University of Macaulibrary.umac.mo/etheses/b3086480x_ft.pdfAcknowledgements Firstly, I would like to express my sincere gratitude to my supervisors, Prof. Xi-aoshan Li and Dr. Zhiming

Enabling Component-Based Model Transformations

with QVT

by

Li Dan

Doctor of Philosophy in Software Engineering

2013

Faculty of Science and Technology

University of Macau

Enabling Component-Based Model Transformations

with QVT

by

Li Dan

SUPERVISOR: Prof. Xiaoshan Li

CO-SUPERVISOR: Dr. Zhiming Liu

Department of Computer and Information Science

Doctor of Philosophy in Software Engineering

2013

Faculty of Science and Technology

University of Macau

Author’s right 2013 by

LI Dan

Acknowledgements

Firstly, I would like to express my sincere gratitude to my supervisors, Prof. Xi-

aoshan Li and Dr. Zhiming Liu, for giving me the chance to start my PhD study, and

for their guidance and help over the past four years. Also, I would like to thank Prof.

Gong Zhiguo, Dong Mingchui, Xu Qiwen, and Robert P. Biuk-Aghai of the Univer-

sity of Macau, and Prof. Anders P. Ravn of Aalborg University, Prof. T.H. Tse of the

University of Hong Kong, Prof. Shaoying Liu of Hosei University, for having taken

time and efforts to review my thesis and to serve on the examination committees of my

thesis proposal and oral defense.

Particularly, I am grateful to Dr. Volker Stolz of the University of Oslo, who has

helped me a lot during my PhD study. I would also like to express my thanks to

my colleagues Mr. Liang Zhao, Ruzhen Dong, Xiaoliang Wang, Jiaqi Zhu, Jian Zhu,

Yuanzhang Chang, Danning Li, Ms. Shuling Wang, Lijie Yang, Prof. Mingyi Zhang,

and all the colleagues of UNU-IIST, University of Macau, Institute of Software of

CAS, and Guizhou Academy of Sciences, for their cooperation, discussion and friendly

advice that are of great help in my work. Special thanks to UNU-IIST and general ser-

vices staff Ms. Wendy Hoi, Alice Pun and Kitty Chan for their administrative support

these years.

I am greatly indebted to my family - my parents, my wife and my son, for their

patience, love and endless support in all these years I was away from home.

Chapter2& 3 of this thesis are partly based on the literature [46; 74; 134; 135; 148]

and [38; 39; 82; 97; 112; 181], respectively. I would like to acknowledge and thank all

the authors of these publications.

i

Abstract

Model Driven Architecture(MDA) has become a mainstream framework formodel-

drivenandcomponent-baseddevelopment. To achieve the faster and less costly soft-

ware development promised by MDA, automating the development process with tools

is critical, but not easy. One reason is that MDA lacks a precise and concrete devel-

opment methodology. On the other side, stepwise refinement is a formal mechanism

which facilitates the development of systems correct-by-construction by incrementally

applying the refinement rules. But the limitation of available refinement rules and the

lack of integrated support tools make the method hard to scale up to complex models.

The research presented in this thesis aims at exploring techniques to automate the

MDA development process through application of the refinement mechanism as model

transformations. We use therefinement for Component and Object Systems(rCOS) in

the research, as the formal theory supports component-based modeling, and includes

a comprehensive refinement calculus. We define a UML profile that augments rCOS

with standard UML elements and diagrams, implement a set of the refinement rules as

model transformations, and integrate them into a CASE tool. Thus the full component-

based development process can be driven by interactively applying the refinement

transformations. Particularly, we present a transformation from object-oriented mod-

els to component models, so the OO design and component-based techniques can be

seamlessly combined in the development process.

Automation of these transformations places a high demand on transformation tools.

We adopt the graphical notation ofQVT Relations, an intuitive and powerful language

for defining model transformations. But currently there is no practical support tool

available. We propose an approach to implement QVT transformations as executable

XSLT programs. A tool, named QVTR-XSLT, has been developed to support the ap-

proach. The tool has a graphical editor for specifying a QVT transformation with the

graphical notation, and a code generator which automatically translates the transfor-

mation to XSLT programs. However, the QVTR-XSLT tool marks a useful attempt to

bring the OMG standard language to practice.

ii

Declaration

I declare that this thesis has not been previously submitted for a degree or other

qualification at this or any other higher education institution. To the best of my knowl-

edge and belief, this thesis contains no material previously published or written by

another person, except where due reference or acknowledgement is made.

I also acknowledge that I have read and understood the Rules on Handling Student

Academic Dishonesty and the Regulations of the Student Discipline of the University

of Macau.

iii

Contents

Contents iv

List of Figures x

1 Introduction 1

1.1 General Background . . . . . . . . . . . . . . . . . . . . . . . . . . 4

1.2 Specific Background . . . . . . . . . . . . . . . . . . . . . . . . . .17

1.3 Research Goals and Objectives . . . . . . . . . . . . . . . . . . . . .19

1.4 Research Methodology and Design . . . . . . . . . . . . . . . . . . .21

1.5 Potential Contributions . . . . . . . . . . . . . . . . . . . . . . . . .23

1.6 Organization of the Thesis . . . . . . . . . . . . . . . . . . . . . . .25

1.7 Statement of Originality . . . . . . . . . . . . . . . . . . . . . . . .28

2 Model-Driven Development 30

2.1 Model Driven Architecture (MDA) . . . . . . . . . . . . . . . . . . 31

2.1.1 Models of MDA . . . . . . . . . . . . . . . . . . . . . . . . 32

2.1.2 Development process of MDA . . . . . . . . . . . . . . . . .34

2.2 Meta Object Facility (MOF) . . . . . . . . . . . . . . . . . . . . . .35

2.2.1 Essential MOF (EMOF) . . . . . . . . . . . . . . . . . . . .37

2.2.2 XML Metadata Interchange (XMI) . . . . . . . . . . . . . .38

2.3 Unified Modeling Language (UML) . . . . . . . . . . . . . . . . . .39

2.3.1 UML diagrams . . . . . . . . . . . . . . . . . . . . . . . . .40

2.3.2 UML profiles . . . . . . . . . . . . . . . . . . . . . . . . . . 48

2.4 Object Constraint Language (OCL) . . . . . . . . . . . . . . . . . .51

2.5 Model Transformations and QVT . . . . . . . . . . . . . . . . . . .53

2.6 Component-Based Development (CBD) . . . . . . . . . . . . . . . .60

2.6.1 Component definition . . . . . . . . . . . . . . . . . . . . .62

iv

CONTENTS

2.6.2 Component composition . . . . . . . . . . . . . . . . . . . .64

2.6.3 Component diagram . . . . . . . . . . . . . . . . . . . . . .65

2.6.4 Component interaction protocol . . . . . . . . . . . . . . . .66

2.6.5 Component-based development process . . . . . . . . . . . .67

3 Refinement for Component and Object Systems – rCOS 69

3.1 UTP - Background of rCOS . . . . . . . . . . . . . . . . . . . . . .70

3.1.1 Programs as designs . . . . . . . . . . . . . . . . . . . . . .72

3.1.2 Refinement of designs . . . . . . . . . . . . . . . . . . . . .73

3.1.3 Reactive designs . . . . . . . . . . . . . . . . . . . . . . . .74

3.2 Object-Orientation of rCOS . . . . . . . . . . . . . . . . . . . . . .75

3.2.1 Syntax of rCOS . . . . . . . . . . . . . . . . . . . . . . . .76

3.2.2 Semantics of rCOS . . . . . . . . . . . . . . . . . . . . . . .79

3.2.3 Object-oriented refinements of rCOS . . . . . . . . . . . . .82

3.3 Component Model of rCOS . . . . . . . . . . . . . . . . . . . . . .85

3.3.1 Close components and refinement . . . . . . . . . . . . . . .86

3.3.2 Open components and composition . . . . . . . . . . . . . .88

3.3.3 Processes and coordination . . . . . . . . . . . . . . . . . . .91

3.4 Development Method of rCOS . . . . . . . . . . . . . . . . . . . . .92

3.4.1 Requirements modeling . . . . . . . . . . . . . . . . . . . .94

3.4.2 Object-oriented design . . . . . . . . . . . . . . . . . . . . .97

3.4.3 Component-based design . . . . . . . . . . . . . . . . . . . .98

3.4.4 Platform specific design and implementation . . . . . . . . .100

3.5 Tool Support for rCOS . . . . . . . . . . . . . . . . . . . . . . . . .101

4 QVTR-XSLT: A Tool for Graphical Notation of QVT Relations 102

4.1 State of the Art . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108

4.1.1 Graph transformation languages and tools . . . . . . . . . . .109

4.1.2 QVT-like languages and tools . . . . . . . . . . . . . . . . .111

v

CONTENTS

4.1.3 Efforts to support graphical notation of QVT Relations . . . .115

4.1.4 XSLT related approaches . . . . . . . . . . . . . . . . . . . .116

4.2 QVT Relations and XSLT . . . . . . . . . . . . . . . . . . . . . . .117

4.2.1 QVT Relations . . . . . . . . . . . . . . . . . . . . . . . . .117

4.2.2 XPath . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122

4.2.3 XSLT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .124

4.2.4 Comparison of QVT Relations and XSLT . . . . . . . . . . .127

4.3 OCL to XPath . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129

4.3.1 Mapping OCL types . . . . . . . . . . . . . . . . . . . . . .130

4.3.2 Mapping OCL expressions . . . . . . . . . . . . . . . . . . .131

4.3.3 Mapping OCL operations . . . . . . . . . . . . . . . . . . .134

4.4 QVT Relations to XSLT . . . . . . . . . . . . . . . . . . . . . . . .136

4.4.1 Mapping source domain to selection pattern . . . . . . . . . .137

4.4.2 Creating variable declarations . . . . . . . . . . . . . . . . .139

4.4.3 Generating construction instructions . . . . . . . . . . . . .. 140

4.4.4 Translating relation calls . . . . . . . . . . . . . . . . . . . .141

4.5 Support Semantics of QVT Relations . . . . . . . . . . . . . . . . .142

4.5.1 Transformation direction and check-before-enforce semantics 142

4.5.2 Relation domains . . . . . . . . . . . . . . . . . . . . . . . .143

4.5.3 Rule scheduling . . . . . . . . . . . . . . . . . . . . . . . . .144

4.5.4 Pattern matching . . . . . . . . . . . . . . . . . . . . . . . .146

4.5.5 Object creation using patterns . . . . . . . . . . . . . . . . .147

4.5.6 Transformation traceability . . . . . . . . . . . . . . . . . .148

4.5.7 Transformation composition . . . . . . . . . . . . . . . . . .149

4.5.8 In-place transformation . . . . . . . . . . . . . . . . . . . .151

4.6 Extensions to QVT Relations . . . . . . . . . . . . . . . . . . . . .153

4.6.1 Transformation parameter . . . . . . . . . . . . . . . . . . .153

4.6.2 Relation alias name and priority . . . . . . . . . . . . . . . .155

vi

CONTENTS

4.6.3 Conditional relation call . . . . . . . . . . . . . . . . . . . .157

4.7 Model Query with QVT-R Graphical Notation . . . . . . . . . . . .157

4.7.1 Syntax of the query facility . . . . . . . . . . . . . . . . . .158

4.7.2 Semantics of the query facility . . . . . . . . . . . . . . . . .161

4.7.3 Mapping domain patterns to XPath path expressions . . . .. 162

4.7.4 Generating XSLT functions for queries . . . . . . . . . . . .164

4.8 Tool Design and Implementation . . . . . . . . . . . . . . . . . . . .165

4.8.1 A UML profile for QVT Relations . . . . . . . . . . . . . .165

4.8.2 QVT-R graphical editor . . . . . . . . . . . . . . . . . . . .173

4.8.3 XSLT code generator . . . . . . . . . . . . . . . . . . . . . .176

4.8.4 A collection of predefined transformations . . . . . . . . . .. 177

4.9 Case Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .178

4.9.1 Simple UML to simple RDBMS transformation . . . . . . .178

4.9.2 Model querying examples . . . . . . . . . . . . . . . . . . .184

4.10 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .190

5 A UML Profile for rCOS 193

5.1 A Metamodel of rCOS . . . . . . . . . . . . . . . . . . . . . . . . .194

5.1.1 Types and classes of rCOS . . . . . . . . . . . . . . . . . . .194

5.1.2 Components of rCOS . . . . . . . . . . . . . . . . . . . . . .196

5.2 A UML Profile for rCOS . . . . . . . . . . . . . . . . . . . . . . . .198

5.2.1 Mapping rCOS Concepts to UML . . . . . . . . . . . . . . .199

5.2.2 rCOS modeling architecture . . . . . . . . . . . . . . . . . .201

5.2.3 Class and interface modeling . . . . . . . . . . . . . . . . .202

5.2.4 Component modeling . . . . . . . . . . . . . . . . . . . . .204

5.2.5 rCOS sequence diagram . . . . . . . . . . . . . . . . . . . .209

5.2.6 State machine diagram . . . . . . . . . . . . . . . . . . . . .212

5.2.7 Visual diagram modeling . . . . . . . . . . . . . . . . . . .214

vii

CONTENTS

5.2.8 Profile constraints . . . . . . . . . . . . . . . . . . . . . . .216

5.2.9 Profile implementation . . . . . . . . . . . . . . . . . . . . .217

5.3 Supporting rCOS Development . . . . . . . . . . . . . . . . . . . .220



5.3.3 Component-based model design . . . . . . . . . . . . . . . .223

5.3.4 Code generation . . . . . . . . . . . . . . . . . . . . . . . .224

5.4 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .224

5.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .227

6 Enabling Model Transformations of rCOS 228

6.1 From Requirements Models to Design Models . . . . . . . . . . . .232

6.1.1 From sequence diagrams to protocol state machines . . . .. 234

6.1.2 Labeling protocol state machines . . . . . . . . . . . . . . .241

6.1.3 Generation of controller classes . . . . . . . . . . . . . . . .243

6.1.4 An example : clinic reception . . . . . . . . . . . . . . . . .246

6.2 From OO Design- to Component-Based Models . . . . . . . . . . .250

6.2.1 Selection of object lifelines . . . . . . . . . . . . . . . . . . .251

6.2.2 Validating the lifeline selection . . . . . . . . . . . . . . . . .253

6.2.3 Generating a component from selected lifelines . . . . . .. . 255

6.2.4 Implementation . . . . . . . . . . . . . . . . . . . . . . . . .256

6.3 Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .258



6.3.3 Component-based design . . . . . . . . . . . . . . . . . . . .267

6.4 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277

6.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .281

viii

CONTENTS

7 Conclusions and Future Work 283

7.1 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .283

7.2 Limitations of Current Study . . . . . . . . . . . . . . . . . . . . . .290

7.3 Perspectives for Future Work . . . . . . . . . . . . . . . . . . . . . .293

References 295

Appendix 311

A EBNF for OCL used in QVTR-XSLT tool 312

A.1 Basic definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . .312

A.2 Expression definitions . . . . . . . . . . . . . . . . . . . . . . . . . .313

B Algorithms for OO- to component sequence diagram transformation 314

B.1 Calculate strongly connected lifelines . . . . . . . . . . . . . .. . . 314

B.2 Generate component from selected object lifelines . . . . .. . . . . 314

B.3 Generate required interface . . . . . . . . . . . . . . . . . . . . . . .316

Curriculum Vitae 317

ix

List of Figures

1.1 Research methodology (adapted from [127]) . . . . . . . . . . . . . . 22

1.2 Dependency relationships of the major chapters . . . . . . . .. . . . 28

2.1 The four modeling layers of MOF . . . . . . . . . . . . . . . . . . .36

2.2 Extract of the EMOF metamodel . . . . . . . . . . . . . . . . . . . .37

2.3 A use case diagram . . . . . . . . . . . . . . . . . . . . . . . . . . .42

2.4 A class diagram for the POS system . . . . . . . . . . . . . . . . . .44

2.5 A state diagram for classSale . . . . . . . . . . . . . . . . . . . . . 45

2.6 A sequence diagram for operationenterItem . . . . . . . . . . . . . . 47

2.7 Model transformation . . . . . . . . . . . . . . . . . . . . . . . . . .54

2.8 QVT Architecture (from [134]) . . . . . . . . . . . . . . . . . . . . . 57

3.1 Basic operations of UTP . . . . . . . . . . . . . . . . . . . . . . . .72

3.2 Syntax of rCOS OO language (RCOSP) . . . . . . . . . . . . . . . . 76

3.3 rCOS development methodology . . . . . . . . . . . . . . . . . . . .93

4.1 Overall process of using QVTR-XSLT tool . . . . . . . . . . . . . .105

4.2 Comparison of transformation approaches and tools . . . . .. . . . . 114

4.3 QVT Relations metamodel . . . . . . . . . . . . . . . . . . . . . . .118

4.4 Example QVT-R relation in graphical notation . . . . . . . . . .. . . 119

4.5 An excerpt of XML data model . . . . . . . . . . . . . . . . . . . . .122

4.6 XSLT metamodel . . . . . . . . . . . . . . . . . . . . . . . . . . . .124

4.7 Trace class model . . . . . . . . . . . . . . . . . . . . . . . . . . . .148

4.8 In-place transformation example - relation PullUpAttribute. . . . . . . 152

4.9 Abstract syntax of QVT-R extensions . . . . . . . . . . . . . . . . .153

4.10 Definition of additional transformation parameters. . .. . . . . . . . 154

4.11 Metamodel of the model query . . . . . . . . . . . . . . . . . . . . .159

x

LIST OF FIGURES

4.12 Example of the model query . . . . . . . . . . . . . . . . . . . . . .161

4.13 The UML profile for QVT-R . . . . . . . . . . . . . . . . . . . . . .166

4.14 TheMetaModelpackage of QVT-R profile. . . . . . . . . . . . . . .169

4.15 The stereotype for mapping UML to XMI . . . . . . . . . . . . . . .169

4.16 A stereotype for in-place transformation. . . . . . . . . . . .. . . . . 170

4.17 The toolbar for the QVT-R graphical editor . . . . . . . . . . . .. . 174

4.18 Validating the transformation model . . . . . . . . . . . . . . . .. . 175

4.19 The XSLT code generator . . . . . . . . . . . . . . . . . . . . . . . .176

4.20 Simple UML metamodel . . . . . . . . . . . . . . . . . . . . . . . .180

4.21 Simple RDBMS metamodel . . . . . . . . . . . . . . . . . . . . . .180

4.22 The transformation model . . . . . . . . . . . . . . . . . . . . . . . .180

4.23 The root relation . . . . . . . . . . . . . . . . . . . . . . . . . . . .180

4.24 Class to table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181

4.25 Attribute to column . . . . . . . . . . . . . . . . . . . . . . . . . . .181

4.26 Association to foreign key . . . . . . . . . . . . . . . . . . . . . . .181

4.27 Primitive attribute to column . . . . . . . . . . . . . . . . . . . . . .181

4.28 Complex attribute to column . . . . . . . . . . . . . . . . . . . . . .182

4.29 Attribute in super class to column . . . . . . . . . . . . . . . . . . .182

4.30 Target metamodel . . . . . . . . . . . . . . . . . . . . . . . . . . . .185

4.31 Top-level relation . . . . . . . . . . . . . . . . . . . . . . . . . . . .185

4.32 Display query result . . . . . . . . . . . . . . . . . . . . . . . . . . .185

4.33 Count number of classes . . . . . . . . . . . . . . . . . . . . . . . .186

4.34 Classes with number of associations . . . . . . . . . . . . . . . . .. 186

4.35 Maximal depth of inheritance . . . . . . . . . . . . . . . . . . . . . .188

4.36 Number of super classes . . . . . . . . . . . . . . . . . . . . . . . .188

4.37 Find elements by name . . . . . . . . . . . . . . . . . . . . . . . . .189

4.38 Getting attribute names . . . . . . . . . . . . . . . . . . . . . . . . .189

xi

LIST OF FIGURES

5.1 Types package of rCOS metamodel . . . . . . . . . . . . . . . . . . .195

5.2 Class package of rCOS metamodel . . . . . . . . . . . . . . . . . . .195

5.3 Components package of rCOS metamodel . . . . . . . . . . . . . . .197

5.4 Mapping from rCOS concepts to UML . . . . . . . . . . . . . . . . .199

5.5 Overall structure of rCOS model . . . . . . . . . . . . . . . . . . . .201

5.6 ClassandInterfacemodels . . . . . . . . . . . . . . . . . . . . . . .203

5.7 Modeling rCOS component . . . . . . . . . . . . . . . . . . . . . . .205

5.8 Realizing component composition . . . . . . . . . . . . . . . . . . .206

5.9 An example of component composition . . . . . . . . . . . . . . . .208

5.11 rCOS sequence diagram . . . . . . . . . . . . . . . . . . . . . . . .209

5.12 Protocol state machine . . . . . . . . . . . . . . . . . . . . . . . . .212

5.13 Metamodel of diagram interchange (DI) . . . . . . . . . . . . . . .. 215

5.14 Definitions of rCOS profile . . . . . . . . . . . . . . . . . . . . . . .218

5.15 Requirements modeling in the rCOS modeler . . . . . . . . . . . .. 221

5.16 OO design in rCOS modeler . . . . . . . . . . . . . . . . . . . . . .222

5.17 Component-based design in the rCOS modeler . . . . . . . . . . .. . 223

6.1 Starting theSD to PSMtransformation . . . . . . . . . . . . . . . . .235

6.2 Rule formessage occurrence. . . . . . . . . . . . . . . . . . . . . . 236

6.3 Applying rule formessage occurrence. . . . . . . . . . . . . . . . . 236

6.4 Applying rule foralt . . . . . . . . . . . . . . . . . . . . . . . . . . 237

6.5 Applying rule forbreak . . . . . . . . . . . . . . . . . . . . . . . . . 237

6.6 Applying rule forloop . . . . . . . . . . . . . . . . . . . . . . . . . 238

6.7 Applying rule foropt . . . . . . . . . . . . . . . . . . . . . . . . . . 238

6.8 Applying rules forpar andcritical . . . . . . . . . . . . . . . . . . . 240

6.9 Applying rule forref . . . . . . . . . . . . . . . . . . . . . . . . . . 240

6.10 LabeledPSM from Fig.6.7 . . . . . . . . . . . . . . . . . . . . . . . 242

6.11 LabeledPSM from Fig.6.8 . . . . . . . . . . . . . . . . . . . . . . . 242

xii

LIST OF FIGURES

6.12 Use case and component for clinic reception . . . . . . . . . . . . . .246

6.13 Interface and controller class for componentReception . . . . . . . . 246

6.14 System sequence diagram for interfaceReceptDesk. . . . . . . . . . 247

6.15 Protocol state machine for interfaceReceptDesk. . . . . . . . . . . . 248

6.16 A relation to generate a component lifeline . . . . . . . . . . .. . . . 257

6.17 Domain class diagram of CoCoME example . . . . . . . . . . . . . .259

6.18 Use caseProcessSale. . . . . . . . . . . . . . . . . . . . . . . . . . 259

6.19 ComponentProcessSale . . . . . . . . . . . . . . . . . . . . . . . . 259

6.20 Sequence diagram forCInter . . . . . . . . . . . . . . . . . . . . . . 260

6.21 Interface ofProcessSale . . . . . . . . . . . . . . . . . . . . . . . . 260

6.22 Protocol state machine forCInter . . . . . . . . . . . . . . . . . . . . 261

6.23 The controller class for interfaceCInter . . . . . . . . . . . . . . . . 262

6.24 Interactively applying expert pattern . . . . . . . . . . . . . .. . . . 263

6.25 The object sequence diagram after applying expert pattern . . . . . . 264

6.26 The object sequence diagram after OO refinement . . . . . . . .. . . 265

6.27 Design class diagram of CoCoME example . . . . . . . . . . . . . .265

6.28 Select lifelines to become a component . . . . . . . . . . . . . . .. . 268

6.29 Validation error message . . . . . . . . . . . . . . . . . . . . . . . .269

6.30 The sequence diagram after the first transformation . . . .. . . . . . 270

6.31 Component diagram after first transformation . . . . . . . . .. . . . 270

6.32 Definitions of componentCOM_proce . . . . . . . . . . . . . . . . . 271

6.33 Component sequence diagram for componentProcessSale . . . . . . 271

6.34 Component diagram forProcessSale. . . . . . . . . . . . . . . . . . 272

6.36 SD ofCOM_store. . . . . . . . . . . . . . . . . . . . . . . . . . . .273

6.37 PSM ofCOM_store . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

6.38 PSM for the required interface of componentCOM_proce. . . . . . . 273

6.39 Apply component composition . . . . . . . . . . . . . . . . . . . . .274

6.40 Result of component composition . . . . . . . . . . . . . . . . . . .275

xiii

LIST OF FIGURES

6.41 Sequence diagram for componentCOM_pay_SH . . . . . . . . . . . 275

6.42 PSM for componentCOM_pay_SH . . . . . . . . . . . . . . . . . . 276

6.43 Optimized component diagram forProcessSale. . . . . . . . . . . . 277

xiv

Chapter 1

Introduction

Nowadays software systems become more and more intricate and complex. The grow-

ing complexity comes from two fundamental sources. Firstly, some complexity is in-

herent in the difficulty of the underlying application problems, as they have to provide

a large variety of services and features, and become increasingly distributed, dynamic

and mobile. Secondly, the complexity comes from the software technologies used to

solve the problems, as there exists a wide conceptual gap between the application do-

main concepts and the technical solutions that implement the problems as software

systems. Bridging the gap using traditional code-centric approaches gives rise to the

complexity [63]. To cope with this, new software paradigms and technologiesare intro-

duced, such ascomponent-based development, model-driven development, andmodel

transformations.

Component-based development (CBD) [84; 160]. CBD is a reuse-based software

development approach to develop components and compose components into systems.

A component is a reusable block of software for a particular task. It has well-defined

interfaces, and its internals are encapsulated and inaccessible except through the inter-

faces. Components are designed, implemented and verified independently. A complete

system or a new component can be built by composition of the prefabricated compo-

nents. CBD helps to conquer the inherent complexity by dividing a complex sys-

tem into smaller modules that relate to a common function or logical/physical feature,

and encapsulating such a module as a component to hide its complex details. CBD

promises the benefits of reduced production cost, and shorter development time by

reuse of the components developed in other applications or developed by third parties.

1

1. Introduction

Model-driven development (MDD) [78; 147]. MDD is a software development ap-

proach that proposes application of models and model technologies in various devel-

opment activities in a software life cycle, such as the specification, design, and imple-

mentation. A model is an abstraction of a system that captures only certain aspects

of features. MDD aims to reduce complexity and thus improve the software quality

through applying the principles ofraising the level of abstractionandseparation of

concerns. In MDD, an application problem is first modeled at a high level of abstrac-

tion with concepts and structures that are close to the application domains. Thenmodel

transformationsare used to gradually add detailed and platform specific information

to the abstract model, and finally obtain a concrete software implementation.

Model transformation and QVT. Model transformation is an automated process

that takes one or more source models as input and produces one or more target mod-

els as output, following a set of transformation rules [152]. In MDD, model trans-

formation is the main means to support rigorous model refinement, evolution, verifi-

cation and code generation. Many model transformation approaches and tools have

been developed [45; 120]. To address the need for a common transformation lan-

guage, theObject Management Group(OMG) proposed theQuery/View/Transforma-

tion language(QVT) standard [134], which consists of three different transformation

languages. Among them,QVT Relations(QVT-R) is a high-level declarative trans-

formation language that has two concrete syntax styles: textual and graphical. The

graphical notation of QVT-R provides a concise, intuitive and yet powerful way to de-

fine model transformations.

In a MDD development process, there exists multiple models that represent a sys-

tem at different levels of abstraction, as well as from different views, such as static

structure, dynamic behavior, and functionality. These views are closely related, and

sometimes overlapping, in the sense that the same concept may redundantly appear in

2

different views. This brings new complexity, as it is difficult to maintain mutual con-

sistency among the replicated concepts in the views, and ensure the conformance of

models at different levels of abstraction. Additionally, as more models and views are

introduced, more relationships among them are introduced, and management of these

interrelations becomes complicated. Whenever an interrelated part changes, some or

all of its related parts can be affected [78].

Thus, MDD and CBD paradigms pose a set of challenges to software engineering:

1. Theoretical foundations: As a system is modeled from different views at dif-

ferent abstract levels, we need a formal semantic theory to define the precise

relations among the views and the abstract levels, so the consistent analysis and

verification of the models is possible. In order to combine the advantages of both

MDD and CBD techniques, the theory must provide an appropriate framework

to describe objects, components and their compositions, and help us to develop

a coherent and comprehensive understanding of the whole system [112].

2. Development methodologies: Developing complex systems is a difficult task

which cannot be done in one step. Development methodologies provide the

best practice to guide the development process, which consists of a sequence

of phases, activities and steps. A development methodology should support the

identification of crucial aspects of the system at different stages of the devel-

opment, allow us to factor a system into sub-models of different views, and

systematically evolve models across the different abstraction levels.

3. Supporting tools: MDD and CBD are effective only when the theories and

methodologies have been integrated into automated tool support. Particularly,

automating the development process, at least for some key steps or activities,

is crucial for the success of a software project. Carrying out these activities

manually is time consuming, tiresome and error-prone. As model transformation

is the basic means to manipulate models, the development of suitable approaches

3

1. Introduction

and tools for automating the transformations becomes very important.

The research presented in this thesis is aimed to address the last mentioned chal-

lenge, that is, exploring techniques to automate a model-driven development process

of component-based software through the application of model transformations.

1.1 General Background

In this section, we review the mainstream frameworks for MDD and CBD, finding

existing problems that impede the automation of the development process. Then we

go to the relevant techniques of formal methods and identify what can be introduced to

solve the problems. Finally, we inspect the current model transformation approaches

and tools, and conclude the importance of supporting the graphical notation of QVT-R.

Model Driven Architecture

The best known MDD initiative,Model Driven Architecture(MDA) [ 142], is proposed

by theObject Management Group(OMG) as its vision of MDD. MDA provides a set of

standards: 1) to define models and modeling languages (Unified Modeling Language

(UML) [ 135], Meta Object Facility(MOF) [132], Object Constraint Language(OCL)

[131]); 2) to define interoperability of modeling tools (XML Metadata Interchange

(XMI) [ 133]); and 3) to specify model transformations (MOF 2.0 Queries, Views and

Transformations(QVT) [134]).

UML. Among all these standards, UML has been widely accepted as a standardized

visual language to represent models. It provides a certain degree of support for both

MDD and CBD. In order to specify a model from different views, UML defines thir-

teen types of diagrams which are divided into two categories: representing static struc-

ture and dynamic behavior. For example, we normally adoptuse case diagramsfor

requirements elicitation,class diagramsfor structural design,sequence diagramsand

4

1.1. General Background

state diagramsfor modeling system interactions and reactive behaviors. With the help

of component diagrams, composite structure diagrams, and a number of other model-

ing constructs, such asconnector, port, required/provided interface, UML provides a

semi-formal means for specifying components, their composition and deployment. To

enhance the expressiveness of UML, OCL is used to navigate in a model and formulate

constraints on it. In addition, many tools have been developed for UML, with functions

ranging from drawing simple diagrams to supporting reverse software engineering.

Since UML is designed as a general-purpose modeling language which can be

used in many application domains and implementation platforms, OMG only provides

UML with a rather loose semantics defined in natural language. As the consequence,

lots of ambiguities are introduced. The lack of a precise semantics makes it difficult

to automate verification and analysis, which is essential to ensure the correctness and

consistency for separation of concerns and multi-view modeling. Moreover, UML is

claimed to be methodology-independent. That is to say UML is defined as only a

modeling language, OMG does not provide methodological support for using UML

in a development process. In addition, UML involves too many concepts and mecha-

nisms, many of them are overlapping and far from being intuitive in many cases, and

this becomes a drawback rather than an advantage. From a practical point of view, the

loosely defined semantics, numerous modeling concepts, and the lack of a developing

methodology make "pure" UML difficult to apply in practice of MDD and CBD [62].

Development of MDA. The development strategy of MDA focuses on the definition

of two kinds of models:Platform Independent Model(PIM) andPlatform Model(PM).

Here a platform is a particular technology on which an application is implemented,

such asModel-View-Controller(MVC) architecture, CORBA or .NET. PIM considers

only the problems of an application domain, and PM details information of a platform.

In a subsequent step, using model transformations, the two models are combined to

build a Platform Specific Model(PSM) that captures both application concerns and

5

1. Introduction

implementation techniques. Selecting a different PM, the same PIM can be easily

applied on a different platform by generating a specific PSM. OMG estimates that the

PIM-to-PSM transformation is already 50-70% automated in current tools, and the

next development step, generation of the executable code from PSM, is virtually fully

automated already [136].

However, in practice, a model may evolve through different sub-stages inside the

PIM stage. MDA lacks a systematic methodology to develop a complete and consistent

PIM. According to the survey of [43], MDA does not provide a comprehensive and

concrete process that could govern software development activities, thus each project

that uses MDA has to define its own development process or select one from existing

MDA based methodologies.

Methodology support for MDA has been rather slow in coming [18]. Many de-

velopment methodologies proposed in the literature are compatible with MDA and

tightly coupled to UML, such asRational Unified Process(RUP) [100], Agile Software

Process(ASP), etc. In terms of software development process, use case driven itera-

tive development and object-oriented modeling have become a predominant paradigm,

which normally consists of a number of development phases, and each phase is in turn

divided into different development tasks and activities.

For example, RUP defines an incremental development life cycle which is divided

into four phases:inception, elaboration, construction, and transition. Each phase

involves tasks such asbusiness modeling, requirements elicitation, analysis & design,

implementation, testing, deployment, etc. RUP applies use cases as the main method

to capture requirements, and UML activity diagrams, collaboration/sequence diagrams

and class diagrams are used in analysis and design.

RUP is very extensive and heavy weight. Other development methodologies pro-

mote simpler and more flexible development processes with fewer phases and activi-

ties. However, as the purpose of these development methodologies is to provide guid-

ance for the developers to follow in software design, the development activities and

6


steps are in general not concrete and fine-grained enough, and no precise semantics is

defined for them. This brings difficulty to the automation of the development process.

From OO design to component-based models.As a natural step of model driven

development, object-oriented models are often further evolved to component-based

models to get the benefits of reusability, maintenance, as well as distributed and inde-

pendent deployment. As nearly all existing component-based technologies are realized

in object-oriented technologies, most design processes start with an OO development

process and then at the end of the process an OO design is directly implemented using

a component-based technology, such .COM or .NET.

Surveys of approaches and techniques for identification reusable components from

object-oriented models can be found in [25; 167]. Based on the principle of “high

cohesion and low coupling”, researchers try to cluster classes into components. The

basic ideas are: calculate the strength of semantic dependencies between classes and

represent them as a weighted directional graph, then cluster the graph using graph

clustering or matrix analysis techniques [167]. Using clustering analysis, components

with high cohesion and low coupling are expected to be obtained in order to reduce

composition cost.

Identifying reusable components from object-oriented models is considered to be

one of the most difficult tasks in the software development process [59]. Most existing

approaches just provide general guidelines for component identification. They lack

more precise criteria and methods [44]. Because of the complexity of source infor-

mation and the component model itself, it is not advisable for component designers to

manually develop component-based models from object-oriented models [167]. Alas,

there are almost no (semi)-automatic tools to help designers in the process [153].

In summary, to support model-driven development process of component-based

software in the framework of MDA, our approach should take advantage of the stan-

7

1. Introduction

dard graphical modeling notation of UML and its existing support tools, and follow the

use case driven development paradigm of RUP style. However, we have to complement

it with a precise semantics and a meticulous development methodology, while restrict-

ing the UML modeling elements that will be used. In addition, we need strong support

for component modeling, and enabling the evolution from OO models to component-

based models. In the follows, we will review the relevant techniques of formal meth-

ods, seeking solutions to meet these requirements.

Formal methods and stepwise refinement

Formal methods are the application of mathematical theories, techniques and tools to

model and verify software/hardware systems. In software engineering, formal methods

can be used to build a rigorous specification of a system. The specification can be

verified with respect to functionality, consistency, safety and certain other properties

through applying semi-automated or automated techniques like theorem proving and

model-checking. Finding and fixing flaws in earlier development phases is known

to significantly reduce the overall cost of software projects. Formal methods can be

also used in system design, architecture, testing, etc. The use of formal methods,

with their rigorous mathematical foundations for system specification, verification and

refinement, offer help to address the challenges faced by MDD and CBD.

Over the past decades, a rich body of formal theories and supporting tools have

been developed. We mention some of the state-based formal methods:Z [27], VDM

[92], ASM [26], B [6] andEvent-B[7], and process-based formal methods:CSP[85],

Petri Nets[144], SOFL [109], etc. Successful application of formal methods can be

seen in safety-critical systems such as for transportation, defence and medical appli-

cations [22; 175]. However, in spite of these successes and the theoretical potential,

formal methods have not seen widespread adoption as a routine part of systems devel-

opment practice [175]. Some of the reasons could be:

8


• Formal methods and tools are difficult to understand and use because they re-

quire deep mathematical background and adopt complex formal notations;

• The use of formal methods increases the burden on the system developers, even

though they can benefit from the improved system quality;

• A wider acceptance of formal methods is also hindered by their scalability, as

real systems are much more complex than the examples used in textbooks.

Combining formal methods with UML. Integrating formal methods into UML

opens up a powerful approach to support MDD and CBD. A formal method can sup-

ply UML with a precise semantics, and formal consistency verification and refinement

techniques. For the formal method’s side, the advantage of combining with UML is the

possibility to specify a system with a unified, standardized graphical notation, and to

exploit many available UML tools for saving development effort and time. Thus some

inherent shortcomings of formal methods, such as the complexity of the notations, the

mathematical background required for comprehending the formulations, and the lack

of easy-to-use tools, can be efficiently overcome. The formal methods could therefore

potentially reach a wider user-base.

The work of integrating formal methods into UML for supporting MDD has been

investigated for the past few years. Möller et al. [123] have integrated a formal method,

namelyCSP-OZ, into UML and Java. In their work, UML diagrams are first trans-

lated to CSP-OZ specifications, and then converted intoJML specifications, so the

hand-written Java programs can be checked against the assertions inJML to guarantee

the correct implementation of the formal specifications. In [13], a framework called

UML+Z was introduced for building, analyzing and refining models based on UML

and Z. A UML+Z model consists of class, state and object diagrams. The translation

of UML class diagram and sequence diagram intoVDM++ was discussed in [66]. A

sequence diagram is transformed to traces of VDM++ for the derivation of test cases.

9

1. Introduction

The UML-B [154] provides a framework to support modeling with UML class dia-

grams and state machine diagrams. Translation from UML-B into Event-B enables the

Rodin[8] proof obligation generator and provers to be utilized.

Verification and refinement. The vast majority of existing formal approaches, whether

automated or interactive, symbolic or computational, are designed forpost-hocveri-

fication of complete models [156]. It means that the developers have to first build a

complete model, either manually or with the help of some tools, and in the next step,

check or analyze the model using techniques like model checking and theorem proving.

Developers get little assistance in constructing a model, which makes formal modeling

more laborious and therefore increases the burden on the developers [89]. However, a

practical formal method, like in other engineering disciplines, should consider "calcu-

lating a correct design" more than just "proof of correctness" [139].

To improve the situation, the notion ofrefinementcould be helpful.Refinement

[20; 125] is one of the cornerstones in formal methods. The precise definition of re-

finement depends on the chosen modeling framework and hence might have different

semantics and degree of rigor. Informally, refinement describes an intended relation

between models at different levels of abstraction: a refined model retains all the es-

sential properties of its abstract counterpart, such as providing at least the same func-

tionalities as the abstract model. From the perspective of the system development,

refinement is a process in which new details are introduced into an existing model, or

the model is altered to become more concrete (closer to implementation), while the

refinement relation is preserved. Refinement is another useful mechanism for tackling

complexity by allowing to derive a consistent implementation from the specification.

Refinement styles. Techniques proposed for achieving provable refinement can be

roughly classified into two styles: "posit-and-prove" and "transformational" [104].

The posit-and-proverefinement is still a kind ofpost-hocverification, in which the

10


user firstpositsa refined model, and then the model is formally justified against its

abstract version using theorem provers or model checkers. This is typically achieved

by discharging a set of so-calledproof obligations, which are generated from both the

positedmodel and the abstract model. The proof of the refinement usually requires

considerable mathematical knowledge and could be tedious. In addition, the user must

prepare thepositedmodel manually or using other tools in advance.

On the other hand, a refinement oftransformationalstyle, also calledrule-based,

proceeds by applying a set of pre-defined and verified rules on the origin model to

transform it to a refined model. The soundness of the rules ensures the correctness of a

refinement. The refinement rules can be implemented ascorrectness preserving model

transformations. Thus, this approach can automatically generate the refined models,

keep the burden of proof minimal, and therefore helps the developers considerably

in the system development process. Its practicality is limited by the set of available

refinement rules and how well the supporting tools are integrated in the development

environment.

Stepwise refinement. The stepwise refinement method[125; 174] is an important

and well-established formal technique. It is well compatible with the development

process of MDA. Development starts from a specification at a high level of abstraction,

which is gradually transformed into a specification closer to the implementation by

performing a succession of refinement steps. In each step, some design decisions are

explicitly made, such as adding more details, changing data types or control structures,

or decomposing parts of the specification into more concrete expressions. Correctness

of the resulting specification is ensured by correctness of the refinement steps, or can

be verified by mathematical proofs.

The idea of using stepwise refinement for program construction originated in the

work of [52; 174], and then was further developed by C. Morgan [124]. One of the

classic formalizations of stepwise refinement is therefinement calculusof R. Back

11

1. Introduction

[20], which is a framework for reasoning about correctness and refinement by follow-

ing a succession of refinement rules. The calculus was first designed for traditional

imperative programs, and then it was extended to include object-oriented programs

[35]. In addition, refinement calculi have been studied in other formal notations such

as Z, B, and VDM, and in different contexts. In particular, a refinement calculus has

been defined for Eiffel contracts and encoded in PVS [138]. However, these meth-

ods use theposit-and-provestyle of refinement. A developer has to write down a new

model and then verify if it is a refinement of its predecessor.

A typical example isEvent-B[7], a successor of the B language. It is a textual lan-

guage based on set-theory and first-order logic. Object-oriented and component-based

designs are not supported. Event-B emphasizes system development through stepwise

refinement. A refinement step is checked for correctness by discharging proof obli-

gations with the help of theorem provers, and the proof obligations are automatically

generated by the Event-B toolRodin. Using the tool, a user can manually construct an

Event-B model in a stepwise way, and fixes the errors by making use of the feedback

from the tool, e.g., the unproved proof obligations. Moreover, applying refinement in

the transformational style for Event-B was explored in the work of [89]. It proposes

amechanism for automation of formal refinement based on reusable refinement steps,

calledrefinement patterns.

Refinement of UML models. MDA-based models are extremely complicated, as

they are usually specified with multi-view graphical notations from different aspects

and involve object-oriented designs and component-based architectures. It is difficult

and tedious to carry out the refinement process with generic UML tools while keeping

the consistency of various parts of a model. Some work has been done to support the

refinement of UML-based models. The UML-B project [145; 154] provides a UML-

like graphical front end for Event-B. UML-B introduces a number of refinement rules

which are used to add model elements to the class diagrams and state machines, such

12


as adding new attributes, new classes, new nested state machines, etc. The authors in

[141] try to recognize a set of refinement rules found in Object-Z, and then apply them

to refine UML class diagrams annotated with OCL expressions.

However, the scientific success of refinement seems in contrast with its acceptance

in industrial practice [87]. Obviously, most refinement techniques are somehow hard

to scale up to MDA-based modeling [175], as it is currently difficult to use with UML

notations as well as component-based systems. In addition, there is a lack of method-

ological studies related to the incremental development of complex systems across the

full development process using refinement mechanisms [15].

To summarize, integration with formal methods supplies UML with the precise

semantics necessary to support MDD and CBD, and the stepwise refinement mecha-

nism provides a solid foundation for automation of the development process. These

ideas form the basis of our approach. Implementation of the refinement rules as model

transformations is therefore the key to our work, and dictates a high demand for trans-

formation approaches and tools.

Model transformation approaches and tools

Graph transformations. Model transformation is the core of MDD. A lot of effort

has already been spent on developing different approaches for model transformations

[45; 120]. Many of them are based on graph transformations and adopt graphical

notations. We mentionAttributed Graph Grammars(AGG) [34], Fujaba[33], GReAT

[10], and these based on theTriple Graph Grammars(TGG) [149], such asMOFLON

[14] and ATM3 [51]. Graph transformation languages are mainly built on the theory

of graph rewriting over extensions or variations of typed-attributed labeled graphs. A

transformation is defined by an attributed type graph and a set of transformation rules,

where each rule consists of two or three graphs.

13

1. Introduction

Graph transformation approaches enjoy a solid formal foundation which allows au-

tomatically analysis and verification of the transformations. Furthermore, the graphical

notation can be visually attractive since it is easier and faster for the designers to un-

derstand the visual representation of a model’s structure and the relationships among

its parts, especially in design transformations that are based on UML-like graphical

metamodels. But graphical notation also has its own drawback of being quite verbose,

and the expressive power of graph transformation rules is often weak. In order to ex-

press a non-trivial transformation rule, the whole diagram is filled with lines, symbols

and labels of different colors, making it hard to read and understand. To improve the

expressive power, a need for integration of graph transformation and OCL has been

discussed in [77; 98; 99]. However, these works are still not mature enough to be used

in practical applications.

ATL. Probably the most mature and widely used transformation language is theAtlas

Transformation Language(ATL) [ 93]. ATL is mainly a declarative language, though

some imperative constructs are allowed to ease the coding of complex transformations.

An ATL transformation program is composed of rules that describe how to create and

initialize the elements of the target models. ATL transformations are always unidi-

rectional. Source models are read only and can be navigated, while target models are

write-only and cannot be navigated. However, ATL is only a QVT-aligned language.

Its concrete syntax and semantics are quite different from those given by the QVT

specification.

QVT-R and tools. QVT-R is a declarative model transformation language proposed

by the OMG as part of the QVT standard. It has both textual and graphical notations.

In QVT-R, a transformation is defined as a set ofrelations(rules) between the source

and target metamodels, where a relation specifies how two object diagrams, called

domain patterns, relate to each other. Optionally, a relation may have a pair ofwhen-

14


andwhere-clauses specified with OCL to define the pre- and post-conditions of the

relation, respectively.

Tool support for QVT-R is still immature [101]. Very few tools are considered

to be fully supporting the standard. Themedini QVT[117] is one QVT-R tool that

has a high degree of compatibility with the QVT standard. Features of medini QVT

include use of traces to enable incremental updates, limited support for bidirectional

transformations and thecheck-before-enforcesemantics. Yet some features, such as

collection template, are still missing.

The medini QVT provides a powerful QVT interpreter, and a transformation editor

with syntax highlighting, code completion, and debugging facilities. It is distributed

as an Eclipse plug-in or a stand-alone system. Currently, medini QVT seems to be

the most stable, mature and state-of-art implementation of QVT-R. It is chosen as the

model transformation tool in many researches. Our work also takes medini QVT as

the reference implementation of QVT-R. However, it looks difficult to integrate medini

QVT into CASE tools that are not based on the Eclipse platform.

Developed by Tata Consultancy Services Ltd.,ModelMorf [122] is another tool for

QVT-R. It supportsin-placetransformations, trace output, transformation inheritance

and relation overriding, incremental execution and collection templates. However, not

all language features of QVT-R are supported. For example, only two non-primitive

domains are allowed in a relation. The independent version of ModelMorf is only a

command-line QVT engine. It provides no integrated development environment, or

IDE. The transformations, models and metamodels have to be edited in other tools,

and exported in textual or XMI format.

Graphical notation of QVT-R. Both medini QVT and ModelMorf support only the

textual notation of QVT-R. However, we consider the graphical notation of QVT-R

more attractive. It uses UML object diagrams to define the structural matching pat-

terns of transformation rules. In addition, it has textual regions where OCL expres-

15

1. Introduction

sions can be used to specify rule constraints, evaluate values for local variables, and

decide the execution order of rules. The textual part therefore coexists with the visual

presentation so that users have a choice to appropriately present different aspects of a

rule using either textual or graphical expressions. Just as the combination of the virtual

diagrams and the OCL makes UML a perfect tool to define models, the graphical nota-

tion of QVT-R, with its visual presentations and OCL expressions, provides a concise,

intuitive and powerful way to specify model transformations. In [55; 58; 173], the

graphical notation of QVT-R was recognized as an intuitive, natural option to define

transformation, and the majority of transformations should be represented by the QVT

graphical notation [118]. In our research, we decide to use the graphical notation of

QVT-R to define the refinement transformations.

