scenario of in-the-loop integration between the ASM formal method and the EMF framework. Sect. 6 sketches some related work. Finally, our conclusion and future directions are provided in Sect. 7.

2. Integration Envisioning

Fig. 1 briefly summarizes the advantages and disadvantages of MDE and FMs.

Advantages of FMs. The use of formal methods in system engineering is becoming essential, especially during the early phases of the development process. Indeed, an abstract model of the system can be used to understand whether the system under development satisfies the given requirements (by simulation and model-based testing), and to guarantee certain properties by formal analysis (validation & verification).

Figure 1. Formal methods and MDE

        Advantages                                   Disadvantages
  MDE   * User-friendly notation                     * Lack of semantics
        * Derivative artifacts for tool development  * Unfit for model analysis
        * Automated model transformations
  FM    * Rigorous mathematical foundation           * Hard notation
        * Suitable for model analysis                * Lack of tools
                                                     * Lack of integration

Disadvantages of FMs. While there are several cases proving the applicability of formal methods in industrial applications and showing very good results, many practitioners are still reluctant to adopt formal methods. Besides the well-known lack of training, this skepticism is mainly due to: the complex notations that formal techniques use, compared with lightweight and more intuitive graphical notations such as the Unified Modeling Language (UML); the lack of easy-to-use tools supporting a developer during the life-cycle activities of system development, possibly in a seamless manner; and the lack of integration among formal methods themselves and their associated tools.

Advantages of MDE. MDE technologies, with a greater focus on architecture and automation, yield higher levels of abstraction in system development by promoting models as first-class artifacts to maintain, analyze, simulate, and eventually reduce into code or transform into other models. Meta-modeling is a key concept of the MDE paradigm: it is intended as a way to endow a language or a formalism with an abstract notation, thus separating the abstract syntax and semantics of the language from its different concrete notations. Metamodel-based modeling languages are increasingly being defined and adopted for specific domains of interest, addressing the inability of third-generation languages to alleviate the complexity of platforms and express domain concepts effectively [2].

Disadvantages of MDE. Although the definition of a language's abstract syntax by a metamodel is well mastered and supported by many meta-modeling environments (EMF/Ecore, GME/MetaGME, AMMA/KM3, XMF-Mosaic/Xcore, etc.), the semantics definition of this class of languages is an open and crucial issue. Currently, meta-modeling environments cope well with most syntactic and transformation definition issues, but they lack any standard and rigorous support for providing the (possibly executable) semantics of metamodels, which is usually given in natural language. This implies that most currently adopted metamodel-based languages are not yet suitable for effective model analysis, because they lack the strong semantics necessary for tool-assisted formal model analysis.

User-friendly notations, the integration of techniques, and their tool inter-operability are still a significant challenge for formal methods; they can be achieved by exploiting the metamodeling approach suggested by MDE. Sect. 2.1 briefly introduces a process for language engineering which starts by defining an abstract notation for a FM in terms of a metamodel, and then builds a general framework for tools development and integration around the FM. On the other hand, the problem of providing a way to express the semantics of metamodel-based languages and to perform model validation and verification can be solved by the use of FMs. Sect. 2.2 presents an approach to endow language metamodels with precise (and possibly executable) semantics, and to associate formal models, suitable for model analysis, to language terminal models by automatic model mapping.

2.1. MDE for FMs

Applying the MDE development principles to a formal method should have the following overall goal: (a) to provide an intuitive modeling notation having rigorous syntax and semantics, possibly supporting a graphical view of the model; (b) to allow modeling techniques which facilitate the use of FMs in many stages of the development process, and analysis techniques that combine validation (by simulation and testing) and verification (by model checking or theorem proving) methods at any desired level of detail; and (c) to support an open and flexible architecture to ease the development of new tools and the integration with other existing tools.

In practice, this activity consists mainly of:
  • designing the formal language by metamodeling (i.e. building a metamodel of the formal notation),
  • defining language concrete syntaxes, i.e. metamodel derivatives (also called language artifacts), to handle (i.e. create, store, control, exchange, access, manipulate) language models, and
  • developing processing tools, by exploiting the chosen metamodeling framework and the language artifacts, able to process and analyze such models.

In principle, the choice of a specific meta-modeling framework should not prevent the use of models in other meta-modeling spaces, since model transformations among meta-modeling frameworks should in theory be supported by the environments. However, although in theory one could switch framework later, a commitment to a precise meta-modeling framework is better made at the very early stage of the development process, mainly for practical reasons. The chosen MDE framework should support easy (e.g. graphical) editing of (meta)models, model-to-model transformations, and text-to-model and model-to-text mappings to assist the development of concrete notations in textual form. It should also, possibly, provide a mapping to a programming language (i.e. API artifacts) to allow the integration in programs and software applications.

2.2. FMs for MDE

Applying a formal method to a language L defined in a meta-modeling framework should have the following overall goal: (a) to allow the definition of the behaviors (semantics) of models conforming to L, and (b) to provide several techniques and methods for the formal analysis of such models (e.g. validation, property proving, model checking, etc.). A metamodel-based language L has a well-defined semantics if a semantic domain S is identified and a semantic mapping MS : A → S is provided [7] between L's abstract syntax A (i.e. the metamodel of L) and S, to give meaning to the syntactic concepts of L in terms of the semantic domain elements. The semantic domain S and the mapping MS can be described in varying degrees of formality, from natural language to rigorous mathematics. It is very important that both S and MS are defined in a precise, clear, and readable way.

... by a set of tools for model simulation, testing, and verification.

Figure 2. In the loop integration of FM and MDE (figure labels: MDE, FM, apply MDE to FM (1), apply FM to MDE (2))

2.3. In-the-loop integration

Although the two activities of applying MDE to a FM and applying a FM to MDE can be considered unrelated and could be performed in parallel even
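To make the semantic mapping MS : A → S of Sect. 2.2 concrete, the following added example (written for this page; it is not the authors' code or tooling) takes a constructed metamodel A for a tiny event/transition language, maps a terminal model to an ASM-style semantic domain S (a state plus a rule producing update sets), and then uses that semantics for validation by simulation and for verification by exhaustive exploration of reachable states; the terminal model, a session lock whose "open" state must not be reachable without an "auth" event, is constructed here too.

```python
from collections import namedtuple

# Abstract syntax A: the metamodel of a tiny event/transition language (constructed for this example).
Transition = namedtuple("Transition", "src event dst")
Machine = namedtuple("Machine", "states initial transitions")   # a terminal model conforming to A

def conforms(model):
    # Static well-formedness against A: the initial state and every transition endpoint must be declared.
    names = set(model.states)
    return model.initial in names and all(t.src in names and t.dst in names for t in model.transitions)

def semantic_mapping(model):
    # MS : A -> S. Here S is an ASM: a state (a single location 'ctl') plus a rule that, for the fired
    # event, computes an update set and applies it atomically; an unfired event yields an empty update set.
    if not conforms(model):
        raise ValueError("model does not conform to the metamodel")
    table = {(t.src, t.event): t.dst for t in model.transitions}
    def step(state, event):
        dst = table.get((state["ctl"], event))
        return {**state, **({"ctl": dst} if dst is not None else {})}
    return {"ctl": model.initial}, step

def simulate(model, events):
    # Validation by simulation: run the mapped ASM over an event trace, returning the visited ctl values.
    state, step = semantic_mapping(model)
    trace = [state["ctl"]]
    for e in events:
        state = step(state, e)
        trace.append(state["ctl"])
    return trace

def reachable(model, alphabet):
    # Verification by exhaustive exploration: every ctl value reachable when only 'alphabet' events occur.
    init, step = semantic_mapping(model)
    seen, frontier = {init["ctl"]}, [init]
    while frontier:
        s = frontier.pop()
        for e in alphabet:
            n = step(s, e)
            if n["ctl"] not in seen:
                seen.add(n["ctl"])
                frontier.append(n)
    return seen

# Constructed terminal model: a session lock; 'open' should be unreachable without an 'auth' event.
LOCK = Machine(("locked", "authenticated", "open"), "locked", (
    Transition("locked", "auth", "authenticated"), Transition("authenticated", "open", "open"),
    Transition("authenticated", "timeout", "locked"), Transition("open", "logout", "locked"),
    Transition("open", "timeout", "locked")))
```

Calling reachable(LOCK, ["open", "logout", "timeout"]) explores the model under an environment that never produces "auth" and returns only {"locked"}, which is the kind of property check the mapped semantics makes possible; the same functions work for any model conforming to A.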