Some efforts have been made to support the graphical notation. The project of

Declarative QVT[3] intends to support QVT-R. Its goals include offering a graphical

editor for the graphical notation of QVT-R, and implementing a QVT engine on the

ATL virtual machine. In UPT [118], a UML profile for QVT graphical transformation

was presented. The purpose of the profile is to represent transformations using any

UML tool and send these transformations to different tools using the XMI standard.

Instead of using object diagrams, UPT uses a kind of class diagram to express the

transformation rules, so it is not fully QVT compatible. Also, theVisual Modeling

and Transformation System(VMTS) [30] provides a deployable QVT eclipse plug-

in [166]. Based on the VMTS tool, a QVT-R editor can be defined. Transformation

rules can be graphically specified in the editor, and then translated to VMTS code.

Nevertheless, currently the tools for the graphical notation of QVT-R are still far away

from practical use in software engineering.

16

1.2. Specific Background

1.2 Specific Background

MDD and CBD need sound theoretical foundations and strong methodology supports.

Particularly for the work of the thesis, we need a precise semantic theory for consistent

analysis and verification, as well as supporting object-oriented design and component-

based modeling. The latter is usually not within the consideration of the majority of

current formal approaches. More importantly, the formal method should contain a

comprehensive set of refinement rules for component and object systems. In this re-

gard, therefinement for Component and Object Systems(rCOS) [39; 97; 107; 112]

promotes a formal component-based model driven development method (CB-MDD)

for software development. Its scope covers theories, techniques, and tools for model-

ing, analysis, design, validation, and verification.

The rCOS has a formal semantic theory based on an extension of UTP [86] to in-

clude the concepts of classes, objects, components, interfaces, contracts, composition

(connectors), coordination and glue. It provides the behavioral semantics of these con-

cepts with high level rules for refinement and verification. This theory supports precise

checking of consistency among different model views, including static structure, inter-

actions and functionalities. It allows techniques and tool support to be integrated into

engineering processes with theories unified to underpin and justify the development of

tools and their integrated applications [97].

More importantly, rCOS provides the refinement calculus we need for supporting

the stepwise refinement in model-driven development process. It supportscorrect by

designwith its refinement calculus, includingdata functionality refinement, interac-

tion refinementandobject-oriented structure refinement[36; 82; 181]. The rCOS also

scales up refinement rules via formal use of design patterns [82; 114] and abstract-

ing of components from objects [107]. Application of such refinement rules as model

transformations generatesproof obligationsfor verification of properties of the models

before and after the transformations [112]. The verification tasks can be carried out by

17

1. Introduction

integrated verification tools, such as theorem provers, static checkers, or model check-

ers. The semantic theory of rCOS supports integrating verification into automated

correctness preserving model transformations.

The use ofdesign patterns[65; 103] makes rCOS refinement more systematic and

thus has much higher possibility for automation [82; 114]. Particularly, theexpert

pattern [103] is repeatedly applied to object-oriented design models forsupporting

stepwise refinement. The expert pattern provides a systematic decomposition of the

functionality of a method of an object into responsibilities of its related objects, called

information experts, which maintain or know the information for carrying out these

responsibilities [112]. Other patterns, such ashigh cohesion, low coupling[82; 103],

and rCOS refactoring rules [61; 114; 181] are used to optimize the structure of the

design models through introducing new classes, decomposing existing classes, and

adding or moving attributes of classes.

To support component-based design, rCOS defines a formal component model with

the notion of interface, component and component composition. In rCOS, a set of

composition operators are defined, such asparallel composition, plugging, disjoint

union, coordination, renaminginterface methods,hiding interface methods, etc. The

effects of these operators are proven in rCOS refinement calculus [97].

In addition, rCOS follows a use-case driven, incremental and iterative development

methodology that seamlessly combines model-driven, object-oriented and component-

based design and analysis techniques. The development process goes through the

stages of requirements elicitation, object-oriented design, logical component-based de-

sign, and to coding. Models in later development phases are constructed from those in

earlier phases by correctness preserving model transformations based on the rCOS re-

finement calculus. The main advantage of the rCOS methodology is that we can assure

consistency of the multi-view specifications at different abstraction levels [111].

18

1.3. Research Goals and Objectives

1.3 Research Goals and Objectives

Research problems. From the above discussion, we identify the following problems

to be addressed:

• Developing complex systems is a difficult task which cannot be done in one step.

Stepwise refinement is a useful method to help automating the development pro-

cess of MDA. But the current refinement techniques are difficult to apply on de-

veloping complex UML-based models across the full development phases from

requirements modeling to component architecture design, due to the limitation

of available refinement rules, the lack of methodological studies related to the

incremental refinement mechanisms, and the lack of integrated supporting tools.

Especially, applying refinements in theposit-and-provestyle, as done in many

existing formal methods, assists developers little in constructing models.

To take full advantage of stepwise refinement, we need a sound formal frame-

work that involves a comprehensive refinement calculus for supporting both the

object-oriented and component-based design. We also need to combine the for-

mal framework with UML, implement the refinement rules as correctness pre-

serving model transformations, and integrate them into a CASE tool, so the

graphical representations of the UML diagrams can be simultaneously updated

as the corresponding UML models are refined. In addition, as the judgement of

which model elements require to be refined is difficult, we mainly rely on the

developers to make the decisions. Thus it is worth studying how to effectively

apply the refinement transformations in an incremental and interactive way.

• It is often the case that an object-oriented model is developed first and then it

is further evolved to a component-based model to get the benefits of component

architecture, such as better reuse and maintenance. Identifying reusable compo-

nents from object-oriented models is considered to be one of the most difficult

19

1. Introduction

tasks in software development. Many of the existing approaches just provide

general guidelines without precise criteria and methods to automate the deriva-

tion of components from objects.

In order to seamlessly unify OO design and component-based design, and sup-

port OO implementation of component-based technologies, we need to provide

a transformation from an object-oriented design model to a component-based

model. Such a transformation can be used to transform a flattened OO design to

composition of a number of architectural components, and therefore decompose

a large component into a combination of internal sub-components. However, the

research challenge for the transformation is the formal definition of the correct-

ness criteria, and the algorithm for automation.

• The graphical notation of QVT-R provides a concise, intuitive and yet powerful

way to define model transformations. But the lack of tool support hinders its ap-

plication in real settings. It is also worth developing implementation techniques

and a supporting tool for this language. Particularly, this tool can meet our re-

quirement for implementing the refinement rules as model transformations.

Research goals and objectives.The research presented in this thesis is aimed at de-

veloping techniques to automate model-driven development of component-based soft-

ware through the application of model transformations. Particularly, in the context of

rCOS, this thesis addresses design and implementation of a set of rCOS refinement

rules as model transformations, and the use of the transformations to automate the

rCOS development process in an interactive and stepwise way. Because the automa-

tion of these transformations places a high demand on transformation tools, we have

developed the QVT-XSLT tool, by which a transformation can be specified using the

graphical notation of QVT-R, and become executable as programs of XSLT [178], a

standard language recommended by the W3C for transforming XML documents.

20

1.4. Research Methodology and Design

This goal is broken down into a set of partial objectives:

• Design and implementation of a model transformation approach and tool:

1. Analysis and evaluation of the QVT specification and related work, identi-

fying the most suitable way to implement the language;

2. Extend QVT-R if necessary;

3. Investigate an approach to support the graphical notation of QVT-R;

4. Design and implement a tool for supporting the approach;

• Support rCOS development methodology with model transformations:

1. Investigate rCOS theory and methodology to analyze and identify model

transformations required in rCOS development;

2. Investigate an approach for modeling rCOS in UML;

3. Design algorithms for the rCOS model transformations;

4. Implement the transformations using our transformation tool and integrate

them into the rCOS CASE tool;

5. Develop a method in which the full process of system development is

driven by interactively applying the model transformations with the CASE

tool.

1.4 Research Methodology and Design

The work of the thesis concerns engineering research and development. Similar to

scientific research, the research work in engineering is also about confirming particu-

lar theoretical predictions, but the artistry of design and the spirit of "make something

work" are also essential [47]. On the other side, development is the systematic use of

scientific and technical knowledge directed toward the production of useful materials,

21

1. Introduction

devices, or systems, including design and development of prototypes and processes.

Systems must be developed in order to test and measure the underlying theories. Sys-

tem development is therefore a key element of engineering research [127].

Figure 1.1: Research methodology (adapted from [127])

Our research work has been performed according to an integrateddesign research

methodologyproposed in [127]. As shown in Fig.1.1, this methodology corresponds

to a set of research activities:

• Theory building: includes development of new ideas and concepts, new methods,

or mathematical models. The theories may be used to suggest research hypothe-

ses, guide the design of experiments, and conduct systematic observations;

• Experimentation: includes research strategies such as computer and experimen-

tal simulation, as well as laboratory and field experiments. It straddles the gap

between theory building and observation by validating the underlying theories,

and evaluating the acceptance of systems and technology transfer. Experimental

designs are guided by theories and facilitated by system development. Results

from experimentation may be used to refine theories and improve systems;

22

1.5. Potential Contributions

• Observation: includes research work such as case studies, field studies, and lit-

erature surveys. Observation is often used when relatively little is known and it

can provide a general feeling for what is involved in a research domain;

• Systems development: includes concept design, constructing the architecture of

the system, prototyping, product development, and technology transfer. Concept

design is the adaptation of technologies and theories into potentially practical ap-

plications. It leads to a conceptual framework based on the theory building and

experiments. A system architecture provides a road-map for building system.

It puts the system components into perspective, specifies the system function-

alities, and defines the structural relationships and dynamic interactions among

system components. Prototyping is used as a proof-of-concept to demonstrate

feasibility. Much systems development stops at this stage. However, in order to

test the system in a real-world setting, an effort to further develop a prototype

into a product and the transfer of the product into an organization is necessary.

This allows a realistic evaluation of the impacts of the included technologies

and theories and their potential acceptance. The accumulated experiences and

knowledge will be helpful in redesigning the system. Thus systems development

is the hub of research that interacts with other activities to form an integrated re-

search life cycle.

1.5 Potential Contributions

In the domain of component-based and model driven software engineering, the follow-

ing contributions are made:

• C1. A framework to support stepwise refinement in MDD & CBD development.

It includes:

– C1.1. A UML profile for rCOS modeling, which augments rCOS with

23

1. Introduction

standard UML elements and diagrams, and defines the architecture and the

parts of an rCOS model;

– C1.2. Design and implementation of a set of model transformations that

realize the rCOS refinement rules, including:

∗ C1.2.1. OO design model to component-based model:Incrementally

applying the transformation obtains a correct refinement of an OO de-

sign model to a component-based architecture model, in which each

component of the requirements model becomes a composition of a

number of components. With the help of the transformation, the OO

design and component-based techniques can be seamlessly combined

in the development process.

∗ C1.2.2. Requirements model to object-oriented design model: This

transformation converts a requirements model into an initial OO de-

sign model, from which detailed OO design can start. The transfor-

mation helps to bridge the gap between requirement models and OO

design models;

– C1.3. We integrate the profile and the refinement transformations into an

rCOS CASE tool, and propose a development procedure for rCOS models

in the tool through applying these transformations in an interactive, step-

wise way.

• C2. A model transformation approach and tool for the graphical notation of

QVT-R, including:

– C2.1. An approach to map QVT-R transformations into executable XSLT

programs;

– C2.2.A method to map OCL, which is heavily used in QVT-R, into XPath,

a sub-language of XSLT;

24

1.6. Organization of the Thesis

– C2.3. An extension to existing QVT-R with three new constructs, for the

purpose of improving its usability in practice;

– C2.4. A graphical model query facility that adopts the graphical notation,

checking semantics and pattern matching mechanism of QVT-R;

– C2.5.A UML profile for modeling QVT-R in UML;

– C2.6. A supporting tool named QVTR-XSLT that consists of a QVT-R

graphical editor and an XSLT code generator. A QVT-R transformation

can be specified in the graphical editor using the graphical notation, and

then automatically translated into executable XSLT programs, which can

run fast and efficiently process large-scale models, and

– C2.7.A set of predefined transformations for improving the interoperabil-

ity of the tool, and for transformation verification and validation.

Since at the present time practical tool supports for the graphical notation of

QVT-R is scarce, our approach and tool mark a useful attempt to bring the

OMG’s standard language to practice.

ContributeC1 is presented in Chapter5 and6. Particularly, the rCOS profile of

contributionC1.1 is provided in Section5.2 and published as paper #1 in the publi-

cation list of Section1.7. The transformations of contributionC1.2 are given in Sec-

tion 6.2and6.1. Among them, contributionC1.2.1is reported in paper #3. We present

contributionC1.3 in Section5.3. In addition, Chapter4 is dedicated to contribution

C2, the QVTR-XSLT approach and tool. Particularly, contributionC2.2andC2.4are

published in paper #6 and #2, respectively. The applications of the QVTR-XSLT tool

are reported in paper #4 and #5.

1.6 Organization of the Thesis

The thesis is organized as follows:

25

1. Introduction

Chapter 1: Introduction. This chapter presents the motivation and the general

background of this thesis, lists its research goals and contributions.

Chapter 2: Model-Driven Development. In this chapter, we present an introduction

to the world of model-driven and component-based development, as the technical back-

ground for this thesis. We first introduce OMG’sModel Driven Architecture(MDA),

along with a set of its standards:Meta Object Facility(MOF), Unified Modeling Lan-

guage(UML), and Object Constraint Language(OCL). As model transformation is

the main means of manipulating models, we give an overview of model transforma-

tions and theQuery/View/Transformations(QVT), the standard model transformation

language of OMG. Finally, we review the concepts and general process of component-

based development.

Chapter 3: Refinement for Component and Object Systems – rCOS. In this

chapter, we review the fundamental concepts of rCOS and its development method-

ology. We first introduce the theoretical background of rCOS - theUnifying Theories

of Programming(UTP). Then we discuss the object-oriented part of rCOS with its syn-

tax, semantics and refinement rules. It is followed by component modeling techniques

of rCOS, and finally we describe its development process.

Chapter 4: QVTR-XSLT – A Tool for Graphical Notation of QVT Relations. We

present in this chapter our model transformation approach and tool for supporting the

graphical notation of QVT-R. We start with an introduction to the state of the art of

model transformation approaches and tools, and then compare the technical features

of QVT-R and XSLT. As QVT-R relies heavily on the use of OCL, we discuss how a

sub-set of OCL can be mapped into XPath, a sub-language of XSLT. We then present

the approach to translate QVT-R into XSLT, and discuss the semantic features of QVT-

R supported by the approach. To improve the usability of QVT-R, we provide some

26

1.6. Organization of the Thesis

extensions. In addition, we define a novel graphical model query facility which can

work within QVT-R. To support our approach, we propose a UML profile for QVT-R

and design a tool that consists of a QVT-R graphical editor and an XSLT code gener-

ator. Finally, we apply the tool on a case study and compare the results with another

QVT-R tool.

Chapter 5: A UML Profile for rCOS. In this chapter we present a UML profile

for the purpose of applying rCOS in practical UML-based software engineering. This

profile augments rCOS with standard UML model elements and diagrams, while en-

hances UML with the precise semantics and methodology of rCOS. We first briefly

review the major concepts of rCOS using a metamodel, which then maps to stereo-

types and their attributes of the rCOS profile. Then we define the UML elements used

in rCOS method. After that, we discuss the implementation of the profile in a CASE

tool and how rCOS development process is supported by the tool.

Chapter 6: Enabling Model Transformations of rCOS. In this chapter we show

how a set of rCOS refinement rules can be designed and implemented as model trans-

formations, and integrated into the rCOS CASE tool for supporting the rCOS devel-

opment. We present four of the transformations that are frequently used in rCOS, and

discuss in detail two of them. The first transformation automatically processes system

sequence diagrams into controller classes with method guards that enforce the seman-

tics of sequence diagrams, through an intermediate step of generating protocol state

machines. The second one, the object sequence diagram to component sequence dia-

gram transformation, enables component-based model-driven software design in prac-

tice by allowing the seamless combination of object-oriented and component-based

techniques. It is followed by a case study of a sale management system to show the

full development steps.

27

1. Introduction

Chapter 7: Conclusions and Future Work. In this chapter we summarize the re-

search work this thesis, discuss the limitations, and suggest future topics of research.

The contributions of the thesis are mainly discussed in Chapters4, 5 and6. The

main ideas and dependency relationships of the major chapters are depicted in Fig.1.2.

Figure 1.2: Dependency relationships of the major chapters

1.7 Statement of Originality

Part of the work presented in this thesis has been previously published as the following

three journal papers and five conference papers.

Publication list

1. Dan Li, Xiaoshan Li, Zhiming Liu, Volker Stolz,Support Formal Component-

based Development with UML Profile, In Proceedings 22nd Australasian Soft-

ware Engineering Conference (ASWEC 2013), IEEE Computer Society, Mel-

bourne, Australia, P191-200, June 2013.

28

1.7. Statement of Originality

2. Dan Li, Xiaoshan Li, Volker Stolz,Model Querying with Graphical Notation of

QVT Relations, ACM SIGSOFT Software Engineering Notes, Vol. 37, No. 4,

P1-8, July 2012.

3. Dan Li, Xiaoshan Li, Zhiming Liu, Volker Stolz,Interactive Transformations

from Object-Oriented Models to Component-Based Models, In Proceedings 8th

International Symposium on Formal Aspects of Component Software (FACS2011),

Vol. 7253 of LNCS, Springer-Verlag, Oslo, Norway, P97-114, Sep. 2011.

4. Dan Li, Xiaoshan Li, Volker Stolz,Solving the TTC 2011 Compiler Optimiza-

tion Case with QVTR-XSLT, In Proceedings Fifth Transformation Tool Contest

(TTC 2011), Vol. 74, Electronic Proceedings in Theoretical Computer Science

(EPTCS), Zürich, Switzerland, P54-69, June 2011.

5. Dan Li, Xiaoshan Li, Volker Stolz,Saying HelloWorld with QVTR-XSLT – A

Solution to the TTC 2011 Instructive Case, In Proceedings Fifth Transforma-

tion Tool Contest (TTC 2011), Vol. 74, Electronic Proceedings in Theoretical

Computer Science (EPTCS), Zürich, Switzerland, P223-236, June 2011.

6. Dan Li, Xiaoshan Li, Volker Stolz,QVT-Based Model Transformation Using

XSLT, ACM SIGSOFT Software Engineering Notes, Vol. 36, No. 1, P1-8, Jan.

2011.

7. Dan Li,QVT Based Model Transformation from Sequence Diagram to CSP, In

Proceedings 15th International Conference on Engineering of Complex Com-

puter Systems (ICECCS 2010), IEEE Computer Society, Oxford, United King-

dom, P349-354, March 2010.

8. Dan Li, Xiaoshan Li, Jicong Liu, Zhiming Liu,Validation of Requirement Mod-

els by Automatic Prototyping, Innovations in Systems and Software Engineering,

Vol. 4, No. 3, P241-248, Oct. 2008.

29

Chapter 2

Model-Driven Development

With the advent of visual modeling languages like UML, models and modeling tech-

niques have been widely applied in software engineering. As an emerging paradigm

for software development,Model-Driven Development(MDD) [119; 150] promotes

models as the primary software artifacts that can be explicitly manipulated by tools,

and systems are modeled at several levels of abstraction and from multiple perspec-

tives.

The key feature of MDD is that models are used in each stage of the software de-

velopment, from requirements to design to implementation, and it strongly emphasizes

model transformations between models used in the development process. That means

models in different development stages are linked through transformations, and the

ideas introduced in earlier stages contribute directly to building models in later stages.

Finally, these models can then be transformed into running systems by using gener-

ators or by executing the models at run-time [63]. Therefore, MDD requires models

to be complete, precise, and consistent specifications of a system with clearly-defined

semantics.

The main promises of model-driven development include [28]:

• increased productivity through automation of software production;

• improved manageability of complexity through higher level of abstraction;

• increased quality and reliability;

• better maintainability and documentation;

• easy portability to different platforms.

30

2.1. Model Driven Architecture (MDA)

However, model-driven development is still in its infancy compared to its ambi-

tious goals of having a (semi-)automatic, tool-supported stepwise refinement process

from vague requirements specifications to a fully-fledged running program. A lot of

unresolved questions exist for modeling tasks as well as for automated model transfor-

mations [57].

This chapter provides a general overview of model-driven techniques, including the

basic ideas of component-based development, as the background for this thesis. The

discussion of this chapter is partly based on the literature [46; 74; 134; 135; 148]. More

technical details and further related work will be discussed in the remaining chapters.

The structure of the chapter is as follows. We first introduce the best known MDD

initiative, Model Driven Architecture(MDA), the Object Management Group (OMG)

vision of MDD (Section2.1). MDA is founded on a set of standards. In Section2.2, we

focus on theMeta Object Facility (MOF) that basically allows for definition of mod-

eling languages. Section2.3describes theUnified Modeling Language(UML), which

is used to visually specify models, and its extension mechanism. Section2.4presents

Object Constraint Language(OCL) that complements the visual models by textual

constraints for clarifying the static semantics. As model transformation is the main

means of manipulating models, in Section2.5 we give an overview of model trans-

formations and theQuery/View/Transformations(QVT), the standard model transfor-

mation language of OMG. Finally, we review the fundamental concepts and general

process of component based development in Section2.6.

2.1 Model Driven Architecture (MDA)

One of the precursors of MDD is theObject Management Group(OMG), who defined

theModel Driven Architecture(MDA) [ 121] which has become rather popular today

in the software industry. OMG promotes MDA as a framework for system develop-

ment based on models. It is said to be model-driven because it provides means for

31

2. Model-Driven Development

using models to direct the course of understanding, design, construction, deployment,

maintenance and modification [121].

One of the main aims of MDA is to separate system design from system archi-

tecture. As the concepts and technologies used to realize designs and architectures

have changed at their own pace, decoupling them allows system developers to choose

from the best and most fitting in both areas. The design addresses the functional (use

case) requirements while architecture provides the infrastructure through which non-

functional requirements like scalability, reliability and performance are realized [171].

MDA also aims at integrating existing technologies standardized by OMG. It may

be seen as a specialization of MDD based on OMG standards. For instance, models are

expressed in UML. If another modeling language is needed, it should be defined using

the meta-modeling language of theMeta Object Facility(MOF), or defined as an ex-

tension of UML using theUML Profile. MDA usesXML Metadata Interchange(XMI)

for serialization of MOF models in XML format to persist models and to facilitate

the exchange of models between tools. In addition, theQuery/Views/Transformation

(QVT) language is used to transform models from one level of abstraction to another

abstraction level. We discuss these techniques in the subsequent sections.

2.1.1 Models of MDA

In MDA, models are specified from differentviewpoints, and a viewpoint is typically

focused on a specific system aspect. In [121], the term viewpoint is also clarified:

A viewpoint on a system is a technique for abstraction using a selected set of archi-

tectural concepts and structuring rules, in order to focus on particular concerns within

that system. Here ”abstraction” is used to mean the process of suppressing selected

detail to establish a simplified model.

MDA classifies models according to their abstraction level. In accordance to var-

ious stages of system development, MDA proposes four types of models:Computa-

32

2.1. Model Driven Architecture (MDA)

tion Independent Model(CIM), Platform Independent Model(PIM), Platform Specific

Model(PSM) andImplementation Specific Models(ISM). In the following we discuss

the first three of them:

1. Computation Independent Model (CIM): A description of a system from the

computation independent viewpoint, which focuses on the context and require-

ments of the system without consideration for its structure or processing. This

viewpoint is sometimes referred to as aconceptual viewpoint. A CIM describes

the domain and requirements of the system. Therefore, it aids understanding of

the domain problem, and it provides a system specific vocabulary for use in other

models. CIMs are often referred to as business or domain models, and play an

important role in bridging the gap between domain experts on the one hand, and

experts in design and construction of system artifacts, on the other hand.

2. Platform Independent Model (PIM) : A view of a system from theplatform

independent viewpoint. Here a platform is defined as a set of subsystems and

technologies that provide a coherent set of functionality through interfaces and

usage patterns [121]. The platform independent viewpoint, also known as the

design viewpoint, focuses on the operational capabilities of a system while dis-

regarding platform specific details. Platform independent views expose aspects

of a system that are shared between distinct target platforms. A PIM introduces

more details of logical and structural concerns, but is still independent of any

implementation technology. So it is possible to map a PIM to more than one

technology specific platforms.

3. Platform Specific Model (PSM): A model specified from aplatform specific

viewpoint. It is focused on the use of a specific platform. The viewpoint is

often identified as thedeployment viewpoint. A PSM augments its counterpart

PIM with details on how the system uses a particular type of platform and the

associated implementation technology. However, a PSM is still considered as an

33


abstract model, since it may not include all of the details necessary to produce

an implementation on that platform.

2.1.2 Development process of MDA

MDA envisages to shift the work of the developers to higher levels of abstraction and

then generating the source code of the desired system automatically by applying mul-

tiple transformation steps. According to MDA, with respect to the previously defined

model types, a typical MDD cycle for a software system contains the following phases

[148]:

1. Specification of CIMs: Through analyzing the business processes addressed,

requirements and domain specific knowledge are specified within CIMs that pri-

marily describe the application’s context, and define a common vocabulary for

all forthcoming models. For capturing the requirements, UML use case diagrams

and system sequence diagrams [103] can be used.

2. Development of PIMs: Platform independent models are developed in accor-

dance to the application’s domain models (CIMs). This is done by taking more

computational issues into account, such as business logic, but still disregards

platform-specific details. These information can be represented in UML class

diagrams, object diagrams, activity diagrams and interaction diagrams. A PIM

should also be precise enough to support transformation into target PSMs.

3. Platform Specification: The underlying system’s technical concepts, like avail-

able interfaces, usage patterns, architectural properties, but also physical parts,

and available resources are specified in the platform specifications.

4. Transformation of PIMs to PSMs: The heart of a MDA compliant MDD pro-

cess is the transformation of PIMs to PSMs. The model transformations must

34

2.2. Meta Object Facility (MOF)

have been developed beforehand. Taking as input a particular platform specifi-

cation, the transformations automatically translate a PIM into a PSM by adding

platform specific patterns and architectural properties defined in that platform

specification. Note that a number of PSMs can be derived from a same PIM.

5. Transformation of PSMs to Code: A final step within a MDD process is code

generation. Typically, PSMs are translated into deployable executable code. This

transformation is mostly carried out by translating PSMs to source code that in

succession is compiled and linked into an executable binary.

Thus the development process of MDA is characterized by independently (and mostly

manually) developing an abstract model and an additional model with the platform

information, and a transformation is used to automatically merge the two models into

a more concrete model or implementation.

2.2 Meta Object Facility (MOF)

TheMeta Object Facility(MOF) [132] is an OMG standard that provides a framework

for specifying, constructing, and managing metamodels. MOF is recommended as

a main technology of MDA for defining modeling languages. Many other OMG’s

standards rely on MOF.

MOF conforms to the classic four-layer metamodeling architecture. In general,

a model in layern is calledan instance ofthe corresponding model in layern + 1,

which in turn is called itsmetamodel, and a model must conforms to its metamodel. In

Fig. 2.1, we illustrate these four modeling layers:

• Layer M0: The Instances. The bottom layer contains run-time instances of

model elements in a concrete system. These instances are considered as part

of the real world that is modeled and therefore M0 should not be regarded as a

35


Figure 2.1: The four modeling layers of MOF

model level. The instances are manifested in various forms, such as objects in

object-oriented applications. M0 models are called snapshots of M1 models.

• Layer M1: The Model. This layer contains the model elements describing the

the concepts of a system. Within the MOF architecture, a UML model resides on

this layer. For example, the structural concepts of a university can be modeled

in terms of a class model and comprise classes such asdepartmentor student.

• Layer M2: The Metamodel. This layer contains the elements of the meta-

model. Models at M1 are expressed in modeling languages defined by means of

meta-models located at layer M2, e.g. UML metamodel. It should be noted that

the main purpose of the MOF model is to define modeling languages at layer

M2.

• Layer M3: The Meta-Metamodel. Finally, the top layer, the most abstract one,

contains the meta-metamodel, known as the MOF metamodel. It provides the

core modeling facilities for defining modeling languages, where classes repre-

sent modeling concepts, attributes for their variations, and associations for their

relationships. An example of this layer is the MOF itself, MOF is defined recur-

sively, that is, a model on this layer is an instance of itself

36

2.2. Meta Object Facility (MOF)

2.2.1 Essential MOF (EMOF)

Currently there are two versions of MOF:Complete MOF(CMOF) andEssential

MOF (EMOF). CMOF provides all modeling capabilities of the standard with more

sophisticated concepts, such as the reflection mechanism. It is used to specify complex

modeling languages such as UML. EMOF is a subset of CMOF. It provides a ”kernel

metamodeling capability” for defining simple metamodels using simple concepts while

supporting extensions. The EMOF is motivated by the fact that many metamodels do

not require the expressive power provided by CMOF.

EMOF is a straightforward, simple framework built on a restricted version of UML

class model that provides concepts and graphical notation. In other words, MOF and

UML are aligned to share a common core of concepts, which are presented as simple

classes with attributes and operations. Therefore, the OMG factored out the common

part of MOF and UML class model into the UMLinfrastructure, the minimal set of

object-oriented language elements, which is then reused to define MOF and UML class

diagrams.

Figure 2.2: Extract of the EMOF metamodel

The most important parts of the EMOF metamodel are shown in Fig.2.2. Basically,

the EMOF model consists ofclassesthat can be related with each other using various

kinds of associations, which can be directed such as thesuperClassrelation. Classes

37


may containoperationsandproperties. For example, theNamedElementhas one at-

tribute called "name" of typeString. Properties can be either attributes or association

ends. To put it simple, classes can be regarded as types of model elements, whereas

associations can be seen as types for the links between model elements.

2.2.2 XML Metadata Interchange (XMI)

A standard related to MOF is the OMG’sXML Metadata Interchange(XMI) [ 133]

specification, which provides a set of rules that map the graph-based models to/from

tree-based XML documents. One purpose of XMI is to enable easy interchange of

models between UML-based modeling tools and MOF-based model data repositories.

XMI is also commonly used as the medium by which models are passed from modeling

tools to software generation tools as part of model-driven engineering.

XMI defines the method to serialize EMOF elements with XML tags. The structure

of an XMI document tightly matches that of the corresponding MOF model, with the

same names and an element hierarchy that follows the model’s hierarchy. As a result, a

model and its XMI serialization are isomorphic. The great advantage of XMI is that it

can be processed by the whole range of generic XML processors which are available in

every popular programming language. But unfortunately, XMI is excessively verbose

and is not easy for humans to read. Even small models yield large XMI files. Moreover,

XMI is not yet implemented in a standard way by tool vendors, e.g. MagicDraw XMI

is different from Visio XMI.

EMF Eclipse Modeling Framework (EMF) [54] is a modeling framework based on

an implementation of EMOF. It employs an XMI serializer to provide storage capa-

bilities for persistent models. The EMF XMI has essentially implemented XMI 2.0,

but keeps the document to a reasonable size. In contrast to graphs, an EMF model

has a tree structure which is characterized by the containment relations between their

elements. An EMF model has a root element that all the other elements are transi-

38

2.3. Unified Modeling Language (UML)

tively contained in, and may have non-containment references in addition [24]. The

ability to output models in EMF XMI format is becoming a standard feature in many

major modeling CASE tools, such asMagicDraw UML [126] andTopcased[165]. In

practice,EMF UML andEcoreare two most often used model types.

2.3 Unified Modeling Language (UML)

Currently, the object-oriented paradigm has become a prevalent paradigm in software

engineering. Supporting the concepts of object orientation, theUnified Modeling Lan-

guage(UML) [ 76; 135] has become thede-factostandard modeling language for sys-

tem analysis and design. As UML is widely used in industry and academia for model-

ing purposes, a large number of tools have been developed to support it.

UML is a visual modeling language for specifying, visualizing, constructing, and

documenting the artifacts of software systems [90]. A UML model has a graphical

representation. UML provides a set of notations that describes a system from dif-

ferent, partly overlapping perspectives. The whole complex system is separated into

several sub-models, and each sub-model specifies an aspect of the system, like its static

structure, or its behavior. In total, UML defines thirteen types of diagrams, which are

divided into two categories:

• Structure diagrams: show the static structure of the objects in a system. That is,

they depict those elements in a specification that are irrespective of time. The

elements in a structure diagram represent meaningful concepts of an applica-

tion, and may include abstract, real-world and implementation concepts. This

category includes class, object, composite structure, component and deployment

diagrams, etc.

• Behavior diagrams: depict dynamic behavior of the objects of a system, such as

their collaborations, activities, and state histories, which can be described as a

39


series of changes to the system over time. This category includes activity, state

machine, and use case diagrams, interaction diagrams (including communica-

tion, interaction overview, and sequence diagrams), etc.

Advantages of using UML are numerous. UML is expressive enough to specify

complex system. As a standardized language it improves communication between dif-

ferent stakeholders, and provides a means to document software intensive systems. By

offering a common language it allows tool interoperation between different vendors.

In spite of its success, however, UML has its drawbacks. Since UML is designed

as a general-purpose modeling language which can be used in many application do-

mains and on many implementation platforms, it becomes a rather bloated and com-

plex language. UML involves too many concepts and mechanisms, many of them are

overlapping and far from being intuitive in many cases. There are also issues with the

semantics of UML. OMG only provides UML with a rather loose semantics defined in

natural language, where lots of ambiguities are introduced. For example, the seman-

tics of UML behavioral modeling brings certain ambiguities, and the problem cannot

be resolved by OCL [60]. Therefore, the validation of unrestricted UML applications

cannot be achieved in a precise way. Moreover, UML is claimed to be methodology-

independent. That is to say UML is defined as only a modeling language, there is a

lack of methodological support for using UML in development processes.

2.3.1 UML diagrams

In the following, we give a general description of UML diagrams used in the thesis.

A more formal definition of them will be given in Section5.2. We use as example

thepoint-of-sale system(POS) taken from Larman’s textbook [103]. This example de-

scribes a trading system that is typically used in supermarkets. This system deals with

business processes such as checking out at a cash desk, handling payments, managing

users, etc.

40


Use case diagrams

Use case diagrams specify high-level user interactions with a system. They are useful

for defining the usage requirements for the system. A use case diagram describes a set

of actions (use cases) that the system (subject) should or can perform in collaboration

with one or more external users of the system (actors). Actors are either real (human)

user roles, or other systems which are using the system under development. Each use

case represents some abstract activity that the actor may perform and for which the

system provides the support. Thus, the use case diagram defines the system bound-

ary, in which use cases may be applied to define the coarsest-grained logical system

modules. The modules can then be implemented as high-level components.

In addition, use case diagrams show the associations between the actors and the

use cases. An association exists whenever an actor is involved with an interaction

described by a use case. Use case diagrams also indicate the relationships between use

cases. A use case may be a variation of some other use case (the«extend» relationship),

or may incorporate one or more use cases using the«include» relationship, where the

behavior of the included use case is inserted into the behavior of the including (base)

use case.

Overall, use case diagrams are applied at initial requirements engineering phases

in the software life cycle to specify the different roles and functionalities of the system.

Use case diagrams are often defined in terms of the actual business processes of the

application domain. Fig.2.3 displays an example use case diagram for the checkout

system of the POS example. There are four use cases specified in the diagram, in

which the use caseCheckoutrefers to the included use caseDoPayment, and the use

caseHelp extends the use caseCheckout.

41


Figure 2.3: A use case diagram

Class diagrams

As the main building block of object oriented modeling, class diagram is the most

widely used type of UML diagram. It is usually used to capture the static, logical

structure of a system, and specify the functionalities performed by the system. In

general, a class diagram consists of a number of classes that represent static concepts

of the application domain of the system. For each class it is possible to list its attributes

and operations. Syntactically a class is displayed as a rectangle that consists of a name

compartment in the top, an attribute compartment in the middle, and an operation

compartment in the bottom.

The relationships between classes come with different meanings:

• A normal association(for shortassociation) defines any arbitrary relationship

between two classes. It specifies how instances of the classes are linked to-

gether. An association can be labeled with a name, which uniquely identifies the

association. An association can also haverole namesannotated at theassocia-

tion ends, which can be used to refer to the associated instances. In addition,

42


multiplicity of an association end indicates how many of the instances at this end

can be allowed to participate in the relation.

• An aggregationis a special association which indicates that a class (the aggre-

gate) is comprised of another class (the part). It specifies a whole-part relation-

ship. This is in fact similar to the containment model, and is not specific about

who creates and owns the subordinate classes.

• A composition associationis a strong form of aggregation to indicate an owner-

ship relation between classes. The part class is contained in the owner class and

not shared with other classes. Composition associations have coincident life-

times of whole and part. That means once an object of the part class is created,

it must be destroyed before or at the same time with its owner.

• A generalizationis a form of association that indicates an inheritance relation-

ship between two classes, that is, a relationship between a more general class

(superclass) and a more specific class (subclass). The specific class inherits part

of the definition, including attributes, associations, and operations, from the gen-

eral class.

In the work of the thesis, we use only the binary association, the most common

kind of association. Other association kinds, such asternary, n-ary or association

classes, will not be considered. Also we will not consider the aggregation, and use the

composition associations only, since the latter covers most of the functionality of the

former. Fig.2.4 shows an example class diagram that describes the domain concepts

and their relationships of the POS system.

Another UML diagram that is closely related to class diagrams is theobject dia-

gram. An object diagram represents an instance of a class diagram. It shows class

instances depicted as objects connected bylinks, which are instances of associations

defined in the class diagram. An object has itsslotsthat are instances of the attributes

43


datetime : Datetotal : MoneyisComplete : Boolean

+makePayment( amt )+makeLineItem( desc, qty )+becomeComplete()+getTotal()+cancel()+abandon()

Sale

id : String

+makeNewSale()+enterItem( id, qty )+endSale()+makePayment( amt )

Register

amount : Money

Payment itemID : ItemID description : String price : Double

ProductDescription

+getDesc( id )

ProductCatalog

quantity : Double

+getSubTotal()

SaleLineItem

name : String address : String

+addSale( s )

Store

name : String address : String

User

+catalog1

+workon

1

+completedSales

0..*

+description

1

+lineItems

1..*

+store

1

+payment 0..1 +descriptions 1..*

+currentSale 0..1

Figure 2.4: A class diagram for the POS system

of the corresponding class. Object diagrams can be consider as the snapshots of a

running system, representing thesystem stateat a particular moment.

However, UML introduces the conceptclassifieras a general super-class of model

elements that have common behavioral or structural features. A classifier is a classi-

fication of objects according to their features. Many UML model elements, such as

actors, classes, components, interfaces, use cases, as well asenumerationsandprim-

itive types, are all descendants of the classifier. Classifier is an abstract metaclass and

therefore cannot be instantiated. To simplify the expressions, sometimes we use ”in-

stance of aclassifier” instead of ”instance of instantiable descendants of aclassifier”.

State machine diagrams

The state machine diagram is one of the UML diagrams used to model dynamic nature

of a system. Particularly, it describes a system’s reactive behaviors, that is, how a

system responds to the external or internal stimuli. As the life cycle of an object can be

considered as a sequence of differentstates, a state diagram depicts the various states

that an object may be in and the transitions between those states. The state machine can

44


Paid

Archived

NewCreated

HasItemscancel

abandon

makeNewSale

makeLineItem

makePayment

becomeComplete

makeLineItem

Figure 2.5: A state diagram for classSale

be used for modeling discrete behavior of an instance of class, or part of the system,

such as use cases and operations. In addition, it can also be used to express the usage

protocol for part of a system. These two kinds of state machines are defined in UML

asbehavioral state machineandprotocol state machine.

The state machines are made up of states, events and transitions. Astate is an

exposed stable situation of an instance, in which it satisfies some condition, performs

some action, or waits for some event. States are represented by the values of the at-

tributes of the instance. They are shown in rounded rectangles in the state diagrams.

It is possible to have initial state and final state, the former represents the one that

an object is in when it is first created, whereas the latter indicates the last situation

throughout the life cycle of an instance. A state may comprise other encapsulated sub-

states. In such a case, the state is acomposite state. A transitionis a progression from

one state to another. It is triggered by aneventthat may be the invocation of a method

that causes an important change in state, or the sending of a message to the instance. A

transition is shown as an arrow, labeled with the triggered event. Fig.2.5 presents an

example state machine diagram specifying the state migrations for an instance of the

Saleclass.

45


Sequence diagrams

UML interaction diagrams depict the detailed interaction steps between actors and

other entities of a system involved in particular use cases, or particular sequence in-

teractions between objects of a system. Two types of interaction diagrams are used in

UML: communication diagramsandsequence diagrams. We will mainly use sequence

diagrams in our work.

Sequence diagrams focus on time passage, that is shown vertically, increasing from

top to bottom. A sequence diagram consists of a frame, representing the environment

of the specified system. Inside the frame, the vertical dashed lines, calledlifelines,

represent individual instances that participant in the interaction. An instance could be

an object of a class, a component, an interface, an actor, or a system. Each lifeline can

have a name that should be unique within the diagram. The instances communicate

by means ofmessages, represented as horizontal arrows that are sent and received by

lifelines. The messages on one lifeline are always ordered (hence we describe them as

a sequence). A message can be a signal or an operation call. In the latter case, a small

vertical rectangle on a lifeline represents the execution period of the called operation.

In addition,combined fragmentsare drawn as big rectangles that may cover several

lifelines and contains several messages. Depending on the so-calledoperator labeled

in the top left corner, a combined fragment provides additional control flows, such as

conditional choice (opt or alt) and recursion (loop).

The intuitively appealing character and conceptual simplicity make the sequence

diagram an ideal tool for describing interaction behaviors of a system, even for non-

experts. During the requirements modeling phase, architects and developers can use

the diagram to specify the scenarios of use cases more precisely. A use case is often

refined into one or more sequence diagrams. This kind of sequence diagrams is often

called asystem sequence diagram, as it involves only two lifelines, one representing

an actor, and the other representing the system. In the design phase, sequence dia-

46


[i] : SaleLineItem : ProductCatalog

sl : SaleLineItem

: Cashier : Register : Sale

enterItem(id,qty)1:

desc=getDesc(id)2:

makeLineItem(desc, qty)3:

create(desc,qty)4:

add(sl)5:

Figure 2.6: A sequence diagram for operationenterItem

grams can also be used to specify how the functionality of an operation is spread over

multiple objects, and how such a functionality is implemented through sequences of

method invocations. Fig.2.6presents an example sequence diagram for the operation

enterItemintroduced in classRegisterof Fig. 2.4. This sequence diagram describes

the interactions among related objects to realize the functionality of the operation. The

following program code shows how this operation is implemented in Java.

public classRegister {

private Sale currentSale;

private ProductCatalog catalog;

public void enterItem(String id, Doubleqty) {

ProductDescription desc = catalog.getDesc(id);

currentSale.makeLineItem(desc,qty);

}

......

}

public classSale {

private Set <SaleLineItem> lineItems;

public void makeLineItem (ProductDescription desc,Doubleqty) {

47


private SaleLineItem sl;

sl= new SaleLineItem(desc,qty);

lineItems.add(sl);

}

......

}

public classSaleLineItem {

private ProductDescription description;private Double quantity;

public SaleLineItem((ProductDescription desc,Doubleqty) {

description = desc; quantity = qty;

}

......

}

2.3.2 UML profiles

As a general-purpose modeling language, UML includes two kinds of extension mech-

anisms, which can be used to define UML based domain-specific languages. Exten-

sibility mechanisms enable tailoring and extension by adding new building blocks,

creating new properties and specifying new semantics in order to customize a model-

ing language to a specific problem domain in a controlled way. The first mechanism,

a heavyweight one, is based on direct modification of the UML metamodel. A new

metaclass may be defined by inheriting from an existing UML metaclass, with con-

straints, meta-attributes and associations specified. This approach sets no restrictions

on what is allowed to change in the UML metamodel, but the user models that uses the

new metaclasses are usually not supported by existing CASE tools.

On the other hand, there is a lightweight extension mechanism which easily adapts

UML through the use of profiles. A UML profile describes how UML elements are

48


tailored to support usage in a particular modeling domain by

1. introducing new concepts, syntax/notation and constraints;

2. introducing new terminology, semantics, and,

3. limiting the visibility and usage of particular model elements to the system de-

signers.

The primary extension means is thestereotype, which extends an existing UML ele-

ment with new attributes and associations, additional constraints and semantics. UML

uses thesemantic variation pointsto plug the additional semantics into the UML con-

cepts. Through themetamodelReferencepackage, we can specify the filtering rules that

determine which UML elements are visible when the profile is applied and which ones

are hidden [135]. However the profiles mechanism is not a first-class extension mech-

anism. It is not possible to take away any of the constraints that apply to a metamodel,

and also it is impossible to add properties to the extended classifier. As a consequence,

a meta-attribute (tagged value) can only be owned by a stereotype.

In brief, a UML profile is a kind of UMLpackagededicated to group UML ex-

tensions: stereotypes, tagged values, constraints defining well-formedness rules, icons

representing the stereotypes, pre-defined domain-specific model elements as libraries,

and imported UML model elements to support modeling in specific domains. Profiles

should be independent of tools. That’s to say the design of UML profiles should not

constrain to particular tools, and the profiles, together with models to which they have

been applied, must be possible to interchange among the vast majority of UML case

tools [135]. Moreover, a profile presents the usage of the modeling concepts in it, and

gives a generalized description of the possible systems after applying the profile.

Currently, there is no standard approach to define a UML profile for a specific

domain. Several authors [49; 102; 151] have proposed a set of steps for the creation of

aprofile. We use the following procedure to define our profiles for the thesis:

49


1. Define the domain metamodel: a metamodel for the application domain is de-

fined to specify the concepts and their associations, as well as the semantics and

the constraints. This metamodel should be strictly based on the needs of the

application domain, without any consideration of the UML concepts;

2. Design the structure of the profile: how to organize the concepts of the meta-

model into different packages;

3. Define stereotypes: identify the UML elements to be extended, map the meta-

model concepts into these elements, and add necessary associations and at-

tributes. The UML elements whose semantics are closest to the semantics of

the domain concepts will be selected first as the base metaclasses;

4. Define well-formedness constraints: the constraints for the stereotypes are de-

fined using OCL;

5. Specify semantics: normally use natural language. Ideally, the semantics should

be defined in a formal manner for each stereotype; and,

6. Provide tool supports: develop tools for applying the profile in practice, either

built from scratch or adjusted from available tools.

Following the standard UML profile notation, the stereotype definition part of a profile

is presented as UMLprofile diagrams. A UML profile diagram is a special kind of

class diagram where a class either has label«metaclass» or «stereotype». The former

(metaclass) must be a standard UML metamodel element that is extended (the arrows

with the filled-triangle arrowhead) by the latter (stereotype). The name of the stereo-

type declares a new user-defined stereotype. All associations can only be directed from

a stereotype into a metaclass, or to another stereotype. Different from regular profile

diagram, we also indicate some associations between metaclasses. These associations

have already been defined in the UML specification, but we find them important to

express the semantics and to facilitate the definition of OCL constraints.

50

2.4. Object Constraint Language (OCL)

2.4 Object Constraint Language (OCL)

In general, a visual modeling language like UML is not expressive enough to achieve

the level of modeling precision required by MDD. In order to express complex relations

and restrictions in models, theObject Constraint Language(OCL) [131] is introduced

as part of the UML 2.0 standard. OCL is a textual, declarative language. A particular

characteristic of OCL is its mathematical foundation without mathematical symbols

[168]. OCL is based on mathematical set theory and predicate logic, but uses plain

ASCII words to express the concepts. This makes UML easier to learn for a broad

community of system designers and developers.

OCL is a strongly typed, side-effect-free language. Each OCL expression has a

type. The evaluation of an expression always returns a value as the result, and never

changes the system state. The type system of OCL is based on two kinds of types:

predefined types and user-defined types. The predefined types includes basic types,

such asInteger, String, and collection types, such asSet, Bag. The OCL standard

library [131] defines all these predefined types and the operations on thesetypes, for

examples, logical operations likeand, or, not, and arithmetic operations. As an OCL

expression is always evaluated on a contextual element that is defined in a class model,

the class model provides all the user-defined types for the OCL expression. However,

in an OCL expression, the contextual element can be explicitly referred to by theself

keyword.

OCL allows specification of formal constraints over MOF-based models. It serves

several purposes. Firstly invariants can be specified for classes. An invariant is a pred-

icate that must always holds before and after the execution of an operation. The invari-

ants are also called well-formedness rules. As OCL are, in theory, modeling language-

independent, OCL constraints can be defined on meta-metamodel (M3), metamodel

(M2) and model (M1) layers, and always affect the instances of the constrained ele-

ments on a lower metalevel, e.g., well-formedness rules for a model are validated on

51


instances of the model. For instance, a rule says that theid as the identifier should be

unique in all instances of the classRegisterdefined in Fig.2.4.

context Register

inv uniqueId : Register→forAll (r1,r2 | r1< >r2implies r1.id< >r2.id)

A model which violates any invariant simply does not conform to its metamodel.

In particular, well-formedness rules on the metamodel layer define thestatic semantics

of a modeling language. On the model layer, business rules of the application domain

can be expressed as class invariants.

Secondly OCL supports the design-by-contract principle by defining contracts for

operations. Each contract consists of a pair of pre- and post-conditions that are boolean

expressions. Pre-conditions specify the conditions that must hold when the execution

of an operation is triggered, and post-conditions specify the conditions that must hold

when the execution of the operation terminates [131]. Third, OCL can be used to

define additional attributes and operations. Attributes added using OCL are always

derived attributes, i.e., their values are calculated from the values of other attributes.

OCL expressions can also be used to provide initial values for the attributes.

In addition, OCL 2.0 has matured from a constraint language to a full model query

language. It can navigate models and form collections of objects that satisfy given con-

ditions. Through the introduction of the tuple type, OCL now has the expressive power

of queries inrelational algebra. It supports a set of relational algebra operations, such

asunion, difference, selectionandcartesian product. However, even though OCL has

enough expressive power, a textual query language like OCL does not blend well with

visual models. Moreover, standard OCL expressions are claimed to be too verbose,

even defining simple queries quickly leads to complex query statements [157]. To

address these problems, a graphical query notation could help.

52

2.5. Model Transformations and QVT

Essential OCL Essential OCL is the minimal OCL required to work with EMOF

[131]. It is motivated by the same considerations as EMOF, that is,providing a simple

query and constraint language for simple metamodels. In essential OCL, concepts that

are specific to UML (likestateandmessagenotions) are removed, and special OCL

types such asAnyType, VoidType, andInvalidType, are not supported. In the work of

the thesis, we mainly use essential OCL.

2.5 Model Transformations and QVT

Model transformations

Model transformation represents one of the cornerstones of MDA. It is the process of

converting models into other models for the purposes of supporting rigorous model

evolution, verification, refinement, and code generation [63]. As shown in Fig.2.7, the

problem of model translation can be stated as follows: given a source metamodelMMA,

asource modelMA (as an instance ofMMA ) and a target metamodelMMB , define and

execute a transformationTAB which generates a modelMB that is an instance ofMMB

and suitably corresponds toMA. The transformationTAB conforms to its metamodel

MMT , but it involves also the metamodelsMMA andMMB to define the transformation

rules. All the metamodels finally conform to the meta-metamodel MOF at model layer

M3. In a more general case, a transformation can has multiple source models, and

produces multiple target models.

However, a transformationTAB itself can also be a model, called atransformation

model, which conforms to its metamodelMMT . Just as a normal model, a transforma-

tion model can be created, modified, and augmented through model transformations,

calledhigher-order transformations, to achieve the objectives of optimizing the trans-

formation, or producing a transformation model in another transformation language.

This uniformity implies that transformations can themselves be generated and handled

53


Figure 2.7: Model transformation

by model-driven development, and this allows reusing tools and methods of the same

transformation frameworks.

Metamodels and models are in general complex information structures, because

they represent different kinds of information. Therefore, it is challenging to develop

languages and tools for automatic model transformations, because it requires different

types of knowledge and techniques to understand and handle the application domains,

and the syntactic and semantic issues.

Model transformations can be classified from different perspectives. According to

the metamodels, to which the source and target models conform to, two kinds of trans-

formation can be distinguished:exogenousandendogenous. An endogenous transfor-

mation, also called anin-placetransformation, translates a source model into a target

model that conforms to the source model’s metamodel (that is,MMA = MMB), e.g., a

refactoring of a UML class model. In contrast, an exogenous transformation, orout-

placetransformation, uses different source and target metamodels (MMA <> MMB),

e.g., transforming UML class models to relational database models.

54


According to the transformation directions, a transformation can beunidirectional

or bidirectional. A unidirectional model transformation has only one execution direc-

tion, that is, it always modifies the target model according to the source model. In

case of a bidirectional transformation, the source model may be changed along with

the target model if the transformation is executed in the direction of target-to-source.

Many approaches have been proposed for model transformations. Based on the

classifying work of [45; 120], we can divide transformation approaches into the fol-

lowing major categories:

• Direct manipulation: General purpose programming languages, such as Java,

C++, can be used to implement model transformations aided by the use of APIs

libraries. Thevisitor patternis usually used to traverse the internal representa-

tion of a model to find matches. An advantage of this approach is that program-

mers do not need to learn a new language. On the other side, transformations

are defined at a low level of abstraction, thus they tend to be too complex and

unmaintainable.

• Template-based:It is commonly used with model-to-text transformations. Tem-

plates contain fragments of the target text and variables that can be replaced by

values from the source model elements. A typical example of this approach is

AndroMDA [1].

• Imperative/Operational: This approach is similar to the direct manipulation

approach, but with some high level constructs and language concepts. The trans-

formation is described as a sequence of rules that explicitly state how and when

to create elements of the target model from elements of the source one; the exe-

cution order of the transformation rules is also explicitly controlled. Imperative

languages offer flexibility and allow for efficient implementation. Since the large

amount of detail required for the transformation description, the transformation

55


rules tend to become lengthy [120]. QVT-Operational Mappings [134] is an

example of the imperative languages.

• Graph transformation : Graph transformation languages build mainly on the

theoretical foundations of graph rewriting over extensions or variations of typed,

attributed, labeled graphs. Models are interpreted as graphs, and a transforma-

tion consists of an attributed type graph and a set of transformation rules (or

productions). AGG [34] and Fujaba [33] are among the many tools realizing this

approach. Recently, Triple Graph Grammars (TGG) [149] has become a promis-

ing approach as an extension of graph transformation. Its rules are specified by

three different graphs. Several tools such as MOFLON [14] and ATM3 [51] im-

plement TGG for model transformations. However, the solid formal foundation

allows automatically analysis of graphical transformations, but the expressive

power of graph transformation rules is often weak.

• Declarative/Relational: Declarative model transformations describe the rela-

tions between the source and the target metamodels, instead of specifying how

the transformation should be explicitly executed. The focus is on what should be

mapped by the transformation. Graph transformation is a subcategory of declara-

tive languages. Declarative languages are in general compact and transformation

descriptions are normally short and concise. QVT Relations is a perfect example

of the declarative model transformation approach.

• Hybrid : Hybrid transformation languages provide both imperative language

constructs and declarative language styles, and leave the user to choose which

style to use. Some widely used languages adopt a hybrid approach, and advocate

that the declarative style should prevail over the imperative one.

Of all these approaches, we are particularly interested in the declarative ones, as

they are usually more concise, and make reasoning about the transformation rules eas-

56


ier. In this thesis, the declarative model transformation language QVT Relations (QVT-

R) is used to define model transformations of the rCOS method.

In declarative style, a model transformation always consists of a set of transforma-

tion rules. In general, a rule is expressed in three parts: two patterns, one from each

metamodel of the transformation, and a rule body. A pattern specifies a fragment of a

metamodel, either visually or textually. Thus, the source pattern indicates which seg-

ment of source model can be transformed, and the target pattern is used as a template

to generate a segment of the target model. In the context of graph transformation, the

source pattern is called the left hand side (LHS) and the target pattern is called the

right-hand-side (RHS). The rule body defines the link, also called relation, between

the source pattern and the target pattern. Also the rule body provides the conditions

under which this rule can be applied. Consequently, the rule body itself can be spec-

ified graphically, as in the case of graph transformations, or textually, where OCL is

frequently used.

Query/Views/Transformation (QVT)

Figure 2.8: QVT Architecture (from [134])

In 2002, the OMG issued a request for proposals to standardize in the domain of

Queries, Views and Transformations (QVT RFP) [130]. And in 2005, the OMG pro-

posed a standard consisting of three languages for model transformation: Relations,

Core and Operational Mapping [134]. The QVT specification defines the abstract syn-

tax (using MOF metamodels), concrete syntax (using EBNF and examples) and se-

57


mantics (using natural language andRelationsto Coremapping). Among all the three

languages, QVT Relations is the most abstract and user-friendly [115].

These three languages are arranged in a layered architecture shown in Fig.2.8.

They form a hybrid transformation approach: Relations and Core are declarative lan-

guages at two different levels of abstraction, with a normative mapping between them.

The Operational Mapping language is an imperative language that provides constructs

commonly found in imperative languages (loops, conditions, etc.) [134]. Furthermore,

programs written in other programming languages may offer a ”MOF operation” that

can be plugged-in as black-box implementations, because their actual codes is not ac-

cessible or visible from the QVT side.

QVT Relations (QVT-R)

QVT Relations (QVT-R) is a high-level, user-friendly declarative transformation lan-

guage. It has both textual and graphical notations; the latter provides a concise, in-

tuitive and yet powerful way to specify transformations. In this language, a model

transformation is defined as a set of relations. A relation specifies a set of domains -

one domain for each participating model, relating to each other. Optionally, a relation

can have awhenclause that specifies conditions under which the relationship needs to

hold, and awhereclause that specifies conditions that must be satisfied by the model

elements that are being related.

A domain is defined by a pattern, which can be viewed as an object diagram of

object nodes, their properties and links originating from a metamodel. In addition to

the normal object diagrams, free variables can be used to indicate object identifiers and

values of attributes. The same variable can occur in domain patterns and both thewhen,

whereclauses, and refers at all occurrences to the same value [116]. A domain pattern

can be considered a template for objects and their properties that must be located,

modified, or created in a candidate model to satisfy the relation. Detail syntaxes and

semantics of QVT relational language will be discussed later in Section4.2.1.

58


The following transformation scenarios are supported by thecheck-before-enforce

semantics of QVT-R, which ensures the target model elements that satisfy the relations

are not modified.

1. Check-only transformations: The execution of the transformation only checks

if given models satisfy the relations specified in the transformation. No models

are modified or newly created.

2. Bidirectional transformations: When this kind of transformation is defined, no

execution direction is assumed. When it is executed, one model is selected as the

target, and the transformation runs in this direction. This puts some requirements

on the definition of a transformation, that is: given a source model, it must return

the unique target model which is correctly related to the source, and vice versa.

3. Model synchronization: Supported by the bidirectional transformation, the ex-

isting elements of the target model can be updated or deleted if the relations are

not satisfied. Meanwhile, changes manually made on the target model can also

be propagated back to the source model. This scenario is motivated by the need

for handling model updates in an incremental fashion.

4. In-place transformations: Both source and target models are bound to the same

metamodel at runtime. Actually, there is only one model that may be changed

in this scenario. Normally just a small part of the model will be touched by the

transformation, and most part of the model remains unchanged.

QVT Core

QVT Core is a simple, low-level declarative language. It is just as expressive as QVT-

R, but transformation definitions written in it tend to be longer. A transformation in

Core is a set of mappings that roughly correspond to relations in QVT-R. The concepts

of enforced and check domains are also available. It supports pattern matching over

59


a set of variables, where the variables of source, target and trace models are treated

symmetrically. In QVT Core, trace models must be defined explicitly. In contrast,

Relations Language implicitly creates trace classes and objects to record what occurred

during a transformation. The semantics of the Core language can be defined more

simply and formally. Thus, in the QVT specification, the semantics of the QVT-R is

given as a transformation to the Core.

Operational Mappings

QVT Operational Mappings is an imperative transformation language which extends

QVT-R with imperative constructs commonly found in imperative languages (loops,

conditions, etc.). It provides OCL extensions with side effects that allow defining a

transformation in a more procedural style. Transformations are always unidirectional.

The basic idea in this language is that the object patterns specified in the relations are

instantiated by using imperative constructs. In that way a declarative transformation is

imperatively implemented.

A transformation in Operational Mappings consists of a set ofmappingsand helper

operations. A mapping calledmainservers as an entry point for transformation execu-

tion. From themain, other mappings can be invoked.

This language is motivated by the problem that sometimes it is difficult to provide

a complete declarative solution to a complex transformation. Thus QVT Operational

Mapping can be used to complement relational transformations with imperative oper-

ations, or define the whole transformations using a completely imperative approach.

2.6 Component-Based Development (CBD)

Component-based development (CBD) aims at the development of cost-effective and

sound software systems, which build on reusable components. Components are sup-

posed to be off-the-shelf products delivered by third-parties, or at least developed inde-

60

2.6. Component-Based Development (CBD)

pendently. CBD promises to increase software quality and productivity, as it is based

on well-tested, mature and reliable components, reduces the efforts to design, develop

a system from scratch, and simplifies the maintenance and evolution by substitution

(and adaption) of components. For that purpose, components from different vendors

have to interact seamlessly. Therefore, it is important to develop components as en-

capsulated blocks that are equipped with a precise description of their static structures

as well as their dynamic behaviors, and have a framework to achieve reusability by

composing systems out of the prefabricated component.

The component description and composition framework must be specified at an

appropriate abstraction level to avoid too much implementation detail but with enough

knowledge to judge appropriateness for use in given systems. This can be achieved

by model-driven techniques – defining component models. In general, a component

model contains at least the following information that is necessary to fully understand

and use the components :

• Component definition: provides structural, functional and behavioral specifica-

tion of the component;

• Composition standard: The key to CBD is composition. It must be clearly de-

fined how and when the components are connected together (the design-time and

run-time infrastructure);

• Run-time interaction protocol: defines how data are exchanged and what hap-

pens to the flow of control within connected components when the system is

running.

Examples of the component model includeCOM (Component Object Model),

DCOM, CORBA, CCM, EJB and .NET. Each of them has its distinct syntax and se-

mantics which may render them incompatible with other component models. More-

over, frameworks, e.g. Fractal [29] or SOFA [32], provide more theoretical component

61


models. In the following, we mainly discuss the UML component model [135]. It sup-

ports the specification of both logical components (e.g., business components, process

components) and physical components (e.g., EJB components, CORBA components,

COM+ and .NET components, WSDL components, etc.),

2.6.1 Component definition

In UML, a component can always be considered as an autonomous unit within a sys-

tem. A component represents a module of a system that encapsulates its contents and

whose manifestation is replaceable within its environment, and its behavior is defined

in terms of provided and required interfaces. As a sub-class of UMLclass, a com-

ponent may have its ownoperations, properties, as well asports that represent the

connection points of the component. Its internals are hidden and inaccessible. At run-

ning time, software artifacts thatrealize the component are used in the application,

instead of the component.

2.6.1.1 Interfaces

Components are characterized by theirinterfaces, which specify their possible inter-

action with the environment and offer the points of interaction for components. An

interface declares a set of public features and obligations that define acontract; any

instance of a classifier that realizes the interface must fulfill that contract. Due to the

descriptive nature of an interface, it does not specify how it is to be implemented, but

merely what needs to be supported by realizing instances.

Depending on the role of interfaces in a component, two kinds of them have to be

distinguished:

• Provided interface: The provided interfaces specify how a component can be

used and summarize what it offers to its environment. They are the interfaces

realized by the component.

62


• Required interface: Besides the provided interfaces, a component can specify

what services the environment should provide in order for the component to be

able to perform its functionality. These services are explicated by the required

interfaces.

The public features of a component describe the structural aspect of the component.

They are represented as a set ofoperationsthat represent the services offered by the

interface, and a set of accessible data elements – itsproperties. Operations are uniquely

specified by their signature, a tuple consisting of the operation’s name and an ordered

list of parameters. And a property is specified as a tuple containing the name and data

type of the property. Properties owned by interfaces are abstract and only imply that

the implementing classifier should maintain the information with corresponding type

and multiplicity of the property.

On the other side, obligations of the interface contract can be specified by various

techniques, including invariants, pre- and post-conditions of the services offered/re-

quired by the interfaces, different kinds of logics, automata-like specifications, etc.

Moreover they can be defined at various levels of abstraction and can address various

needs.

In the normal case, each operation of the interface is provided with a functional

specification that describes the externally visible effects of the operation. The func-

tional specification comprises of a pair of pre- and post-conditions written in OCL.

The pre-conditions for an operation define conditions that must be true when the op-

eration is invoked, and the post-conditions define conditions that will be true when

the invocation of the operation completes successfully. Both conditions describe what

the operation does, and not how it does it. They typically comprise constraints on the

inputs and output of the operation, as well as the states before and after the operation

invocation. An implementation of this operation will satisfy the conditions.

In addition, we define the dynamic behavior of an interface as the allowed invo-

63


cation sequences on operations of the interface. The behavior can be specified with

a UML protocol state machine attached to the interface. The protocol state machine

presents the possible and permitted transitions on the states of the interface or its own-

ing component, together with the operations that carry out the transitions. Here a state

is a particular configuration of the data values of properties of the component and the

interface. Thus the protocol state machine allows definition of a precise external view

by making dynamic constraints on the sequence of operation calls explicit.

However, since both the functional specifications and the protocol state machine

describe the behavior of same interface, they are required to be compatible. That is,

there should not be conflicts between the two specifications.

2.6.1.2 Ports

Port represents a distinct interaction point between a component and its environment

or between that component and its internal parts. Ports can support unidirectional

communication or bi-directional communication. Interfaces can directly attach to a

component, or to a port of the component. In the latter case, a message arriving at the

interface will first be forwarded to the port, and then be handled either directly by the

component itself or by forwarding it to a part of the component’s internal structure.

The results are also returned through the port. Thus ports provide a way to fully isolate

internals of the component. Both the provided and required interfaces can connect to

ports.

2.6.2 Component composition

The key to CBD is composition. Systems are developed by composition of components

usingconnectors, resulting in what is called a composite component. It in turn can be

encapsulated within a component that can again be used for composition with other

components and connectors.

64


UML provides various ways to express component composition:

• Assembly connector: An assembly connector is a connector between provisions

and requirements of components. It simply connects a provided interface of

one component to a required interface of another component. Assembly con-

nectors are often use to interconnect components at the same hierarchical level

and having the same parent, and consequently form a flat composition of these

components. The connection is established if the corresponding required and

provided interfaces matches. That is, all operations in the required interface are

a subset of the operations in the provided interface.

• Delegation connector: A delegation connector connects provisions to provisions

of components, or requirements to requirements. It is often used to link a pro-

vided or required interface of a subcomponent to a port of its owning compo-

nent. Thus an external part of a component can communicates with its internal

realization, and messages travel along the connector originating in a required

interface and delivered finally to a provided interface. The interfaces provided

and required must be compatible. Delegation connectors form a hierarchical

composition of components.

In addition, thedependencyrelationships can be used to compose components.

A dependency signifies a supplier/client relationship between model elements where

the client model elements requires other supplier elements for their specification or

implementation. In particular, UMLusage, a special kind of dependency relationship,

can be used to connect provisions and requirements of components, instead of the

assembly connector.

2.6.3 Component diagram

In UML, component diagrams intuitively show the structure of a component model

at different detail levels. A component diagram depicts how components are wired

65


together to form larger components or software systems. It illustrates the architectures

of the software components and the dependencies between them. System designers

and developers find the component diagram useful, because it provides them with a

high-level, architectural view of the system that they are building.

The following artifacts are typically drawn in a component diagram: component,

interface, port, connector and usage dependency. In the diagram, a component is shown

as a rectangle with a keyword«component». Optionally, in the right hand corner a

component icon can be displayed. A component icon is a rectangle with two smaller

rectangles jutting out from the left-hand side. As a component has not only an exter-

nal view (or black-box view), but also has an internal view (white-box view) via its

private properties and operations, the information may be displayed in an additional

compartment. Moreover, the internal structure of a component can also be shown in a

compartment, or using a separate component diagram.

Usually, a provided interface is denoted as a ball, while a required interface is

denoted as socket. An interface is labeled with the name, and attached by a solid line

to the component. Although this notation is quite intuitive to read, less information,

especially the interfaces’s operations and properties, is visible. Optionally, interfaces

may be shown using a rectangle as classes. An assembly connector can be notated

as the ball of the provided interface plugging to the socket of the required interface,

or using a dashed line to link these two interfaces. Ports are shown as small squares

on border of a component. A delegation connector is drawn as an arrow from the

delegating port/interface to the handling interface/port.

2.6.4 Component interaction protocol

Components can communicate with each other only by passing messages, which rep-

resent operation calls in general. As discussed previously, a component interacts with

its environment to complete its functionality, and its interaction behavior with the en-

66


vironment is captured by a protocol state machine, which explicitly states the order of

sending and receiving messages. However, a component-based system or a composite

component realizes its functionality by a set of nested components, which coordinate

and synchronize with each other by passing messages. That is, a request for an opera-

tion in a component’s provided interface may require invoking one or more operations

in its required interfaces, and further lead to the invocations of the operations of other

components.

For these components to work correctly, they should exchange messages in the

right order. Component sequence diagrams, in which each lifeline represents a com-

ponent, can be used to specify the interactions among the group of components. If

a protocol state machine defines the behavior of a single interface, a component se-

quence diagram defines the behavior of a set of related components connected by

their interfaces. In generally, a component sequence diagram works based on therun-

to-completionsemantics. That is, a requester component invokes an operation of a

provider component and waits for the results, before the requester can starts the exe-

cution of next step.

2.6.5 Component-based development process

CBD often adopts a mixture of top-down and bottom-up development approaches.

Requirements should initially be captured and processed to construct an appropriate

system architecture. That is followed by a phase of search for existing components

that might be reusable for the given system. If such components indeed exist, they

are integrated into the existing architecture as subcomponents through composition or

assembling. According to component availability, initial requirements might be modi-

fied, as the CBD aims at reuse of existing components for faster system development.

It is unlikely that all required components are already available, more likely the exist-

ing components need to be adapted, and new components also needs to be developed.

67


After that, the final set of components is validated, composed, and deployed. The

maintenance of the system is carried by substitution of existing components.

The whole CSD process is characterized by the following steps:

1. Requirements analysis and system architecture design;

2. Search for and identification usable components;

3. Selection and adaption components; modifying initial requirements;

4. Developing missing components;

5. Validating, composing and deploying components to construct the system;

6. Maintaining system by replacing components.

68

Chapter 3

Refinement for Component and

Object Systems – rCOS

The research on therefinement of Components and Object Systems(rCOS) develops

a model-driven development method that combines object-oriented and component-

based design and analysis techniques. The rCOS method consists of two parts:

• The rCOS language: Founded on a formal semantics theory, the language pro-

vides a multi-view modeling notation with a verification andrefinement calcu-

lus [39; 82]. It defines concepts and artifacts in the domain of object-oriented

and component-based software engineering, likeclasses, objects, components,

interfaces, contractsand composition, etc. The semantic theory provides the

behavioral semantics of these concepts with high level rules for refinement and

verification; and,

• The rCOS development methodology: It prescribes an integrated, use-case based

and model-driven software development process, from requirements elicitation,

object-oriented design, logical component-based architecture design, through to

coding. Models in later developing phases are constructed from those in earlier

phases by correctness preserving model transformations based on the rCOSre-

finement calculus. Within the process, the formal techniques of modeling, analy-

sis, design, verification and model transformation can be applied, supplemented

with tool support.

The rCOS has been well studied [38; 39; 82; 97; 112; 181]. In this chapter, we give

an overview of rCOS, showing how the key concepts and artifacts of object-oriented

and component-based software engineering are formalized in the notation. It provides

69

3. rCOS

a theoretical foundation for designing and implementing the transformations for rCOS.

The discussion of this chapter is based on the above literature, and similar descriptions

have sometimes been extracted from them without explicitly citing the source.

The rest of this chapter is organized as follows. First we introduce the theoretical

background of rCOS - theUnifying Theories of Programming(UTP) in Section3.1.

In Section3.2, we discuss the object-oriented part of rCOS, its syntax, semantics and

refinement rules. Section3.3describes the component-based parts of rCOS, and Sec-

tion 3.4 presents the rCOS development process. Finally, we briefly introduce the

existing tool supports for rCOS in Section3.5.

3.1 UTP - Background of rCOS

The rCOS method is equipped with a denotational semantics defined in Hoare and He’s

Unifying Theories of Programming(UTP) [86] with extension of object-oriented and

component features, and, derived from the semantics, a set of refinement rules.

UTP presents a unified model of a number of programming idioms, such as im-

perative, nondeterministic, concurrent, reactive, higher-order, etc. Theories in UTP

are predicates over a pre-defined collection of free observation variables, which are

referred to as thealphabetof the theory, and are generally used to describe a relation

between a before-state and an after-state, the latter typically indicated by primed ver-

sions of the observation variables [67]. In UTP, there is only one domain of discourse,

rather than separate domains of syntax and semantics, and a mapping between them.

Thus programming notations like sequencing and choice are defined as operations on

predicates like composition and disjunction. The result is a simple and streamlined

framework for reasoning about programs, without the clumsiness and noise imposed

by ubiquitous semantic brackets [69].

In UTP, we denote the alphabet of a programP asαP , or simplyα when there

is no confusion. A variable inα may take different values, but from the same value

70

3.1. UTP - Background of rCOS

space called thetypeof the variable. Given an alphabetα, astateof α is a well-typed

mapping fromα to the value spaces of the variables, denoted asσ. We useS to denote

the set of all states of programP . Note that state variables include both variables used

in programs and auxiliary variables needed for defining semantics and properties of

programs.

For a sequential programP , given initial values for its variables (that form aninitial

state), the execution ofP will change them into some possible final values, called the

final stateof the program, if the execution terminates. We use abooleanvariableok

to denote whether a program is started properly and its primedversionok′ to represent

whether the execution has terminated. We define astate predicateas a predicate that

selects a subset of the statesS . For example,x > y + 1 defines the set of statesσ

such thatσ(x) > σ(y) + 1 holds. We say that a stateσ satisfies a predicateF , denoted

by σ |= F , if it is in the set defined byF .

A state relationR is a relation over the statesS as a subset of the Cartesian product

S × S . It can be specified by a predicate over the state variables and their primed

versions. We say that a pair of states(σ, σ′) satisfies a relationR(x1, ..., xk, y′1, ..., y′n) if

the following expression hold, denoted as(σ, σ′) |= R

R(σ(x1)/x1, ..., σ(xk)/xk, σ(y′1)/y′1, ..., σ(y′n)/y′n)

where the notation[e1/x1, ..., en/xn] denotes simultaneous substitution of theei, i ∈ 1...n

for any free occurrence of the correspondingxi.

A relational predicate specifies a set of possible state changes. For example,x′ ≥ x + 1

defines the possible changes from an initial state to a state inwhich x has a value not

less than the initial value plus1. Thus, state predicateF can also be interpreted as

a relational predicate such thatF holds for(σ, σ′) if σ satisfiesF . Note that a state

predicate and a relational predicate only constrain the values of variables that occur in

them, leaving the other variables to take values freely.

71

3. rCOS

3.1.1 Programs as designs

A semantic model of programs is defined based on the way we observe the execution of

programs. For an execution of a sequential program, we are interested in observing the

values of the initial state and the final states. That is, the relation between the starting

states and the final states of a terminating program execution.

Definition 1 (Design) Given an alphabetα of a programP , a state predicatep and

a relational predicateR over α, a program designis defined asD = (α, p ⊢ R), and

we definep ⊢ R , ok∧ p ⇒ ok’ ∧ R, whereok, ok’ ∈ α describe the initiation and ter-

mination of the program, respectively. The design specifies a program that starts from

a proper initial stateσ (ok=true) satisfyingp and properly terminates in a stateσ′

(ok’=true) such that(σ, σ′) |= R.

We callp thepreconditionandR thepostconditionof the design. When the alphabet

is known, we simply denote the design byp ⊢ R. In Fig. 3.1, we define the basic op-

erations on designs over the same alphabetα, whereb is a boolean expression that is a

predicate whose free variables are all unprimed, and we defineskip , true ⊢∧

x∈α(x′ = x)

that represents a program which terminates successfully, leaving all the variables un-

changed. Also we havechaos , false ⊢ true as the worst program which behavior is

unpredictably.

x := e , true ⊢ x′ = e∨

y∈α,y 6=x y′ = y assignment

D1; D2 , ∃x0 · D1[x0/x′] ∧ D2[x0/x] sequential composition

D1 ⊳ b ⊲ D2 , b ∧ D1 ∨ ¬b ∧ D2 conditional choice

D1 ⊓ D2 , D1 ∨ D2 non-deterministic choice

b ∗ D , (D; b ∗ D) ⊳ b ⊲ skip iteration

Figure 3.1: Basic operations of UTP

It is proved in [86] that the notion of designs is closed under these operations.That

is, the result of an operation is equivalent to a design of the formp ⊢ R. This ensures

72

3.1. UTP - Background of rCOS

the soundness of the semantic model.

3.1.2 Refinement of designs

In MDD, system modeling follows an incremental approach: starting from a high-

level description, a model is incrementally obtained by adding more details. The idea

of refinement, well known in the framework of formal methods, gives the approach

a precise underpinning. It allows models to become more concrete while preserving

properties that have been verified in higher-level models.

In UTP, the refinement relation between designs is defined to be logic implication.

Definition 2 (Refinement) A designDl = (α, pl ⊢ Rl) is a refinement of a design

Dh = (α, ph ⊢ Rh), denoted asDh ⊑ Dl, if ∀x, x′ · ((pl ⇒ Rl) ⇒ (ph ⇒ Rh)) hold, where

x andx′ represents all the state variables and their primed versions inDl andDh.

The refinement relation forms acomplete partial order(CPO) for the set of designsD .

It ensures that any property satisfied by the ”higher level” designDh is preserved (or

satisfied) by the ”lower level” designDl. The refinement relation can be proved using

the following theorem:

Theorem 1 Dh ⊑ Dl when

1. weakening the precondition:ph ⊢ pl , and

2. strengthening the postcondition:pl ∧ Rl ⊢ Rh.

For a designp ⊢ R, we define its weakest precondition for a given state predicate r:

wp(p ⊢ R, r) , p ∧ ¬ (R;¬ r)

The refinement relation is preserved by sequential composition, conditional choice and

non-deterministic choice. That is, ifDh ⊑ Dl then for anyD, we have

• D;Dh ⊑ D;Dl

73

3. rCOS

• Dh;D ⊑ Dl;D

• Dh ⊳ b ⊲ D ⊑ Dl ⊳ b ⊲ D

• Dh ⊓ D ⊑ Dl ⊓ D

As (D ,⊑) forms aCPO, a smallest fixed point of the iterationb ∗ D can be calculated

from the bottom elementchaos in (D ,⊑). In addition,D1 and D2 are equivalent,

denoted asD1 = D2 if they refine each other. Thus, we have

• D1 ⊓ D2 = D2 ⊓ D1

• D1 ⊳ b ⊲ D2 = D2 ⊳ ¬b ⊲ D1

• D1 ⊓ D2 = D2 iff D1 ⊑ D2

For the proof of these properties, we refer to [86]. When refining a higher level design

to a lower level design, more program variables may be introduced or types of program

variables may be changed. If the two designs do not have the same alphabet, we can

usedata refinementto relate their state spaces.

Definition 3 (Data refinement) Letρ(αl, αh) be a many to one mapping from the state

space ofαl to the state space ofαh. DesignDl = (αl, pl ⊢ Rl) is a refinement of design

Dh = (αh, ph ⊢ Rh) if there is a design(αh ∪ αl, ρ(αl, α′h))such thatρ;Dh ⊑ Dl; ρ. We

call ρ a data refinement mapping.

The relation⊑ is fundamental for the development of the refinement calculusto support

correct by design in program development, as well as for defining the semantics of

programs.

3.1.3 Reactive designs

A service provided by aconcurrentor reactiveprogram may not always available to

its environment. Because its execution requires resources that might be occupied by

74

3.2. Object-Orientation of rCOS

other processes or requires synchronization with other processes, a service will usually

engage in alternative periods of computation and periods of stability, while it iswaiting

for interaction from its environment. Then the execution is suspended in a waiting

state. We therefore introduce abooleanstate variablewait to allow the observation of

the waiting state, and we define a mappingH on designs such that

H (D) , wait′ ⊳ wait ⊲ D

meaning that execution does not proceed in a waiting state, where it leaves the state

unchanged. A designP is a reactive designif it is a fixed point of the mappingH ,

H (D) = D, that is

H (p ⊢ R) , (wait ∨ p) ⊢ wait′ ⊳ wait ⊲ R

The domain of reactive designs enjoys the same closure properties as that of sequential

designs, and refinement is defined as logical implication also.

We use aguarded designg & D to specify the designD ⊳ g ⊲ true ⊢ wait′, where

D is a design andg is a state predicate. This guarded design specifies that if theguard

conditiong holds the execution of design proceeds from the non-waiting state and the

execution is suspended otherwise. It is easy to prove that a guarded design is a reactive

design. The semantics of a reactive design ensures that a synchronization of a method

invocation by the environment and the execution of the method can only occur when

theguard is true andwait is false.

3.2 Object-Orientation of rCOS

Most, if not all, of the current component-based design and implementation techniques

rely heavily on object-oriented techniques. The rCOS provides a rich variety of object-

oriented features including subtypes, reference types, visibility, inheritance, dynamic

binding, polymorphism and local variable nested declarations. To allow the use of OO

design and programming for component-based software development, rCOS extends

the theory of designs in UTP to a theory of OO designs.

75

3. rCOS

3.2.1 Syntax of rCOS

prog ::= cdecls • Main programcdecls ::= cdecl | cdecl ; cdecls class declarationscdecl ::= [private] class C class declaration

[extends D] { ~adecl ; ~mdecl }adecl ::= visib T a = cn attribute declarationvisib ::= private | protected | public visibility

mdecl ::= visib m(~T ~x; ~T ~y){c} method declaration

c ::= commandskip | chaos

| C.new(le) object creation| ~le := ~e assignment| var T x [= e] variable declaration| end x variable undeclaration| e.m(~e; ~le) method invocation| c; c command sequencing| g & c guarded command| c ⊳ b ⊲ c conditional choice| c ⊓ c non-deterministic choice| b ∗ c iteration| pre ⊢ post design

e ::= expressionle | this | cn

| (C)e type cast

p ::= predicateb | ∃ ~le · p | ∀ ~le · p

le ::= l-expressionx

| e.a object attributeMain ::= ( ~ext ; c) main method definition

ext ::= T x = cn external variable declaration

Figure 3.2: Syntax of rCOS OO language (RCOSP)

An rCOS program is specified in a textual language, calledRCOSP. The syntax

of its OO part includes object systems (programs), class declarations, commands and

expressions. A subset of the syntax is defined in Fig.3.2. HereC denotes the set of

class names andT is the names of types defined in the object system as a union ofC

and primitive data typesB, such asInteger, BooleanandString, and collection types

76


S, such asSet, Bag. That is,T = C ∪ B ∪ S. Furthermore,m is a method name,a is a

field (or attribute) name,e is an expression andb a boolean expression;cn is a constant

literal (a constant of primitive data type or the null reference),x andy are variables,

andg, pre andpostarepredicates. Any text occurring in a pair of square brackets is

optional, and text with an arrow above denotes a sequence of elements, for example~u

representsu1, u2, ..., uk.

Class declarations Similar to Java, an OO programprog in rCOS consists of a list

of class declarationscdecls and a main methodMain. Each class incdecls is declared

with a distinct name. It may own someattributesandmethods, and can declare at

most one direct superclass denoted by the ”extends” keyword. So, there is no multiple

inheritance. We useC1 ≺ C2 to denote thatC2 is the superclass ofC1, andC1 � C2 if

C1 ≺ C2 or C1 = C2.

An attribute (or field) is declared with a name, a type and optionally initial val-

ues. The scope of its visibility is defined by the ”private”, ” protected” and ”public”

keywords. A method declarationmdecl has a list of input parameters and output pa-

rameters with their types, and a body commandc. To make sure that expressions have

no side effects, the language allows a method to have result (output) parameters instead

of returning values directly. Methods can be inherited and overridden by subclasses.

The main program bodyMain declares a list of external variables, called thepro-

gram global variables, with their types and initial values, and amain commandc. The

main command can accesses and updates the global variables. The main program can

be viewed as a classMain:

classMain { privatevars; methodmain(){c} }

wherevars is the set of global variable declarations.

Expressions Expressions include assignable expressionsle, which may appear on

the left-hand-side of an assignment, the special variableself that represents the cur-

77

3. rCOS

rently active object, and expressions of type casting(C)e, literalscn, ande.a that de-

notes the attributea of objecte, etc. Note thatb is a boolean expression we are not

concerned with the detailed structure, but simply assume it is of typeBoolean and can

be evaluated to eithertrue or false. In rCOS, evaluation of an expression does not

change the system state. Similarly we havepredicatesthat can also be evaluated to a

Boolean value. A predicate could be a boolean expression, an existential quantification

∃ ~le or a universal quantification∀ ~le.

Commands The data functionality of a method is specified by a command. It can

be simplyskip, that does not do anything, orchaos, the worst program whose behavior

is unpredictable. TheC.new(le) command creates an object of classC and attaches

it to a referencele, while the fields of the object are initialized with the initial values

declared inC. Theassignmentcommand assigns a sequence of variables (or fields of

objects) with a sequence (of the same length) of values. A variable and its scope can be

declared using thevariable declaration. Commande.m(~e; ~le) calls the methodmof the

objecte with a set of actual value parameters~e and actual result parameters~le. As de-

fined in UTP, commandsc; c, c ⊳ b ⊲ c, c ⊓ c andb ∗ c represent sequential composition,

conditional choice, non-deterministic choice and iteration, respectively.

In rCOS, the body of a method can also be specified as a UTP design :pre ⊢ post,

where the pair of predicates represents thepreconditionand thepostconditionof the

design. It means that when methodm is invoked, if the input parameters and the

current state of the program satisfy the precondition, the execution of the invocation

will terminate and the final state satisfies the postcondition. In order to support current

and reactive programming, we introduce theguarded designs. Given a design and

a predicateg over the state variables, we callg & (pre ⊢ post) a guarded design. It

specifies that if the guard conditiong holds the execution of design proceeds from non-

waiting state, otherwise the execution is suspended. Similarly, rCOS has the guarded

commandg & c, where the commandc defines the data functionality without guard

78


conditions.

Example Consider an example of a currency converter. It is defined in rCOS as:

program CurrencyConverter {

...

class CurConv {

public double rate;

public setRate (double val ) {

[⊢ rate’ = val] }

public convert (double amount; double result ) {

[⊢ result’ = amount∗ rate] }

public convertInverse (double amount; double result ) {

[rate > 0⊢ result’ = amount / rate] }

}

class Main {

...

method main() {...}

}

}

3.2.2 Semantics of rCOS

Objects, types and states An OO program operates not only on variables of primi-

tive types, but also on objects of reference types (classes). The class declaration section

cdecls of a program defines thetypes(value space) as well as thestatic structureof the

program. We assume an infinite setREF of object identities (or references), with

null ∈ REF . Let B denote the set of built-in primitive types. We define avalue as

either a member of a primitive type inB or an object identity inREF with its run-time

type in the set of class namesCNAME . Let VAL be the set of values

VAL ,⋃

B ∪ (REF × CNAME)

79

3. rCOS

For a valuev = <r,C> ∈ REF × CNAME , we useref (v) to denoter and type(v) to

denoteC.

An object has anidentity, astateand abehavior. Thus, we define an objecto by a

triple o , <r,C, σ>, where

• r is the identity ofo, denoted byref (o), r ∈ REF ,

• C is the runtime type ofo, denoted bytype(o), C ∈ CNAME ,

• σ is called the state ofo, denoted bystate(o). It is a mapping that maps each

attributea of C to a valuev in VAL, that is, eitherv ∈ B being a primitive type,

or v ∈ REF × CNAME referring to an object. We useo.a to denoteσ(a).

Therefore, an object can have a recursive structure, which may contain or refer to other

objects.

States of programs Given an OO programP = cdecls • Main, a global state ofP is

defined as a mappingΓ from the external variables to their value spaces. Taking the

Main as a class:

classMain { privatevars ; methodmain(){c} }

The state ofP is thus the state of an object of classMain and thenΓ can be defined as

Γ : vars → B ∪ (REF × CNAME)

that assigns each variablex ∈ vars a value of object or primitive types depending on

the type ofx. During the execution of the main method, the identity of an object rep-

resenting the state will never be changed, but its value will be modified in each step

of the execution. Global states are enough for defining a UTP-based denotational se-

mantics and a ”big step semantics” of the program in which executions of intermediate

execution steps and the changes of locally declared variables are hidden.

Evaluation of expressions The evaluation of an expressione under a given state

determines its typetype(e) and its valuevalue(e) that is a member oftype(e). The

80


evaluation makes use of the configuration of the system global variables. An expres-

sion e can only be evaluated under the condition that it is well defined, denoted as

D(e).

Semantics of commands An important aspect of an execution of an object-oriented

program is the attachment of objects to program variables. An attachment is made by

an assignment, the creation of an object or by passing a parameter in a method invoca-

tion. With the approach of UTP, these different cases are unified as an assignment of a

value to a program variable. The semantics[[c]] of each commandc has its well-defined

conditionD(c) as part of its precondition and thus has the formD(c) ⇒ (p ⊢ R)

• Assignments: An assignmentle := e is well defined if bothle ande are well

defined and the current type ofe matches the declared type ofle.

D(le := e) , D(le) ∧ D(e) ∧ type(e) ∈ CNAME ⇒ type(e) � type(le)

There are two cases of assignment:

– Assign a value to a variablex := e. This can be done when the type of the

object is consistent with the declared type of the variable.

[[x := e]] , D(x := e) ⊢ (x′ = value(e))

The attachment of values to other variables is not changed. Aswe do not al-

low attribute hiding or redefinition in subclasses, an assignment to a simple

variable does not have side-effects.

– Assign a value to an attribute of an object attached to a l-expressionle.a := e.

This is done by finding the attached object in the system objects and mod-

ifying its state accordingly. All variables attached to the reference of this

object are updated:

• Object creation: The commandC.new (le) creates a new object of typeC, sets

all the initial values of the attributes of the object, and attaches the object tole.

81

3. rCOS

The command is well defined if

D(C.new(le)) , C ∈ CNAME ∧ D(le) ∧ C � type(le)

• Method invocation: For a method signaturem(T1 x; T2 y), the command of

method invocatione.m(ve; re) first locates the objecto thate refers to, assigns

the values of the actual parametersve andre to the formal value and result pa-

rameters (x andy, respectively) of the methodm of objecto, and then executes

the body ofm under the environment of the class owning the method. Before

termination, the value of the result parameterre is passed back to the actual

parametery.

All other commands, such as conditional choice, non-deterministic choice and iter-

ative statements, can be defined inductively in the same way as in the UTP sequential

language.

3.2.3 Object-oriented refinements of rCOS

The rCOS refinement calculus supports object-oriented refinements at three levels :

refinement between whole programs (object systems), refinement between class dec-

larations (structure refinement), and refinement between commands. The refinement

calculus includes a set of algebraic laws expressed as equations of OO programs un-

der the UTP semantics [82], and a set of rules of graph transformations under the

graph semantics [181]. Model refactoring and design patterns are supported by these

rules/laws, and their soundness and relative completeness have been proven.

Refinement of commands The refinement relation between commands takes exactly

the same view as the UTP sequential programs that the execution of a command is a

relation between states. A commandcl is a refinement of a commandch, denoted

by ch ⊑ cl , if for any given initial stateσ, any possible final stateσ′ of cl is also a

82


possible final state ofch. Thus a refined command is not more non-deterministic than

the original command.

Refinement of programs Refinement between commands in OO programming only

makes sense under the context of a given list of class declarationscdecls. Let Pl =

cdeclsl • Main l andPh = cdeclsh • Mainh be two object programs which have the same

external variables~ext . Pl is a refinement ofPh, denoted byPh ⊑ Pl, if the following

implication holds:

∀ ~ext , ~ext′, ok , ok ′ · ([[Pl]] ⇒ [[Ph]])

In such a refinement, all non-public attributes of objects aretreated as local (or

internal) variables.

Structure refinement An essential advantage of OO programming is that classes

can be reused in different applications and thus support differentMain programs. The

classes of an application program are in fact the metamodel of the structure or organi-

zation of the application domain in terms of concepts, objects and their relations and

behavior. When the main methods in the programs are syntactically identical, the rela-

tion between their system states is determined by the relation between the structure of

these programs, i.e. their class names, attributes, sub-superclass relations, and methods

in the classes. The structure refinement in rCOS characterizes this fundamental feature

of OO programming.

Definition 4 (Structure refinement) Class declarationscdecls l is a refinement ofcdeclsh,

denoted ascdeclsh ⊑ cdecls l, if the latter can replace the former in any object system:

cdeclsh ⊑ cdecls l , ∀Main · (cdeclsh • Main ⊑ cdecls l • Main)

That means thecdecls l supports at least as many services ascdeclsh. Thus a refined list

of class declarations has capacity for providing more and better services, and supports

all functionalities that the class structurecdeclsh supports.

83

3. rCOS

The notion of structural refinement is actually an extension to the notion of data

refinement. The rCOS refinement calculus gives a full formalization of OO program

refactoring by a group of simple transformation rules, referred as ”small-step” rules,

which includeadding classes, attributes, methods, decomposition and composition of

classes, promoting methods from subclasses to super classes, from private to protected

and then to public, etc. The transformation rules are proved to be sound and relatively

complete in the sense that the rules allow us to transform the class declarations of a

program to a tree of inheritance, and with the derived transformation rules on the main

method, the program can be refined to an equivalent program that only has the main

class. Thus each OO program can be transformed to an equivalent procedural program.

OO refinements in rCOS can also be divided into three kinds:functionality delega-

tion, attribute encapsulation, andclass decomposition.

Functionality delegation It also referred asexpert pattern, which assigns a respon-

sibility to an information expert, the class that has information necessary to fulfill the

functionality. Usually, the functionality specification of method makes use of naviga-

tion paths through the class model. That is, expressions in the specification traverse

the associations (or attributes), starting from the class of the current object. According

to object-oriented design principles, a method should not use navigation paths to di-

rectly manipulate elements “owned” by other classes. This would make classes tightly

coupled: a modification in one class may require subsequent changes in other classes.

Encapsulating behavior in the expert classes alleviates this, and reduces the number of

necessary followup changes through the model.

Assume thatC andC1 are classes incdecls , C1 o is an attribute ofC andT x is an

attribute of C1. Let m(){c(o.x, o.x′)} be a method ofC that directly accesses and/or

modifies attributex of C1. We can refine the program by changing methodm() to

m(){o.n()} and add a fresh methodn(){c(x/o.x, x′/o.x′)} to classC1, while make sure

that other variables in commandc are accessible inC1,

84

3.3. Component Model of rCOS

Attribute encapsulation Suppose an attributea of classC is only directly referred

to in the methods ofC, this attribute can be madeprivate; and it can be madeprotected

if it is only directly referred in methods ofC and its subclasses.

Class decomposition This is also calledhigh cohesion pattern, which requires that

the responsibilities of a class should be strongly related and focused. To make classes

simple and highly cohesive, we therefore often need to decompose a complex class into

a number of associated classes. For example, assume a classC{T1 a1, T2 a2;m1(){c1(a1)},

m2(){c2(a2)}} that declares two attributesa1, a2, and methodm1() only involvesa1,

and methodm2() only involvesa2, we can decomposeC into two classes: class

C1{T1 a1;m1(){c1(a1)}} that only involves attributea1 and methodm1(), and class

C2{T2 a2;m2(){c2(a2)}} that only involves attributea2 and methodm2(). There are

other rules for class decomposition in rCOS.

The expert pattern and other refinement rules in rCOS are proved to be big-step

refinements, and they are repeatedly used in the design of systems [39]. However, it is

important to note that method invocation, or object interaction, takes time. Therefore,

this object-oriented refinements usually exchanges efficiency for simplicity, ease of

reuse, maintainability, and data encapsulation.

3.3 Component Model of rCOS

An essential concept in rCOS is that of components. A componentK has various

models with different details in different stages and for different purposes. There are

two kinds of components in rCOS,service components(for short,components) and

process components (processes, for short). A component provides services represented

as methods to be called by the environment. On the other hand, processes do not

provide services but make invocations to methods of components following their own

flow of control to coordinate the behavior and pass data among components. Processes

implement business work flows.

85

3. rCOS

Definition 5 (Component) A componentK is a reactive program that can be repre-

sented as a tuple:K , (init , pIF , rIF , iIF , iA,F ), where

• an initial conditioninit defines the allowable initial states of the component;

• pIF, rIF, iIF denote theprovided interface, required interfaceand internal in-

terfaceof the component, respectively. An interface is a set of method signa-

tures of the formm(in; out) with possible input and result parameters. Each

methodm() is given a body that is a guarded command. It is required that

pIF ∩ iIF ∩ rIF = ∅;

• iA is an set of internal autonomous actions. Each actiona is given a body that is

a guarded command. So an action can be seen as a method without parameters.

The execution of an atomic action changes the current state of the program to

another state.

• F is a set of variables, also calledfields.

We useK .init ,K .pIF ,K .rIF ,K .iIF ,K .iA andK .F to denote the corresponding parts

of K.

3.3.1 Close components and refinement

We first considerclosed componentsthat only provide services but do not require ex-

ternal services.

Definition 6 (Closed component)A closed component is a component without re-

quirement interfacesK .rIF = ∅.

As a reactive program, a (closed) componentK repeatedly accepts requests (invo-

cations) from the environment to invoke its enabled services (methods) inK .pIF , or

executes an enabled action inK .iA, until no more methods or actions can be executed.

86


Its semantics only concerns the interaction with the environment. Lete be aneventrep-

resenting an invocation of a method defined inK .pIF , and the execution of the method

may need to execute a sequencea1 , ..., an (possibly empty) of actions inK .iA. We

useσe→ σ′ denotean observable transition relationso thatσ e

→ σ1a1→ ...

an→ σ′, where

σ, σi(0 ≤ i ≤ n) are states overK .F ∪ {ok ,wait}.

Definition 7 (Semantics of components)The semantics of componentK is defined

by a pair of sets of failures and divergences[[K ]] , (divergence(K ), failure(K )), where

• divergence(K ) is a set of execution traces over method invocationsm(u; v), where

m() ∈ K .pIF such that there is a sequence of state transitionsσ0e1→ ...

ek→ σk and

σk (ok) = false, hereσ0 is an allowable initial state,σ0 ⊢ K .init ,

• failure(K ) is set of pairs(tr,X), wheretr is a trace andX a set of method

invocations toK .pIF that K may refuse to respond to after engaging all events

in tr.

A component needs an interaction protocol for its client to follow. We define the

provided tracesof componentK as trace(K ) = {tr |(tr , {}) ∈ failure(K )}. Therefore

the set of all its provided traces can be used as theprovided protocol of componentK,

denoted asprotocol(K ).

There is a special kind of components that have no internal actions, i.e.,K .iA = ∅.

They are calledprimitive components. It was proved in rCOS that in general every

closed component is equivalent to a primitive component. That is, the internal actions

from a state can be collapsed into the preceding transitions of the invoking method,

thus the flow of control of the component forms a finite state machine. This implies

that the interface behavior of a component can be modeled in two forms:contractand

publication.

Definition 8 (Contract) A component contractC is a tuple(init , pIF ,F ), in which the

body of each methodm() ∈ C .pIF is defined as a guarded designg & (p ⊢ R).

87

3. rCOS

Definition 9 (Publication) A component publicationB is a tuple(init , pIF , pProt ,F ),

where the body of each methodm() ∈ B .pIF is just a designp ⊢ R of the data func-

tionality andpProt is the provided protocol ofB.

The protocol can be specified in a formal language, such as regular expressions or a

restricted version of process algebra such as CSP without hiding and internal choice. It

can be easily modeled by a state machine for the purpose of model checking. However,

publications are declarative, while contracts are operational. As a closed component

is semantically equivalent to a contract, contract is thus an important notion for the

requirement specification and verification of the correct design and implementation

through refinements.

Components refinement Refinement between two components is judged by com-

paring the services they provide to the environments. A componentKh is refined by

componentKl, denoted asKh ⊑ Kl, if

• Kl offers the same provided methods,Kl .pIF = Kh .pIF

• Kl is not more likely to diverge,divergence(Kl ) ⊆ divergence(Kh), and

• Kl is not more likely to block clients,failure(Kl ) ⊆ failure(Kh).

It is easy to see that ifKh ⊑ Kl, thenprotocol(Kh ) ⊆ protocol(Kl ). Moreover, if bothKh

andKl are primitive components then for allm() ∈ pIFh , we haveguardh(m) = guardl (m)

∧bodyh(m) ⊑ bodyl (m).

3.3.2 Open components and composition

Components often need to use the services provided by another component. That

is, to deliver a servicem() ∈ K .pIF , it can request services from other components.

Moreover, the execution of an internal action inK .iA or a private method inK .iIF

may also request these services. The requests to these services are made through the

88


required interfaceK .rIF . A component with a non-empty required interface is called

an open component.

The notion of composition is essential for a component-based design. We can

compose two componentsK1 and K2 in parallel so that a client can use the provided

services of the two components in an interleaving manner.

Definition 10 (Component composition)Let K1 and K2 be two components such

that

K1 .pIF ∩ K2 .pIF = ∅, K1 .iA ∩ K2 .iA = ∅, K1 .F ∩ K2 .F = ∅

(K1 .rIF ∪ K2 .rIF ) ∩ (K1 .iIF ∪ K2 .iIF ) = ∅

We define componentK as the parallel composition ofK1 andK2, denoted byK = K1 ‖ K2,

such that

• K .init = K1 .init ∧K2 .init

• K .F = K1 .F ∪ K2 .F

• K .iA = K1 .iA ∪ K2 .iA

• K .pIF = (K1 .pIF ∪ K2 .pIF ) − (K1 .rIF ∪ K2 .rIF )

• K .rIF = (K1 .rIF ∪ K2 .rIF ) − (K1 .pIF ∪ K2 .pIF )

• K .iIF = K1 .iIF ∪ K2 .iIF ∪ (K1 .rIF ∪K2 .rIF ) ∩ (K1 .pIF ∪ K2 .pIF )

Note that a provided method that offers a service to a requiredmethod of another

component is not serving the environment anymore. However, there are several special

cases for parallel composition.

• Plugging: WhenK1 .rIF ⊆ K2 .pIF andK2 .rIF ∩ K1 .pIF = ∅, we useK1 ≪ K2

to denoteK1 ‖ K2, calledK2 plugging intoK1. Here only the provided interface

of K1 is offered to the client.

89

3. rCOS

• Disjoint union : WhenK1 and K2 have all their interfaces disjoint from each

other, (K1 .rIF ∪ K2 .rIF ) ∩ (K1 .pIF ∪ K2 .pIF ) = ∅, we useK1 ⊕ K2 to denote

K1 ‖ K2, called disjoint union. Here all the provided and required interfaces are

offered to the client in an interleaving way.

Semantics of open component The semantics of an open componentK is defined

by a functional[[K]] : C → C , whereC is a set of closed components. So given a closed

componentK1, [[K]](K1) is defined ifK1 .pIF = K .rIF and it is the closed component

K ≪ K1.

Refinement of open component Let Kh and Kl be two open components,Kh ⊑ Kl

if for all componentK such thatKh ≪ K ⊑ Kl ≪ K. Notice that ifKh ⊑ Kl then

K ≪ Kh ⊑ K ≪ Kl.

To ensure the correctness of component composition, we have to check that an

assembly is possible by checking the composability of the linked interfaces.

Definition 11 (Composability) Two componentsK1 and K2 are composable if there

exists a closed componentK such thatK .pIF = (K1 ‖ K2 ).rIF and the provided pro-

tocol of(K1 ‖ K2 ) ≪ K contains non-empty traces.

In rCOS, some other operators over components have also been defined, such as

renamingandhiding:

• Renaming: Changing the name of methods in interfaces. Renaming the methods

m() in K .pIF to mr(), denoted byK [mr/m], gets a component that has a method

mr (){m()}.

• Hiding: Hiding a method from a provided interface. LetK be a component, and

m() ∈ K .pIF , then the operationK\{m} represents the component after removal

of methodm() from its provided service.

90


These operators server asconnectorswhich provide interface adaptation capability.

They can be implemented by simple open components.

3.3.3 Processes and coordination

Components as discussed so far provide a number of methods, but themselves only

passively wait for a client to call their provided services. To implement a desired

functionality, we need active entities that coordinate the behavior of the components,

and pass data and control in and out of components. These active components are

processes.

Different from a service component, a processP only has a required interface

P .rIF , but does not have any provided interface.

Definition 12 (Processes)A process is a tupleP , (init , rIF , iA,F ), where

• init is an initial condition that defines the allowable initial states;

• rIF denotes therequired interface, which consists of a set of guarded method

invocations in the form ofg & m(u; v). We also useP .rIF to denote the set of

method signatures for the guarded method invocations.

• iA is an set of internal autonomous actions.

• F is a set of variables, also calledfields.

A process calls the required methods actively according to its own flow of control.

Similar to a closed component, we define the semantics of process as a pair of failures

and divergences. We also define the set of traces on the events inP .rIF , and the inter-

action protocol ofP is defined as the traces. Moreover, refinement between processes

is defined in the same way as refinement between closed components.

Processes do not interact with each other and the parallel composition of processes

acts likedisjoint unionof components. However, the parallel composition of processes

and components is defined ascoordination composition

91

3. rCOS

Definition 13 (Coordination) Let P be a process andK1 a closed component such

thatK1 .iA ∩ P .iA = ∅, K1 .F ∩ P .F = ∅ andP .rIF ⊆ K1 .pIF . The coordination ofK1

by P is a closed componentK = K1 ⊙ P such that

• K .init = K1 .init ∧ P .init

• K .F = K1 .F ∪ P .F

• K .pIF = K1 .pIF − P .rIF

• K .iA = {guardK1(m) ∧ guardP (m) & body(m)|m ∈ P .rIF ∪ K1 .iA},

whereguardK1(m) andguardP (m) are the guards ofm in K1 andP , respectively,

and body(m) is the body ofm defined inK1.

It is easy to see when a number of components are coordinated by a process, the com-

ponents are not aware of each other, but are controlled by the process, and exchanges

data through the process.

3.4 Development Method of rCOS

To support component-based model driven development, rCOS proposes a use-case

driven, incremental and iterative developing methodology for designers to follow. This

development methodology covers the design process of gathering requirements, spec-

ifying system components, defining system structure, describing overall system be-

haviors, performing the refinement, validation and verification, detailed designing and

coding. Within the process, formal techniques and tools of modeling, design and verifi-

cation can be applied. Models in later development phases are constructed from those

in earlier phases by correctness preserving model transformations based on a well-

studied refinement calculus [82]. One of the main advantages of the rCOS methodol-

ogy is that we can assure consistency of the multi-view specifications [111]. In brief,

92

3.4. Development Method of rCOS

rCOS provides explicit modeling notations and refinement calculus for component-

based model-driven development of software systems. A tool,rCOS modeler[40], has

been developed to support the development process. Fig.3.3 shows the concepts of

rCOS development.

Figure 3.3: rCOS development methodology

The rCOS development process is characterized by the following features:

• Each phase is based on the construction of models;

• Models are validated and verified;

• Refined models are constructed by model transformations;

• Code is generated from design models;

• Proof obligations are generated by model transformations;

• The rCOS modeler integrates UML models into rCOS.

93

3. rCOS

3.4.1 Requirements modeling

The rCOS methodology considers the development of component-based reactive soft-

ware systems from use cases. This corresponds to systems that interact with their

environment through a set of well-defined methods invocations. Data types are given

as either primitive types, or modeled as object-oriented classes with single inheritance.

Naturally the computations of the system are encapsulated within the methods.

Use cases. As the first step, understanding and analysis of the problem domain is

necessary. Based on a textual system description which is more or less complete, each

use case is identified and created separately in the model. Relationships between the

participants (actors) and the use cases, and among use cases, in particular the«include»

relationship, can be documented in the use case diagrams. Usecases group function-

ality, represent specific work flows within the software application, and indicate their

origin in the original system description.

Conceptual class diagrams. Meanwhile, domain concepts and their relationships

are derived from the system description and represented as conceptual class diagrams,

where a class has no methods, and visibility of the attributes are all public. This may

require some interpretation of the description by domain experts. We borrow the term

”conceptual” class diagram from Larman [103] to characterize the class diagram at this

stage.

Interfaces and components. In rCOS, each use case will be realized by a compo-

nent, and the functionalities of the use case are modeled as methods in the provided

interface of the component. The user defines the signature of a method, and the data

functionality of the method is given as an rCOS design:p ⊢ R. The provided interface

aggregates the relevant data of class types as its fields. In addition, we allow a lim-

ited amount of fields of primitive types on the interface for use as guard conditions in

94


related sequence- and state diagrams. Corresponding to the use case diagram, a (top-

most) component diagram illustrates all components of the use cases. Especially, if a

use caseincludessome other use cases, we design a required interface for the compo-

nent of the use case, and connect the required interface to the provided interfaces of

the components representing the other use case.

Behavior protocols. The user then encodes the so-calledinteraction protocolof a

component into the model. The protocol describes how the component is to be used

through synchronized method invocation of the operations in the component’s provided

interface. It is achieved by adding a UML sequence diagram and/or state machine to

the interface. A sequence diagram illustrates the interaction of the component with

the external environment, represented by the actors. The initial sequence diagram,

calledsystem sequence diagram[103], is restricted to two lifelines, where one life-

line represents the environment (the actor of the use case), and the other represents

the component. Messages only flow from the actor to the component and represent

invocations of methods of the interface. We allow the usual control structures such as

iteration and conditional branches in the sequence diagram. These have controlling ex-

pressions in the form of boolean expressions over the fields of primitive types defined

in the interface.

While the sequence diagram describes the possible interactions with the system the

user can have, the state diagram describes how the system internally changes state dur-

ing execution. A transition of the state machine is triggered by an invocation of method

of the interface. There is a single initial state and a single final state. Choice nodes

with a boolean expression allow if-then-else constructs, without such an expression we

treat all alternatives as non-deterministic choices.

However, the reasons for having a sequence diagram and a state diagram are dif-

ferent [39]:

• the denotational trace semantics for the sequence diagram is easy to use as the

95

3. rCOS

specification of the protocol in terms of temporal order of the method calling

events,

• the state diagram has an operational semantics which is easier to use for verifi-

cation of both safety and liveness properties.

Analysis and verification. A requirements modelconsists of ause case diagramto

define the use cases of the system, acomponent diagramin which each use case is mod-

eled as a component, aconceptual class diagramrepresenting the domain concepts,

and a set ofsequence diagramsand/or state machines defining the behavior protocols

of the components. Also, each method of the provided interface of a component has an

rCOS designp ⊢ R to specify its data functionality. The validation of the requirements

model can be checked using the automated prototyping tool, AutoPA [106]. This tool

automatically generates executable code of the use case components directly from the

requirements.

However, these different artifacts of the requirements model have to be consistent:

• Static consistency: The consistency between the class diagram and the other

model artifacts is simply that the class diagram defines the type system for the

other diagrams. For functional specification of a method, all types, classes and

fields that are used in the specification are also defined in the class model, and

the commandof its method body must be well defined in the context of the

its owning class. It is obvious that adding new classes, associations and fields

preserves consistency. We define a set of well-formedness constraints, in the

language of OCL, to check the static consistency of a model. In addition, a type

checker has been developed to ensure the consistency of method specifications.

• Dynamic consistency: As both sequence- and state diagrams talk about the pro-

tocol of the same component from two different points of view, consistency

checking between them is also needed. Dynamic consistency requires that any

96


invocation sequence from the environment should be accepted if the sequence

conforms to the protocol. That is, whenever the users follow the interaction pro-

tocol defined by the sequence diagram, the interactions will not be blocked by

the system, i.e. no deadlock should occur. The traces of the sequence diagram

are also accepted by the state machine. The consistency is checked by translating

the sequence diagram and the state diagram to CSP [85], and do the checking in

FDR2, the model checker of CSP.

3.4.2 Object-oriented design

In this stage, we apply the rCOS object-oriented refinement rules [82; 181] to the

requirements model obtained from previous stage. The refinement rules formalize

both structural transformations and functionality refinement. Basically, there are three

kinds of OO refinements involved:functionality delegation, attribute encapsulation,

andclass decomposition. The refinement rules are implemented as model transfor-

mations. By stepwise application of these rules, the requirements model is gradually

transformed into a design model.

In particular, theexpert patternis the most often used refinement rule which de-

composes the functionality specification of a method by delegating responsibilities to

other classes. Theexpert patternensures that a functionality is allocated to an ap-

propriate object which can obtain the needed data to accomplish the functionality at a

minimum cost. It refines a design in the form ofp ⊢ R into object interactions, based

on a given class diagram. Basically, if a computation is realized by obtaining the data

that is distributed in different objects through association links, then this computation

task can be delegated to a target object by using this pattern. One feature of this re-

finement is that it does not introduce more couplings into the class structure by adding

new associations between classes.

When we first write the method specifications of a classC before applying the

97

3. rCOS

expert pattern, we often need to directly refer to attributes of the classes that are as-

sociated withC. Therefore, those attributes are required to be public. After function-

alities are delegated to associated classes, the attributes that were directly referred are

now only referred locally in their owning classes. These attributes can then be encap-

sulated by changing them to protected or private through applying theencapsulation

rule, which says that if an attribute of a class is only directly referred in the methods of

the class, this attribute can be made private; and it can be made protected if it is only

directly referred in specifications of methods of this class and its subclasses.

Moreover, theclass decompositionrule can be used to decompose a complex class

into a number of associated small classes. In addition, a set of small step structure

refactoring rules, as suchrenaming a class, adding an attribute, forward an attribute

through an association, are also proved to be refinements [181] and can be used in OO

design of rCOS.

The final model produced at the end of the OO design is adesign modelin which

the sequence diagram for each use case is refined to an object sequence diagram with

inter-object interactions, but the interactions between the actors and the component

remain unchanged. The conceptual class diagram is refined to adesign class diagram

in which methods and their specifications are assigned to domain classes. However the

state diagrams and component diagrams of the requirements model are not changed in

the OO design. The correctness of this design model is guaranteed by correct use of the

refinement rules. Since the class model and the method functionality design are purely

object-oriented, we can generate program code, for example, Java class declarations,

from the design model.

3.4.3 Component-based design

For the purpose of reusability, maintenance, and more importantly, distributed and

independent deployment (third party composition), the OO model needs to be further

98


refined to component-based model [160]. It takes place in the following two steps:

• Component abstraction: In this step, we take the object-oriented design model,

identify the "permanent objects" and decide if they should be made into com-

ponents according to their features. The features include if they logically repre-

sents existing components, hardware devices, external subsystems, or they can

be reused in different models of this application and other applications. A per-

manent object that aggregates a large amount of objects and functionality is also

suggested to be made into a component.

The identification of objects as components is carried out in an object sequence

diagram. It also decides the interfaces of the new components. Then we can ab-

stract the object sequence diagram into a component sequence diagram by hiding

the object interactions inside the identified components. This abstraction is au-

tomated as a transformation that correctly refines the OO design model into a

component-based design model, in which an original component is decomposed

into a composition of a number of components, and the component diagram of

the requirements model is refined to a set of component diagrams as more hier-

archical components are introduced. Moreover, protocols for the provided- and

required interfaces of the components are also automatically generated.

• Component architecture design: The set of components generated in the pre-

vious step may need to be reorganized to get a better model architecture. For

example, small components are composed into a bigger component to ease the

deployment. We use the set of operators defined in rCOS for component compo-

sition (see Section3.3.2), includingrenaminginterface methods,hidingservices

of a component,plugging a provided interface into a required interface, and

parallel compositionof components. These operators are also implemented as

model transformations, and the composability of the protocols for the provided

and required interfaces of the inter-dependent components should be checked to

99

3. rCOS

avoid deadlock and livelock.

The final result of the component-based design is a component-based architecture

model, which includes a set of hierarchical component diagrams to express the re-

lationships between these components, and a set of component sequence diagrams

describing the interactions of these components. To define its usage, each component

has a provided- and/or required interface, attached with protocols. Meanwhile, design

class diagrams and object sequence diagrams remain unchanged in the model.

Verification. We also define a set of well-formedness rules in OCL for static check-

ing of the component-based model. For verification of deadlock freedom of component

compositions, the component sequence diagrams are transformed to the input notation

of the FDR model checker for verification of deadlock freedom. Application depen-

dent safety and liveness properties are verified by model checking the state diagrams

of the components.

3.4.4 Platform specific design and implementation

The design activities in this stage include further refinements of the component in-

terfaces with concrete and appropriate mechanisms (or middlewares) such asRMI or

CORBA. Thus the platform independent model (PIM) of the component-based archi-

tecture model is transformed to a platform specific model (PSM) with regards to the

mechanisms. Program code can be constructed for each component using templates. A

template defines the information of the flow of method invocations and the assertions

specifying the functionality of the methods of the components. Verification and valida-

tion can be applied to components before and after introducing the PSM mechanisms,

such asruntime checking, and testing (unit testing).

100

3.5. Tool Support for rCOS

3.5 Tool Support for rCOS

The rCOS modeler. The tool plans to support the rCOS method in model construc-

tion, analysis, verification and correctness preservable transformations; and it generate

verifiable code from design models. The rCOS modeler provides an UML-like multi-

view and multi-notational modeling and a design platform with the ability to add plug-

ins. The tool is implemented on top of the Eclipse platform ensuring compatibility

with other UML-based software engineering tools.Topcased[165] is used to support

graphical model design.

The current version (v1.2.6) of rCOS modeler supports graphically design an rCOS

model using use case diagrams, class diagrams, sequence diagrams, state diagrams

and component diagrams. In the rCOS modeler, we can do the work of designing the

sequence diagram and specifying interface methods at the same time. In the view of

the sequence diagram, a new method signature is first created, then the message called

the method is added to the sequence diagram, and finally the data functionality of the

method is input. Moreover, the state machine can be automatically generated from the

sequence diagram of the interface.

The consistency of these diagrams can be checked by a group of OCL rules. CSP

specifications can be automatically generated from state diagrams and sequence dia-

grams, and checked in the FDR model checking tool. Textual rCOS specifications can

be specified, compiled and semi-automatically refined in the tool.

Correctness preserving model transformations. In the work of [179; 180], correct-

ness preserving transformations for rCOS were discussed. A set of metamodels for the

model of requirements, model of logical design and model of component architecture

were proposed. Some rCOS refinement rules, such as class decomposition, and class

to component transformation, were experimentally implemented using QVT Relations

in the tool of ModelMorf [122]. More rCOS refinement rules, such as expert pattern,

were proposed to implement as OVT transformations.

101

Chapter 4

QVTR-XSLT: A Tool for Graphical

Notation of QVT Relations

Model transformation is the core of model driven development. To address the need

for a common transformation language, OMG proposed the Query/View/Transforma-

tion language (QVT) [134] standard that consists of three transformation languages:

Relations, CoreandOperational Mappings. As a user-friendly, high-level declarative

transformation language, QVT Relations (QVT-R) has two concrete syntax styles: tex-

tual and graphical. The graphical notation of QVT-R provides a concise, intuitive and

yet powerful way to define model transformations.

However, as a standard transformation language of OMG, currently there are very

few tools supporting QVT-R, and even fewer for its graphical notation [50; 101; 118].

The lack of tool support for the QVT-R graphical notation greatly hinders its applica-

tion in real settings. To address the problem, and particularly to meet our urgent need

for a model transformation tool in the development of therCOS modeler[97], in which

model transformations are the main means for system refinements and refactoring, we

decide to develop a model transformation tool based on the graphical notation of QVT-

R. Because of our limited resources, we do not intend to provide a full implementation

of QVT-R, but instead a practical, easy-to-use tool that makes use of well-known and

commonly adopted standards, CASE tools and languages.

To develop a tool for supporting model transformations, immediately two questions

arise:

1. How to represent a transformation?

2. How to execute the transformation?

102

The methodology of MDD should be applied to design MDD tools themselves. In gen-

eral, there are two fundamental methods for the implementation of QVT-R. Since the

QVT specification [134] has defined the metamodel (abstract syntax), concrete syntax

and semantics for the QVT languages, the first method is directly based on the MOF

metamodel definitions, and creates a new implementation from scratch. The advantage

of this method is that the syntax and semantics of the language can be fully supported,

but the standard UML CASE tools will not be able to deal with such a language. We

have to design its own editor and compiler. On the other hand, UML, as a standard

modeling language, is not only capable to model various aspects of systems, but also

highly scalable by adding new properties to adapt it to specific domains. Therefore, the

second method, or the so-called "lightweight" one, uses the standard UML extension

mechanism calledprofile that consists in new stereotype definitions to extend existing

UML metaclasses. By reusing the UML infrastructure both at the language level and

tool level, the method will minimize the effort of developers and meet the requirements

for standardization and interoperability.

Following these considerations, we propose a UML profile that contains the nec-

essary stereotypes to represent main QVT-R ideas with UML concepts. The profile is

formally defined and uses OCL for expressing well-formed rules of the model, thereby

avoiding an arbitrary use of the profile elements. By applying the profile, a QVT-R

transformation can be elegantly represented as a standard UML model, called a trans-

formation model [21]. The model can be manipulated in standard UML CASE tools

using normal modeling means - its model elements can be copied, moved, edited in

the model, or refactored into modules. It can also be transformed into another model

(higher-order transformations) for the purpose of analysis, optimization or implemen-

tation. Therefore, the effort required for constructing a tool to edit and analyze the

rules of QVT-R will be much smaller than that of developing the QVT graphical editor

from scratch.

Transformations aim to be automatically executed. It is thus essential to provide a

103

4. QVTR-XSLT

transformation engine in our tool. We could have developed the transformation engine

using general programming languages such as Java or C++, but since QVT-R is a

declarative language, it will be a better choice to implement it with another declarative

language. In this way, we can focus on the semantic mappings of these two languages,

rather than on realization details, such as arranging the iteration and search-order. Of

course, we need to ascertain that the necessary semantic features of QVT-R can be

adequately supported by the executable implementing language.

As models are normally stored in the form of XML Metadata Interchange (XMI)

[133], a well-studied and standardized technique for mapping graph-based models to

and from tree-based XML documents, using an XML processor to manipulate the

concrete representation of a model comes as a natural choice. Having the charac-

teristic of both declarative and imperative languages, the Extensible Stylesheet Lan-

guage for Transformations (XSLT) [178], a standard language recommended by the

W3C for transforming XML documents, is powerful in defining rules, pattern match-

ing and processing structured data [96]. Moreover, XSLT is widely supported with

many industrial-strength processors, and can run efficiently on almost any platform

and work along with any programming language. Thus, it becomes our transformation

implementation language.

As the result, QVTR-XSLT, the tool we build for the graphical notation of QVT-

R, consists of two parts: a QVT graphical editor and a code generator. Based on the

UML profile for QVT-R, the graphical editor has been built on top of a popular UML

CASE tool. With the editor, we can define the metamodels, specify a transformation

using the graphical notation, validate it, and save as a transformation model in XMI

format. The code generator reads in the transformation model, automatically translates

it into pure XSLT programs, which can be directly executed under an XSLT processor

to produce target models from the source models. The XSLT programs can also be

easily integrated into other applications and systems. Furthermore, because of the strict

corresponding between QVT-R rules and the generated XSLT programs, many XSLT

104

Figure 4.1: Overall process of using QVTR-XSLT tool

CASE tools, such as XML Spy, can be used to debug a transformation. In addition,

with the help of a collection of pre-defined transformations, the definitions of a QVT-

R transformation can be exported in textual format and then reused in other QVT

tools, or we can produceXML Schemas(XSD) [176] from the metamodel definitions

to validate the generated target models. The overall process of using the QVTR-XSLT

tool is outlined in Fig.4.1.

The tool supports unidirectional non-incremental enforcement transformations of

QVT Relations, where a set of output models is produced from a set of input models.

The features supported by the tool include:

• Definition of metamodels using EMOF syntax.

• Definition of transformations using QVT-R graphical notation.

• Support the enforcement semantics of QVT-R with some restrictions, that is,

only single direction transformations from source to target models are allowed.

The target model will be empty at the beginning of a transformation. Further-

105

4. QVTR-XSLT

more, only two non-primitive domains - one source and one target, can be de-

fined in a relation.

• Traceability of transformation executions.

• Transformation inheritance and relation overlapping.

Some transformation scenarios, such as theconformance checkingtransformations,in-

cremental bidirectional transformations, model synchronization, as well as thecheck-

before-enforcesemantics of QVT-R, are not supported by the tool.

Even so, the QVTR-XSLT tool can still be applied in various transformation sce-

narios, for examples, the platform independent model (PIM) to platform specific mod-

els (PSM) transformations, or the transformations of UML models to models of formal

languages (such as CSP) for the purpose of model validation and verification.

Data transformation in data engineering is another potential application field for

the tool. In many application domains, such as enterprise systems integration and

health informatics, complex data coming from various sources with different structures

needs to be transformed and integrated. Using our tool, the structures of the XML

data can be described concisely by the metamodels, the mappings between the data

could be specified by relations of QVT-R, and the transformations can be effectively

completed by the generated XSLT programs. In addition, the tool can be used in the

fields of semantic web and ontologies, often there is a need to convert between different

knowledge models, which are also in XML formats. Since at the present time practical

tool support for the graphical notation of QVT-R is scarce, our tool marks a useful

attempt to bring the language to practice.

In order to apply the tool in reality, there are more issues to be considered than a

simple source model to target model transformation. For example, how to precisely

control the transformations through parameters. There is also a need for querying

models with a similar graphical notation as for defining QVT-R relations. In addition, it

is important for composition and reuse of transformation definitions in order to produce

106

new and more powerful transformations in a well-organized and maintainable way.

Furthermore, in case of model refinement and refactoring, changes may only happen

in a small part of a model. Hence the in-place transformation is required to improve

the efficiency and get rid of the definitions of copy rules for each model element. Part

of our work presented in the chapter involves developing solutions for these issues and

concerns.

The remainder of the chapter is organized as follows. We discuss related model

transformation approaches and tools in Section4.1. Section4.2 introduces the techni-

cal features of QVT Relations and XSLT, and gives a simple comparison of them. As

QVT-R relies heavily on the use of OCL, in Section4.3 we discuss how a sub-set of

OCL can be mapped into XPath, a sub-language of XSLT. In Section4.4, we present

the approach to translate QVT-R into XSLT, and Section4.5discusses the semantic fea-

tures of QVT-R supported by the approach. We describe the syntax and semantics of a

graphical model query facility and the techniques to implement it in Section4.7. Our

extensions to QVT Relations are shown in Section4.6. Section4.8 presents a UML

profile for QVT-R and discusses the implementation issues of the QVTR-XSLT tool.

Section4.9 focuses on applying our approach and tool on case studies and compares

the results with another QVT-R tool. Finally, Section4.10draws some conclusions.

107

4. QVTR-XSLT

4.1 State of the Art

Model transformations play a key role in all phases of rCOS development process.

These transformations anticipate a very high demand for the transformation approaches

and supporting tools:

• Capability: it should have enough expressive power and ability to deal with very

complex transformations;

• Correctness: provide functionality for the verification and validation of the trans-

formations;

• Integratable: transformations could be easily integrated into other CASE tools

without too much burden of addition libraries or execution engines;

• Interoperability: transformations can work with different programming languages

and work on different platforms;

• Standardization: transformations should use standards proposed by OMG or

other international organizations;

• Declarative style: transformations should be defined in declarative style, and use

graphical syntax, to facilitate manual checking, reviewing and maintenance.

• In-place transformation support: transformations in rCOS focus on model re-

finement and refactoring, so the tool should effectively support in-place trans-

formation.

Many approaches have been proposed for model transformations. In the fol-

lowing, we will select some relatively well-known transformation approaches, discuss

their main features and tool supports, and assess whether they can be applied to im-

plement rCOS transformations. The discussion will be limited to approaches of graph

transformation and QVT-like (including QVT-compliant or QVT-aligned) transforma-

tions.

108

4.1. State of the Art

4.1.1 Graph transformation languages and tools

Graph transformation specifies and applies transformations between graphs by so-

called graph rewriting rules. Graph rewriting can be taken as an extension to the

well-known string rewriting technique in Chomsky grammars. A transformation is

defined by an attributed graph transformation system which consisting of an attributed

type graph and a set of transformation rules. A rule consists of two graphs : the left-

hand side (LHS) and the right-hand side (RHS). While applying the rule, nodes and

edges defined in the LHS are matched to particular nodes and edges in the host graph.

Then, the matched nodes and edges that do not exist in the RHS are removed from the

host graph. After that, the nodes and edges that are defined in the RHS but do not exist

in the host graph are created as new nodes and edges in the host graph.

Among others, VIATRA [164], Fujaba [33], MOFLON [14], AToM3 [51], and

GReAT [10] are typical representatives of graph transformation approaches. Concern-

ing the categorization we focus on AGG as a representative of graph transformation

languages.

AGG. The Attributed Graph Grammars (AGG [34]) is a visual language supporting

an algebraic approach to graph transformation. In AGG, both the source and target

models are labeled graphs owning attributes, and the attribute values are defined by

separate data nodes. The types of the attribute could be primitive or user-defined types.

In AGG, the applicability of a rule can be further restricted by additional appli-

cation conditions. Given a host graph and a set of graph rules, two kinds of non-

determinism may occur: 1) several rules might be applicable and one of them is chosen

arbitrarily; 2) given a certain rule several matches might be possible and one of them

has to be chosen. There are techniques to restrict both kinds of choices. Some kind

of control flow on rules can be defined by applying them in a certain order or using

explicit control constructs, priorities, etc [161].

AGG is open-source. The AGG tool provides a graphical editor to design graphs

109

4. QVTR-XSLT

and transformation rules. It also have a textual editor for adding JAVA expressions. An

interpreter executes an AGG transformation by resolving the graph rewriting rules as a

constraint satisfaction problem. So the transformations are executed in one step with-

out any support for incremental update propagation. In the contrast, some other graph

transformation tools, such as Fujaba, generate executable code from the rewriting rules

in order to perform model transformations [161].

Due to its formal foundation, AGG offers validation support by means of consis-

tency checking of graphs and graph transformations according to the graph constraints.

In addition, critical pair analysis is used to find conflicts between rules and check of

confluence and termination for the transformations.

Classical graph rules do not embody OCL constraints, which greatly limits their

expressive power. In the recent literature, a need for integration of graph transforma-

tion and OCL has been expressed [77; 98; 99]. The OCL expressions are employed

for updating attributes and specifying restrictions. However, these works are still not

mature enough to be used in practical applications.

In summary, the advantage of graph transformation approaches is that they are

based on a formal foundation that allows automatic verification of and reasoning about

the transformations. And most of them offer user friendly graphical editors supporting

easy and intuitive design of transformation rules. A drawback of graph transformation

is that the transformations have to be expressed operationally rather than declaratively.

Since graph transformations do not explicitly support the separation of source and

target models, they can only be used for in-place transformations. In general, because

of the lack of expressive power, they cannot handle complex model transformations.

Furthermore, no graph transformation based language has been standardized.

110


4.1.2 QVT-like languages and tools

Many approaches have been proposed for QVT model transformations. For approaches

supporting QVTOperational Mappings, we mention SmartQVT [4] and Borland To-

gether [2]. Both of them provide a front-end for Operational Mappings that can be

used to parse transformation programs and obtain a model conforming to the QVT ab-

stract syntax. But since the work of the thesis is based on QVT Relations, we focus

on the discussion of some well-known languages and tools for relational QVT in what

follows.

ATL. The Atlas Transformation Language (ATL) [93] provide a set of transforma-

tion tools on Eclipse platform. ATL is mainly a declarative language, though some im-

perative constructors are allowed to ease the coding of complex transformations. The

language has a textual concrete syntax. An ATL transformation program is composed

of rules that describe how to create and initialize the elements of the target models.

ATL transformations are always unidirectional. Source models are read only and can

be navigated, while target models are write-only and cannot be navigated. The order

of rule execution is determined automatically, with the exception of lazy rules, which

need to be explicitly called.

ATL tool provides an IDE that supports dedicated editors, debuggers, code com-

pletion, syntax highlighting, metamodel registry, etc. ATL code is compiled and then

executed by the ATL transformation engine (ATL Virtual Machine). The latest version

of the ATL tool provides with advanced capabilities, like multiple source patterns and

rule inheritance. In addition, there are many successful transformation examples in the

ATL transformation zoo.

Currently, ATL is the most technically stable and mature model-to-model transfor-

mation tool which is able to deal with complex model transformations. But it still has

its drawbacks, including:

111

4. QVTR-XSLT

• ATL is only a QVT-aligned language, not QVT-compliant. Its concrete syntax is

quite different from what is defined in the QVT specification;

• ATL aims to support exogenous (out-place) transformations. It provides only a

limited capacity, called the refining mode, for endogenous (in-place) transfor-

mations;

• ATL does not have a graphical notation;

• Execution of ATL needs its own ATL virtual machine. This may cause difficul-

ties in integrating ATL transformations into other CASE tools.

To enhance ATL, some works have been proposed to align ATL and QVT [94], and

implement QVT-R on the ATL Virtual Machine [3].

UMLX and Declarative QVT. UMLX [ 173] and Declarative QVT (Eclipse Model

to Model (M2M) QVT-Relations project) [3] are two closely related approaches intend

to support QVT Relations, both led by Ed Willink.

UMLX is a graphical transformation language to complement the OMG QVT.

UMLX attempts to provide a declarative and easy to understand notation by re-using

the familiar UML notation for defining patterns, extended semantically by a solid def-

inition of the meaning of multiplicity and sets of objects [173]. Similar to graph trans-

formations, UMLX uses standard UML class diagrams to define information schema

and their instances, and extends the class diagram to define inter-schema transforma-

tions.

UMLX provides a graphical editor as an Eclipse plug-in based upon GEF. Then

a compiler is used to generate an executableNiceXSLimplementation. NiceXSL is a

dialect of XSLT. In this sense, UMLX can be regarded as a high level language for

XSLT from which it inherits many important concepts such as referential transparency

[173].

112


One drawback of UMLX is that it uses its own graphical concrete notation which

is more like the notations of graph transformation approaches, than the notation of

QVT-R. As no OCL is adopted, the expressive power of UMLX is limited.

Declarative QVT is an Eclipse M2M subproject that aims at extending UMLX to

support standard QVT-R. The goal of Declarative QVT includes offering a graphical

editor for the graphical notation of QVT-R.

Declarative QVT is still far from practical use. However, it seems that the project

is in trouble at present. The author tried to implement it on the ATL Virtual Machine,

instead of NiceXSL, but then he claimed the attempt was ”unsuccessful”, and a new

execution engine is being planned [3]. The author also claimed that his progress on an

enhanced QVT-R graphical language is very slow since there are numerous issues with

OCL and QVT that he has to work out.

medini QVT. The medini QVT [117] was one of the first available QVT tools that

support textual notation of QVT-R. It has a remarkable compatibility with QVT and

OCL standards. Features of medini QVT include the use of traces to enable incre-

mental updates and limited support for bidirectional transformations. Although some

features, such as the collection template and the check-before-enforce semantics, are

still missing.

The medini QVT provides a powerful QVT interpreter, and a transformation editor

with syntax highlighting, code completion, and debugging facilities. It is distributed

as an Eclipse plug-in or a stand-alone system. Currently, medini QVT seems to be

the most stable, mature and state-of-art implementation of QVT-R. It is chosen as the

model transformation tool in many research papers. Our work also takes medini QVT

as the reference implementation of QVT Relations. However, medini QVT does not

support graphical notation, and it is difficult to integrate medini QVT into CASE tools

that are not based on the Eclipse platform.

113

4. QVTR-XSLT

ModelMorf. ModelMorf [162] is a commercial tool for QVT Relations developed

by Tata Consultancy Services Ltd. It supports in-place transformation, trace output,

transformation inheritance and relation overriding, incremental execution and collec-

tion template. However, not all language features are supported. For example, there is

no support for bi-direction transformation execution and graphical notation.

In contrast to products discussed so far, ModelMorf is a command-line application.

ModelMorf provides no development environment or IDE. Transformation code can

be edited in any text editor, and executed by calling the ModelMorf QVT engine with

parameters. The metamodels and instance models are constructed by the MetaModeler,

which is also developed by Tata, and exported in the format of XMI. ModelMorf also

builds up intermediate structures, for example for saving the tracing information.

However, ModelMorf seems to be an abandoned. The latest version in its web site

is Beta 1, released in the year 2009, and there is no clear sign of a forthcoming release.

Figure 4.2: Comparison of transformation approaches and tools

Comparison of transformation approaches. Although model transformations are

highly necessary in the context of model driven approaches, not even the QVT stan-

dard was able to attract sufficient interest until now [183]. A main reason for this is the

lack of adequate tool support. Fig.4.2summarizes main features of transformation ap-

proaches we have discussed so far to evaluate whether they can meet the requirements

of our work. However, we can conclude that none of these currently popular tools fully

meets the requirements for implementing the rCOS transformations.

114


4.1.3 Efforts to support graphical notation of QVT Relations

QVT-R comes with two types of concrete syntaxes: textual (like coding a program) and

graphical. Compared to the rules of graph transformation approaches, the diagrams of

QVT-R relations look more concise because they textually specify the relationships

between the source and target model elements. In [55; 58; 173], the graphical notation

of QVT-R is recognized as an intuitive, natural option to define transformation, and

the majority of transformations should be represented by the QVT graphical notation

[118].

Some efforts have been made to support the graphical notation beside the UMLX

project [173] we have discussed previously.

• Visual QVT/R: In [31], Max Bureck of the Freie University Berlin proposed to

build a graphical editor for QVT Relations in his thesis project "Development of

a visual transformation-framework for QVT". The editor looks like it is building

on the Eclipse platform. However, there is no further information about the

editor.

• UPT: A UML profile intended for QVT graphical transformation is presented

in [118]. The purpose of the profile is to represent QVT transformations using

any UML tool and send these transformations to the different tools using the

XMI standard. A tool is implemented as a web application which does not pro-

vide a graphical interface, but only translates a transformation into Java code.

However, instead of using object diagram, UPT uses a kind of class diagram to

express the transformation rules, so it is not fully QVT compatible. Furthermore,

UPT is designed as part of the WebSA tool, rather than an independent model

transformation tool.

• Enterprise Architect : Based on Enterprise Architect (EA) [155], a commercial

UML CASE tool, Oliver Alt of the BOSCH Company proposed an approach

115

4. QVTR-XSLT

to realize a graphical editor for QVT-R [137]. He first designed a UML profile

which enables EA for QVT editing and then used the EA automation interface

extensions to realize the user interface. An experimental generator was imple-

mented using C# to derive the QVT textual representation from the graphical

representation. However, this proposal is only a case study for proof of concept.

No further related work can be found.

• VMTS : is a project to provide a QVT plug-in for the Visual Modeling and Trans-

formation System (VMTS) [30]. Based on the VMTS tool, a QVT-R editor has

been defined. Transformation rules can be specified in the editor, and then trans-

lated to VMTS code. However, also this project is only a case study of VMTS.

In summary, currently tool support for the graphical notation of QVT-R is still far

away from practical use in software development.

4.1.4 XSLT related approaches

Many transformation tools, such as ATL or medini QVT, read in models as XMI files,

execute a transformation, and output the resulting target models as XMI files. Since

models are often stored as XMI documents, XSLT becomes a natural choice for im-

plementing model transformations. XSLT is one of the most successful XML tech-

nologies, because it offers a very good balance between complexity and power [91].

In addition, since XML has rapidly emerged as a dominant standard for data represen-

tation and exchange, there are already many industrial-strength implementations, such

asSaxon, Xalanand MicrosoftMSXML, which have been widely used in web appli-

cations and data-intensive applications, e.g., querying XML databases. Stored as XMI

files, even large-scale models can be efficiently processed by XSLT and translated to

target XML files. Furthermore, XSLT is now well supported by CASE tools, such as

XML Spy. These tools provide good IDEs supporting keywords highlight, auto com-

plete, grammar check, breakpoints, execution traces, etc. Not to mention that XSLT is

116

4.2. QVT Relations and XSLT

supported by almost all programming languages and platforms.

Even so, directly programming in XSLT to manipulate complex XML structures, as

those involved in model transformations, is still error prone and cumbersome, because

of its low level syntax. To address this problem, MTrans [140] proposes a language

to describe model transformations, and then XSLT is generated from the descriptions.

Bichler [23] discussed model-to-text transformations using XMI as the input format.

An intermediate XML format is used to simplify the XMI, and then XSLT operates

on this simplified XML representation of the XMI content. The UMT tool [73] sup-

ports UML-to-UML model transformation based on XMI Light and generates XSLT

as the implementing language. Willink [173] proposed a graphical transformation lan-

guage UMLX to do model-to-model transformations. In its early version, UMLX is

transformed into XSLT that executes the transformation between XMI instances.

4.2 QVT Relations and XSLT

In this section we first discuss QVT-R on an abstract level with a metamodel and a

short example, then introduce the necessary concepts of XSLT and its sub-language

XPath. Finally, we compare the concepts of QVT Relations and XSLT.

4.2.1 QVT Relations

MOF Query/View/Transformations (QVT) [134] is a language proposed by Object

Management Group (OMG) for model transformations and manipulation. The QVT

specification [134] includes three packages: two declarative packages (Relations and

Core) and one imperative package (Operational Mappings). The QVT Relations (QVT-

R) aims to provide a high-level, user friendly declarative language. It supports complex

object pattern matchings and implicitly traceability.

The QVT-R metamodel shown in Fig.4.3 is adapted from the Relations package

[134]. Since we focus on the Relations language, we eliminate several abstract classes,

117

4. QVTR-XSLT

Transformation

+type : Type

Variable

CollectionTemplateExp

+isTopLevel : Boolean

Relation

PropertyTemplateItem

+isCheckable : Boolean+isEnforceable : Boolean

Domain

OCL::OCLExpression

OCL::OCLExpression

TemplateExp

OCL::CollectionType

ObjectTemplateExp

OperationCallExp

EMOF::Operation

EMOF::Property

EMOF::Property

RelationCallExp

EMOF::Package

DomainPattern

PatternTypedModel

EMOF::Class

EMOF::Class

Key

Pattern

Predicate

Function

Variable

0..*

+queryExpression

0..1

+referredRelation

0..*

+modelParameter1..*

+typedModel

0..1

+conditionExpression

1

0..1

+bindTo0..1

+where0..1

+referredClass

+bindsTo

0..*

+identifies

+argument0..*

+rootVariable

+referredCollectionType

0..1

+variable

0..*

+referredProperty

+predicate

0..*

+rule1..*

+extends

0..1

+when

0..1+where

0..1

+ownedKey

0..*

+part

1..*

+argument *

+value

0..1

+templateExpression0..1+referredOperation0..1

+rest

+domain *

+part *

+usePackage1..*

+member 1..*

+pattern0..1

Figure 4.3: QVT Relations metamodel

such asRule, RelationDomain, RelationTransformation, andRelationImplementation,

etc. Fig.4.4depicts an example QVT-R relation between instances ofClassandTable

(ClassToTable) in graphical syntax. This example is adapted from Annex A of [134]

and will be discussed later in Section4.9.1.

In the metamodel, atransformationconsists of a set ofrelations asrules. A trans-

formation has one or moretyped models(a typed modelis a model with a metamodel as

its type) as its parameters, and may extend from another transformation. In addition,

a transformation may ownkeysthat uniquely identify instances of model elements,

and functions, which are side-effect-free operations. Arelation is defined by two or

morecheckonlyor enforced domains. As shown in Fig.4.4, the relationClassToTable

consists of two domains. Marked by therelation symbol in the middle, the

118


Figure 4.4: Example QVT-R relation in graphical notation

left-hand domain, which concerns the typed modeluml, is acheckonlydomain, while

the right-hand domain isenforcedand comes from the typed modelrdbms.

Each domain is defined by adomain patternthat is composed of a set of linked

template expressions (TemplateExp), which may beobject template expressionsor col-

lection template expressions. The former refers to the classes of the corresponding

metamodel, and the latter defines a pattern that matches a collection of elements. Note

that templateExpitself is also an OCL expression, it may be hierarchically contained

in othertemplateExps, and consist of variable bindings and optional constraints.

A domain pattern has a distinguishedroot object template expressionwith tag«do-

main». It is required to be bound to a variable called theroot variable. The root

variable serves as a formal parameter of the relation. In addition, anobject template

expressionmay own a set ofproperty template items. Each of them binds aproperty

of the typed class to avariable (e.g. "name=cn” in the box labeled with "c:Class” in

Fig. 4.4, which binds the propertynameto variablecn) or to an OCL expression (e.g.

"kind=’Persistent”’).

A relation may define a pair of optionalwhenandwhereclauses that consist of

119

4. QVTR-XSLT

predicates, which are OCL expressions separated by semicolon ";". Thewhenclause

indicates the conditions under which the relation holds, and thewhereclause provides

additional conditions, apart from the ones expressed by the domain patterns them-

selves, that must be satisfied by all pattern elements in the relation [134]. A relation

call expressionin a clause specifies an invocation of a subsequent relation.

A relation may also have someprimitive domains, which serve as additional pa-

rameters of the relation. A primitive domain is a domain that possesses a data type,

but no specification of the domain pattern. Primitive domains only have the purpose

to forward values at the call of a relation. Furthermore, a relation is either designated

as atop-levelrelation, or anon-top-levelrelation. Atop-levelrelation is invoked from

the transformation framework, while non-top-level relations are invoked throughwhen

andwhereclauses of other relations. In general, a transformation only has one top-

level relation which has nowhenclause. We call it theroot relation, as it is the first

relation to be executed in the transformation.

Variableis an important concept of QVT-R. A variable may be of a primitive type,

or of a type defined in the metamodels, and can be referenced bypredicatesin both

whenandwhereclauses. A variable can be defined either in a domain pattern as a

name beingboundto an element or a property of an element, or in thewhereclause

using an OCL expression to give it a value. In fact, it is thevariablesthat makes a

pattern different from a normal object diagram.

A QVT-R transformation can be executed incheckonlyor enforcementmode. In the

checkonlymode, it simply checks if all relations hold, no modification to the models

will take place. In theenforcementmode, one of the typed models can be selected as

the target model and the transformation executes in the direction of it, while the others

serve as the source models. Then the execution first checks whether the relations hold,

and if the check fails, enforces the relations hold by modifying the target model. In the

follows, we only discuss executions of transformations inenforcementmode.

For the example of Fig.4.4, if the relation is executed in the direction ofrdbms,

120


the source domain pattern (left part) is searched in the source model by way ofpattern

matching: here the pattern matching starts from the root variable "c" of typeclass. In

addition, the relation callPackageToSchema(p,s)in thewhenclause states that, before

executing the current relation, there must already exist an element "p" in the source

model and an element "s" in the target model, and these two elements have been

related by relationPackageToSchema. Thus all child elements of "p" are searched

in the pattern matchingto locate elements that are of typeclassand have property

kind=”Persistent”. If a match is found, the variable "c" is bound to the element, and

the value of the element’snameproperty is bound to the variable "cn" (name=cn).

The target domain pattern is searched in the target model. In case of the target

domain ischeckonly, if no match is found, an exception will be thrown. In contrast,

if the target domain isenforcedand no match is found, the target domain pattern acts

as a template to modify the target model through adding, deleting or changing model

elements to satisfy the relation. The target model may be empty at the beginning of the

transformation. In this case, model elements and their links are created from scratch

by the target domain pattern.

In Fig. 4.4, the target domain isenforced (marked asE). If the matching fails,

under the context of "s", an element "t" of typeTableis created and itsnameproperty

is assigned to the value of variable "cn". In the same way, the model elements of type

ColumnandKey are created, their properties are set, and the links (columnandkey)

among them are established as specified in the domain pattern. Finally, in thewhere

clause, the relationAttributeToColumnis invoked using variables "c", "t" and "prefix"

as the arguments.

More issues about QVT-R semantics will be discussed in next section. Detailed

syntax and semantics of QVT-R can be found in [134].

121

4. QVTR-XSLT

Element

name : String

Node

value : String

ValueAttribute

Document

ReferenceAttribute

{ordered} {ordered}

Text

0..1

text

child

0..*

parentchild

0..*

referred 1..*

attribute0..*

Figure 4.5: An excerpt of XML data model

4.2.2 XPath

In XML technical space, XPath is a suitable tool for pattern matching. As one of the

W3C’s standards, XPath (XML Path Language) [177] is a declarative language for

locating nodes in XML documents at a higher level of abstraction. Complex search

conditions, which may require tree-oriented navigation, and may involve logic, arith-

metic, string, and set operators on attributes and nodes, can be adequately expressed

using XPath [91]. Thus XPath provides a powerful and convenient way to implement

pattern matching. Furthermore, XPath path expressions are also used to assign values

to variables,argumentsandattributes.

XPath is a textual language for representing search expressions in hierarchical

XML documents. It works on an abstract, logical tree-structure data model. Fig.4.5

shows an excerpt of the data model we use. In this model, every item is aNode.

TheDocumentis the distinguished root node of the tree, denoted by a global variable

xmiXMI in our approach. Anelementowns a set of attributes, each of them either

belongs to the set ofValueAttributesdenoted asAv, or is aReferencein the setAr.

Moreover, we denote the set of parameters of the XSLTrule templateowning the path

expression asP, andV is the set of variables declared before the path expression inthe

rule template.

We require an element has an identity attributeID ∈ Av . Thus an attributeαr ∈ Ar

122


is a set ofIDs.We define a functionxmiRefs : Reference → Sequence( Element) to

obtain the referred elements. Moreover, an element has anxmi labelthat consists of the

element’s name and some particular attributes. For example, aclassin a UML model is

represented in XMI as<packagedElement xmi:type=’uml:Class’ .../>, so thexmi labelfor

it is "packagedElement[@xmi:type=’uml:Class’]". We introduce a function

xmiLabel() to get the xmi label for each model element defined in the metamodel. The

set of xmi labels for all elements in the XML tree isL.

In XPath, there is only one basic type: sequence, a ordered collection that may

contain duplicate items. That means every value in XPath is a sequence. Of course

XPath provides atomic values which are sequences of length. The types of atomic

values includexs:boolean, xs:string, xs:doubleandxs:integer.

XPath usespath expressionsto locate particular elements in XML documents. The

syntax of path expressions is defined by:

〈Expr〉 = 〈NodeExpr〉 | 〈AttributeExpr〉;

〈NodeExpr〉 = ‘$’ ( 〈ν〉 | ‘xmiXMI ’ ) ( ( ‘ /’ | ‘ //’ ) 〈Step〉 )∗;

〈Step〉 = 〈Axis〉 ( ‘ [’ 〈Predicate〉 ‘ ]’ )∗;

〈Axis〉 = 〈ℓ〉 | ‘∗’ | ‘parent()’ | ‘xmiRefs(’ 〈RefExp〉 ‘ )’;

〈AttributeExpr〉 = 〈NodeExpr〉 ‘ /’ ‘ @’ 〈αv〉;

〈RefExp〉 = 〈NodeExpr〉 ‘ /’ ‘ @’ 〈αr〉;

whereν ∈ P ∪ V represents a parameter or a variable,αr ∈ Ar a reference attribute,

αv ∈ Av a value attribute, andℓ ∈ L an xmi label. We use∗ to denote a special label

that is used to match all elements.

A path expressionExpr is either aNodeExpr which is used to select a sequence of

nodes, or anAttributeExpr that gets a set ofvalue attributes. The selection starts from

the variable representing the context node, which can either be a parameter/variableν,

or the global variablexmiXMI, and is followed by location steps (Step) separated by

a path operator ”/” or ” //”, where the ”/” selects only the direct children of the context

123

4. QVTR-XSLT

node, and the ”//” finds all its descendants at arbitrary depth. A step is used tonavigate

from one node to a sequence of related nodes along anAxis, and the resulting sequence

can be filtered by a set ofPredicates that are enclosed by the brackets ”[” and ”]”.

An axis gives the direction of navigation. Among the possible axes are thechild

axis, which is represented by an xmi label in setL, theparent axisas functionparent(),

and thereference axiswhere the functionxmiRefs() is used to get the related nodes.

The wildcard "∗" can be used to match any node. A predicate defines constraintsthat

the resulting items must satisfy. It is either a boolean expression selecting the items for

which the predicate istrue, or a numeric expression that selects the item at the position

given by the value of the expression, for example "[2]" selects the second item. To

get values of attributes, ”@” is prefixed to the names of the attributes.

4.2.3 XSLT

ApplyTemplateExp

+fileName : String

Stylesheet

+mode : String+priority : Integer

RuleTemplate

XPathExp

SelectionPattern

+name : String

WithParamExp

+name : String

FunctionExp+name : String

KeyExp

ParamExp

+name : String

ElementExp+name : String

VariableExp

+name : String

AttributeExp

+match+body

1..*

+match +select

0..*+declare

0..*

0..*0..*

+select

+referred 0..*

+select

0..*

0..*

+import

0..*

+root

+mode.

0..*

0..*

+select

+contain

0..*

0..*

1..*

Figure 4.6: XSLT metamodel

XPath acts as a sub-language within XSLT. Having the characteristic of both declar-

124


ative and imperative languages, theExtensible Stylesheet Language for Transforma-

tions (XSLT) [178], is a standard language recommended by the W3C for transform-

ing XML documents. It is powerful in defining rules, pattern matching and processing

structured data [96]. Fig. 4.6shows the XLST metamodel used in our approach, and an

example of an XSLT rule template that implements the QVT-R relationClassToTable

is depicted in Listing4.1.

An XSLT program is called astylesheetthat consists of a set ofrule templates,

keyand functiondefinitions. Thekey is an index mechanism for rapid searching of

a particular model element through its attributes. XSLT also supports user-defined

functions that can be invoked from templates and functions. Moreover, a stylesheet

canimportsother stylesheets to compose a complex XML transformation.

1 <!−− pattern matching−−>

2 <xsl:templatematch="//ownedElement[@xsi:type=’uml:Class’][@kind=’Persistent’]"

3 mode="ClassToTable">

4 <xsl:param name="_targetDom_Key"/>

5 <!−− variable binding−−>

6 <xsl:variable name="c" select="current()"/>

7 <xsl:variable name="cn" select="$c/@name"/>

8 <xsl:variable name="p" select="$c/parent()"/>

9 <xsl:variable name="prefix" select="$cn"/>

10 <xsl:variable name="s" as="item()∗">

11 <xsl:apply−templatesmode="_func_PackageToSchema" select="$p"/>

12 </xsl:variable>

13 <xsl:if test="$s and $s/@name=$_targetDom_Key">

14 <!−− create target model−−>

15 <xsl:elementname="table">

16 <xsl:attribute name="name" select="$cn"/>

17 <xsl:elementname="column">

18 <xsl:attribute name="name" select="concat($cn,’_tid’)"/>

19 <xsl:attribute name="type" select="’NUMBER’"/>

20 <xsl:attribute name="rkey" select="concat($cn,’_pk’)"/>

125

4. QVTR-XSLT

21 </xsl:element>

22 <xsl:elementname="key">

23 <xsl:attribute name="name" select="concat($cn,’_pk’)"/>

24 <xsl:attribute name="column" select="concat($cn,’_tid’)"/>

25 </xsl:element>

26 <!−− invoke rule templates−−>

27 <xsl:apply−templatesmode="AttributeToColumn" select="$c">

28 <xsl:with−param name="prefix" select="$prefix"/>

29 </xsl:apply−templates>

30 </xsl:element>

31 </xsl:if>

32 </xsl:template>

Listing 4.1: An example XSLT rule template

An XSLT rule template is endowed with amatchattribute which has aselection

patternas its value, along with amodeattribute that can be regarded as the template’s

name. A rule template may have parameters defined by the<xsl:param> instruc-

tions. Inside a rule template, a set of variables is declared and obtains values using

the<xsl:variable> instructions. A template contains also a collection of hierarchical

<xsl:element> and<xsl:attribute> instructions to construct new nodes and their at-

tributes. A template can invoke another template through the<xsl:apply-templates>

instruction, and pass arguments to it. Theselection patternis an XPathpath expression

that locates the nodes in a source model to which the template applies.

There are more constructs in XSLT. In particular, the<xsl:import> instruction is

used to import the contents of one stylesheet into another. Like inheritance in object-

oriented languages,<xsl:import> is designed to allow the creation of a library or a

set of reusable stylesheets [96]. Furthermore, thedocument() function reads in multi-

ple XML files, and the<xsl:result-document> instruction writes models into different

XML files.

Inside a stylesheet, each template matches one or more elements in the source

126


model, and defines the actions to take and how to produce the output when a match

is found. The result of processing all of the elements in the source model generates

the target model. Execution of an XSLT stylesheet is by recursive application of each

individual template to the whole source model or a selected part of the model. A

template is selected by its mode attribute and matching condition (selection pattern).

Once a template has been matched, the variables defined in the template are bound to

their values, and the<xsl:element> and<xsl:attribute> instructions are executed to

build a fragment of the target model using these variables. Finally, the successive rule

templates are invoked.

For example, the path expression in lines 2-3 of Listing4.1selects elements of type

class(as anownedElementwith anxmi:typeattribute of value "uml:Class" and akind

attribute of value "Persistent"). All matched elements will be processed by the template

one by one. Inside the template, variables "c", "cn", "p" and "prefix" are bound to

values using path expressions (lines 6-9). Especially, in lines 10-12, the variable "s"

gets its value through an<xsl:apply-templates> instruction, and the existence of the

value is checked in line 13. Then, a model element of typetableand its child elements

of typescolumnandrkeyare created, and the links between them are established (lines

15-25). Finally, in the context of thetableelement, the templateAttributeToColumnis

invoked to sequentially create fragments of the target model as the child of thetable

element.

4.2.4 Comparison of QVT Relations and XSLT

In the following, we informally compare the major concepts of QVT-R and XSLT.

Table4.1summarizes the correspondences between these two languages.

Basically, both QVT-R and XSLT are declarative languages that do not opera-

tionally describe how a transformation is executed. QVT-R bases onEMOF metamod-

els, and XSLT can useXML Schemasas a metamodel mechanism. In our approach,

127

4. QVTR-XSLT

Table 4.1: Comparison of QVT Relations and XSLT

QVT Relations XSLT

EMOF metamodel XML schemasource model input XML filetarget model result XML filemultiple source model document() functionmultiple target model <xsl:result-document>transformation stylesheettransformation extend <xsl:import>relation rule templatesource domain pattern selection patterntarget domain pattern construct instructionprimitive domain template parametersource domain source context elementtarget domain target context elementobjectTemplateExp in node expression in selection

source domain pattern pattern &<xsl:variable>propertyTemplateItem in attribute expression in selection

source domain pattern pattern &<xsl:variable>objectTemplateExp in <xsl:element>

target domain patternpropertyTemplateItem in <xsl:attribute>

target domain patternOCL expression XPath expressionpredicate in when clause path expressionpredicate in where clause <xsl:variable>function <xsl:function>key <xsl:key>not template not() function

a QVT-R transformationcorresponds to an XSLTstylesheet. Thesource modeland

target modelof the transformation correspond to the source XML file and the resulting

XML file of the XSLT stylesheet, respectively. Each relation of the QVT-R transforma-

tion maps to arule template. Theroot variableof the source or target domain pattern

correspond to the source or targetcontext elementsof XSLT.

An object template expressionin a source domain pattern can be mapped to anode

expressionof the selection pattern and an<xsl:variable> instruction. Aproperty tem-

plate itemin a source domain pattern maps to anattribute expressionof the selection

128

4.3. OCL to XPath

pattern and an<xsl:variable> instruction. For the target domain pattern, anobject

template expressioncorresponds to an<xsl:element> instruction, and aproperty tem-

plate itemto an<xsl:attribute> instruction.

Furthermore, anOCL expressionin QVT can be mapped into an XPath expression.

So a predicate in thewhenclause can be mapped as anattribute expressionin the

selection pattern, and a predicate in thewhereclause corresponds to an<xsl:variable>

instruction. Finally, for QVT-Rfunction, keyandnot template(negative application

conditions), we have<xsl:function>,<xsl:key> instructions and thenot() function in

XSLT, respectively.

4.3 OCL to XPath

QVT-R relies heavily on the use of essential OCL. In awhenclause, each OCL ex-

pression is a predicate that specify a precondition for entering the relation, and OCL

expressions in thewhereclause are used to assign values to variables. Furthermore,

property template items in the domain patterns can directly bind to OCL expressions.

OCL is a strongly typed language used to specify constraints or queries for mod-

els. Each OCL expression evaluates to a type either predefined by the language or

defined as an element of a UML model. An OCL expression can be constructed by

using OCLoperationsand/ornavigationsthat follow links from one object to locate

other object(s) in the model. On the other hand XPath is designed for the purpose of

providing flexible and powerful query facilities to extract data from XML documents.

In XPath everything is an expression that evaluates to a value [95]. XPath has a range

of operators and functions for selecting nodes in a tree, or operating on sequences and

atomic values. What OCL can do for UML models, the XPath can do the same for

XML documents. Accordingly, a large subset of OCL can be mapped to XPath.

The mapping is defined as a functionOCLtoXPath(), which inputs an OCL ex-

pression and outputs an XPath expression. By applying regular expressions, the tex-

129

4. QVTR-XSLT

tual representation of the input OCL expression is parsed and analyzed using XSLT

xsl:analyze-string instruction. The expression is first segmented into OCL constructs

according to the delimiters, such as ".","->", "(" or ")". Then the constructs and their

relations are analyzed and mapped into semantic equivalent XPath expressions.

The abstract syntax of OCL is defined by the OCL metamodel in the UML 2.0 OCL

Specification [131] as two packages: theTypespackage defines the OCL type system,

and theExpressionspackage describes structure constructs of OCL expressions. In

addition, the specification defines a standard library that includes a set of predefined

operations. As we only support a subset of OCL, in AppendixA, we define the textual

syntax for the subset of OCL expressions and operations using EBNF.

The whole mapping process is divided into several steps that will be discussed in

detail next:

• map OCL types into XPath types;

• map OCL expressions, such asNavigationCallExps, IfExp and AttributeCall-

Exps, into XPathpath expressions;

• map OCL operations for primitive types and collect types, such asselect, includ-

ing, forAll, etc.;

• map OCL type operations, such asoclIsTypeOf, allInstances, oclIsUndefined,

etc.

4.3.1 Mapping OCL types

The OCL type system consists of predefined types as well as the types defined by the

UML model on which an OCL expression is built. All classifiers from the UML model

are types for the OCL expressions attached to the model. The predefined types can be

divided into basic types and collection types. The basic types includeBoolean, Integer,

RealandString. OCL uses collection types to specify collections of values. There are

130

4.3. OCL to XPath

four collection types:Set, OrderedSet, BagandSequence. These collection types have

the usual semantics.

In case of XPath, there is only one basic type: sequence, a ordered collection that

may contain duplicate elements. That means every value in XPath is actually a se-

quence. Atomic values are provided in XPath as sequences of length one. The types

of atomic values includexs:boolean, xs:string, xs:doubleandxs:integer. In addition,

XPath provides adistinct-values() function that removes duplicate values from the in-

put sequence. Table4.2shows the mapping from OCL types to XPath types.

Table 4.2: Mappings from OCL types to XPath types

OCL types XPath types

Boolean xs:booleanInteger xs:integerReal xs:doubleString xs:stringSet distinct-values(sequence)OrderedSet distinct-values(sequence)Bag sequenceSequence sequence

4.3.2 Mapping OCL expressions

An OCL expression is always evaluated in a given environment and based on an in-

stance of a model element as its context. The contextual instance can be explicitly

referred to by theself keyword. For example, a class invariant always takes the class

as the contextual element, and an object of the class will be the context. The envi-

ronment of an OCL expression defines what model elements are visible and can be

referred to in the expression. Typically, the metamodel of the current model serves as

the environment.

In our case, the OCL expressions work within QVT-R relations for specifying con-

ditions of the relations or calculate values for variables. To simplify the implementa-

tion, we restrict the environment for OCL expressions to the relation’s source domain

131

4. QVTR-XSLT

pattern. That means an OCL expression can only navigate along the links specified

in the domain pattern. Because it is impossible to decide which element in a relation

should be selected as the context, we don’t support theself keyword. In our approach,

an OCL expression generally starts from avariabledefined in the source domain pat-

tern or thewhereclause, and thisvariableis used as the context element. The variable

can be of a collection type that contains same kind of model elements. In this case, all

elements in the collection are evaluated individually and always return a union of the

results as a collection.

In OCL Expressionspackage, all possible kinds of expressions, such asNaviga-

tionCallExp, AttributeCallExp, IfExp andLoopExp, are specializations of the abstract

classOclExpression. We have to understand every construct ofOclExpressionin order

to intuitively map them into constructs of XPath. Due to space limit, we only discuss

some important constructs for each kind here. The goal is to demonstrate that the map-

ping of a complete OCL expression can be carried out in an inductive way from its

constructs.

NavigationCallExp: A NavigationCallExpis used to determine linked target objects

from a source object through an association between the classes of source and target

objects. For example, if there is an associationasso from classA to classB through

association endassoab , then from an objecta:A, the navigation call expressiona.assoab ,

a.asso or a.B gets a same objectb:B, or a same collection of objects of typeB if the

multiplicity of the association end is more than one.

A NavigationCallExpis mapped to an XPathpath expressionwith an axis ofchild

or parentto select a sequence of nodes. Letxa be an XML element corresponding to

typeA. Consider the kind of associationasso between classA andB in the metamodel,

there are three cases:

• If asso is a composition association, that means classA composes of classB,

the navigation call expression is directly mapped topath expressionxa+”/”+ ℓb,

132

4.3. OCL to XPath

whereℓb = xmiLabel(B) is the xmi label ofB;

• If B is the parent ofA, the expression is mapped toxa+”/”+” parent()”;

• If asso is a normal association, there must be a reference attribute with name

assoab in the XML element of typeA. In this case, we have to access objectb us-

ing thexmiRefs() function, and map the expression toxmiRefs(xa+”/@”+assoab ).

However, for the path expression starting from awherevariable, we only support the

case of composition association.

AttributeCallExp: An AttributeCallExpis a reference to an attribute of a class and

evaluates to the value of the attribute. For instance, if classC has an attributeatt , then

an attribute call expressiono.att gets the value ofatt from objecto:C.

We map the attribute call expressions intopath expressionswith axis ofattribute.

If xo is an XML element of typeC, theno.att becomesxo+”/@”+att in XPath.

I fExp: OCL has a direct representation for the conditional expressions like all other

programming languages. Meanwhile XPath has also the same kind of expressions.

Thus an OCLIfExp is directly mapped to an XPathif expression. For example, the

OCL expression "if con then exp1 elseexp2 endif " becomes the XPath expression "if

(xcon) then xexp1 else xexp2 ", wherexcon =OCLtoXPath(con), xexp1 =OCLtoXPath(exp1 ),

and xexp2 =OCLtoXPath(exp2 ).

LetExp: A LetExpis used to define new local variables with initial values, and the

variables cannot change their values. Frankly speaking, theLetExpvery often leads to

a long expression which is hard to read and debug. In QVT OCL, variables are defined

with each variable definition separated by a semicolon ’;’, and the scope of a variable

is the rest of thewhereclause from where the variable is declared. For example, we

use expression "var1 = exp1; var2 = exp2;" instead of "let var1 : Type1 = exp1 in let

var2 : Type2 = exp2 in ... ". A variables definition "var=exp;" becomes an XSLT

variable instruction:

133

4. QVTR-XSLT

<xsl:variable name="var" select="xexp"/>

where xexp =OCLtoXPath(exp). Still, a variable cannot change its value once it is

bound.

LoopExp: A LoopExpis an iteration construct over a source collection and results in

a value that depends on the specific kind and name of the loop expression. ALoopExp

can be either anIterateExpor anIteratorExp. An IteratorExpis an expression which

evaluates its body expression for each element of a collection using a set of predefined

collection operations which we are going to discuss later.

TupleExp: A TupleExpreturns a data structure of multiple values. For example,

let v1, v2 be the values of variablevar1, var2, respectively, we map the tuple expres-

sion var = Tuple{var1, var2} into a set of<xsl:element> instructions that create the

following XML node and assign it to variablevar.

<tupleExp>

<var1> v1 </var1>

<var2> v2 </var2>

</tupleExp>

After that, the expressionvar.var1 can be used to get the valuev1.

4.3.3 Mapping OCL operations

Operations for primitive types: Like most programming languages, OCL has a set

of operations for primitive types, such as arithmetic operators+, −, ∗, /, logical op-

erationsnot , and , or and comparison operations<, <=, =, >, >=, etc. On the other

hand, XPath also has this set of operations for primitive types with almost the same

syntax and semantics. So we can directly map these OCL operations into correspond-

ing XPath operations.

134

4.3. OCL to XPath

Operations for collection types: OCL has defined a set of collection operations

which are declared and informally explained in the chapter about the OCL standard li-

brary in [131]. These operations can be divided into two categories: regular operations

and loop operations. The regular operations provide common functionality over given

collections. For example, thesizeoperation computes the cardinality of a collection,

and we map it into the XPathcount function.

A loop operation iterates over each element of a given collection to perform a spe-

cific action. For instance, the OCLselectoperation: ”col -> select(bexp)”, wherecol is

an OCL expression which evaluated to a collection, andbexp is a boolean expression.

When theselectoperation is evaluated, every element of the collection is checked

against thebexp. The operation returns a subset of the original collection for which

bexp is true.

We map theselectoperation into an XPathnode expression: xcol [xbexp], wherexcol

is a sequence of nodes, andxbexp is a node test predicate which provides the ability

to filter the nodes, herexcol =OCLtoXPath(col) and xbexp =OCLtoXPath(bexp). In

a similar way, we have mapped the other collection operations. An excerpt of the

mappings from OCL collection operations to XPath expressions is shown in Table4.3.

Table 4.3: An excerpt of mappings for collect operations

OCL expression XPath expression

col->size() count(xcol)col->isEmpty() empty(xcol )col->first() xcol[1]col->asSet() distinct-values(xcol )col->including(col2 ) insert-before(xcol , 1 , xcol2 )col->includes(obj ) index-of(xcol , xobj )> 1

col->exists(bexp) exists(xcol [xbexp])col->forAll(v|bexp) every $v in xcol satisfies xbexp

col->iterate(v|exp) for $v in xcol return xexp

col->one(bexp) exactly-one(xcol [xbexp])

135

4. QVTR-XSLT

Type operations: In addition, OCL has defined a set of operations for type check

and type cast. Currently, we support the following type operations:

• oclIsTypeOf: This operation indicates if an element belongs to a specific type.

We implement it by checking thexmi:typeattribute of the element. For example,

in EMF XMI model, the expression ”obj->oclIsTypeOf(Cls )” becomes XPath

expression ”substring-after(xobj /@xmi:type,’uml:’)=’Cls”’.

• allInstances: This operation yields all existing objects of the specified class in

a model. It is implemented as an absolute path expression which checks the

xmi:typeattribute of each model element. For example, expressionCls.allInstances()

is mapped into XPath expression ”//∗[@name=’Cls’ and @xmi:type=’uml:Class’]”.

• oclIsUndefined: This operation checks whether an element is defined or not. We

implement the operation by checking the existence of the element. For example,

the expressionobj.oclIsUndefined()is mapped to XPath expressionnot(exists(xobj )).

Note that theoclIsTypeOfandallInstancesoperations support only the EMF models.

4.4 QVT Relations to XSLT

As we have seen in Section4.2.4, there are apparent similarities and analogies between

QVT-R and XSLT. Therefore, it is possible to define a mapping from QVT-R to XSLT.

Given a QVT-R transformation in the graphical notation, we can translate it into XSLT

by creating an corresponding XSLT stylesheet, defining the keys and functions for it,

and implementing each QVT-R relation as an XSLT rule template by the following

major steps:

• map the source domain pattern and thewhenclause into theselection pattern;

• create variable declarations from thesource domain patternand thewhereclause;

136

4.4. QVT Relations to XSLT

• generate element and attribute instructions from thetarget domain pattern;

• translaterelation call expressionsin the whenandwhereclause into template

invocation instructions.

Naturally, once a QVT transformation has been translated to an XSLT stylesheet, it

can be run repeatedly on different input models (conforming to the same source meta-

model). In the following, we shall focus on implementing a QVT-R relation through

an XSLT rule template, as it is the central phase of our approach, and the other steps

of our transformation approach are rather simple and straightforward.

4.4.1 Mapping source domain to selection pattern

We map the following three kinds of QVT expressions into theselection patternof an

XSLT rule template.

• Object template expressions;

• Property template items that bind a property to a literal expression

• Predicates in thewhen-clause, that impose restrictions on the object templates

and property templates.

Let Vd andVw denote all variables declared in the source domain and thewhereclause,

respectively. Using an algorithm similar to thedepth-first search, the mapping starts

from the root objectTemp, the pattern element under the tag«domain», which may

bind to aroot variablevarrt . Let expr be the path expression of the selection pattern

we are going to build. There are two situations:

• If the relation is top-level, that means the root variable is still a free variable,

and the pattern matching will search over all the source model. So we choose

the rootobjectTempas thecurrent context elemento : C , the objecto of type

137

4. QVTR-XSLT

C , and start from it to build anabstract path expressionexpr="//"+ℓc, where

ℓc = xmiLabel(C ) is the xmi label of typeC .

• If the relation is non-top-level, then the root variable is already bound to a model

element by the invoker of the relation, and the pattern matching will search under

the context of the root variable. So we select the element directly linked to the

root variable as thecurrent context elemento : C to start building arelativepath

expressionexpr=ℓc.

For example, as relationClassToTableshown in Fig.4.4 is a top-level relation,

by combining ”// ” with the xmi label for the root pattern element "c:Class", the select

pattern of its XSLT rule template starts with ”//ownedElement[@xsi:type=’uml:Class’]”

(line 2 of Listing4.1).

Now we consider thepropertyTempsof the objectTempo : C and the predicates

defined in thewhenclause. Letρ be apropertyTempreferred to a property of the class

C , there are two cases:

• if ρ is bound to a variablevarρ, and if there is a predicate in thewhenclause

that is related to the variable, we translate the OCL expression of the predicate

into an XPath boolean expressionxexp using the functionOCLtoXPath(). Then

we haveexpr = expr + ”[” + xexp + ”]". Otherwise if there is no such a predicate,

the expr will remain unchanged. Consequently an XSLT variable is defined as

<xsl:variable name=varρ select=expr+”/@”+ρ/>.

• if ρ is bound to an OCL expressionoexp, we getxexp= OCLtoXPath(oexp). Thus,

we haveexpr = expr + "[" + xexp + ”]”. In particular,oexp could be a regular

expression in our approach.

For example, in Fig.4.4, the element "c:Class" has a property template item "kind=

’Persistent’" that binds attributekind to literal expression’Persistent’, so an attribute

expression ”[@kind=’Persistent’]” is added to the select pattern (line 2 of Listing4.1).

138


As the next step, from the current elemento:C, the mapping moves to a pattern ele-

ment, for example,b:B, which directly links to the elemento. Consider the association

between classesC andB in the metamodel, three cases arise:

• If the association is composition, that’s to sayB is a child ofC, we get the xmi

label ofB by ℓb = xmiLabel(B), then we add to the path expression achild step:

expr = expr + "/" + ℓb.

• On the other hands, ifB is the parent ofC, we add to the path expression aparent

step:expr = expr + ” /” + ”parent()”.

• If the relationship is a normal association with nameasso, there must be a ref-

erence attributeαr in the XML element corresponding too, and the referred el-

ements can be gotten by functionxmiRefs(), then the path expression becomes:

expr = xmiRefs(expr + "/@" + αr).

Now, we takeb as the current element, sequentially handle its property template

items, related predicates in thewhenclause, and linked object templates in the same

way. This process continues until all object template expressions in the source domain

pattern are mapped.

4.4.2 Creating variable declarations

Variables may be declared in the source domain pattern and thewhere-clause. To in-

stantiate the variables in the source domain pattern, we adopt an algorithm similar to

the above one. We also start from the«domain» element, follow the links down to build

a path expression, and instantiate every variable (as the name of an object template

or the name binding to a property template item) we meet. For example, the object

template "c:Class" in Fig. 4.4 becomes<xsl:variable name="c" select="current()"/>

shown in line 6 of Listing 4.1, herecurrent() is an XSLT function to get thecur-

rent context element), and its property template item "name = cn" is translated to

139

4. QVTR-XSLT

<xsl:variable name="cn" select="$c/@name"/>, as shown in line 7.

For each predicate in awhere-clause that takes the formvar = oexp, wherevar

is a variable name andoexp is an OCL expression, we map the OCL expression into

an XPath expressionxexp=OCLtoXPath(oexp). Then this variable is defined through

the XSLT variable instruction<xsl:variable name="var" select="xexp"/>. For exam-

ple, the predicateprefix=cn in the whereclause of Fig.4.4 becomes<xsl:variable

name="prefix " select="$cn"/> as shown in line 9 of Listing4.1,

4.4.3 Generating construction instructions

As mentioned previously, a target domain pattern acts as a template to create corre-

sponding objects and links in the target model. If the relation is theroot relation, the

first executed relation, the creation process starts building a new target model using the

root variable as its root element. Otherwise, the creation process starts from the pattern

element directly linked to the root variable, and a new fragment of the target model is

created as the child of the root variable. In this process, an object template expression

o:C turns into an XSLTElementExp<xsl:element name="C "/>; a property template

item of the form"p=oexp", where"oexp" is an OCL expression, becomes anattribute-

Exp<xsl:attribute name="p" select="xexp"/>, wherexexp = OCLtoXPath(oexp). Other

linked object template expressions, depending on the associations in the metamodel,

become containedelements(for composition relationships) or key referencedattributes

(for normal associations).

For instance, in Fig.4.4, the "k:Key" element in the target domain is created as a

children of element"t:Table", while its nameproperty and the linkcolumnturn into

two attributeExps:

<xsl:elementname="Key">

<xsl:attribute name="name" select="concat($cn,’_pk’)"/>

<xsl:attribute name="column" select="concat($cn,’_tid’)"/>

</xsl:element>

140


4.4.4 Translating relation calls

In our approach, only two non-primitive domains are allowed, one source- and one tar-

get domain. For a relation call expressionRcall(svar,tvar,pvar1,...,pvarn), whereRcall

is the relation name, and thesvar, tvar,pvar1 to pvarn represent the source, target and

primitive domains of the relationRcall, we translate it into an XSLTApplyTemplateExp

instruction:

<xsl:apply−templatesselect="$svar" mode="Rcall">

<xsl:with−param name="pvar1" select="$pvar1"/>

...

<xsl:with−param name="pvarn" select="$pvarn"/>

</<xsl:apply−templates>

wheresvar is a variable already defined in the rule template where it is bound to an

object template expression, andpvar1 to pvarn are variables or literal expressions. This

apply-templatesinstruction will become a child of the current target domain pattern

elementtvar. This location serves as the target domain of the relationRcall, from here

the relationRcallwill subsequently create the substructures of the target model.

As an example, the relation call "AttributeToColumn(c,t,prefix)" in the whereclause

of Fig. 4.4 translates to an XSLTApplyTemplateExpin the context of"t:Table":

<xsl:elementname="Table">

...

<xsl:apply−templatesselect="$c" mode="AttributeToColumn">

<xsl:with−param name="prefix" select="$prefix"/>

</xsl:apply−templates>

...

</xsl:element>

whereselect="$c" means to select the variable "c" as the argument"c", and the current

target context"t:Table" as the argument"t" . At the same time, the variable"prefix" is

passed as the third argument.

141

4. QVTR-XSLT

4.5 Support Semantics of QVT Relations

In the previous section, we have discussed the approach to translate a QVT-R transfor-

mation into an XSLT stylesheet. However, it is not sufficient to only map constructs of

one language onto constructs of another language. The more challenging and crucial

problem is to preserve the execution semantics in the mapping. This is the focus of our

work when translating QVT-R into XSLT.

The semantics of QVT-R is defined in section 7 of the QVT specification [134].

Annex B of the specification gives a more formal definition of the semantics. In the

follows, we describe how a subset of the execution semantics of QVT-R can be sup-

ported in the approach. Particularly, we consider the support for:

• Mechanisms for reuse and extension of generic transformation definitions;

• Transformation traceability;

• Multiple source and target metamodels and models;

• In-place updates where the source and target models are the same.

The discussion tends to be informal, since a formal proof of the implementation is out

the scope of our work.

4.5.1 Transformation direction and check-before-enforce seman-

tics

QVT-R allows to specify multi-directional transformations. In the enforcement mode,

transformations can be executed in any direction by selecting one of the candidate

models as the target, and the target model may be empty or already contain model

elements at beginning of a transformation. Meanwhile, the check-before-enforce se-

mantics of QVT-R ensures that before creating a new element, it is checked whether

142

4.5. Supporting Semantics of QVT Relations

an existing one satisfying the constraints of the relation can be reused. In this way,

QVT-R supports both creating new, and modifying existing target model elements.

On the other hand, XSLT always generates new target models from the source

models. Bidirectional or check-before-enforce are not directly supported in XSLT,

even though it is possible to generate an XSLT stylesheet that performs a QVT trans-

formation in the opposite direction. Starting with empty target models, an XSLT im-

plementation always executes unidirectionally. So we must decide the source model

and the target model during the design of a transformation, instead of selecting one as

the target model at the execution time of the transformation.

4.5.2 Relation domains

In QVT Relations, a transformation is specified as a set of relations between candidate

models; each of them conforms to a metamodel. A relation is defined by two or more

domains. A domain is a distinguished typed variable which defines a domain pattern.

In the enforcement mode, a relation may contain multiple source domains, a target

domain, and some primitive domains.

By default, an XSLT stylesheet takes one XML file as input, and produces another

as the output. But XSLT also has mechanisms for supporting multiple input and output

models. Thedocument() function can be used to read a set of external XML docu-

ments, and the<xsl:result-document> instruction allows to serialize the target models

to different XML files. So it is possible to support more than two candidate models in

XSLT.

In our approach, a transformation can define more than two candidate models,

but for a relation only one source domain and one target domain are allowed, i.e., one

relation may have different source- and target domains with another relation. However,

as the template parameter, a primitive domain in our approach can be of a complex

type. It can represents a part of a model, or a whole model. Supplementing with the

143

4. QVTR-XSLT

primitive domains, more than two candidate models are able to participate in a relation.

In addition, a primitive domain can be used as an argument for a relation call, and then

becomes the source domain of the called relation. In this way, multiple source models

can be supported.

4.5.3 Rule scheduling

The most complex part of the QVT-R execution semantics is how the set of relations

is arranged in the execution of a transformation. Relations are mutually dependent

through the relation calls in thewhenandwhereclauses. The dependencies form a

dependency tree, in which two kinds of dependencies -whenandwhere, exist among

relations. The tree is rooted with a specific top-level relation, theroot relation, which

does not have any relation call in itswhenclause. A transformation starts from theroot

relation. Yet, whether a relation can be executed does not only depend on conditions

defined in its domain patterns and itswhenclause, but is also determined by its de-

pendent relations. A relation allows to define multiple relation calls in bothwhenand

whereclauses.

For example, as shown in Fig.4.4, in the whenclause of relationClassToTable,

there is awhenrelation callPackageToSchema(p,s). WhenClassToTableis invoked,

the variables "p" and "s" must already be bound to values by the relationPackage-

ToSchema, which is supposed to have already been evaluated. On the other hand,

relationClassToTablehas awhererelation callAttributeToColumn(c,t,prefix). Before

invoking that relation, the values for variables "c", "t" and "prefix" must have been

ready and then pass to the invoked relation.

As we have discussed in Section4.4.4, a where relation call can be fully imple-

mented as an XSLT template invocation instruction. It is relatively difficult to support

thewhenrelation call. One way to accomplish it is to put all top-level relations in a

waiting list, and keep checking the trace model to find the required variable bindings

144


for relations in the list, while executing the transformation. If all bindings for a relation

are found, the relation is then invoked. Obviously, an interpreter is needed to realize

this mechanism. In contrast, our approach implements QVT-R by mapping to XSLT.

However, in case of existing one target domain only, a relation is equal to a func-

tion that, given valid elements of the source domains and primitive domains as input,

produces an output of the type of the target domain, where the inputs and the output

satisfy the constraints of the relation. Thus awhenrelation call is similar to a so-called

backward where relation call[71]. Therefore we realize awhen relation call by the

following steps:

• implement a corresponding "backward"whererelation call in the called relation.

For example, if relationA calls relationB in its whenclause, then in the imple-

mentation, a relation call toA will appear in thewhereclause of relationB. If

there are severalwhenrelation calls in the relation, only the one that concerns

the context element of the target domain becomes thewhererelation call;

• generate an additional function from the definition of the called relation;

• invoke the function in the calling relation, and check its result.

For example, as shown in Fig.4.4, the relation callPackageToSchema(p,s)in the

whenclause is first implemented as a relation callClassToTable(c,t)in thewhereclause

of relationPackageToSchema. In addition, a function_func_PackageToSchemais gener-

ated from the definition of relationPackageToSchema. In the body of templateClassToTable,

the function is called and calculates a "s" from the input element "p" (lines 10-12 of

Listing 4.1), then we check: a) does the "s" exist; b) is "s" the correct context (parent)

element of target domain "t" (line 13, the key of the context element is passed as the

parameter "_targetDom_Key", and here key is thenameattribute). If the checks fail,

the execution of the relation aborts.

145

4. QVTR-XSLT

Moreover, in order to ensure the correctness of the transformation execution, we

can analyze the trace model (see Section4.5.6) for:

• all top-level relations are executed;

• all elements that have been referred in other relations are correctly created; and

• no duplicate created element.

Using the above procedures, our approach successfully simulates the rule schedul-

ing strategies of QVT-R.

4.5.4 Pattern matching

QVT-R uses pattern matching to find required elements in the source models and bind

them to the variables declared in the relation. The internal rule scheduling of Relations

is based on the pattern matching. Using theobject template expression, collection

template expressionandproperty template item, QVT-R supports definition of complex

patterns, which can involve sets of objects, non-existence of objects and ordered links.

In addition, a pattern might need to navigate and gather information from different

places of a model.

In order to handle such complex object patterns, pattern matching becomes a core

technique to implement QVT-R transformations. XPath provides a powerful and con-

venient way to implement pattern matching for QVT-R. Complex searching conditions

can be adequately expressed with XPath. The pattern matching semantics of QVT-R

can be fully supported by the path expression of XPath. In our approach, a domain

pattern of QVT-R is mapped to an XPath path expression, which is used as thematch

attribute of a rule template, and performs the searches in the source models.

146


4.5.5 Object creation using patterns

In the enforcement semantics of QVT-R, the target domain pattern acts as a template

for modifying the target model. If there does not exist a valid match for an object

template expression, a corresponding object is instanced in the target model, then the

property template items are used to assign values to the attributes of the object, and

the links to other objects are established. However, in case a required object already

exists, thekey, which is normally an identifying attribute of an object, is used to prevent

creation of a duplicate object.

In our approach, we implement an object template expression as an XSLTelement

instruction<xsl:element/>, and a property template item as an attribute instruction

<xsl:attribute/>. The complex hierarchy structure defined by the target domainpattern

can be supported by nested use of theelementinstructions.

For XSLT, the in-memory model has the same tree structure as the XML file of

the model. When a transformation starts running, the root of the tree of the target

model is first created by the root relation, and each of the other relations builds a

new fragment of the tree under the context element represented by the root object

template of the target domain of the relation. That is to say in our approach only the

elements which are direct descendants of the target root object template are going to be

created by the relation. The element of the target root object template itself may also

be created if the relation is top-level. All other non-descendant elements, which can

be thought as generated by other relations already, are only used for creating referred

links to them. A link is realized as areference attributewhose value is thekeysof the

referenced elements. Again, to ensure correctness of the transformation, the existence

of all referenced elements must be checked.

147

4. QVTR-XSLT

PrimitiveDomain

name : Stringsource : Stringtarget : String

Transformation

name : String href : String refName : String model : String op : String

TraceInstance

name : String

Relation

{ordered}

Object

0..*

0..*

Figure 4.7: Trace class model

4.5.6 Transformation traceability

Traceability has been identified as a basic requirement for model transformations. It is

important to keep a record of correspondences between source and target elements in

the execution of a transformation. The trace information can be used for incremental

updating, change propagating, or for debugging of the transformation.

QVT achieves traceability by producing a trace model during the execution of the

transformation rules. The trace model consists of trace-elements that refer to corre-

sponding model elements created by or contributed to the rules. For QVT Relations,

the requirement for outputting trace information is only "implicit". But as the executive

semantics of a transformation is given by the trace model, which establishes the rela-

tionships between elements of candidate models, we decide to support the generating

of trace models in the QVTR-XSLT tool.

Fig. 4.7 depicts the trace class model that we used to produce the trace(instance)

models. ATransformationin the class model represents an execution of a transforma-

tion as it records the name of the transformation, and names of the source and target

models. Thetransformationclass consists of an ordered set ofRelations, each of

them records an execution of a QVT-R relation whose name is specified in thename

attribute. ATraceInstancecould be anObjector aPrimitiveDomain. The former in-

dicates an object that takes part in the execution of the relation. Identified by thehref

148


property, an object belongs to a typed model indicated by themodelproperty, and may

have a name as the value of the propertyrefName. Moreover, thenameproperty keeps

the name of the corresponding object template in the relation, and theop property in-

dicates whether the object is created, or just referenced (contributed) in this execution

of the relation. For a primitive domain, its name is kept in thenameproperty, and its

value (or identifier) is stored in thehref property.

Output of the trace model is implemented by the XSLT<xsl:message> instruc-

tion that sends a constructed message to an implementation-defined destination, which

is normally different from the destination of the target model. During execution of the

stylesheet, the trace information is output to a message window, or can be captured

and saved as an independent trace file. An example of the trace model can be found at

List 4.3.

4.5.7 Transformation composition

The design and development of a complex software system using MDD means the use

of complex model transformations. However, to build a single transformation to deal

with such a complex transformation is difficult and almost impossible to maintain and

evolve. Following the principles of divide-and-conquer and separation of concerns,

a single transformation should be designed at a suitable granularity and focused only

on a specific aspect. This kind of smaller transformation is much easy to develop and

maintain. Thus a complicated model transformation can be realized by composing sev-

eral smaller transformations. Moreover, these smaller transformations can be reused

in different transformations, greatly improving the efficiency and reducing the skill

required for developing new transformations.

There are two mechanisms for the composition of model transformations [163]. An

external composition chains a set of separate model transformations, and each trans-

formation takes the output of the previous one as the input. An internal composition

149

4. QVTR-XSLT

composes two model transformation definitions into one new model transformation,

with a typically complex merge of the transformation rules [163]. Since the external

composition supports the composing of transformations written in different languages,

and usually operates in a framework that can execute different model transformation

languages, discussion of external composition is out of the scope of this thesis.

QVT-R supports the internal composition mechanism by transformation inheri-

tance and relation overriding. A transformation may extend from another transforma-

tion using theextendskeyword. The overridden relation should be indicated with the

overrideskeyword in the declaration of the overriding relation. Only single inheritance

is allowed.

This kind of inheritance mechanisms can be well supported in our approach. For

example, if transformationB extends from transformationA, then the following se-

mantics is supported:

• All relations, queriesandfunctionsdefined inA are accessible fromB;

• A relation defined inB overrides a relation with the same name defined inA.

Consequently all invocations to the relation will invoke the one defined inB;

• The same override mechanism applies toqueriesandfunctions;

• B is responsible for providing transformation arguments toA.

Obviously overriding a relation is only possible with one that has the same signature,

and the original relations will be completely replaced in the composed transformation.

We implement the transformation inheritance using<xsl:import> instruction of

XSLT, which is used to import the contents of one stylesheet into another. The dec-

larations in the imported stylesheet generated fromA are logically inserted into the

importing stylesheetB at the point where the<xsl:import> instruction appears. Since

imported declarations have lower precedence than the declarations that appear directly

in the importing stylesheet, rule templates defined in the importing stylesheetB can

150


override the templates of imported stylesheetA. Thus, all therelations, queriesand

functionsdefined inA can be used and overridden inB. While executing the XSLT

stylesheet ofB, the XSLT stylesheet ofA will be automatically imported.

4.5.8 In-place transformation

In application scenarios such as model refinement and refactoring, in-place (endoge-

nous) transformations become very popular. For an in-place transformation, the source

and target models are the same one during the execution, and the model elements can

be added, deleted and updated. Usually, only a small part of the original model is af-

fected by an in-place transformation, and most parts of the model remain unchanged.

If we address this kind of transformations as general source to target model transfor-

mations, we have to define copy rules to duplicate the preserved model elements from

the source models to the target. Since a non-trivial model could be very complex and

includes many sub-models, the number of copy rules could be huge.

QVT-R supports in-place transformations implicitly through its check-before-enforce

semantics. That is, if a relation does not hold, only the model elements affected by the

relation are modified to satisfy the relation, while the others remain untouched. In

order to support in-place transformations, we have developed a solution through the

following two steps:

1. define a relation as in a normal source-to-target transformation (both the source

and target models share the same metamodel);

2. explicitly specify the changes to the target domain pattern elements of the rela-

tion, such asinsert, remove, replace, etc.

Step 2 is particular to our approach. Instead of implicitly and automatically modifying

the model elements (of QVT-R), our approach requires that the designer explicitly

knows which elements of the target domain pattern are going to be modified, and

manually specifies the change operations on these elements.

151

4. QVTR-XSLT

<<Relation>>

PullUpAttribute

{when=clsnm=className; atnm=attributeName;}

oa : PrimitiveAttribute

{targetId = "atid" ,

xmiDiffOp = remove }

name = "atnm"

visibility = "atvs"

xmi:id = "atid"

na : PrimitiveAttribute

{targetId = "scid" ,

xmiDiffOp = insertTo }

name = "atnm"

visibility = "atvs"

xmi:id = "atid"

a : PrimitiveAttribute

<<Domain>>

: ClassModel

: Generalizationname = "clsnm"

c : Class

xmi:id = "scid"

sc : Class

<<Domain>>

: ClassModel

href = "ptp"

: Typehref = "ptp"

: Type

tsc : Class

tc : Class

general

Figure 4.8: In-place transformation example - relation PullUpAttribute.

Fig. 4.8 shows an example relation of an in-place transformation. It moves an

attribute from a class to its superclass. The name of the attribute is given by transfor-

mation parameterattributeName, and another parameterclassNamespecifies the name

of the class owning the attribute (see Fig.4.10). As described in the source domain

pattern of the relation, a classc and its primitive attributea, along with its superclass

scare located to satisfy thewhenclause. In the target domain pattern, an attributena

which duplicates all properties of attributea is insertedinto the superclasssc. This

changeof inserting is indicated as{targetid="scid", xmiDiffOp=insertTo}, wherescid is

the identifier of thescclass. Meanwhile the original attributea is deleted by theremove

operation tagged on attributeoa in the target domain pattern.

When an in-place transformation is executed, the objects marked with the change

operations will be collected into adifference modelthat records the modifications.

Then the source model is modified according to the records of thedifference model

to build a result model which then replaces the original source model. This process

is user transparent and runs automatically. In this way, the developers can focus on

developing relations concerned only with parts of a model that will be modified; there

152

4.6. Extensions to QVT Relations

is no need to deal with the other parts.

4.6 Extensions to QVT Relations

In order to improve the usability of QVT-R, we extend the language with the following

constructs : 1) transformation parameter; 2) relation alias name; 3) relation priority,

and 4) conditional relation call. Fig.4.9 shows the abstract syntax of the first three

extensions.

Transformation

Parameter +priority : Integer+alias : String

Relation

Type

parameter0..*

rule 0..*

type

1

Figure 4.9: Abstract syntax of QVT-R extensions

4.6.1 Transformation parameter

Unlike most of the graph transformation approaches, in which the execution sequence

of rules is specified with some additional control mechanisms, such as activity dia-

grams, the rule invocation order of QVT-R is implicitly defined by the relation call

expressions in thewhenandwhereclauses of the relations. In principle, the execution

unit of QVT-R is a transformation. We cannot manually select a single relation and

apply it to a specific part of the source model. To achieve a more accurate control of

the execution, external data may be needed. For example, if there is a transformation

that renames a class in a model, we need to indicate which class needs to be renamed

and pass the new name of the class to the transformation. The QVTRFP [130] also

puts forward the requirements (O5 of the optional specific requirements):

153

4. QVTR-XSLT

Submissions may support the consideration of external data that resides neither in

the source nor in the target model.

However, using transformation parameters to provide the external data is a reason-

able solution. According to the current QVT specification, a transformation only has

modelParameterswhich specify the typed models that serve as the source and target

models of the transformation. Therefore, we introduce the concept ofParameterto the

transformations. As shown in Fig.4.9, a transformation may have multiple parameters

of arbitrary types, that provide external data for a transformation.

In the light of using primitive domains as additional parameters for relations, we

consider also using primitive domains as the parameters for a transformation. Since no

primitive domain is allowed in the root relation (the first executed top level relation.

It has nowhenclause), we take the primitive domains defined in the root relation as

the transformation parameters. An example of the root relation is shown in Fig.4.10,

which defines two transformation parameters,attributeNameandclassName, of type

String. These two parameters will then be used in the relationPullUpAttribute, as

depicted in Fig.4.8.

<<Relation>>

ModeltoModel

{where=PullUpAttribute(scm,tcm);}

{isTopLevel}

<<PrimitiveDomain>>

className : String

<<PrimitiveDomain>>

attributeName : String

xmi:id = "cmid"

scm : ClassModel

xmi:id = "cmid"

tcm : ClassModel

<<Domain>>

: ModelRoot

<<Domain>>

: ModelRoot

Figure 4.10: Definition of additional transformation parameters.

In our approach, the transformation parameters are implemented as global variables

of the XSLT stylesheet, thus each relation (rule template) can access these parameters.

154

4.6. Extensions to QVT Relations

We therefore require that the name of a parameter is unique in the scope of the trans-

formation. The values of the transformation parameters are provided by aparameter

file, which we are going to discuss in Section4.8.1.

4.6.2 Relation alias name and priority

We introduce therelation alias nameto simple relation calls. As shown in Fig.4.9,

the alias attribute of the relation gives it an alias name. A group of relations can

share the same alias name if they perform similar functionalities. A relation call to the

alias name is semantically equivalent to call all relations of the group. It is required

that these relations have the same sequence of parameters and different source domain

patterns. Only the relation calls in thewhereclauses support this mechanism.

As an example, let’s look at the following relationAttributeToColumn, which is taken

from the classical UML to RDBMS transformation example [134]:

relation AttributeToColumn {

checkonly domainuml c:Class {};

enforce domainrdbms t:Table {};

primitive domain prefix:String;

where {

PrimitiveAttributeToColumn(c, t, prefix);

ComplexAttributeToColumn(c, t, prefix);

SuperAttributeToColumn(c, t, prefix);

}

}

where three relations,PrimitiveAttributeToColumn, ComplexAttributeToColumnandSuper-

AttributeToColumn, are called to convert different types of UML attributes to columns of

RDBMS tables. However, if we assign the same alias name, for exampleDoAttToCol,

to the three relations, then relationAttributeToColumncan be simplified to:

155

4. QVTR-XSLT

relation AttributeToColumn {

checkonly domainuml c:Class {};

enforce domainrdbms t:Table {};

primitive domain prefix:String;

where {

DoAttToCol(c, t, prefix);

}

}

In addition, we extend the metaclassrelation with an optionalpriority attribute

(modeled by an integer value), which is used for rule conflict resolution. In cases

where more than one relation is applicable, the one with the highest priority is actually

applied.

In our approach, we implement a relation as an XSLT rule template, while in gen-

eral the name of the relation becomes the value of themodeattribute of the template.

However, if the relation has an alias name, then we assign the alias name to themode

attribute, and the rule template is invoked through the alias name. In addition, the pri-

ority of the relation becomes thepriority attribute of the corresponding template. Simi-

larly, thepriority attribute is used to decide which template to invoke when<xsl:apply-

templates/> is called and there are several possible candidates.

However, in case of existing relation alias name and priority, a relation call to the

alias name chooses a relation from a group of relations using the following procedure:

• First select all the relations whose source domain pattern andwhenclause matches

the source model element passed by the relation call;

• If there is more than one, select those that have the numerically highest priority;

• If there are still several matching relations left, and they all have the same prior-

ity, the one that occurs last in declaration order will be chosen;

156

4.7. Model Query with QVT-R Graphical Notation

• If no relation matches the source model element, the designer can decide whether

the relation call processes each child of the source model element, or the relation

call is omitted.

4.6.3 Conditional relation call

We introduce the conditional relation call to improve the efficiency of rule selection.

As pattern matching andwhenconditions checking take a lot of time and resources, it

will be more easy to check some external conditions before invoking a relation.

As in normal programming languages, a conditional relation call takes the form:

if bexpthen RCall endif;

where thebexp is a boolean OCL expression, andRCall is a normal relation call. It

means theRCall will be invoked only if thebexpevaluates totrue.

We implement the conditional relation call as an XSLT<xsl:apply-templates/>

instruction contained in a<xsl:if/> expression:

<xsl:if test="$xexp">

<xsl:apply−templatesmode="Rcall" ...>

...

</xsl:apply−templates>

</xsl:if>

wherexexp =OCLtoXPath(bexp) is an XPath expression.

4.7 Model Query with QVT-R Graphical Notation

QVT-R only uses the graphical notation to specify transformation rules. The QVT

specification does not provide any facility to visually query models. Instead, QVT-R

heavily relies on the textual language OCL to define model queries. Of course, OCL’s

157

4. QVTR-XSLT

ability to navigate models and form collections of objects make it suitable as a query

language.

Alas, OCL suffers from several shortcomings for model querying. First, the stan-

dard OCL expressions are claimed to be too verbose, even defining simple queries

quickly leads to complex query statements [157]. One reason is the strong typing of

OCL. Type conversions are frequently used in the expressions. Secondly, OCL lacks

some features such as using wildcards likes "∗" or "?" to match textual attributes. It

also lacks basic statistical functions, such asavg(), max(). In addition, OCL expressions

are defined on the visual representations of metamodels and models, textually speci-

fying the connections between model elements and what properties they refer to are

tedious, difficult and error-prone. Overall, many users may find a visual programming

paradigm more accessible than a text-based one, as the former supports the “correct-

by-construction” editing, and only valid programs can be specified.

To overcome these limitations, supporting visual model querying is instrumental

for QVT-R to drive for success. Our query facility will help designers in the con-

structions of a query by graphically selecting model elements from the metamodels,

and give them a visual conception of the query. A graphical visualization facilitates

their intuitive comprehension of where a QVT-R rule will actually modify the models.

Meanwhile, features needed in model querying will be reinforced in the facility.

In this section, we present a graphical model query facility based on the checking

semantics and pattern matching of QVT-R. The query facility also borrows from QVT-

R the graphical notation. Thus the queries can be graphically specified, and become

executable by translation to XSLT programs.

4.7.1 Syntax of the query facility

A QVT-R transformation may contain a set ofqueries, each has an OCL expression

as the body. By evaluating the OCL expression, a query retrieves information from a

158


model. Very much like the role the source domain pattern plays in a relation, a query

uses the pattern matching mechanism to search for model elements that conform to the

structural pattern and attribute constraints given by the OCL expression. This inspires

us to see a query as a relation with only one domain pattern using the graphical nota-

tion. Naturally, our approach still depends on OCL, as the graphical notation mostly

coversstructural aspects of a query. Operations related to iteration and aggregation

will be specified textually either in OCL or XSLT-functions.

CollectionTemplateExp

Query

PropertyTemplateItem

Variable

Domain

TemplateExp

forAllSub : Boolean

ObjectTemplateExp

OclExpression

PrimitiveType

OclExpression

Property

DomainPattern

Pattern

Type

Parameter

Class

Predicate

Type

bindsTo

1

result1

referredProperty

when

0..1where

0..1

templateExp0..1

parameter0..*

bindsTo

0..1

rootVariable

0..1pattern 1

0..*

referredClass

value 1

type 1

part *

domain 0..1

predicate 0..*

conditionExp1

member 1..*

type 1

Figure 4.11: Metamodel of the model query

We define the abstract syntax of the graphical query facility using the metamodel

shown in Fig.4.11. The metamodel is adapted from the QVT Relations package [134]

by adding two metaclasses,QueryandParameter. The metaclasses in light yellow (or

light grey in black-and-white print) boxes are imported from the EMOF specification

[132]. In the metamodel, aqueryconsists of:

• a domaindefined by adomain patternthat consists of a set of linkedtemplate

159

4. QVTR-XSLT

expressions (templateExp), each of them can be anobject template expression

(objectTemp) or a collection template expression. The former specifies a pat-

tern that refers to a class of the corresponding metamodel. AnobjectTempmay

contain a collection ofproperty template items(propertyTemp) corresponding to

the properties of the referred class. A collection template expression specifies a

pattern that matches a collection of elements. Note thetemplateExpitself is also

an OCL expression, it may be hierarchically contained in othertemplateExps.

TheforAllSubattribute of theobjectTempindicates whether we want to search all

contained children at an arbitrary level of depth in the hierarchy of a model. A

templateExpor apropertyTempmay declare a variable andbind toit. We denote

all variables declared in the domain as the setVd. In addition, apropertyTemp

can be bound to an OCL expression which contains no variables.

• a whenclause is apatternthat consists of a set ofpredicatesseparated by semi-

colon ";". Here a predicate is abooleanexpression of the form of〈var〉〈op〉〈exp〉,

wherevar ∈ Vd, exp is an OCL expression which involves only variables defined

in thewhereclause or parameters, andop ∈ {=,<>,>,>=,<,<=}. These predi-

cates provide additional constraints on thetemplateExpsbound to the variables.

The relationship between the predicates is conjunction.

• a whereclause is also a set ofpredicates. Each of them defines a variable in the

form: 〈var〉 = 〈exp〉, wherevar is a free variable, andexp is an OCL expression

that only involves parameters, variables bound in the domain pattern or vari-

ables that have been defined in the preceding predicates of thewhereclause. We

denote all variables defined in thewhereclausen as a setVw.

• aset ofparametersused to pass values to the query, denoted asVp. A parameter

can be of primitive type or type of a class defined in a metamodel.

The set of all variables of the query denotes asV = Vp ∪ Vd ∪ Vw. Particularly,

160


a query may have aroot variablevarrt which binds to theroot objectTempthat ad-

heres to tag«domain», andvarrt ∈ Vd ∧ varrt ∈ Vp. Moreover, a query must define

a variablevarrst with name "result", which returns the result of the query, where

varrst ∈ Vd ∪ Vw.

<<Query>>

GetClassByName

{when=cnm=nm;}

<<Parameter>>

nm : String

name = "cnm"

result : Class

<<Domain>>

: Package

Figure 4.12: Example of the model query

Fig. 4.12 depicts a query example which acquires all classes of a UML model

that have the name given by the parameter. Following the style of QVT-R graphical

notation, a query is displayed inside a box, where its name shows in the middle top

of the box under the tag«Query», and thewhenandwhereclauses display also in

top part of the box, prefixed with "when=" and "where=", respectively. If there is

no whenclause, the "where=" prefix can be omitted. The domain pattern is shown

in the middle of the box as a special kind of object diagram, where an object or a

property may be decorated with a variable name. Note that in the diagrams a variable

bound to a property may contain additional quote-characters that are an artifact of the

visualization, not string delimiters. The small box with tag«Parameter» represents

a formal parameter and its type.

4.7.2 Semantics of the query facility

A query can be called from QVT-R relations, queries and functions. It finds parts

of models that fulfill given constraints specified in the query. We adapt the QVT-R

161

4. QVTR-XSLT

checking semantics and define the semantics of a query as: for each valid binding

of variables of the domain and the parameters, that satisfy thewhencondition, there

exists a valid binding of the result variablevarrst that satisfies the domain pattern and

thewherecondition.

The execution of a query starts from pattern matching. In a similar way as for a

QVT-R relation, the matching begins with the rootobjectTemp. If it has been bound

to an input parameter, that is to say∃ varrt · varrt ∈ Vp, then the search will start from

the model element specified by the parameter, otherwise the search will start from the

root of whole model. In the matching process, predicates specified in thewhenclause

act as additional constraints. If matching model elements are found, variables bound

in the domain pattern are instantiated, and then variables defined in thewhereclause

calculate their values. Finally, the value ofvarrst returns the result of the query.

4.7.3 Mapping domain patterns to XPath path expressions

As we have discussed previously, the graphical query facility supports complex object

patterns. In order to deal with such patterns, pattern matching becomes a core tech-

nique to implement the query facility. As XPath provides a powerful and convenient

way for pattern matching, to support the query facility, we map the domain pattern into

XPath path expressions

The mapping starts from theroot objectTemp, which may bind to aroot variable

varrt. We support two kinds of queries:

• A global model querymatches the entire model to retrieve all results fulfilling

the query. Ifvarrt 6∈ Vp ∨ ∄ varrt, that means theroot objectTempis not bound to

an input parameter, the pattern matching will search over the full model. So the

path expressionexpr begins asexpr="$"+"xmiXMI"+"//"+ℓe, whereℓe is the xmi

label of theobjectTemp’s referred class type, andxmiXMI is the global variable

representing the whole model.

162


• A local model query retrieves information from a given input model element.

In the case,varrt ∈ Vp, the pattern matching will search under the context of the

root variable. Thus we build the path expressionexpr starting from the variable

as expr="$"+varrt.

Then from the rootobjectTemp, say,o:C, whereC is the referenced type ofo, we

go down along the links to obtain otherobjectTemps, for example,b:B. Considering

the association between classC andB in the metamodel, three cases arise:

• Querying down the containment hierarchy: If the association is composition,

that’s to sayB is a child ofC, we get the label ofB by ℓb = xmiLabel(B), then

we add to the path expression achild step:expr = expr + "/" + ℓb. In case of the

forAllSub feature ofb is true, we want to query all descendant nodes, and then

the path expression becomes :expr = expr + "//" + ℓb.

• Querying up the containment hierarchy: On the other hands, ifB is the parent

of C, we add to the path expression aparentstep:expr = expr + ” /” + ”parent()”.

• Querying the normal references: If the relationship is a normal association

with nameasso, there must be a reference attributeαr with the same name

assoin the corresponding XML element ofo, and the referred elements can

be gotten by functionxmiRefs(), and then the path expression becomes:expr =

xmiRefs(expr + "/@" + asso).

If the objectTemp bis bound to a variablevarb, we construct an XSLT variable decla-

ration as<xsl:variable name=varb select=expr/>.

Now we consider thepropertyTempsof theobjectTemp b:Band the predicates de-

fined in thewhenclause. Letρ be apropertyTempreferred to a property of the classB,

there are two situations:

• if ρ is bound to a variablevarρ, and if there is a predicate in thewhenclause

that is related to the variable, we translate the OCL expression of the predicate

163

4. QVTR-XSLT

into an XPath boolean expressionxexp by the functionOCLtoXPath(), which is

specifically designed to map an OCL expression to an XPath expression. Then

we haveexpr = expr + ”[” + xexp + ”]". Otherwise if there is no such a predicate,

the expr will remain unchanged. Consequently an XSLT variable is defined as

<xsl:variable name=varρ select=expr+”/@”+ρ/>.

• if ρ is bound to an OCL expressionoexp, we getxexp= OCLtoXPath(oexp).

Thus, we haveexpr = expr + "[" + xexp + ”]”. In particular,oexp could be a

regular expression in our approach.

In this way, we traverse all linkedtemplateExpsand theirpropertyTempsto con-

struct path expressions, and instantiate every variable we meet on the way.

4.7.4 Generating XSLT functions for queries

We create an XSLT user-defined function for a query using the<xsl:function> instruc-

tion. For each parameter of the query, we generate a corresponding XSLT parameter

using the<xsl:param> construct. Inside the function body, we collect all variabledef-

initions instantiated from the domain pattern. Then, for each predicate in thewhere

clause that takes the form of〈var〉 = 〈oexp〉, wherevar is a free variable, andoexp is

an OCL expression, we map theoexp into an XPath expressionxexp using the func-

tion OCLtoXPath(), and generate an XSLT variable declaration for the predicateas

<xsl:variable name=var select=xexp/>. Finally, a<xsl:sequence> instruction will

return the value of theresultvariable. Furthermore, an OCLTupleexpression can be

used to return multiple values.

As an example, the following XSLT function is generated from the example query

shown in Fig.4.12. Here "my:" is the name space we give to XSLT user-defined

functions:

<xsl:function name="my:GetClassByName">

<xsl:param name="nm"/>

164

4.8. Tool Design and Implementation

<xsl:variable name="result" select="$xmiXMI//packagedElement

[@xmi:type=’uml:Class’][@name=$nm]"/>

<xsl:variable name="cnm" select="$result/@name"/>

<xsl:sequenceselect="$result"/>

</xsl:function>

4.8 Tool Design and Implementation

Our tool to support the graphical notation of QVT-R and the model query facility,

namely QVTR-XSLT, is designed as two parts: a QVT-R graphical editor and an XSLT

code generator. In addition, we have developed a collection of pre-defined transforma-

tions as part of the tool for the purpose of improving the interoperability of the tool,

and for transformation verification and validation. To implement the tool in a standard,

model-driven way, we first define a UML profile for QVT-R model.

4.8.1 A UML profile for QVT Relations

We adopt the "lightweight" method to implement the abstract syntax of QVT-R by

defining a UML profile. The QVT-R profile is designed based on the QVT-R meta-

model presented in Section4.2.1and the QVT-R semantics we intend to support. We

also consider supporting the graphical query facility. Following the standard UML pro-

file notation, the stereotype definition part of the profile is presented as a UML profile

diagram shown in Fig.4.13.

The root of the profile diagram is the stereotypeQVTRModel, which is extended

from UML model, to represent a QVT-R transformation model. In UML,modeland

packageserve as grouping units to contain and organize other model elements in a

hierarchy structure. A QVT-R model consists of a set ofMetaModels andTransforma-

tions. A transformation is a UML package that comprises ofFunctions, Relations and

Queries. The transformation stereotype has attributessourceNameand targetName

165

4. QVTR-XSLT

+sourceName : String [1..*]+sourceKey : String [1..*]+targetName : String [1..*]+targetKey : String [1..*]+isInPlace : Boolean+parameterFile : String+extends : String+output : TransforOutput+makeTrace : Boolean

<<stereotype>>

Transformation

[Package]

<<stereotype>>

QVTRModel

[Model]

+language : Language = OCL

<<stereotype>>

Function

[FunctionBehavior]

+position : Integer+typedModel : String

<<stereotype>>

Object

[InstanceSpecification]

<<stereotype>>

Where

[Constraint]

<<stereotype>>

When

[Constraint]

+kind : DomainKind

<<stereotype>>

Domain


+sNumber : Integer

<<stereotype>>

Parameter


+sNumber : Integer

<<stereotype>>

PrimitiveDomain


+isTopLevel : Boolean+relName : String+priority : Integer

<<stereotype>>

Relation

[Package]

sourcetarget

<<enumeration>>

DomainKind

htmlxml

<<enumeration>>

TransforOutput

<<stereotype>>

Query

[Package]

+value : String

<<stereotype>>

PropertyItem

[Slot]

<<stereotype>>

MetaModel

[Package]

XSLTOCL

<<enumeration>>

Language

{ordered}

{ordered}

0..10..1

0..10..1

1..* 0..*

1..*

0..*0..*

0..*

target 1..*

source1..*

0..12

0..*0..*

0..*+slot

1..*

Figure 4.13: The UML profile for QVT-R

that record a set of source and target typed models, each of them corresponds to a

metamodel. In addition, we can define akeyfor a typed model to indicate its identity

property. In the case of EMF models, the key is usually thexmi:id attribute.

There are also other attributes in the transformation stereotype that play different

roles. In order to support a model-to-text (actually, to HTML) transformation, we can

set theoutputattribute to "html", otherwise, the output of the transformation will be

models in XML format. Theextendsattribute indicates from which transformation the

166


current transformation inherits, and theparameterFileattribute is used to specify the

name of the parameter XML file. If themakeTraceattribute is set totrue, the code

generator produces an XSLT stylesheet that will generate trace information. To define

an in-place transformation, we have to set theIsInPlaceattribute totrue.

We map QVT-R relation to stereotypeRelation, which is also extended from UML

package. The stereotype has a boolean attributeisTopLevelto indicate if it is a top-level

relation, and an integer attributepriority to record the relation’s priority, which is 0 by

default. In addition, attributerelNamecan be used to assign an alias to the relation. In

our approach, a group of relations can share the same alias and have different matching

patterns. An alias can be used in relation calls. In this case, which concrete relation

will be actually invoked depends on whose source domain pattern is matched, and the

value of priority if there are more than one matched relations.

A relations owns twoDomains, and may contain somePrimitiveDomains, aWhen-

and aWhere clause. Thewhenandwherestereotypes are defined as extensions of UML

constraintto store OCL expressions. For the primitive domain stereotype, the attribute

sNumberindicates the order of this primitive domain appeared in the parameters of the

relation.

In the QVT-R metamodel shown in Fig.4.3, the DomainPatternmetaclass rep-

resents a special object diagram defined as nested object templates and/or collection

templates, along with their links for pattern matching and instantiation. We map the

metaclassTemplateExpinto stereotypeObject which is extended from UMLInstance-

Specification. In order to provide some support for thecollection template, the object

stereotype has apositionattribute to point out which element we want to match in

an ordered collection, and we define arest function to get the other members of the

collection except the one at thatposition. Furthermore, theobject stereotype has a

typedModelattribute to indicate which typed model this object belonges to, for the

purpose of supporting multiple models.

The root object template of a domain pattern is an instance of theDomain stereo-

167

4. QVTR-XSLT

type, which is a subclass of theobjectstereotype. Its attributekinddecides whether the

domain is the source or the target. Naturally, extended from UMLslot, the stereotype

PropertyItem represents thePropertyTemplateItemclass of the QVT-R metamodel. Its

valueattribute contains an OCL expression that assigns a value to the variable declared

as the name of the property item.

To support the graphical query facility, we define the stereotypeQuery. A query

may also include a domain pattern, awhenand awhereclauses, and someParame-

ters. Similar to the primitive domain stereotype, the parameter stereotype also has an

attributesNumberthat decides the order of the parameter when calling the query.

In the profile, aMetaModel is used to collect a set of simple class diagrams to define

the metamodel for a typed model. As shown in Fig.4.14, we use the most essential

fragments of the UML class model (approximately equivalent to EMOF metamodel)

as the meta-metamodel to define the metamodels. We support onlyClass, Property,

Generalizations andAssociation. Regarding the links among the objects, we define the

stereotypeLink, which represents an instance of an association.

Mapping UML to XMI

As discussed previously, a model is normally stored as an XML file in EMF UML,

Ecore or other XMI formats. For example, in EMF UML, aClassis serialized to an

XML fragment <packagedElement xmi:type="uml:Class"/>, which represents a

packagedElementnode with anxmi:typeattribute of value "uml:Class". As XSLT di-

rectly deals with XML fragments, it does not have any ”in-memory” model different

from the XML document itself. On the other hand, we specify QVT-R relations using

UML model elements defined in the metamodels, such as theClass. In order to gen-

erate correct XSLT code, there must be a way to specify the correspondences between

UML concepts and their XML presentations. It is called thexmi labelfor the UML ele-

ment. An xmi label consists of the node’s name and some particular attributes. For ex-

ample, the xmi label for theClassis "packagedElement[@xmi:type=’uml:Class’]".

168


+aggregation : AggregationKind

AssociationEnd

Property

isAbstract : Boolean

Class

Boolean

IntegerString

Real

<<enumeration>>

PrimitiveType

<<stereotype>>

PropertyItem

[Slot]

<<stereotype>>

Link


<<stereotype>>

Object


<<stereotype>>

MetaModel

[Package]

Association

+href : PrimitiveType

Type

compositenone

<<enumeration>>

AggregationKind

Generalization

+value : String

UpperValue

+value : String

LowerValue

+classifier

0..*

+classifier

+definingFeature

+memberEnd 2

+ownedAttribute0..*

+general

+association

+type

0..*

+linkEnd

2

0..1

1..*

Figure 4.14: TheMetaModelpackage of QVT-R profile.

We define a functionxmiLabel()to get the xmi labels of model elements. For a

standard format such as EMF UML, the correspondences are already defined in the

specification of the standard. It is possible to calculate xmi labels with a standard

library. But for the other formats, the designers have to define the mappings for the

xmiLabelfunction themselves.

+node : String+xmiType : String+stereoType : String+xsiType : String

<<stereotype>>

XMIClass

[Class]

Figure 4.15: The stereotype for mapping UML to XMI

As shown in Fig.4.15, we introduce a stereotypeXMIClass to facilitate the defi-

nitions of the mapping. By applying the stereotype to a class in the metamodel, we

can input the corresponding XMI information. For instance, for the UMLClass,

169

4. QVTR-XSLT

its node attribute is set to "packagedElement", and the xmiType attribute is set to

"uml:Class". Thus, it is easy for thexmiLabel() function to generate the xmi label

for the element. Meanwhile, the class diagram is kept concise by hiding the XMI

information.

Supporting in-place transformations

+xmiDiffOp : xmiDiffType+targetId : String+resetAttName : String+resetAttValue : String

<<stereotype>>

XMIDiff


insertBefore

insertNextinsertTo

resetAtt

replaceremove

<<enumeration>>

xmiDiffType

Figure 4.16: A stereotype for in-place transformation.

Instead of implicitly and automatically modifying the model elements (of QVT-R),

our approach requires that the designer explicitly knows which elements of the target

domain pattern are going to be modified, and manually defines the changes applied on

these elements.

The definition of the changes is carried out by applying a stereotypeXMIDiff to

the objectsof the target domain patterns. As shown in Fig.4.16, the stereotype has

an attributexmiDiffOp that specifies the kind of the changing operations, and atargetId

attribute to indicate the identity of the referred element. Since sometimes the order of

elements inside a model has semantic meaning, we define three kinds of operations for

creating an element:insertBefore, insertToand insertNext. They are used to insert a

new element before thetargetId element, insert into as the child element of thetar-

getIdelement, or next to thetargetIdelement, respectively. We also define thereplace

andremoveoperations, to replace or delete the corresponding model element. If the

operation isresetAtt, then the attribute of the model element with name specified in the

resetAttNamewill be set to the value given byresetAttValue.

170


Defining the parameter file

Thetransformationstereotype has attributes to record the typed models that participate

in the transformation as model parameters. In our extensions to QVT-R, we also define

that the primitive domains specified in the root relation serve as additional transforma-

tion parameters. However, these parameters are formal parameters of the transforma-

tion. To provide the transformation with actual parameters, we use aparameter file,

whose name should be designated by theparameterFileattribute of thetransformation

stereotype.

For example, we can use the following XML file to provide actual parameters for

the transformation that owns the relations shown in Figs.4.8and4.10:

<?xml version="1.0" encoding="UTF−8"?>

<parameterRoot>

<className>Book</className>

<attributeName>volume</attributeName>

<TypedModel name=’xmiXMI’ file=’Library.uml’/>

<TypedModel name=’digDIG’ file=’Library.di’/>

</parameterRoot>

where we provide values for parametersclassNameandattributeName, which are de-

clared as primitive domains in root relationModeltoModel(see Fig.4.10).

In the Topcased [165] framework, a complete model consists of two models: a

UML model that contains the abstract syntax information, and a DI (diagram inter-

change) [75] model contains the concrete syntax (visual representation) information.

These two are technically different models because they conform to different meta-

models, and store in separate XML files. So in the parameter file, we declare two

typed models,xmiXMI anddigDIG, to represent the two XML files of a library model.

Thus, we can input the same string "xmiXMI, digDIG" to thesourceNameandtarget-

Nameattributes of thetransformationstereotype, as the transformation is an in-place

one.

171

4. QVTR-XSLT

Well-formedness constraints for the profile

In order to guarantee the generation of correct XSLT stylesheet, it is essential that

the transformation models can be checked for well-formedness. As an important part

of a profile, the well-formedness constraints provide a model with the static seman-

tics. In our profiles, we have defined more than twenty well-formedness constraints

using OCL. All these constraints fall into two categories: stereotype conformance con-

straints, which require a model element of the stereotype to have some properties,

and model consistency constraints, where different parts of a model must be mutually

consistent. Moreover, according to the seriousness of the problems they find, we cat-

egorize the constraints into two levels:error or warning. In the following, we discuss

some of the OCL constraints as examples:

• A relation has one source domain and one target domain (error).

contextRelationinv DomDiffKinds:

let doms:Set(QVTR::Domain)=self.ownedMember→select(oclIsTypeOf(QVTR::Domain))

→collect(oclAsType(QVTR::Domain))

in doms→one(kind=QVTR::DomainKind::source)

and doms→one(kind=QVTR::DomainKind::target)

• A QVT-R model should have at least one metamodel and one transformation (error).

contextQVTRModelinv QmodelhasMetaAndTrans:

self.ownedElement→exists(p|p.oclIsKindOf(QVTR::MetaModel))

and self.ownedElement→exists(p|p.oclIsKindOf(QVTR::Transformation))

• A transformation should have top-level relations (error).

contextTransformationinv TransHasTopRe:

self.ownedElement→select(oclIsKindOf(QVTR::Relation))

→exists(r|r.oclAsType(QVTR::Relation).isTopLevel)

• An object or link should be an instance of a classifier in the metamodels (error).

contextRelationinv RelObjHasClz:

self.ownedElement→select(oclIsTypeOf(InstanceSpecification))

172


→collect(d|d.oclAsType(InstanceSpecification))

→forAll(ins|not ins.classifier.OCLUndefined())

• A non-abstract class of a metamodel is not referenced by any relation (warning).

contextClassinv ClsHasNoInstance:

not self.isAbstractimplies InstanceSpecification::allInstances().classifier→

asSet()→includes(self.oclAsType(Classifier))

The last constraint can be used to check whether every element of a metamodel has

been handled by at least one relation. If the check fails, some elements may be ignored

by the designers. With the help of CASE tools that have OCL execution environments,

we can validate these constraints against a transformation model at any time during

its design process. It is very important to guide the designers to achieve a correct and

complete transformation model.

4.8.2 QVT-R graphical editor

The concrete (graphical) syntax of QVT-R is supported by a QVT-R editor. Since we

have realized the abstract syntax of QVT-R with a UML profile, this editor can be

implemented in a UML CASE tool to minimize the effort needed to develop a new

tool from scratch, and meet the requirements for standardization and interoperabil-

ity. Theoretically, the editor can be based on any UML CASE tool, if it can: 1) edit

class diagrams and corresponding object diagrams, 2) support standard UML profiles

and the well-formedness checking of OCL constraints, and 3) output a model in XMI

format.

The current implementation of the QVT-R graphical editor builds on the top of

theMagicDraw UML [126], a popular UML modeling and CASE tool. So the users’

burden to get familiar with a new tool environment can be reduced. MagicDraw is

a commercial tool, but a free community edition is also available. It supports the

editing of all kinds of UML diagrams, definition of UML profiles, and validating of

173

4. QVTR-XSLT

Figure 4.17: The toolbar for the QVT-R graphical editor

OCL constraints. In addition, it provides a mechanism to allow quickly designing and

maintaining a new full features modeling language, through customized UML profiles

and diagrams.

Based on the QVT-R UML profile, we design a particular "QVT Relation Diagram"

and its toolbar using the MagicDraw diagram custom engine. As shown in Fig.4.17,

the toolbar contains the necessary buttons to graphically design relations and queries,

such asDomain, Object, Parameterfor query,Link, etc. Using these buttons, we can

select an element from a user-defined metamodel or the UML standard metamodel

though a pop-up window, and drop it into the diagram. Then we can set attributes and

tagged values for the element. When we draw a link between two objects, the corre-

sponding associations defined in the metamodels will show up in a pop-up window, so

we can select the one we want. With a text input box, we can edit and check the syntax

of the OCL expressions for thewhenandwhereclauses.

Furthermore, we can validate the design at any time during the design process by

just pressing the "check" button in the graphical editor. Then each constraint defined in

the profile will be evaluated against parts or the whole of the transformation model. El-

ements that violate the constraints (evaluating tofalse) are reported in a results window,

and also shown in diagrams surrounded by red boxes. Fig.4.18shows a screenshot of

the popup window for validation.

Using this graphical editor, we can define metamodels as simple class diagrams,

specify relations and queries using QVT-R graphical notation, edit functions in textual

174


Figure 4.18: Validating the transformation model

style using OCL or XSLT, and finally save them as a transformation model in XMI

format. We feel that it is quite easy and user-friendly to design QVT-R rules in the

editor, because all objects and links are restricted by selecting from the source and

target metamodels, effectively providing a graphical domain-specific language. Such

syntax-directed editing should reduce the number of errors, as it only permits mostly

well-typed models.

Evaluating the syntax conformance As shown in the examples of Fig.4.23-4.29,

in our tool, a relation is displayed inside a UMLpackagebox, where its name is in the

middle top of the box with tag«Relation», and thewhenandwhereclauses are in the

top part of the box, prefixed with "when=" and "where=", respectively. Then the label

[isToplevel] follows if the relation is a top-level one. A domain patterns is displayed

as a special kind of object diagram, where the root object template is labeled with

tag«Domain». Note that a property variable in the diagrams may contain additional

quote-characters that are an artifact of the visualization, and not string delimiters. The

relation symbol is put between the two domain patterns, and the primitive

domains decorated with tag«PrimitiveDomain» are located just above the symbol.

The concrete graphical syntax of QVT-R is defined in page 39-46 of the specifi-

cation [134] through examples followed by explanations. It is said on page 40: "we

propose to use object diagrams with some extensions to specify patterns within a rela-

175

4. QVTR-XSLT

tion specification". In addition, page 46 states:

• Name of the relation. The name of the relation may appear anywhere in the

drawing page.

• where and when clause. These may appear as shown or may be hidden and

shown optionally or shown in a separate frame.

So even if at first glance our diagrammatic representation for relations looks a

little different from the example drawings given in the specification, we consider our

graphical representation conforming to the QVT-R standard.

4.8.3 XSLT code generator

Figure 4.19: The XSLT code generator

We developed the code generator using XSLT itself to realize the design ideas

described in the previous sections. The code generator reads in the XMI file of the

QVT-R transformation model produced by the graphical editor, traverses and analyzes

the model structure to collect information, parses the OCL expressions, and generates

176


an XSLT stylesheet that implements the QVT-R transformation. The generated XSLT

stylesheet contains only pure XSLT code without extensions, so it can be directly exe-

cuted by any XSLT processor.

As shown in Fig.4.19, we have designed an user interface for the code generator.

It is programmed with Java and uses a Saxon 9 XSLT processor to execute the XSLT

programs of the code generator. Using the interface, we can load a transformation

model, select the transformation we want to generate XSLT stylesheet for, and indicate

if we like to produce a trace model.

In addition, we have developed atransformation runner, also in the form of a Java

program invoking the Saxon 9 XSLT processor, to facilitate the execution and analysis

of generated XSLT stylesheet. The transformation runner loads and executes an XSLT

transformation, displays the execution time, and generates the trace model if required.

4.8.4 A collection of predefined transformations

In particular, we developed a number of transformations and higher-order transforma-

tions as part of the tool, for the purpose of transformation validation and verification,

as well as for helping to exchange QVT-R rule and metamodel definitions with other

QVT tools. These transformations are defined using the QVTR-XSLT tool itself. They

can also sever as examples for the end user to learn how to use the tool. The following

transformations are included the collection:

• QVT-R graphical notation to textual notation: generates the textual representa-

tion from a transformation model designed in the QVT-R graphical editor. The

textual representation can be used for manually checking the transformation, or

as the input for other QVT-R engines, for example, medini QVT;

• Metamodel to XML Schema: generates XML Schemas from the metamodels

defined in a transformation model. XML tools can validate the source and target

models as XMI files against the XML Schemas;

177

4. QVTR-XSLT

• UML sequence diagram, state diagram, activity diagram to CSP: generates CSP

specifications to check trace equivalence or deadlock freedom of the UML dia-

grams.

• UML metamodel to Ecore, and Ecore to UML metamodel: facilitate the model

exchange between our tool and other QVT-R tools.

• Multiplicity to OCL: the generated OCL expressions can be used to check the

multiplicity conformance of a UML class model.

4.9 Case Studies

We have tested the viability of our approach and the practicability of the implementa-

tion tool with a set of case studies. A simple evaluation of the tool is given in the first

case study by comparing with medini QVT [117]. In the second case study, we use a

suite of popular queries to query the model of UML Superstructure.

4.9.1 Simple UML to simple RDBMS transformation

This case study is a slight variation of the well-known UML model to RDBMS trans-

formation taken from [134]. Also this example is relative simple, it is well suited to

demonstrate ideas and technical details of a transformation language [21]. For com-

parison purposes, we take themedini QVTas a reference implementation of QVT-R,

and execute the same transformation with it.

Using the QVTR-XSLT tool, we provide the transformation with appropriate meta-

models: we use the UML metamodel depicted in Fig.4.20as the source metamodel,

and a RDBMS metamodel shown in Fig.4.21as the target metamodel. In order to com-

pare with medini QVT, the metamodels are configured to support ecore models. For

the RDBMS metamodel, thenameproperty is the identifier (key), and eachforeignKey

refers to atable. Theid property is the identifier for the UML metamodel.

178

4.9. Case Studies

As shown in Fig.4.23-4.29, we design the UML to RDBMS transformation as

seven QVT-R relations:

• PackageToSchema: a package in the UML model corresponds to a schema in the

RDBMS model.

• ClassToTable: each persistent class of the package maps to a table with a primary

key and an identifying column in the corresponding schema.

• AttributeToColumn: deals with different kinds of attributes by invoking corre-

sponding relations.

• PrimitiveAttributeToColumn: attributes of primitive data types are translated into

columns of the corresponding table.

• SuperAttributeToColumn: invokes the relationAttributeToColumnto translate

attributes inherited from the class hierarchy.

• ComplexAttributeToColumn: an attribute of a complex data type maps to a set

of columns corresponding to all attributes of the class, which the complex data

type referred to, prefix the names of the columns with the name of the referred

class.

• AssocToFKey: an association between two persistent classes is mapped to a for-

eign key in the table corresponding to thesourceclass of the association, and the

foreign key refers to the table corresponding to thetargetclass of the association.

where the top-level relationPackageToSchema(Fig. 4.23) is the start point of the

transformation. It provides the context necessary to apply the subsequent relations.

Fig. 4.22depicts a screenshot of the transformation model.

The XSLT code generator of our tool reads in the transformation model, and pro-

duces an output XSLT stylesheet. As an example, the generated XSLT rule template

179

4. QVTR-XSLT

PrimitiveDataType

kind : String

Class

PackageElement

Association

Package

Attribute

name : Stringid : String

ModelElement

Classifier type

1

destination

1

forward0..*

general 0..1

source1

reverse

0..*

ownedElement 0..*

namespace 1

attribute

0..*

type : String

Column

name : String

ModelElementSchema

ForeignKey

Table

Key

1..*

column

1

rkey 0..1

refersTo11rkey 0..*

1..*

Figure 4.20: Simple UML metamodel Figure 4.21: Simple RDBMS metamodel

<<Relation>>

PackageToSchema

{isTopLevel}

name = "pn"

<<Domain>>

s : Schema

name = "pn"

<<Domain>>

p : Package

Figure 4.22: The transformation model Figure 4.23: The root relation

for relationClassToTableis illustrated in Listing4.1. The seven QVT relations of the

case study, along with a user-defined function that converts the UML primitive types

to the data types of RDBMS, and anxmiRefsfunction which retrieves elements of the

UML XMI model through the keys, translate to an XSLT stylesheet about 210 lines of

code (without producing trace information).

Transformation execution and evaluation. To test the transformation, we borrowed

the source model from theUML2RDBMScase study of the medini QVT tool package.

This simple ecore model describes the structure of a tiny library system with 6 classes

180

4.9. Case Studies

<<Relation>>

ClassToTable

{when=PackageToSchema(p,s);,where=prefix=cn; AttributeToColumn(c,t,prefix);}

{isTopLevel}

kind = "’Persistent’"

name = "cn"

<<Domain>>

c : Class

name = "cn+’_tid’"

type = "’NUMBER’"

cl : Column

name = "cn+’_pk’"

k : Key

name = "cn"

<<Domain>>

t : Table

p : Package s : Schema

rkey

namespace

column

rkey

<<Relation>>

AttributeToColumn

{where=PrimitiveAttributeToColumn(c, t, prefix);ComplexAttributeToColumn(c, t, prefix);

SuperAttributeToColumn(c, t, prefix);}

<<PrimitiveDomain>>

prefix : String

<<Domain>>

t : Table

<<Domain>>

c : Class

Figure 4.24: Class to table Figure 4.25: Attribute to column

<<Relation>>

AssocToFKey

{when=PackageToSchema(p,s);ClassToTable(sc,srcTbl); ClassToTable(dc,destTbl);,

where=fkn = scn+’_’+an+’_’+dcn;}{isTopLevel}


name = "dcn"

dc : Class


name = "scn"

sc : Class

name = "an"

<<Domain>>

a : Association

name = "fkn"

<<Domain>>

fk : ForeignKey

destTbl : Table

srcTbl : Table

p : Package s : Schema

source destination

refersTo

namespace

<<Relation>>

PrimitiveAttributeToColumn

{where=cln = if prefix = ’’ then an else prefix + ’_’ + an endif;sqltype = PrimitiveTypToSqlType(pn) ;}

name = "pn"

p : PrimitiveDataType

<<PrimitiveDomain>>

prefix : String

name = "cln"

type = "sqltype"

cl : Column

name = "an"

a : Attribute

<<Domain>>

t : Table

<<Domain>>

c : Class

type

attribute

Figure 4.26: Association to foreign key Figure 4.27: Primitive attribute to column

and 59 features in total. It conforms to our UML metamodel. Using the transformation

runner, we executed the generated XSLT stylesheets, both with and without producing

trace information, in a laptop of Intel M330 2.13 GHz CPU, 3 GB memory, and running

a Windows 7 home version. Table4.4shows the execution times, which include times

for loading and saving model files from/to disk.

In order to test the transformation in medini QVT, we first exported the definitions

of both source and target metamodels from the transformation model using the prede-

fined UML metamodel to Ecore transformation. Then theQVT-R graphical notation to

181

4. QVTR-XSLT

<<Relation>>

ComplexAttributeToColumn

{where=newprefix = prefix + ’_’ + an; AttributeToColumn(tc, t, newprefix);}

<<PrimitiveDomain>>

prefix : String

name = "an"

a : Attribute

<<Domain>>

t : Table

<<Domain>>

c : Class

tc : Class

type

attribute

<<Relation>>

SuperAttributeToColumn

{where=AttributeToColumn(sc,t,prefix); }

<<PrimitiveDomain>>

prefix : String

<<Domain>>

t : Table

<<Domain>>

c : Class

sc : Class

general

Figure 4.28: Complex attribute to columnFigure 4.29: Attribute in super class to col-umn

Table 4.4: Comparison of execution time (ms)

QVTR-XSLT medini QVT

with trace 22 90without trace 7

textual notationtransformation was used to generate the textual representation of the

transformation. Finally the ecore metamodels and the transformation in textual format

were imported into medini QVT tool, and executed on the same source model with an

empty target model in the same laptop. As shown in Table4.4, the execution taken

in total about 90 ms, of which 40 ms was used to evaluate the transformation, and

the other time was for parsing and analyzing the transformation, loading and saving

source, target and trace models.

The results from the QVTR-XSLT tool and the medini QVT were compared both

manually and automatically with an XSLT program. The generated target models from

both tools are identical. Furthermore, both trace models are semantically equivalent in

the sense that for each trace instance of relation in the medini QVT trace model, there

exists one relation instance in the QVTR-XSLT trace model, that both of them contain

same object references, and vice versa. List4.2 shows an excerpt of the medini QVT

trace model, and List4.3 for the QVTR-XSLT trace model. We find that our trace

182

4.9. Case Studies

<xmi:XMI xmlns:umlTOrdbms="urn:umlTOrdbms .ecore"><umlTOrdbms :PackageToSchema>

<p href="source.xmi#_pXZ9wKS6EduN8Krm−aC8vQ"/><s href="target.xmi#myPackage"/>

</umlTOrdbms :PackageToSchema><umlTOrdbms :ClassToTable>

<c href="source.xmi#_pXZ9waS6EduN8Krm−aC8vQ"/><t href="target.xmi#Library"/><p href="source.xmi#_pXZ9wKS6EduN8Krm−aC8vQ"/><s href="target.xmi#myPackage"/><cl href="target.xmi#Library_tid"/><k href="target.xmi#Library_pk"/>

</umlTOrdbms :ClassToTable><umlTOrdbms :AttributeToColumn prefix="Library">

<c href="source.xmi#_pXZ9waS6EduN8Krm−aC8vQ"/><t href="target.xmi#Library"/>

</umlTOrdbms :AttributeToColumn>......

</xmi:XMI>

Listing 4.2: Excerpt of medini QVT trace model

<Transformation name="umlTOrdbms" source="uml" target="rdbms"><relation name="PackageToSchema">

<obj name="p" href="_pXZ9wKS6EduN8Krm−aC8vQ"refname="myPackage" model="uml"/>

<obj name="s" href="myPackage" model="rdbms" op="c"/></relation><relation name="ClassToTable">

<obj name="c" href="_pXZ9waS6EduN8Krm−aC8vQ"refname="Library" model="uml"/>

<obj name="p" href="_pXZ9wKS6EduN8Krm−aC8vQ"refname="myPackage" model="uml"/>

<obj name="t" href="Library" model="rdbms" op="c"/><obj name="cl" href="Library_tid" model="rdbms" op="c"/><obj name="k" href="Library_pk" model="rdbms" op="c"/><obj name="s" href="myPackage" model="rdbms"/>

</relation><relation name="AttributeToColumn">

<primitiveDomain name="prefix" href="Library"/><obj name="c" href="_pXZ9waS6EduN8Krm−aC8vQ"

refname="Library" model="uml"/><obj name="t" href="Library" model="rdbms"/>

</relation>......

</Transformation>

Listing 4.3: Excerpt of the QVTR-XSLT trace model

model misses the information about names of model files, but theop="c" expressions

in our trace model indicate at which relation instance the particular object is created.

183

4. QVTR-XSLT

This feature could be helpful in debugging.

Since medini QVT is known as one of the two tools that faithfully implement the

standard of QVT Relations, the comparison results provide favorable evidence that the

QVTR-XSLT tool supports the basic semantics of QVT-R.

Regarding the performance issues, even though the source model is too small to

give sufficient evidence, we can still judge that our transformation runs faster than

medini QVT, especially in case of outputting no trace information. That is partly due

to the XSLT processor (Saxon 9.2) we used must be more powerful than the interpreter

of medini QVT. Another possible reason is that XSLT don’t need to build a different

in-memory model, and saving the time for converting between in-memory and storage

models.

4.9.2 Model querying examples

Basically, a query in the QVTR-XSLT tool consists of two parts: the diagram represen-

tation and the textual area, where the OCL expressions can be imput as thewhenand

whereclauses. So this tool allows us to run arbitrary queries with only OCL expres-

sions, that means QVT-R graphical queries are at least as expressive as the pure OCL

queries defined by the QVT specification. Now, the crucial question is, whether creat-

ing and/or understanding the QVT-R graphical queries is easier than using only OCL.

In order to find out, we have tested the graphical query tool with a suite of popular

queries discussed in [42; 159].

The queries are tested on the model of UML superstructure version 2.41. The

model is a typical EMOF model that includes 11 packages, 341 classes, and in total

about 9500 model elements stored in an XMI file of about 1.7 MB in size. We design a

QVT-R transformation to collect and execute these queries. This transformation takes

the UML superstructure model as the source model, and outputs a html file to show the

query results.

184

4.9. Case Studies

+#title : String

Head

+#td : String

TrTable

Html

Body

1..*

1

1..*

1

Figure 4.30: Target metamodel

<<Relation>>

QueryUML

{where=clsNum=CountClass();Display(uml,tb,’Number of classes’,clsNum);}

{isTopLevel}

#title = "’Queries on UML superstructure model’"

: Head

<<Domain>>

uml : UMLModel

<<Domain>>

htm : Html

tb : Table

: Body

Figure 4.31: Top-level relation

Figure 4.32: Display query result

Using the QVTR-XSLT tool, we configure the transformation with appropriate

metamodels: we use a slight variant of EMOF model as the source metamodel, and

a simple HTML metamodel shown in Fig.4.30as the target metamodel. The transfor-

mation includes two relations: the top-level relationQueryUML(Fig. 4.31) that starts

the transformation, and relationDisplay (Fig. 4.32) puts the result of a query into the

html model. The relationQueryUMLalso creates an empty html model, invokes the

queries from thewhereclause, and sends the results to relationDisplay. After the

queries are specified in the editor, we generate an XSLT stylesheet for the transforma-

tion using the code generator. The stylesheet is executed in thetransformation runner

that reads in the source model, and outputs the result html file, meanwhile it shows the

execution time.

185

4. QVTR-XSLT

4.9.2.1 The set of queries

The queries we discuss here are frequently used for model analysis and are of different

complexity and structure. The first three search the entire model to retrieve the results,

while the following three are local queries, which starts the matching from a context

model elements. The simple queries return a single value by element counting, more

complex ones require recursive query calls.

<<Query>>

CountClass

{result=cls->size();}

<<Domain>>

: Package

{forAllSub}

cls : Class

Figure 4.33: Count number ofclasses

<<Query>>

GetClsWithAssoNum

{result=cls->select(ownedAttribute.association ->size()=assoNum);}

<<Parameter>>

assoNum : Integer

<<Domain>>

: Package

{forAllSub}

: Association : Attributecls : Class

ownedAttribute

Figure 4.34: Classes with number of associations

Count elements of a given type: The first query is to retrieve the number of over-

all elements of a given type, say, classes, in a model. The queryCountClassshown

in Fig. 4.33 counts the number of classes contained in all packages. We setthe

forAllsub feature of thePackage to true. The OCL functionsize() is used to

count the number, then the result is returned by variableresult. The code generator

produces the following XSLT function for the query:

<xsl:function name="my:CountClass">

<xsl:variable name="cls" select="$xmiXMI//packagedElement[@xmi:type=’uml:Class’]"/>

<xsl:variable name="result" select="count($cls)"/>


</xsl:function>

186

4.9. Case Studies

where$xmiXMI is the global variable representing the whole model. If the query is

defined in pure textual OCL, we have to use theallInstances construct, such asClass.all

Instances()->size().

All classes with a given number of associations: The queryGetClsWithAssoNum

shown in Fig.4.34obtains a list of classes with a given number of associations.The

parameterassoNum passes the number to the query. The OCL expression in thewhere

clause uses theselectoperation to choose the classes which have that number of out-

going associations. The OCL expression is implemented by the following XPath ex-

pression:

<xsl:variable name="result"

select="$cls[count(ownedAttribute[@xmi:type=’uml:Property’]/@association)=$assoNum]"/>

This query can be used to check if modeling guidelines are adhered to. With such

a query one could find the classes which have too many or too few associations. A

reference definition for the query using OCL is given in [42]:

contextClass

def:getAssociationsFromClass():Set(Association)=

self.ownedElement→asSet()→select(a|a.oclIsTypeOf(Property)).

oclAsType(Property).association→select(a|not(a=null))→asSet()

contextPackage

def:getAllClasses():Set(Class)=

self.packagedElement→asSet()→select(t|t.oclIsKindOf(Class)).oclAsType(Class)→asSet()

def:getClassesWithNumberOfAssociations(NoA:Integer):Set(Class)=

self.getAllClasses()→asSet()→select(c|c.getAssociationsFromClass()→size()=NoA)

It is obvious that the OCL specification is more complicated, and relatively difficult to

understand, comparing to its graphical representation in our query facility.

Maximal depth of class inheritance: Similar to the previous one, this query can

also be used to check if modeling guidelines are followed. The depth of the class

187

4. QVTR-XSLT

<<Query>>

GetMaxDepth

{depths=cls-> iterate(c|CountSuper(c,0));

result=max(depths);}

<<Domain>>

: Package

{forAllSub}

cls : Class

Figure 4.35: Maximal depth of inheritance

<<Query>>

CountSuper

{cnum=num+1;supers=if sc.oclIsUndefined() then cnum else

sc->iterate(s|CountSuper(s,cnum)) endif;result=max(supers);}

: Generalization

<<Domain>>

c : Class

<<Parameter>>

num : Integer

<<Parameter>>

c : Class

sc : Class

general

Figure 4.36: Number of super classes

inheritance is a typical metric in object oriented modeling or programming. Fig.4.35

shows the queryGetMaxDepthspecified in the graphical notation. For each classc in

the setcls, the queryCountSuper(see Fig.4.36) is iteratively called to get a collect

of depth numbers. The queryCountSuperagain recursively calls itself to count the

number of super classes. A notable feature of our query facility is that a set of standard

functions defined in XPath can be mixed with OCL operations. As an illustration, we

directly use XPath functionmax here to get the maximal one in a collection instead of

its OCL counterpart.

The OCL specification for this query given in [42] consists of three user-defined

operations, in total 26 lines of complex OCL code. However, Dr. Ed Willink of the

GMT Consortium provides a more concise reference implementation for the query:

contextClass

def: depth() : Integer =

if superClass→notEmpty()then superClass.depth()→max()+1 else 0endif

def:GetMaxDepth(): Integer =

let allPackages : Set(Package) = self→closure(nestedPackage)in

let allClasses : Set(Class) = allPackages.ownedType→

select(oclIsKindOf(Class)).oclAsType(Class)in allClasses.depth()→max()

Textual pattern matching: One of the most frequent queries is to do a text search

for a given string over a model. However, regular expressions are still not supported

188

4.9. Case Studies

<<Query>>

FindName

name = "’Action*’"

result : NamedElement

{forAllSub}

<<Domain>>

p : Package

<<Parameter>>

p : Package

Figure 4.37: Find elements by name

<<Query>>

GetAttributeName

{not} : Association

name = "result"

visibility = "’public’"

: Attribute

<<Parameter>>

c : Class

<<Domain>>

c : Class

: Type

association

ownedAttribute

Figure 4.38: Getting attribute names

in the OCL specification. An example query might be "find all model elements whose

names begins with ”Action” in a package". Fig.4.37depicts this query. In the EMOF

model, theNamedElement is an abstract class. It is the superclass for all elements that

have names. In the corresponding path expression, we put a wildcard ”∗” just after the

”//” operator to match all elements. Since there is also a ”∗” in the string’Action*’

that is bound to thepropertyTempname, we take the string as a regular expression.

In the implementation, XPath functionmatches() is used to test whether the names

matches the regular expression:

<xsl:function name="my:FindName">

<xsl:param name="p"/>

<xsl:variable name="result" select="$p//∗[matches(@name,’Action∗’)]"/>


</xsl:function>

More complicated regular expressions can also be used in the queries for textual pattern

matching, either bound to thepropertyTemps, or as the arguments of thematches()

functions appearing in thewhereclauses.

Structural matching for existing and non-existing elements: The queryGetAt-

tributeNameshown in Fig.4.38gets a set of names of primitive attributes in a given

189

4. QVTR-XSLT

class. The query selects a primitive attribute by (1) it owns an element ofType; (2) it

does not have anassociationlink; (3) its visibility is public.

4.9.2.2 Experiments

Table 4.5: Results of the first three queries

Name Explanation Result Time

CountClass count all classes of the model 331 78msGetClsWithAssoNum(3) classes with a given number of asso. 30 65msGetMaxDepth maximal depth of class inheritance 10 15s

Using ourtransformation runner, we execute the queries on the model of the UML

superstructure in a laptop of Intel M330 2.13 GHz CPU, 3 GB memory, and run-

ning a Windows 7 home version. The results of the first three queries are shown in

Table4.5. For the queryGetClsWithAssoNum, we use 3 as the value for the parame-

ter, and the table only shows the number of classes found. As depicted in the table,

there are in total 331 classes in the model, 30 of them have 3 associations to other

classes. The maximal depth of class inheritance is 10. One of the inheritance paths is

Device�Node�Class�EncapsulatedClassifier�StructuredClassifier

�Classifier�Type�PackageableElement�NamedElement�Element. Inci-

dentally, this example illustrates the complexity of the UML metamodel.

The execution time includes loading and saving model files from/to the hard disk.

The performance and the memory needed are much dependent on the XSLT proces-

sor used. We can see from the results that the first two queries works well, and the

straightforward algorithm of the third query needs to be optimized.

4.10 Summary

Despite the fact that the QVT Relations offers graphical notation, most of the current

work on QVT model transformations adopt textual style languages. It is somehow

190

4.10. Summary

surprising because they operate on MOF metamodels that are graphically specified as

UML class diagrams. With the widespread use of UML, people are already used to

visually view software systems and software models as diagrams. Transformations

based on UML-like metamodels might be expected to continue the graphical tradition

of class diagrams and favor a graphical notation [173].

We believe that a good transformation language should take the advantage of both

textual and graphical notations, and keep a balance between these two presentation

styles. In view of this, the graphical notation of QVT-R provides a good candidate.

Complemented with textual OCL expressions, the graphical notation of QVT Relations

provides a concise, intuitive, and yet expressive way to define model transformations.

In this chapter we present our work on a practical model transformation approach

and tool to support the graphical syntax of QVT-R. In our approach, a QVT-R transfor-

mation is implemented as an XSLT stylesheet, where every relation maps to an XSLT

rule template. We support unidirectional non-incremental enforcement transformations

of QVT Relations. The features supported by the approach include transformation in-

heritance through rule overriding, traceability of transformation executions, multiple

input and output models, and in-place transformations. In addition, to improve the

usability of QVT-R, we extend the language with additional transformation parameter,

relation alias name and priority, as well as conditional relation call. We also pro-

pose a novel graphical model query facility, which is based on the checking semantics

and pattern matching of QVT Relations, and also borrows its graphical notation. The

model query facility can work seamlessly within the QVT-R transformations. How-

ever, we still cannot support all features of QVT-R, especially itscheck-before-enforce

semantics.

We have developed a tool, named QVTR-XSLT, for supporting the approach. Based

on a UML profile that implements the abstract syntax of QVT-R, the graphical editor of

the tool supports the definition of metamodels, specification of QVT-R transformations

and queries using the graphical notation. The code generator of the tool automatically

191

4. QVTR-XSLT

translates the QVT-R transformations into executable XSLT programs.

Our approach and tool are founded on the standards introduced by OMG and W3C,

and make use of well-known and commonly adopted CASE tools and languages. The

generated XSLT programs for the transformations can be directly executed under any

XSLT processor on any platform, and can be easily integrated into other applications

and systems. As there are already many industrial-strength XSLT processors, such as

SaxonandXalan, our transformations can efficiently process large-scale models.

The benefits of our tool are two-fold: provide QVT users with a practical tool

to specify and execute transformations in graphical notation, and meanwhile provide

XSLT users with a high-level, declarative method to design XSLT stylesheet. Using

the tool, we have successfully designed a set of complicated model transformations

to meet the development requirements of therCOS modeler, as we will discuss in the

next chapter.

192

Chapter 5

A UML Profile for rCOS

Integrating the rCOS method into UML opens up a powerful way to support CB-MDD.

The rCOS supplies UML with a precise semantics, additional modeling concepts for

component composition, formal consistency verification and refinement techniques,

and a design methodology based on correctness preserving model transformations. On

the other hand, the advantage of combining with UML is the possibility to specify

a system with a unified, standardized graphical notation, which improves common

understanding of models between developers and stakeholder involved in the develop-

ment of the system. Thus rCOS could potentially reach a wider user-base.

In addition, representing rCOS in UML opens the way to use many available UML

tools for rCOS, saving development effort and time. By using XMI, an rCOS model

can be seamlessly linked to other development tools. Thus the rCOS method can be

fully integrated into the whole development process of a software system, and enables

the interoperation and data exchange with other notations and tools, therefore facilitat-

ing and improving the reusability of models.

There are several mechanisms to integrate a formal method into UML. Because of

the crucial requirement for standardization in software development, we adopt a strat-

egy of customizing UML using its built-in extension mechanism. This mechanism is

carried out by using UML profiles [64] which describe how UML model elements are

extended to support a particular modeling method. The main concepts of UML profile

and the approach we use to define UML profile have been discussed in Section2.3.2.

In this chapter, we present a UML profile for rCOS, through which the rCOS tech-

niques and methodology can be applied to component-based software development in

a standard, model-driven way. We first briefly review the major concepts of rCOS us-

ing a metamodel in Section5.1. On the basis of the metamodel, Section5.2presents a

193

5. A UML Profile for rCOS

UML profile for rCOS, and defines the UML artifacts used in rCOS. In Section5.3, we

discuss implementation of the profile in a CASE tool and how the rCOS development

process is supported by the tool. We mention some related work in Section5.4 and

outline some conclusions in Section5.5.

5.1 A Metamodel of rCOS

As rCOS has been introduced in Chapter3, here we review only the major concepts and

features of the rCOS language using a MOF compliant metamodel, so as to facilitate

the definition of the rCOS profile. The description focuses on the syntactic aspects.

Using the standard metamodeling language MOF, we can represent each concept of the

rCOS language as a MOF element and enhance it with OCL constraints that preserve

its original semantical meanings in rCOS.

The rCOS metamodel consists of four packages:Type, Class, ComponentandRCOSP.

The latter three have dependencies on theTypepackage. TheRCOSPpackage defines a

Java-like textually specification language, which has been presented in BNF format in

Section3.2.1. We will not discuss this package in this section. To keep the metamodel

at an abstract level and not overpopulate it with unnecessary details, most attributes of

the meta-classes are hidden, for example, thenameof each model element.

5.1.1 Types and classes of rCOS

Types As illustrated in Fig.5.1, theTypespackage contains data types used in rCOS.

A typemay be aclass, which is the type of an object in a system, or may be aprimitive

type, such asBoolean, Integer, or String. A collective type, such asSet, is a collection

of elements whose type is already defined in the package. For example,Set(T)is the

type of sets of typeT. We define a set of operations, such asadd, containsandremove,

for thecollective typewith their standard semantics. For example, for a variables of

typeSet(T), the operations.add(a)equalss′ = s ∪ {a}, ands.contains(a)equalsa ∈ s.

194

5.1. A Metamodel of rCOS

add( a : Type )remove( a : Type )contains( a : Type ) : Booleanempty() : Booleansize() : Integer

CollectiveType

UnlimitedNatural

PrimitiveType

find( a : String )

Set

Type

Boolean

Integer

Double

String

Class

Char

Void

baseType

Figure 5.1: Types package of rCOS metamodel

For aSet swhere each element has an identifierid, the operations.find(a)denotes the

function that returns the element whoseid equals toa if there is one, or returnsnull

otherwise.

new()

Class

protectedprivatepublic

<<enumeration>>

Visibility

visibility : Visibility

Field

visibility : Visibility

Method

Expression

Parameter

Command

Type

body

0..1

init 0..1

1

type

extends

0..1

0..*out0..*in1 type

attribute 0..* 0..*

Figure 5.2: Class package of rCOS metamodel

Classes Like most OO languages, rCOS has its class model with the notions of

classes, associations or attributes, and inheritance, to represent the application domain

concepts. Fig.5.2 depicts the rCOS class metamodel. Aclasshas a distinct name,

195


and it can beextendedfrom a super class, so, there is no multiple inheritance. The

operationnew() creates a new object of the class.

A classdeclaration consists of two parts: a set offields (attributes) and a set of

methods. Fields define the static attributes of the class. They have avisibility annotation

(private, protected, or public), and their types are defined in the type package. A field

may have aninitial expressiondefining the allowable initial values. The language

neither offers attribute overriding nor multiplicity. Multiplicities can be modeled by

using thecollection types.

A method declaration consists of the method name, its value (in) parameters, re-

sult (out) parameters and the body. We can have different scopes of visibility for the

methods, by default they are public. Because rCOS is used as a specification language,

it allows a method to return a number of outputs. A methods can be inherited by a

subclass, and a method is allowed to be overridden in a subclass, but its signature,

i.e. types of parameters, should be preserved. The body of a method defines its data

functionality at different levels of abstraction, from apredicatespecified in the form

of UTP designpre ⊢ post to program code.

5.1.2 Components of rCOS

Thecomponentspackage, as shown in Fig.5.3, defines the component-based modeling

concepts of rCOS. An rCOSinterface, which is a syntactic notion providing an interac-

tion point for a component, is a declaration of a set offieldsandmethods. Particularly,

we define internal autonomousactions. An action, which likes a method without pa-

rameters, can be executed atomically in a state in which its guard condition holds. In

addition, an interactionprotocolof the interface is a set of finitetracesover theeventsof

method calls. In principle, regular expressions, finite state machines, or finite CSP pro-

cesses can be used to describe the traces. A protocol defines the permissible sequences

of method invocations from the environment when interacting through the interface.

196

5.1. A Metamodel of rCOS

Component

Interface

kind : ConnectorKind

Connector

rename

parallel

hideplug

<<enumeration>>

ConnectorKind

Protocol

Method

Action

Trace

Predicate

Field

Event

{sequence}

ProcessService

init 0..1

calls

1

interaction

1

compose

1..*

provided 0..*

implement 0..1

required 0..* internal0..*

1..*

1..* 0..*0..*

Figure 5.3: Components package of rCOS metamodel

Moreover, theinitial predicate specifies the allowable initial states of the interface.

A component may provide services that are defined by theprovided interfaces. The

component is responsible for implementing its provided interfaces, either by the com-

ponent itself or through some (interface) classes. On the other side, a component may

need to use the services provided by other components. These services are called re-

quired services and are represented asrequired interfaces. Similarly, the protocol of the

required interface specifies the requirements on how the required component should

provide the services. Obviously, the required protocol is determined by the protocol

of the provided interfaces. A component can also haveinternal interfacesthat declare

methods private to the component, and thus they can only be called from the provided

methods, the private methods themselves and the actions.

In rCOS, there are two kinds of components. Aservice component, component for

short, has provided interfaces, and optionally required interface. It is externally passive

and only interacts with its environment when a provided service is requested. On the

other hand, aprocess component, process for short, is active and has its own control

thread. A process has required interfaces only and it actively invokes services of other

components following its own flow of control so as to coordinate the behavior and pass

data among components.

197


The notion ofcomponent compositionis essential for a component-based design. A

new component can be composed hierarchically by usingconnectorsto connect exist-

ing components. In rCOS, we define the basic composition connectors forrenaming

interface methods,hiding interface methods to restrict environment access to provided

methods,pluggingthe provided interface of one component to the required interface

of another component, andparallel compositionof components.

Additionally, rCOS defines a set of notions to support component-based design.

A component without required interface is called aclosed component, otherwise an

open component. If there is no internal action in a component, it is called aprimitive

component. Thus, acomponent contractis just like aprimitive componentin which the

method bodies of the provided interfaces areguarded designs.

Contracts are important for the requirement specification and verification of the

correct design and implementation through refinements. In rCOS, each closed com-

ponent is semantically equivalent to a contract. In contrary, acomponent publication

defines as a component in which the body of each method is just a design of the data

functionality and there is a protocol defined for the provided interface. Publications

are declarative. They are more suitable for specification of components in system syn-

thesis [97].

5.2 A UML Profile for rCOS

In this section, we first briefly introduce the mapping from rCOS concepts to UML

model elements, then we discuss the models of class and interface, sequence diagram,

state machine and component, followed by presentation of the rCOS modeling archi-

tecture. In addition, we define the constraints of the profile using OCL. Here we de-

scribe the abstract syntax of the rCOS model using a mixture of EMOF class diagrams

and profile diagrams. In the following UML profile diagrams, an element in the light

yellow box represents a stereotype of rCOS, and the ones in the dark yellow boxes are

198

5.2. A UML Profile for rCOS

standard UML metamodel elements.

5.2.1 Mapping rCOS Concepts to UML

UseCaseComponent

UML

rCOS

InterfaceField Protocol

<<metaclass>>

StateMachine

<<metaclass>>

Property

<<metaclass>>

Operation

<<metaclass>>

Interface

<<metaclass>>

Component

<<metaclass>>

Constraint

<<metaclass>>

Interaction

<<metaclass>>

Class

<<metaclass>>

UseCase

Method

<<metaclass>>

Package

Class Command

body

Figure 5.4: Mapping from rCOS concepts to UML

As rCOS is a language for object-oriented and component based systems, by design

it shares a lot of features with UML. To define the rCOS profile, we first go through the

full set of rCOS concepts, and identify the most suitable UML model elements as their

base metaclasses. The selected UML model elements should have semantics which are

closest to the semantics of the domain concepts in order to get support from existing

UML tools and meet developer’s expectations on the semantics.

In fact, many rCOS concepts can be represented by UML model elements without

changing their original semantics. At most, we need to impose some additional con-

straints. For these rCOS concepts, we directly use UML concepts without introducing

stereotypes. Fig.5.4 illustrates the mapping from rCOS concepts (below the dashed

line) to UML metaclasses. The mapping is intuitive and straightforward, and we are

going to discuss the corresponding stereotypes later in this section. These stereotypes

are used throughout the entire model design and refinement process. For many of

the UML concepts mentioned here, analogous description may be extracted from the

OMG UML specification [135].

Representing rCOS views with UML diagrams. The rCOS itself does not define

any graphical notation for representing the model. The multiple viewpoints of rCOS

199


can be graphical represented using different UML diagrams. These diagrams not only

provide designers with a high-level intuitive understanding of the entire system, but

also can serve as a working platform to add new model elements, or refine the existing

elements selected from diagrams. That is the idea of "design by drawing".

The following diagram types are supported in the rCOS modeling. We reuses sev-

eral diagrams types from UML without any extension, and extend some of them.

• A UML use case diagram describes the business processes and services pro-

vided by the system, and their possible users - theactors.

• A UML class diagram displays the class definitions in the application domain,

and their relationships such as inheritance, association and containment. Fur-

thermore, for each (non-trivial) interface, we may also have a class diagram

to represent the interface’s main attributes and methods, its implementingcon-

troller class, and the relationships of the controller class with the domain classes.

We reuse the UML class diagrams without modification.

• For each rCOS protocol, a UMLsequence diagram can be adopted to present

the interactions between the external environment and an interface, or between

the interface and the other model elements, such as objects of domain classes,

or internal components. We define two kinds of sequence diagrams to support

both the OO and component-based design activities of rCOS. Moreover, a UML

protocol state diagram is used to present the dynamic behaviors of the inter-

face, here each transition is trigged by a method call to a method defined in the

interface.

• For each rCOS component that has sub-components, we use a UMLcomponent

diagram to describe the organization and the dependencies between the set of

sub-components, and how these sub-components are connected to the container

component. At the top-most level, a component diagram shows all the compo-

200


nents representing the use cases, and the possible relationship between them.

5.2.2 rCOS modeling architecture

The model-driven paradigm focuses on constructing of models instead of program-

ming code. While designing a large hierarchical application model, a fundamental

necessity is specifying its structure. A sound structure makes models more readable

and preserves their integrity easier over time.

UML defines the concepts ofmodel andpackage, which serve as grouping units

for other model elements. Since we need to serialize a model into an XMI file, a root

element for the model is necessary. A UMLmodel is the top level root element of a

model, and below it, thepackages. A package is used to group and organize model

elements and diagrams, and provides aname space for the grouped elements.

<<stereotype>>

ComponentModel<<stereotype>>

UsecaseModel

<<stereotype>>

ClassModel

<<stereotype>>

RCOSModel

<<metaclass>>

Package

<<metaclass>>

Model

classModel1usecaseModel 1 componentModel1

Figure 5.5: Overall structure of rCOS model

Fig. 5.5 depicts the overall structure of an rCOS model. We introduce the stereo-

type «RCOSModel» extending from UMLmodel to represent the root of an rCOS

model, and we define the stereotypes«ClassModel», «UseCaseModel» and«Component-

Model», all as extensions of UMLpackage. Thus an rCOS model consists of three

sub-models to specify different aspects of a system:

201


• Use case model, contains allactors, use cases and their relationships, along

with use case diagrams.

• Class model, contains all class definitions and their relationships, represented as

a set of class diagrams.

• Component model, contains a collection of components and their interfaces. It

also includes component diagrams to describe the relationships between compo-

nents, and sequence diagrams and state diagrams to specify the behaviors of the

components. At the top level, each component relates to a use case of theuse

case model. As a component itself can own other model elements, it may also

contain a set of internal components.

The rCOS model architecture also provides a basis for implementing an rCOS model

as aModel-View-Controller(MVC) style application. The MVC design pattern solves

the problems arising when applications contain a mixture of data access code, business

logic code, and presentation code. We can develop theclass modelinto a Model of

MVC, which is the domain-specific representation of the data upon which the applica-

tion operates. Thecomponent modelis implemented as theControllerof MVC, which

represents the application domain logic. Finally theuse case modelbecomes theView

of MVC, which typically forms a set of user interfaces. Similar to the basic idea of the

rCOS method, the MVC pattern isolates thedomain logic, domain datafrom input and

presentation(GUI), permitting independent development, testing and maintenance of

each [172].

5.2.3 Class and interface modeling

Like most OO program languages, rCOS has its concepts of class, method and field.

All the features have standard representations in UML. As one of the most impor-

tant UML diagrams, a class diagram is used to model the static structure of a system.

202


aggregation : AggregationKind

Association

<<stereotype>>

ObjectSequenceDiagram

Interface

isQuery : Booleanvisibility : VisibilityKind

Operation

Class

href : PrimitiveType [0..1]

Type

Classifierspecification : String

Constraint

<<stereotype>>

DesignOperation

[Operation ]

Property

<<stereotype>>

ContractInterface

[Interface]

compositenone

<<enumeration>>

AggregationKind

<<stereotype>>

ControllerCLass

Boolean

IntegerDouble

String

<<enumeration>>

PrimitiveType

protectedprivatepublic

<<enumeration>>

VisibilityKind

<<stereotype>>

ClassModel

<<stereotype>>

Protocol

[Package]

<<stereotype>>

Action

Parameter

type0..1

interface

end

2

guard

0..1

method

0..*

1

design

0..1

general 0..1

init

attribute

protocol 0..1

post 0..1pre 0..1

interaction0..1

1

Figure 5.6:ClassandInterfacemodels

Within the class diagram, we can define domain concepts asclassesand their rela-

tionships. The relationship can begeneralization, normal association, or composition.

Meanwhile, a UMLinterfacedefines a contract that represents a declaration of a set

of coherent public features and obligations. As shown in Fig.5.6, both class and

interface, as sub-classes of UMLclassifier, have similar structure, which includes:

• a set ofpropertiesthat present the structural features of a class/interface. A class

can only own properties of primitive types, and the properties of an interface can

be primitive types, or of types of classes defined in the model. Particularly, we

allow a limited amount of properties of primitive types on the interface for use

as guard conditions in related sequence diagrams.

• a set ofoperationsthat define the offered methods. An operation may own some

parameters, and its functionality can be specified by a pair of constraints aspre-

andpostconditions. In UML, a constraintis a conditional expression that can

be evaluated to aBooleanvalue. The pair of constraints specifies that if the

input parameters and the current state of the (instance of)classifiersatisfy the

precondition, then the invocation of the operation will make the postcondition

203


hold. An operation can be aquery(if its isQueryfeature sets totrue) that does

not change the system state. Thevisibility feature defines whether the operation

can be offered to the environment.

• a set ofinitial constraintsthat specify the allowable initial states when an in-

stance of a class is created.

As an interface is not instantiable, it can be realized by an instance of a class

through a UML interface realization. Such a class must fulfill thecontract of the

interface. That is, it must provide a public facade (attributes, operations, externally

observable behavior) that conforms to the interface [135]. In rCOS, we implement an

interface as acontroller class(use case controller) in OO design. A controller class is

a special class that initializes a system, creates permanent objects of the system, and

keeps the main flow of control of the system [12]. An rCOS«ObjectSequenceDiagram»

(will be discussed later) may be attached to a controller class to specify its behaviors.

This is the sequence diagram that is really used in the OO design of applying expert

pattern.

For supporting rCOS, we define stereotype«DesignOperation» as an extension of

UML operation to represent rCOSmethod. An additional constraint is introduced with

the namedesignto specify the static functionality of the method, and aguard con-

straint specifies the guard condition if the method has aguarded design. Meanwhile,

we introduce stereotype«Action» as a subclass ofdesign operationto support rCOS

actionsthat can be executed atomically in a state in which its guards holds, and change

the system states. Moreover, we define stereotype«ContractInterface» to represent an

interface with an behaviorprotocol.

5.2.4 Component modeling

The rCOS employs components to specify hierarchical structuring, reuse, and evolu-

tion of large and complex models. Supported by required and provided interfaces,

204


<<stereotype>>

RCOSSequenceDiagram

[Interaction]

<<stereotype>>

ServiceComponent

<<stereotype>>

ProcessComponent

InterfaceRealization

<<stereotype>>

RCOSComponent

[Component]

<<stereotype>>

ComponentModel

<<stereotype>>

ContractInterface

<<stereotype>>

ContractInterface

<<stereotype>>

ControllerCLass

Usage

<<stereotype>>

RCOSUseCase

[UseCase]

StateMachine Collaboration

<<stereotype>>

Protocol

[Package]

CallEvent

0..1

0..*

0..1

interaction 0..1

0..*

component

provided 0..1

client

realizingClassifier0..1

0..*

0..1

required

0..1

supplier

protocol

0..*

supplier client

0..1

1

contract

Figure 5.7: Modeling rCOS component

components are composed together via the composition operators, and can be visual-

ized using component diagrams.

UML offers more complex concepts than rCOS to specify components, their con-

necting and realization. A detailed discussion of UML components is out of the scope

of this thesis. In order to encode rCOScomponentsandcompositionin a compact

way, while supporting the semantics of rCOS, we define the rCOS component model,

shown in the UML profile diagram of Fig.5.7, which consists of:

• ContractInterface: Mapped from rCOSinterface, a contract interface provides

an interaction point for a component, and defines the static portion of an rCOS

interface contract. For ease of layout of the diagram, the samecontract interface

element appears twice in Fig.5.7.

• Protocol: A contract interface has aprotocol that specifies the traces of invoca-

tions to the methods of the interface. A protocol is a UML package that contains

a state machine, a collaborationand a set ofcall events. A call event is an in-

vocation to an operation of the contract interface, resulting in the execution of

205


the called operation. Especially, a collaboration owns a UMLinteractionde-

fined as anRCOSSequenceDiagram. The rCOS defines separate protocols for

the provided and required interface of a component. For a provided interface,

we usually have both a sequence diagram and a state machine as its protocol,

but only a state machine is attached to a required interface in order to calculate

interface composability.

• RCOSComponent: We map an rCOScomponentto the abstract stereotype

«RCOSComponent» as an extension of UML meta-class component, and we de-

fine the stereotypes«ServiceComponent» and«ProcessComponent» to represent the

two kind of components in rCOS. A component itself may also have an rCOS se-

quence diagram to specify the interactions between its internal sub-components.

Moreover, we define stereotype«RCOSUseCase» to represent use cases in rCOS,

each of them is modeled by an rCOS component.

In the component model, we realize the connection between a component and its pro-

vided interface using a UMLinterface realization. A UML usage, a specializedde-

pendencyrelationship, is used to link a required interface to its owner component.

Meanwhile, theinternal interfaceis directly owned by a component.

<<stereotype>>

Delegation

[Dependency]

<<stereotype>>

Composition

[Dependency]

<<stereotype>>

ComponentModel

<<stereotype>>

RCOSComponent

<<stereotype>>

ContractInterface

<<stereotype>>

ContractInterface

Port

0..*

supplier

1

0..*

provided 0..1

client 1

supplier

1

required

0..1

client

1

0..2

0..*

Figure 5.8: Realizing component composition

206


Component composition As shown in Fig5.8, extended from UMLdependency,

we define two stereotypes«Composition» and «Delegation» to support the following

two kinds of component compositions:

• Horizontal assembly: A provided interface from one component is plugged to

a required interface of another component using a«Composition». The requests

from the required interface are passed to the provided interface. The two compo-

nents are composed at the same level of the hierarchical structure. One required

interface may need several provided interfaces, and one provided interface can

be plugged into multiple required interfaces. The rCOSconnectors, if they are

implemented as simpleopen components, compose components horizontally.

• Hierarchical assembly: If a component has internal sub-components, we use

UML port as the interaction points to the internal parts. Using the stereotype

«Delegation», an interface of a sub-component can be associated to a port of

the container component. A request to the provided interface of the owning

component reaches the port first, and it is then forwarded to a provided interface

of a sub-component. Requests originating from a sub-component pass through

its required interface to a port of the owning component, and then pass to the

required interface of the owning component. The composition process can reach

arbitrary depth. The hierarchical assembly also providesname spacefor the sub-

components, that means the full name of a sub-component is decided by all its

hierarchical owning components.

In both cases, the composability between the components must be checked to ensure

thestatic(types) anddynamic(behavior) correctness of the composition.

Component realization Realization of a component means realization of the ser-

vices provided by the component through its provided interfaces. In UML, there are

207


three ways to realize the provisions of a component, either using methods of the com-

ponent itself, or by its sub-components or using a realizing classifier.

In the rCOS component model, for a component that does not own any sub-component

(called anatomic component), its provided interface is realized by acontroller classif

it is a closed component, or realized by the methods of the component if the component

is open. For a composed component, all requests will be forwarded and realized by the

provided interfaces of the internal sub-components. Each method call is processed

according to therun-to-completionsemantics. The component that sends a call event

through its required interface has to wait until the component owning the provided in-

terface is ready to receive the call, and then delegate it to an implementing object or a

sub-component. Only one method call is processed at a time.

Figure 5.9: An example of component composition

componentProcessSale {provided interface SaleP

by CashDesk.CashDeskP {...}required interface BankR

by Payment.PaymentR {...}

composition : CashDesk | Payment[(CashDesk.CashDeskR

<< Payment.PaymentP)]

componentCashDesk{provided interface CashDeskP {...}required interface CashDeskR {...}

}

componentPayment {provided interface PaymentP {...}required interface PaymentR {...}

}}

Listing 5.10: Textual de-scription in RCOSP

Fig. 5.9 depicts an example component diagram, and its RCOSP counterpart is

shown for comparison in Listing5.10. The componentProcessSalecontains two inter-

nal components,CashDeskandPayment, and the provided interface ofPaymentplugs

into the required interface ofCashDesk. Through theports anddelegations, all in-

vocations to the provided interfaceSalePare forwarded to the provided interface of

componentCashDesk, and the required services of interfacePaymentRare delegated

208


to BankR, the required interface of componentProcessSale. In this example, compo-

nentProcessSalerealizes the rCOSparallel compositionof CashdeskandPayment, with

CashDeskR = PaymentP andCashDeskP ∩ PaymentR = ∅. In other words, compo-

nent ProcessSaleis the result of componentPaymentplugged intoCashDesk, denoted

asCashDesk ≪ Payment , through thehierarchical assembly.

5.2.5 rCOS sequence diagram

interactionOperator : OperatorKind

CombinedFragment

<<stereotype>>

ComponentSequenceDigram

<<stereotype>>

RCOSSequenceDiagram

<<stereotype>>

ObjectSequenceDiagram

Interaction

critical

breakloop

seqnegpar

optalt

<<enumeration>>

OperatorKind

InteractionFragment

ConnectableElementMessageOccurrence

InteractionOperand

MessageLifeline

InteractionUse

Constraint

Interface

Component

Operation

{ordered}

{ordered}

CallEvent

Actor

Class

refersTo

1

coveredBy 1..*

covered1..*

operation

message

1..*

fragment 1..*

fragment 1..*

lifeline

2..*

guard 0..1

sendEvent

message

receiveEvent

message.

operand 1..*

represents

event

Figure 5.11: rCOS sequence diagram

UML sequence diagram provides powerful and well-defined constructs to rigor-

ously model complex flows of control. It has become one of the most important tools

in scenario-based requirements engineering, as it can be used to capture and elicit dy-

namic and functional behaviors of a system in a very readable but also quite formal

way. As shown in Fig.5.11, a sequence diagram is defined as a UMLInteraction

which includes:

• a set oflifelines, each representing a participant taking part in the interaction. A

participant could be anactor, an object (of a particularclass), an interface, or

209


a component. When a lifeline represents an object or a component, we call it

object lifelineor component lifeline, respectively.

• a set ofmessages, each specifying a communication from a sender lifeline to

a receiver lifeline through a pair ofsendand receive events. The send event

occurs before the receive event. These events correspond to the invocation of an

operation. In our model, we allow onlysynchronous message callsto operations

defined in an interface or a class.

• an ordered set ofinteraction fragments, each representing a piece of the interac-

tion. The fragments cover lifelines from top to bottom in a time sequence. There

are three kinds of interaction fragments:

– message occurrence: specifies the occurrence of the pair of events caused

by an operation call.

– combined fragment: expresses varied kinds of conditional control flows. A

combined fragment consists of one or moreinteraction operands, which

may also contain message occurrences and combined fragments. An inter-

action operand can owns a constraint as itsguard condition. The type of

a combined fragment is decided by itsinteraction operatorfeature. In to-

tal there are 12 different types of interaction operators defined in the UML

specification. The operators considered in our model arealt, loop, opt,

par, critical, break, negandseq. Discussions about the meaning of these

operators can be found at Section6.1.1.2.

– interaction use: a shorthand for copying the contents of the referred inter-

action to where the interaction use is. The referred interaction is usually

defined in its own sequence diagram. Interaction uses allow reuse of exist-

ing sequence diagrams, and decomposition of a complex sequence diagram

into simpler ones.

210


In order to combine both OO design and component-based design, rCOS has de-

fined two kinds of sequence diagrams,object sequence diagramsandcomponent se-

quence diagrams. As shown in Fig.5.11, the abstract stereotype«RCOSSequenceDi-

agram» has subtypes of«ObjectSequenceDiagram» and«ComponentSequenceDiagram»,

that satisfy the following well-formed conditions, respectively.

1. Object sequence diagram:

• There is one lifeline representing anactor, and all other lifelines represent

objects or (interfaces of) components.

• Messages aresynchronous callsto an operation provided by the type of the

target lifeline, or a constructor/create messages.

• A message flow starts with a message from the actor to a single component,

from components to components or objects, or from objects to objects, but

never from objects to components.

Therefore, an object-sequence diagram can contain both component and object

lifelines.

2. Component sequence diagram:

• One lifeline represents anactor, and all other lifelines represent (interfaces

of) components.

• All receive events occur on the lifelines representing components.

• Each message is a method call to an operation defined in the provided in-

terfaces of the component represented by the target lifeline.

• There should be acompositionrelation between two components if there is

a message between them in a sequence diagram.

• No create messages exists in the diagram.

211


The static semantics, i.e. well-formedness of the rCOS sequence diagrams, including

the above conditions, is defined by a set of OCL rules. These rules are used to auto-

matically check the well-formedness conditions and the structural consistency of the

UML model: for example, the object creation event on a lifeline must precede all other

events on the lifeline, and a fragment must include both the sender and the receiver of

any event occurring in the fragment.

The behavior semantics of UML sequence diagram can be described as a set of

positive traces and a set of negative traces. Positive traces define valid behaviors and

negative traces define invalid behaviors (see Sec. 14.3.11 of [135]). Here a trace is a

sequence of event occurrences. In our model, a trace can be simplified to a sequence

of calls to the operations defined in the classifier.

5.2.6 State machine diagram

Figure 5.12: Protocol state machine

The reactive behaviors of rCOS components are specified by state machines which

are represented as UML state diagrams. In our model, we use the UML protocol state

machine (PSM) that covers all the basic concepts of state machine, such as states, tran-

sitions, events, etc., which are used in rCOS modeling. As a variant of state machine, a

212


PSM is always defined in the context of a classifier (interface or class). It is used to de-

fine the usage protocol, expressing the allowed call sequences on the operations of an

interface. A distinctive feature ofPSM is that a transition is associated with a precon-

dition (guard) and a postcondition, but not with any action, and the internal transition

triggers cannot be used any more [135]. Thus a protocol state machine describes the

offered services and not the way they could be implemented.

As shown in the metamodel of Fig.5.12, aPSM includes:

• a set ofverticeswhich are abstraction of nodes in a state machine. A vertex

hasincomingandoutgoingtransitions, and it may either be apseudostateor a

state. If a state containsregions, it is called acompositestate, otherwise it is

a simplestate. In our case, a composite states is always anorthogonalstate,

which means there are more than one regions inside the state. These regions

are calledorthogonalregions, and they execute concurrently with interleaving

semantics. For pseudostates, we support thejunction, which is used to chain

together multiple incoming transitions and produce an outgoing transition, and

the choice, which results in the splitting of the multiple outgoing transitions

according to the dynamic evaluation of the transition’s guard conditions. Since

UML allows a model element to be associated with a set of constraints, we use

this to addstateandcritical constraints to a vertex for the purpose of labeling it.

For convenience, if vertexA has an outgoing transition to vertexB, we callB

theoutgoingvertex ofA, conversely,A is theincomingvertex ofB.

• aset ofprotocol transitions, each representing a directed relationship between a

source vertex and a target vertex. A transition represents a single atomic com-

munication event. It may have apre- and apostcondition, and it may trigger

a referred operation that isobservableand changes the system state. A transi-

tion is enabled if its precondition evaluates totrue and its source state is active.

Then the target state must reached under the postcondition by the execution of

213


the referred operation. Note that there can be transitions without referred oper-

ation calls and without any guards, as well as transitions that only have a guard

specified, but no operation calls. In addition, a transition without precondition,

post-condition and referred operation is atau transition, which can be executed

automatically and does not change the system state.

• a set ofregionswhich containverticesandtransitions. For each region, aninitial

pseudostate defines its starting point, and afinal statesignifies the completion of

the region. Note that the first transition referred to by an operation cannot start

from the initial pseudostate. A transition to a composite state means a transition

to the initial pseudostates in each of its regions, all theorthogonalregions are

active at the same time, and each region has its own thread of execution. Comple-

tion of the orthogonal regions represents completion of the enclosing composite

state. Afinal statein the region directly owned by the state machine signifies the

completion of the state machine.

The semantics forPSM, as described in the UML specification, isrun-to-completion:

a transition completes only after its referred operation completed. Thus, while exe-

cuting an operation, no other operation calls can be processed by thePSM. Thereby,

ignoring the execution of the transitions which do not call operations, the semantics is

captured by a set of traces of operation calls, each starting from theinitial state, going

along the outgoing transitions, and finally reaching thefinal state of thePSM.

5.2.7 Visual diagram modeling

The multiple viewpoints of rCOS can be graphically represented using different UML

diagrams. The graphical representations are essential parts of an rCOS model. At im-

plementation level, currently an rCOS model is built on top of Topcased [165], that

is an open-source toolkit and runs on the Eclipse platform as a plug-in. Supported by

Topcased, a complete rCOS model consists of two parts: a UML model that contains

214


the abstract syntax information we have described previously in this section, and aDI

(diagram interchange) [75] model that contains the concrete syntax (visual representa-

tion) information.

+presentation : String

SemanticModelBridge

+id : String+offset : String

EdgeObjectOffset

+position : String

GraphConnector

+viewport : String

Diagram

+position : String+size : String

GraphElement

+key : String+value : String

GraphProperty

UMLElement

+text : String

Waypoints

GraphNode

SubDigram

DIModel

ElementRef

GraphEdge

modelRef

0..1

0..*+semanticModel 0..1

+model

+anchor 2

+graphEdge

+property

0..*

+model

0..* +href

+anchorage0..*

+element

1..*

0..*

+href

1..*

1..*

Figure 5.13: Metamodel of diagram interchange (DI)

UML 2.0 Diagram Interchange (DI) [75] is a standard proposed by OMG for dis-

playing models on a two-dimensional canvas such as a monitor. Fig.5.13 depicts

the DI metamodel used in rCOS modeling. Here, a DI model may contains several

subDiagrams, which are mechanisms to collectDiagrams. The main concepts of the

metamodel areDiagram, GraphNode, GraphEdge, and their superclass -GraphElement.

The last one includes information such aspositionandsizeof the element. ADiagram

is the topmost graph element for an independent graph or diagram, and it can recur-

sively contains all other graphic elements. TheGraphNodesandGraphEdgesare linked

by theGraphConnectors. A graph connector is the connection point owned by a graph

node and defines the position for graph edges to link. A graph connector may be served

for more than one graph edges, while every graph edge exactly anchors to two graph

connectors.

A graph element is related to an element in the UML model through theElementRef

of a SemanticModelBridge. The appearance of the graph element is decided by the

215


presentationproperty of theSemanticModelBridge. TheDIModel andSubDiagramcan

also relate to their semantic correspondences.

In case of rCOS model, each sub-model, such as rCOS use case model, class model

or component model, is represented as aSubDiagram. Inside a diagram, UML model

elements are represented intuitively. For example, in a component diagram, compo-

nents and interfaces are represented by graph nodes, while interface realization, usage

and composition are represented as graph edges. For a sequence diagram, lifelines are

represented by graph nodes and messages are graph edges. Meanwhile the Topcased

tool is responsible for the concrete representation of a graph element. For instance,

the tool has to know that a node representing a component should be visualized as a

rectangle with its name in the upper compartment.

5.2.8 Profile constraints

An important part of a profile is the static semantics that is defines as the well-formedness

constraints. These rules are used to automatically check the well-formedness and the

structural consistency of a model. The constraints are typically specified by OCL and

embodied as a set of OCL rules to theconstraintsproperty of the owner stereotype.

This allows treating constraints as other model elements. They can be handled using

usual modeling mechanisms, such as copying, moving around in the model, or refac-

toring into a separate module etc.

All these constraints can be divided into two categories: profile conformance con-

straints, that require a model conforming to the profile, and model consistency con-

straints, where different viewpoints of a model must be mutually consistent. For static

consistency of an rCOS model, we at least check the follows:

• all types used in the fields, method parameters, and method bodies are correctly

defined in rCOSTypespackage;

• all method invocations occurred in the state machines, sequence diagrams, and

216


method bodies only callmethodsdefined in the correspondinginterfaceor class,

with matched in & out arguments and types.

A conformance constraint is evaluated between an rCOS model and the stereotypes

of the profile. For example, an rCOS sequence diagram can only have synchronous

method calls. In the following, we discuss some of the profile conformance constraints

as examples.

• An rCOS model consists of ause case model, a class model and acomponent

model.

contextRCOSModelinv modelHs3Pt:

self.usecaseModel→size()=1and self.classModel→size()=1and self.componentModel→size()=1

• An rCOS component sequence diagramhas at most one lifeline representing an

actor, and the others represent component interfaces.

contextComponentSequenceDiagraminv comSeq1Act:

lifeline.represents.type→select(oclIsTypeOf(uml::Actor))→size()<=1

and lifeline.represents.type→select(not oclIsTypeOf(uml::Actor))

→forAll (oclIsTypeOf(uml::Interface))

• An event of rCOS sequence diagram must be a call event.

contextMessageinv eventIsCall:

owner.getAppliedStereotype(’rCOS::RCOSSequenceDiagram’)→notEmpty()

implies receiveEvent.oclAsType(uml::OccurrenceSpecification).event

→forAll (oclIsTypeOf(uml::CallEvent))

5.2.9 Profile implementation

We have developed a CASE tool, calledrCOS modeler[97], which provides a de-

velopment environment for rCOS, and we implemented the rCOS profile in the tool.

The tool supports rCOS methodology with user friendly interfaces and integrated re-

finement and verification facilities. It also realizes the well-formedness and structural

217


consistency checking using an OCL engine. The tool is based onTopcased[165] and

developed in Java as a plug-in to Eclipse IDE. Topcased provides a graphical environ-

ment for designing UML diagrams, editing metamodels, specifying OCL constraints,

and model verification and validation. The following steps are included in the process

of developing the rCOS profile:

Figure 5.14: Definitions of rCOS profile

Defining the profile. In theUML Editor of the Eclipse platform, it is straightforward

to use the design decisions made previously to design the rCOS UML profile as a stan-

dard EMF model. The screenshot of Fig.5.14shows a part of the profile definitions.

218


It includes a set of admitted constructs and other restrictions, a set of stereotypes and

tag values that can be used. In addition, we define a library model that realizes all

rCOS primitive and collective types. Thus, using the XMI interchange mechanism, the

profile and library model, together with models to which the profile have been applied,

can be output as XMI files and reused (imported) by other tools.

Customizing user interfaces. However, additional functionality may need to be de-

veloped in the process of implementing a profile in practice. This comes from the

fact that it is more efficient for end-users to work in a user-friendly graphical interface

when dealing with complex models and developing steps.

Specifically, modeling elements applied with an rCOS stereotype will be shown

with the name of the stereotype in the UML diagrams, such as«RCOSUseCase» in

use case diagrams, or«ServiceComponent» in component diagrams. The menu icons

in the editing palette of the diagrams have to be restricted to the allowable items for

rCOS modeling. For example, the icon used to draw an asynchronous message will

not show in the edit panel of the sequence diagrams. Moreover, we need additional

items in the popup menus to navigate among different views of a complex model,

and to support stepwise and incremental design by invoking model transformations in

different development stages. The customized user interface clarifies the usability of

the rCOS modeler by enabling the user to drag and drop the correct model elements to

appropriate views, and offering a convenient way to guide the user to do the designs.

This work of customizing user interfaces is done by developing a set of Java classes

and descriptive XML files. Deployed as Eclipse plug-ins, these artifacts extend and

customize UML diagram editors of Topcased. The plug-ins limit and/or add menu

items in editing palettes and popup menus of various views. They also contribute to

OCL well-formedness checking by indicating the elements that failed in the validation

and pointing out the causes.

219


Implementing well-formedness constraints. Theoretically, a stereotype can also

contains constraints written in OCL. A tool can read out these constraints and check

the target model. But actually it is quite difficult to perform complex checking in

a controlled series of steps using this approach. In the current version of the rCOS

modeler, a part of the constraints is embodied in Java classes, and the checking of the

OCL constraints is also invoked and controlled by the Java code. The user only needs

to click on the "Validate the model" button in the main control toolbar of the tool.

The validation of an rCOS model has proven useful in finding errors in the model.

All problems and possible inconsistencies will have to be checked and resolved before

other tasks such as refinements or transformations are performed on a model.

5.3 Supporting rCOS Development

The rCOS methodology supports the model-driven development process from require-

ments model through object-oriented design to a component-based model. In this sec-

tion, we discuss how the rCOS methodology can be supported by the rCOS modeler

that implements the rCOS profile.


As shown in Fig.5.15, the rCOS modeling process starts from creation of an empty

rCOS model. Then we capture the business domain concepts with aconceptual class

diagram, and the business processes are described as a set ofuse cases. For each

use case, a component is created, along with an empty sequence diagram (for short,

SeqDin the figure) that has only two lifelines representing the actor and the provided

interface of the component. Through adding a message to the sequence diagram, a

corresponding method of the interface is automatically produced. Then, we can specify

the data functionality of the method usingRCOSP.

220

5.3. Supporting rCOS Development

Create empty rCOS model

Design domain class diagram

Create use case

Specify data functionality

Generate state diagram

Add message to SeqD

Validate model

Create empty usecase diagram

Create top component diagram

Add an operation to interface

Create empty usecase SeqD

Create component

Run FDR2 model checker

Check OCL rules

Generate CSP

User Modeler

more usecases

more messages

Figure 5.15: Requirements modeling in the rCOS modeler

After that, a state machine can be automatically generated from the sequence dia-

gram of the interface using the sequence diagram to state machine transformation. At

the end of this stage, we get a requirements model that includes aconceptual class

diagramin which classes do not have methods, ause case diagramto depict the use

cases of the system, a top-levelcomponent diagramwhere each use case is modeled

as a component, and a set ofsequence diagramsto describe the interactions of the

use cases. Also, each method of a provided interface has an rCOS designpre ⊢ post

that describes the computations on the domain classes. Through checking the OCL

well-formedness rules defined in the profile, along with type checking of the method

specifications, the static consistency of the requirements model can be ensured. More-

over, we can generate CSP specifications for the sequence diagrams, state diagrams (if

they had been manually modified) and the functionality specifications, and then check

the dynamic consistency of the model in the FDR2 model checker [41].

221



Start OO design Generate controller class

Generate object SeqD

create new method in domain class

Generate new lifleline and message in object

SeqD

Check validity

User Modeler

Select part of method design to apply expert

pattern

Open object SeqD

Apply structural

refinement rules

Open class diagram

moremore

Figure 5.16: OO design in rCOS modeler

From acorrect requirements model, we start the object-oriented design in which

the rCOS object-oriented refinement rules are applied to optimize the model’s data

structures and functionality specifications. First, a controller class is generated for

each provided interface, and then from its use case sequence diagram, an initial object

sequence diagram is created by replacing the interface lifeline with a lifeline represent-

ing the controller class.

Then the expert pattern of responsibility assignments is used interactively to re-

fine the model. From a message of the object sequence diagram, we open the design

specification of the corresponding method, and select a fragment of it to delegate to an

object of a domain class. After checking the validity of the selection, the tool provides

candidate target objects for user to choose, and creates a new method in the domain

class, replaces the selected fragment with a method call to the new method, and up-

dates the sequence diagram by adding a corresponding lifeline and a message. This

design process is depicted in Fig.5.16. For class diagrams, we can apply the set of

222

5.3. Supporting rCOS Development

rCOS structural refinement rules [82]. However, the expert pattern can be also ap-

plied on a class in the class diagrams. In this case, it automatically refines all method

specifications of the class by replacing navigation paths with method calls.

At the end of the OO design, we get an OO design model which includes a set of

refinedobject sequence diagramsand adesign class diagram.

5.3.3 Component-based model design

Figure 5.17: Component-based design in the rCOS modeler

From the object sequence diagram of a component’s controller class, a set of ob-

ject lifelines is selected and translated into a new component, which becomes a sub-

component of the original component. Meanwhile, the original sequence diagram and

component diagram are updated accordingly, and a new sequence diagram and a state

machine (SDin the figure) are generated for the new component. By repeating this pro-

cess, a component is decomposed into a composition of a number of sub-components

within the component, and the connection and interaction of these sub-components are

illustrated by a component diagram and a component sequence diagram, respectively

223


[107]. After that, by applying the rCOS component composition operators, the com-

ponents of the system can be hidden, renamed, plugged or composed to optimize the

architecture of the component model for better implementation and deployment. The

component-based design process is depicted in Fig.5.17.

Through two stages of interactive, stepwise refinements, we get a component archi-

tecture model which refines (implements) the requirements model. The final component-

based model still contains all artifacts of the requirements model (except that the do-

main class diagram now becomes the design class diagram), and all the object sequence

diagrams of the OO design model. Thus the modeling architecture itself provides a

certain degree of traceability for the developing process.

5.3.4 Code generation

After finally all constructs in the model have been refined, the model can then be used

for code generation. We have established the principal mapping from rCOS to the Java

programming language, and with the help of a few annotations (mostly on the libraries

supplied by the tool), we can generate the Java packages automatically. The code

generator can easily be adapted to generate code for other object-oriented languages.

5.4 Related Work

UML profiles provide a standard extension mechanism for defining modeling lan-

guages. A certain number of UML profiles have already been defined, either for

generic purposes, or to deal with specific technologies. Among the others, OMG has

proposed a set of standard UML profiles, such as SysML [128], which is for speci-

fying, analyzing and designing complex systems; and MARTE [129], which supports

specification of real-time and embedded systems. In the field of requirements engineer-

ing, a profile [83] is designed to allows the KAOS model to be represented in UML.

Moreover the authors of [146] try to combine the power of SysML and Modelica [146]

224

5.4. Related Work

to enable an integrated modeling and simulation of system requirements and design.

In [11], a UML profile is proposed to describe distributed and asynchronous software

components using UML 2 diagrams for both architectural and behavioral specifica-

tions.

A UML profile should provide all the semantic expressiveness and precision of the

modeling language in order to use UML to describe the needed conceptual models, and

the profile must be easily adapted to meet the continuous changes in order to introduce

new features [151]. Unfortunately, many UML profiles in the literature cannot entirely

fulfill these two requirements. To improve this situation, Selic in [151] proposed a

systematic approach that establishes some guidelines to ensure a correct domain meta-

model definition and suggests how a correct mapping between the domain metamodel

and the UML metamodel can be defined. The authors of [64] also propose some sim-

ilar guidelines for the UML profile definition. In [102], a set of design patterns for

defining profile was proposed. These works provide the foundation for the approach

we use in defining the rCOS profile.

Many works have been done on the integration of formal methods and MDD [53;

68; 123]. Modeling languages must have formally defined semantics, and the multiple

views of a complex model need to ensure their consistency. In this perspective, most

of the works focus on translating modeling views into a formal specification, thus the

formal semantics of the model is defined, and existing analysis tools of the formal

language, such as type-checkers, theorem provers, and model checkers, can be used

in the proof of the desired properties. Among the others,Z, B, CSP, Petri netsare

the most often chosen target languages. We cite the work of [88] that proposed a

metamodel-based transformation of UML models to B constructs. Similarly, there

is an MDE based transformation approach for generatingAlloy specifications from

UML class diagrams and backwards [17]. Different from those, our work is mainly

concerned with the integrated tool supports for the stepwise, incremental development

of models by applying the formal refinement calculus of rCOS. In other words, we are

225


more interested in development and evolution of models, than just formally checking

and verifying of models.

There are also some integrated modeling frameworks which are based on formal

methods. In [109], a development methodology applying the SOFL formal language in

industrial software practice was proposed. The system development process consists

of three separate activities: requirements specification, design, and implementation.

A SOFL specification is first constructed in a structured way usingCondition Data

Flow Diagram(CDFD) with formal textual constraints, and then the specification is

transformed to an object-oriented design and finally to the implementation. CDFD

is an intuitive and powerful graphical notation, but it is not an OMG standard. In

the IFAD VDM++ (an object-oriented extension of VDM-SL) toolbox [9], UML is

used to provide the structural, diagrammatic overview of a model while VDM++ is

used for specifying the detailed functional behavior of the model. However most of

these frameworks lack automatic support for transformations from high-level models

to low-level models, and component-based design is not explicitly addressed.

In [40], a previous version of the rCOS profile was proposed as the center part

of the rCOS modeler. The rCOS profile described in this chapter is a refinement and

improvement of the previous one. In the current rCOS profile, we clearly separate

the rCOS concepts from UML metamodel concepts, and explicitly define rCOS com-

ponents composition in both horizontal and vertical ways. In addition, we define the

sequence diagrams and protocol state machines used in rCOS modeling, present the

architecture and other artifacts of rCOS models, and add more OCL well-formedness

constraints. We hope these changes facilitate rCOS model refinements and transforma-

tions, and achieve interoperability and exchangeable among different UML tools for

rCOS modeling.

226

5.5. Summary

5.5 Summary

This chapter reflects part of our efforts to move rCOS from a formal theory to a practi-

cal domain-specific modeling language in the field of component-based model driven

software development. We present our UML profile with necessary stereotypes, tagged

values and constraints in order to represent the main concepts of rCOS in UML and

support the development methodology of rCOS. We adopt a systematic approach in the

design of the profiles, starting from building a domain metamodel to capture the basic

concepts of rCOS, and then mapping them into stereotypes, attributes and constraints

of the profile in a traceable way. Linking with UML gives rCOS the power of the stan-

dardized graphical notation and tool support for system and software modeling, thus

increases the usefulness of rCOS; while integration with rCOS supplies UML models

with a precise semantics, additional modeling concepts for components composition,

formal consistency verification and refinement techniques, and a development method-

ology in the application domain of the component-based model-driven development.

We implement the profile in the rCOS modeler, a CASE tool for rCOS. Based on

the rCOS profile, the tool focuses on supporting the rCOS development methodology

with a user friendly interface. We describe the concrete steps of how a model is de-

veloped in the rCOS modeler. The tool implements the rCOS refinement rules, such

as expert pattern and structural refinements, as correctness preserving model transfor-

mations. Some of these transformations will be discussed in detail in the following

chapter.

However, a method can be really successful only if a great number of users are

convinced of its capability to perform in industrial software projects. Use of UML to

support rCOS may help achieve this object.

227

Chapter 6

Enabling Model Transformations of

rCOS

The rCOS prompts an iterative and incremental development methodology that com-

bines object-oriented and component-based design and analysis techniques. The de-

velopment process goes through the stages of requirements elicitation, object-oriented

design, logical component-based design, and through to coding. This process leads to

a sequence of models, evolving in their levels of details, and models in later develop-

ing phases are constructed from those in earlier phases. The development process is

driven by model transformations: producing anobject-oriented design modelfrom the

requirements model, acomponent-based design modelfrom the object-oriented design

model, and finally aplatform specific modelor runtime model. Moreover, models of

other formal languages may need to be generated in order to verify the original designs

in the tools of these formal languages.

However, the only way to get a full return of MDD promises of faster, less costly

software development, is automating any model-driven software development proposal

[19]. In this sense, implementing the rCOS model transformations in CASE tools is

considered as one of the keys for the success of rCOS method. The work of this

chapter focuses on the following four transformations that are repeatedly used in the

development process of rCOS:

Requirements model to OO design model Starting from a requirements model in

which a set of component interfaces represents use cases, and a set of system sequence

diagrams specifies the scenarios of the use cases, the transformation automatically

transforms such a model into an initial design model by generating a protocol state

228

machine for each interface from its sequence diagrams, deriving a controller class as

an implementation of the interface, and converting adesignp ⊢ R of an interface

method into aguarded designg&p ⊢ R for the corresponding method in the controller

class. Thus the method specifications of the controller class ensure that the behavior

defined by the sequence diagrams is fully complied with. The transformation takes

into account the concurrency and critical area of the respective diagrams. The gener-

ated model can sever as the starting point for the detailed object-oriented design, such

as applying the expert pattern. Therefore the transformation helps to bridge the gap

between requirement models and detailed OO design models.

Functionality delegation (expert pattern) The functionality delegation is offered

as the expert pattern transformation. However, it is quite a challenge to automate the

expert pattern. One reason is that the data functionalities are textually specified, and

they are attached to a model which consists of both a UML semantic model and its

graphical representation model. Execution of the transformation means three of them

have to be synchronously modified. Currently, we implement the core algorithm of the

transformation in Java.

In rCOS modeler, this work of applying expert pattern is done interactively in the

view of sequence diagram. We choose a message, open the corresponding method

specification, and select from it a consistent fragment that may contain a number of

navigation paths. The tool checks the validity of the selection, calculates the possible

classes that the selected fragment can be delegated to, and allows the user to pick one

as the target class. A new method is then created in the target class, while the selected

fragment, after appropriate alteration to the navigation paths, becomes the specification

of the new method. The selected fragment in the original specification is replaced by a

single method call to the new method. Any necessary variables, which are not local to

the fragment, are passed as parameters to the new method.

In addition a message is newly created in the sequence diagram to represent a call

229

6. Enabling Model Transformations of rCOS

to the new method. The new message is inserted immediately after the reception of the

chosen message, going from the original receiver to the lifeline represented the target

class. This lifeline may already exist in the sequence diagram, or have to be newly

introduced.

The rCOS modeler allows stepwise incremental application of the expert pattern

transformation. As a result, the original system sequence diagram, which consists of

only two lifelines, is refined into an object sequence diagram that has additional object

lifelines and messages. Meanwhile, the conceptual class diagram is refined to a design

class diagram by adding methods to classes of the expert objects. The component

diagrams and the state machine diagrams are not changed by the OO refinement.

OO design model to component-based modelStarting from a detailed OO design

model, this work is carried out by the object sequence diagram to component sequence

diagram transformation. The user selects a number of objects lifelines from an object

sequence diagram to transform into a new component by applying the transformation.

In the sequence diagram these selected lifelines are collapsed to a new lifeline rep-

resented the new component, and messages within these lifeline are internalized and

hidden. Only the messages from other components to the newly formed entity remain.

The composition (plugging) relationships of the new component with other existing

components will be illustrated in a component diagram, and a new sequence diagram

and a state machine are generated for the new component as its protocol.

Repeating this process until all of the object lifelines turn into components, the

object sequence diagram becomes a component sequence diagram. As the result, a

component-based model is generated, consisting of a set of component diagrams and

component sequence diagrams. In the model a component represented a use case is

refined into composition of a number of (sub-)components.

230

Component composition The transformation realizes the basic composition oper-

ators that we have discussed in Section3.3.2. In the rCOS modeler, we invoke the

transformation in the view of component diagram after selecting one or several com-

ponents.

• Rename method: rename interface methods of componentK . A new component

Kn will be created as a container ofK . All the method signatures,SDs (sequence

diagrams),PSMs (protocol state machines) ofK .pIF andK .rIF will copy to Kn

after accordingly adjustment to the new names. Requests to the interface ofKn

will be delegated toK , as specified in the method body ofKn .

• Hide method: restriction on the environment to access the provided methods of

componentK . We also create a container componentKn , and copy all method

signatures,SDs, PSMs of K to Kn after filtering out the hidden methods. Sim-

ilarly, the specification of a method inKn defines as a method call to the corre-

sponding method inK .

• Parallel composition: We realize the algorithm defined in Definition10 for par-

allel composition of components, for example,K1 and K2 . First the provided

and required interfaces ofK1 and K2 may plug to each other if some of their

methods have the same signatures. Then a new container componentKn is gen-

erated, and method signatures ofK1 and K2 are copied toKn after hiding the

plugged methods. In addition, we generate the protocol forKn . TheSDof the

protocol includes apar combination fragment, in which there are two operands

that respectively contain theSDs fromK1 andK2 . Similarly, thePSMof proto-

col comprises of a composition state in which each orthogonal region contains a

PSMfrom one of the composed components.

• Plug components: plugging the provided interfacepIF of one component to the

required interfacerIF of another components. The composability of these two

231


interfaces will be checked:

1. Signature: TherIF has at least one of the same method signatures aspIF .

Let pIFs denote the union of the provided interfaces plugged to therIF ,

then for each method inrIF , there is not more than one method with the

same signature inpIFs .

2. Protocol: Let PSMp be the protocol state machine of a suppositional inter-

face asdisjoint unionof thepIFs, we generate the execution traces from the

PSM of therIF , and execute the traces in thePSMp. The execution should

not be blocked. Moreover, we can also translate the two state machines to

CSP, and check the dynamic consistency of them in the FDR2.

The transformation will update the component diagram, generateSDs andPSMs

for the new interfaces.

These transformations are defined in the graphical notation of QVT-R using the

QVTR-XSLT tool, and integrated into the rCOS modeler. The design and implemen-

tation details of therequirements model to OO design modeland theOO design model

to component modeltransformations are discussed in Section6.1and6.2, respectively.

That is followed by a case study of a sale management system in Section6.3. We

discuss related work in Section6.4and give some conclusions in Section6.5.

6.1 From Requirements Models to Design Models

Capturing and specifying requirements has been recognized as the first step of rCOS

development. In the resulting model of requirements,domain class diagramsare used

to represent structural concepts and their relationships, anduse casesdescribe the ser-

vices provided by the system. Typically, we model a use case as acomponent, where

its interfaceprovides the methods through which the actors of the use case interact

232

6.1. From Requirements Models to Design Models

with, and the interactions are specified as system sequence diagrams. The data func-

tionality of a method is specified as an rCOS design that describes the computations

on the domain classes.

In the subsequent analysis and design stage, UML state machines are defined as

part of the protocols for modeling the reactive behaviors of the components. A state

machine is essentially executable, and can be validated and tested through simulated

executions. Furthermore, a component interface, along with its protocol, is imple-

mented by acontroller classthat is responsible for receiving or handling system events.

The controller class is then used for thedetailed object-oriented design, and translated

to executable program code, or taken as an input for the succeedingcomponent-based

design. Thus, it is important that the controller class fully complies with the semantics

introduced by the original system sequence diagrams. One way to achieve this is to

provide guarded designs to methods of the controller class as in general a class does

not have a behavior protocol.

Manually designing state machines and the implementation classes, especially for

complex systems, is a difficult and error-prone task. Automation of this process pro-

vides considerable help for the users. It allows the designers who are not very technical

to concentrate on using sequence diagrams to express behavioural requirements, and

automatically get other artifacts to begin the work of the next stage.

The following transformations are included in the process:

1. Synthesis a protocol state machine (PSM) for an interface from its system se-

quence diagrams (SD);

2. Labeling the protocol state machine by attaching every vertex withstateand

critical tokens;

3. Generation of a controller class as an implementation of the interface.

The controller class contains attributes of primitive types and their initial values, as-

233


sociations to the domain classes, invariants, and a set of methods duplicated from the

interface. In addition, a pair of pre- & post-conditions, for example,pren and postn ,

is generated for each method that triggers transitions in the state machine. These con-

ditions are used to ensure that the behavior defined by the corresponding sequence

diagrams is fully complied with. After merge with the designpre ⊢ post of the same

method of the interface, a guarded designg & (p ⊢ R) can be produced for the method

of the controller class, whereg = pren , p = pre andR = post ∧ postn .

A range of interaction operators of UML sequence diagram, such asalt, opt, seq,

neg, loopandbreak, are considered in the transformations. In particular, we support

par and critical, which provide the ability to specify concurrent and safety critical

requirements. Usinginteraction usesthat refer to other sequence diagrams, we can

describe complex interactions in the limited space of a single sequence diagram.

6.1.1 From sequence diagrams to protocol state machines

The transformation requires that: given a system sequence diagramSD, and a generated

PSM, a call event to an operation of the interface in theSD becomes a transition of

thePSM that is triggered by the same operation, and all valid traces of theSD, after

restriction to the calling ofnon-queryoperations, are the traces of thePSM.

The transformation is specified as anin-placeQVT-R transformation in which the

metamodels forSD andPSM are defined in Section5.2.5and Section5.2.6, respec-

tively. The transformation starts from relationInteractionToVertexshown in Fig.6.1.

The source domain pattern (left) of the relation matches an interactionseq, and locates

the corresponding lifelinelfl through the predicatelflnm=transLife lineName

in thewhenclause, wheretransLifelineName is the name of the interface lifeline.

Then the target domain pattern (right) creates a new protocol state machinesm with a

topmost regionreg, an initial pseudostateinitS and a final statelastS. Since in a

UML protocol state machine, the first transition referred to by an operation can’t start

234


Figure 6.1: Starting theSD to PSMtransformation

from the initial pseudostate, we add a state calledfirstS with name "Init", as well

as a transitionfirstTr leading to the state from the initial pseudostate. One concrete

example of theInit state is shown in Fig.6.3.

In thewhereclause of the relation, we assign values to all item names and iden-

tifiers. The queryGetRecFragretrieves all receivingmessage occurrencesandcom-

bined fragmentscovered by thelfl in a top-down order along the lifeline. Relation

FragmentToStateconstructs corresponding states and transitions in the regionreg.

In the following, we discuss how the transformation deals with different kinds of

interaction fragments. We mostly use examples to illustrate the translation of each

construct. The left-hand side of each figure shows the inputSD, and the generatedPSM

is shown on the right.

6.1.1.1 Message occurrences

For the message occurrence of a receiving event, the relationReceiveEventToState

shown in Fig.6.2is applied. The source domain pattern (left) of the relation matches a

235


Figure 6.2: Rule formessage occurrenceFigure 6.3: Applying rule formes-sage occurrence

message occurrencefr with a call event and a connected operationop. As parameters

of the relation, theprimitive domainscondi andupperS are theguard conditionand

the name of the parent state, respectively. In thewhereclause, a unique namestnm is

defined asupperS + cpos, wherecpos is the position of thefr in the list of all current

fragments. Then the target domain pattern (right) constructs a new statest, assigns its

name tostnm, and adds a transitiontran that starts from the previous state and goes to

the statest. The transition refers to operationop. By invoking relationSetConstrain

from thewhereclause, a precondition is attached to the transition if there is one. This

straightforward strategy ensures that all traces of aSDare also traces of the generated

PSM. Fig.6.3shows the transformation of a simple sequence diagram by applying this

relation.

6.1.1.2 Combined fragments

A combined fragment contains one or more interaction operands, which in turn may in-

clude more message occurrences and combined fragments. For most of the combined

fragments, we generate for each a pair of pseudostates (kinds ofjunction or choice)

representing the starting and finishing of the construct, along with the transitions be-

tween these two pseudostates to represent the control flows of the combined fragment.

One of the exceptions is thepar, which results in orthogonal regions enclosed with a

236


composite state. After transforming the combined fragment itself, the contents of each

operand need to be recursively processed.

• alt: The interaction operatoralt is used to designate choice between two or more

operands. It allows modeling of the classic "if-then-else” logic. Each operand

is given a guard constraint that if it is evaluated totrue, then that operand is the

operand to follow. Note that, in general, there will be an "else" alternative where

its guard is evaluated totrue when none of the guards in the other operands

is evaluated totrue. If no guard is given, one of the operands will be non-

deterministically chosen to execute.

As shown in Fig.6.4, an alt fragment is handled simply by introducing a

sequential branch for each operand in the generatedPSM, starting with achoice

pseudostate. The guard constraint of an operand becomes the precondition of

the corresponding transition outgoing from thechoice. By introducing anot()

function, the precondition of the "else" branch is the negation of the disjunction

of all other guards in the enclosingalt fragment. After the contents contained in

the operands are translated, all sequential branches end in ajunctionpseudostate.

In the generated state machine diagrams, a larger solid circle represents a

junctionpseudostate, a smaller solid circle represents aninitial pseudostate, and

achoiceis represented as a diamond-shaped box.

Figure 6.4: Applying rule foralt Figure 6.5: Applying rule forbreak

237


• break: The breakcombination fragment is used to model a scenario that if its

guard istrue, its operand is chosen to execute, and then the remainder of the

enclosing interaction will be ignored. Otherwise the break operand is ignored

and the rest of the enclosing interaction will be chosen. The model in Fig.6.5

shows the result after applying the rule forbreak. The construction starts with a

choicepseudostate, and a transition from the content of the operand to the final

state is added.

• loop: A loop combination fragment represents the iterative application of its

operand, and it is executed until the guard evaluates tofalse. The loop in the

SD of Fig. 6.6 is transformed into thePSM which first starts with ajunction

pseudostate, and goes along atau transition to achoicepseudostate where the

guard is evaluated. Note that as we defined in Section5.2.6, a protocol transition

may not have a referred operation, or a postcondition.

Figure 6.6: Applying rule forloop Figure 6.7: Applying rule foropt

• opt: Theopt operator is used to model a sequence that, when a certain condition

is satisfied, will occur; otherwise, the sequence does not occur. It represents a

simple ”if-then” statement. For anopt fragment (see Fig.6.7), two branches are

created, one includes the optional fragments in the operand and one skips them.

• par andcritical: Thepar combination fragment is used to model a parallel com-

position of the fragments of its operands. The behavior of the operands can be

238


interleaved in any order as long as the ordering imposed within each operand

is preserved. Each operand in thepar represents a thread of execution done in

parallel. Thepar and thealt operators are quite similar in nature. Both have

more than one operands to represent branches of control flows. The difference

is that thepar branches are executed simultaneously whereas only one of thealt

branches is executed.

Thecritical operator is closely related topar fragment. It defines a critical area

in which the traces of execution cannot be interleaved by other messages, and

that can only happen when thecritical fragment and the other messages belong

to different operands of the samepar fragment. Thecritical operator is important

in modeling a sequence of behaviors that must be contiguously handled.

Fig. 6.8 gives an example of apar fragment with acritical fragment. A

par fragment leads to a composition state containing two or moreorthogonal

regions. This preserves the traces of thepar because the UML semantics for or-

thogonal regions is interleaving of events from different regions. Inside a region,

we generate a state machine for each operand of thepar. These state machines

each have aninitial pseudostate and afinalpseudostate. All state machines of the

orthogonal regions arriving at thefinal states activates the transition leaving the

composite state. For acritical fragment, we generate twojunctionpseudostates

to mark the start and end of the critical area. These two pseudostates will be

labeled with critical tokens in the subsequent steps to ensure their semantics are

preserved.

• neg: The neg fragment is used to model the negative traces that are defined to

be invalid. We simple removes thenegoperator and its content. This is because

negative behavior shall not be implemented by the state machine. We only map

the positive behaviors of a sequence diagram to the protocol state machine.

• seq: Theseqoperator introduces a weak behaviors of the operand. Since we only

239


Figure 6.8: Applying rules forpar andcrit-ical Figure 6.9: Applying rule forref

generatePSMfor one lifeline, and the sequence is already decided by the order

of the messages along the lifeline, this operator do not bring any new semantics.

We simply add twojunctionpseudostates to indicate the start and the end of the

combined fragment in the generatedPSM. Fig.6.9depicts an example using the

weak sequencing operator.

6.1.1.3 Interaction uses

An interaction use is shown as a combined fragment where the operator is calledref.

It can refer to an interaction which in turn contains other interaction uses, and this

process can be recursive. However, aref cannot contains an interaction use which

refers to the interaction itself to avoid infinite loops. As shown in Fig.6.9, a pair of

junctionpseudostates is generated to indicate the start and end of the interaction use,

and then the referred interaction is subsequently processed.

Redundant constructs of the generatedPSM, e.g., the two adjacentjunctionpseu-

dostates in Fig.6.9, can be optimized to make thePSMmore concise (and better read-

able for humans).

240


6.1.2 Labeling protocol state machines

From the generatedPSM, we are going to construct the specification for the controller

class. Therefore we have to calculate the conditions for triggering a transition, in-

cluding its source state, precondition, and thecritical constraints. Since UML allows

a model element to be associated with a set of constraints, we use this to attach this

information to the vertices.

We introduce astate variableof type, for simplicity,string, for each region of the

PSM to represent the current state of the region. The state variable of the upper-most

region by default is named as "state" (actually "_state" in the model). In addition,

We introduce acritical variable that holds a boolean value{ON,OFF} for each region

generated from apar fragment withcritical areas.

This labeling process is carried out by traversing thePSMto label each vertex with

tokens referred to the state- and critical variables. In the following, we discuss the rules

for labeling constructs of thePSMusing examples.

• Labeling simple states: A simple state is labeled with a token that sets its re-

gion’s state variable to the name of the state. For example, the stateS_1_1 in

Fig. 6.10is labeled withstate="S_1_1".

• Labeling pseudostates: If all its incoming vertices are labeled, we give a pseu-

dostate a state token that is a disjunction of thepredicatesfrom the incoming

vertices. Eachpredicateis a conjunction of the incoming transition’s precondi-

tion and the incoming vertex’s state label. As shown in Fig.6.10, the junction

state is labeled as(state="Init" and not(c)) or state="S_1_1", wherec

is the guard condition of theopt fragment in Fig.6.7.

• Labeling composite states: A composite state is provided with aprestatetoken

that represents the enter condition, and astatetoken which represents the exit

condition. Theprestatetoken is labeled in the same way as the pseudostates, and

241


Figure 6.10: LabeledPSM fromFig. 6.7 Figure 6.11: LabeledPSMfrom Fig.6.8

thestatetoken indicates all its contained regions reach the final states. Fig.6.11

shows an example of the labeled composite state.

• Critical labeling : If a composition state is generated from apar fragment with

critical areas, critical tokens are given to the regions and related states:

– Region labeling: Each region is given a critical label that indicates the

critical variables of all other orthogonal regions should beOFF. For exam-

ple, as shown in Fig.6.11, theregion_1_1 is labeled with a critical token

critical_1_2=OFF.

– State labeling: Recall that a critical area in aSDbecomes a pair ofjunc-

tion pseudostates in thePSM. We label the outgoing vertex of the start-

ing junction pseudostate with a token to turn on the critical variable of

the region, and the incoming vertex of the endingjunction pseudostate a

token to turn off the critical variable. As shown in Fig.6.11, the state

S_1_1_1_1 is labeled withcritical_1_1=ON, and the stateS_1_1_1_2

with critical_1_1=OFF.

242


• Final state labeling: If there is atau transition from a vertex to thefinal state,

we label the vertex withstate="Final", cf. stateS_2 in Fig. 6.10.

By recursively applying the above rules, aPSMis gradually transformed into a labeled

protocol state machine. The transformation completes when no more rules can be

applied.

6.1.3 Generation of controller classes

Given an interfaceI and itsPSM, an implementing controller classC meets the follow-

ing requirements:

• an operation ofI becomes an operation ofC, with the same signature and func-

tionality definition (if any), and the operation ofC may contain additional guard

and post conditions;

• a property of primitive type becomes a property of same type inC;

• a property of class type becomes an association fromC to that class, and the

name of the association is the same as the property’s;

• all initial constraints andinvariantsof I become those ofC;

• all traces of thePSMcan be executed inC without being blocked by the guards

and preconditions of called operations.

Implementing the structure of the interface in the controller class is straightforward.

In the subsection, we focus on the implementation of the dynamic behavior defined in

the protocols. Taken as input an interface with a labeled protocol state machine, we

generate initial constraints, add pre- and postconditions to the operations, and create

actions that can be automatically executed.

243


6.1.3.1 Adding initial constraints

The state and critical variables introduced in the labeling process become attributes of

the controller class, and they have to be initialized when the class is instantiated. For

example, the following initial constraints derived from Fig.6.11are added to the class

declaration

state ="Init " ∧ state_1_1="Init"∧ state_1_2="Init"∧ critical_1_2=OFF ∧ critical_1_1=OFF

6.1.3.2 Deriving comprehensive pre- and postconditions for transitions

A transition may already hold a precondition representing the guard of the correspond-

ing operand. In order to get the comprehensive pre- and postconditions for a transition,

we have to consider the source and target vertices of the transition. For the precondi-

tion, we include the state tokens on the source vertex and all its parent states, as well

as the critical tokens for the source vertex and all its parent regions. For deriving post-

condition from the target vertex, we consider only the tokens on the vertex itself, since

we assume that the execution of the referred operation will not change the state and

critical variables. For example, the following pre- and post-conditions are generated

for transitionm in Fig. 6.11:

pre: (state_1_1="Init"∧ critical_1_2=OFF)∧ state="Init"

post: state_1_1’="S_1_1_1_1"∧ critical_1_1’=ON

While the pre- and post-conditions for transitionf are:

pre: (state_1_2 ="Init "∧ critical_1_1 =OFF) ∧ state ="Init "

post: state_1_2 ’="Final "

It is obvious that the invocation off cannot immediately follow the invocation ofm, as

the variablecritical_1_1 has been turned on in the postcondition ofm. This preserves

the semantics of thecritical fragment defined in the sequence diagram of Fig.6.8.

244


6.1.3.3 Generating guards and postconditions for operations

In this step, we compose the individual pre- and postconditions of transitions referred

to the same operation together to obtain a complete guarded design for the operation.

The guard of the operation is the disjunction of all transition’s preconditions, and we

use "if-then-else" expressions to compose the transition’s postconditions. For example,

let m1 andm2 be two transitions of interface operationm, pr1, pr2 andpst1, pst2 are the

pre- and postconditions of the two transitions, respectively, and[p ⊢ R] be the design

of them. We get the following specification for operationm of the controller class:

m(){ (pr1 ∨ pr2) & [p ⊢ R]; pst1 � pr1 � (pst2 � pr2 � skip) }

or we write it as:

m(){ guard: pr1 ∨ pr2

design: [p ⊢ R];

if pr1 then pst1 else if pr2 then pst2 else skip }

6.1.3.4 Creating actions

Additionally, we create actions to simulate the entry of a composite state, and the

completion of a state machine. An action may need to be generated to activate each

region of a composite state, i.e., if the system is in theprestateof the composite state,

then the state variables of its regions will be set to "Init". For instance, we create the

following action for Fig.6.11:

action_1 (){ guard: state ="Init "

design: [⊢ state_1_1’="Init "∧ state_1_2 ’="Init "] }

If there is a transition from a vertex to thefinal state, and the transition has only a

precondition and does not refer to an operation, we generate an action to complete the

state machine (or region) under this precondition. Consider thePSM in Fig. 6.6, it

needs the following action:

action_1_2(){ guard: (state ="Init " ∨ state="S_1_1")∧ not(c)

design: [⊢ state’="Final"] }

245


6.1.4 An example : clinic reception

The example describes the patient reception process at a clinic. A patient arrives at

the clinic and stops first at the reception desk. The staff here welcomes the patient and

checks if he has been recorded in the clinic’s system (with key information such as

name). For a new patient, the staff creates a unique patient ID. Then the staff creates

a patient ID card, and a label showing the waiting number. Both the card and the

label need to be printed out, and printing of the ID card must immediately follow the

creation of the card. With the ID card and the label, the patient is sent to a specific

doctor’s waiting queue. If the patient had visited the clinic before, the staff only needs

to produce a label, print it out, and send the patient to the waiting queue.

Figure 6.12: Use case and component for clinic reception

Figure 6.13: Interface and controller class for componentReception

246


Figure 6.14: System sequence diagram for interfaceReceptDesk

As shown in Fig.6.12, the case study is represented as use caseReceptionand

modeled by a component with interfaceReceptDesk. The left hand side of Fig.6.13

defines the properties and operation signatures of the interface, where we also specify

the functionality. For example, the methodwelcomeis specified as:

public welcome(string name) {

if found(name)then isNew’=false else isNew’=true }

where found is an abstract function to check whether the patient is in the clinic’s

database. We omit all other functionality definitions to save space.

The system sequence diagram shown in Fig.6.14describes the scenario of the use

case. TheisNew condition of thealt fragment determines whether the patient is a

247


Figure 6.15: Protocol state machine for interfaceReceptDesk

newcomer. We use apar fragment to express that the staff can creates either the ID

card or the label first; both of them need to be printed. Acritical operator is used to

ensure that the ID card is printed immediately after its creation.

Applying the transformations discussed previously, we first transform the sequence

diagram into aPSM, as illustrated in Fig.6.15. After labeling it, we generate the con-

troller classReception_Ctr. The right hand side of Fig.6.13depicts the structure of

the class, while the class initializing constraints and the operation specifications are

listed below. Note that in the specification of operationwelcome, part of the function-

ality definition is copied from the interface method. Noaction is generated for the

example.

initial : _state ="Init " ∧ _state_2_2_1="Init "∧ _state_2_2_2="Init "

∧ _critical_2_2_2 =OFF∧ _critical_2_2_1 =OFF

248


public welcome(string name) {

guard: _state ="Init "

design: if found(name)then isNew’=false else isNew’=true;

if _state ="Init " then _state ’="S_1"else skip }

public createID (string name) {

guard: ( isNew)∧ (_state ="S_1")

design: if ( isNew)∧ (_state ="S_1")then (_state ’="S_2_1")∧

_state_2_2_1’="Init "∧ _state_2_2_2’="Init "else skip }

public createIDcard (int id ) {

guard: (( _state_2_2_1="Init ")∧ _critical_2_2_2 =OFF) ∧ _state ="S_2_1"

design: if (( _state_2_2_1="Init ")∧ _critical_2_2_2 =OFF) ∧ _state ="S_2_1"

then _state_2_2_1’="S_2_2_1_1"∧ _critical_2_2_1 ’=ON else skip }

public createLabel (int id ) {

guard: ((( _state_2_2_2="Init ")∧ _critical_2_2_1 =OFF) ∧

_state ="S_2_1")∨ ((not(isNew))∧ (_state ="S_1"))

design: if (( _state_2_2_2="Init ")∧ _critical_2_2_1 =OFF) ∧ _state ="S_2_1"

then _state_2_2_2’="S_2_2_2_1"else

if (not( isNew)) ∧ (_state ="S_1")then _state ’="S−2_1"else skip }

public printIDcard (int id ) {

guard: (( _state_2_2_1="S_2_2_1_1")∧ _critical_2_2_2 =OFF) ∧ _state ="S_2_1"

design: if (( _state_2_2_1="S_2_2_1_1")∧ _critical_2_2_2 =OFF) ∧ _state ="S_2_1"

then _state_2_2_1’="Final "∧ _critical_2_2_1 ’=OFF else skip }

public printLabel (int labno) {

guard: ((( _state_2_2_2="S_2_2_2_1")∧ _critical_2_2_1 =OFF) ∧ _state ="S_2_1")

∨ (_state="S−2_1")

design: if (( _state_2_2_2="S_2_2_2_1")∧ _critical_2_2_1 =OFF) ∧ _state ="S_2_1"

then _state_2_2_2’="Final "

else if _state ="S−2_1" then _state’="S−2_2"else skip }

public waitQueue(int labno) {

guard: (_state_2_2_1="Final "∧ _state_2_2_2="Final ")∨ _state="S−2_2"

design: if (_state_2_2_1="Final "∧ _state_2_2_2="Final ")∨ _state="S−2_2"

then _state ’="Final " else skip }

249


Validation : We focus on the specifications concerning the parallel and critical areas.

Let S be a software system that implements the controller class, then:

• after the execution ofcreateID, S is in a state where both the guards ofcreateI-

Dcard andcreateLabelare satisfied, and each of them may be invoked;

• if the createIDcardis executed,S is in state ofcritical_2_2_1=ON, where nei-

ther thecreateLabelnor theprintLabel can be invoked until the execution of

printIDcard, which turns the critical variablecritical_2_2_1 to OFF;

• if the createLabelis executed first,S is in a state where either thecreateIDcard

or theprintLabelcan be performed;

• the guard ofwaitQueuerequiresS in a state ofstate_2_2_1="Final" and

state_2_2_2="Final", that can only be met after both theprintLabelandprint-

IDcard are executed.

Thus we can say that the behavior introduced by thepar and critical fragments of

Fig. 6.14is followed by the systemS.

6.2 From OO Design- to Component-Based Models

In the stage of OO design, the functionality specification of the methods is refined by

decomposition and assignment of responsibilities to corresponding objects, obtaining

a detailed OO model of object interactions represented by object sequence diagrams.

This object sequence diagram refines the sequence diagram of the component (use

case) in the requirements model. For the purpose of reusability, maintenance, and

more importantly, distributed and independent deployment, the OO model needs to be

abstracted to a model ofinteractions of a number of components, that is graphically

represented as acomponent sequence diagramdefined in the UML profile for rCOS.

250

6.2. From OO Design- to Component-Based Models

This section presents the design and implementation of a transformation from a

model of object interaction to a model of component interaction. It requires user inter-

actions. In each step of interaction, the user decides which objects will be turned into

a component, then the transformation is automatically performed. During the transfor-

mation process, a new component is generated, interfaces of the component are iden-

tified from the messages of the object sequence diagram, and a component sequence

diagram is also abstracted from the object sequence diagram by hiding the messages

inside the generated component. Meanwhile, protocols for the new component are

also produced, and component diagrams are modified to represent the relationship of

the components.

Through a finite number of transformation steps with valid selections on the OO

model, the object sequence diagram is entirely transformed to a component sequence

diagram in which the lifelines represent only components. Also, a complete compo-

nent diagram is generated. The transformations of the OO design of all components

thus, one by one, obtain a correct refinement of the initial model of requirements ar-

chitecture to a component-based design architecture in which each component in the

requirements model becomes a composition of a number of components.

However, we need to define the criteria for the selection of objects to form a com-

ponent as the validity conditions of the selection. The tool will check the validity

conditions. We describe the principles of the selection and the validity of selection,

as well as the generation of a component from the selected lifelines below. For the

corresponding algorithms and their explanation, we refer to AppendixB.

6.2.1 Selection of object lifelines

The transformations start with an object sequence diagram and a design class diagram.

First, from the object sequence diagrams, the user selects a set of object lifelines that

she intends to make into a component, and one object lifeline is designated as the

251


controller objectof the selection by the user. This lifeline is also called thekey lifeline

in the rCOS modeler. The principles for picking such a control object not only depend

on checkable conditions of the object but also on design considerations of reusability,

maintainability, and organization of the system being modeled. The major checkable

condition is that this object should be apermanent objectin the sequence diagram. This

means it should have existed before the start of the execution of the sequence diagram

(specified by the precondition of the first message), and it should not be destroyed

during the execution (rCOS does not have destructor methods). This also includes

software objects representing the control of physical devices, such as barcode readers,

controllers of printers, lights, and operating system objects, such as the system clock.

Then the selection of further objects should be made by the user with consideration

of the following conditions and principles:

1. any object lifeline that is a receive end of a creation event from an lifeline that is

already included in the selection must be selected;

2. the objects in the selection must bestrongly connected, i.e. for any lifelineℓ in

the selection there is at least one message path from the controller object toℓ;

3. consider the low coupling and high cohesion principle so that the selected life-

lines have more intensive interaction with each other than with lifelines outside

the selection;

4. lifelines that represent objects which will be deployed on different nodes of a

distributed system should not be included in the same selection.

The first two conditions are must condition and can be easily checked. The third

condition is a desirable principle, and the fourth is a platform dependent condition.

Correspondingly, the first two can be used to automatically extend a selection. The

latter two can never lead to an inconsistent model, but to a model that does not capture

the intentions correctly.

252


6.2.2 Validating the lifeline selection

Given an object sequence diagramD, we define some notation for describing the vali-

dation of a selection. We useD.linesto denote the set of all lifelines ofD, D.messages

the set of messages, and messages inD.messagesare represented bym[ℓi, ℓj ] for an

message fromℓi to ℓj . That means the object ofℓi invokes a methodm defined in the

object ofℓj . Create-messages indicate constructor invocations.

Let D.selection⊆ D.linesbe a selection, andℓc the designated controller object,

and defineD.rest= D.lines− D.selection. Further, we define

IntraM = {m[ℓi, ℓj ] : ℓi, ℓj ∈ D.selection} Intra-messages among

the selected lifelines

InM = {m[ℓi, ℓj ] : ℓi ∈ D.rest∧ ℓj ∈ D.selection} Incoming messages to


OutM = {m[ℓi, ℓj ] : ℓi ∈ D.selection∧ ℓj ∈ D.rest} Outgoing messages from


OutsideM = {m[ℓi, ℓj ] : ℓi, ℓj ∈ D.rest} Messages outside


A lifeline ℓ in sequence diagramD can be either an object lifeline, denoted bytype(ℓ) =

Class, or a component lifeline, denoted bytype(ℓ) = Component. Now we define the

conditions below for checking the validity of a selection.

1. All lifelines selected must be object lifelines

∀ℓ ∈ D.selection· type(ℓ) = Class

2. The controller objectℓc must be a permanent object. This is done by checking it

is not on the receive end of an object creation message.

∀ℓ ∈ D.lines· (create[ℓ, ℓc] 6∈ D.messages)

253


3. The transformation starts with those lifelines that directly interact with the actor,

then those directly receiving message from the lifelines that have been made into

component lifelines. Therefore any incoming message to the currently selected

ℓc should be from either the actor or a component lifeline

∀m[ℓ, ℓc] ∈ InM · (type(ℓ) = Actor∨ type(ℓ) = Component)

4. Creation messages can only be sent between lifeline inside the selection or be-

tween objects outside the selection

∀ℓi, ℓj ∈ D.lines· (create[ℓi, ℓj] ∈ IntraM ∨ create[ℓi, ℓj] ∈ OutsideM)

5. Any incoming message to the selection is received either by the controller object

or by a lifeline which has a direct path of messages from the controller object

∀m[ℓi, ℓj] ∈ InM · (ℓj = ℓc ∨ ∃m[ℓc, ℓj] ∈ IntraM)

6. The lifelines of the selection must be strongly connected, meaning that for any

selected lifelineℓ, there must be a path of messages from the controller object

m[ℓc, ℓ1], m1[ℓ1, ℓ2], . . . , mi[ℓi, ℓ]

The algorithm to calculate the set of strongly connected lifelines from the con-

troller object can be found at AppendixB.1.

Notice that Conditions 4&6 are closure properties required of the selection, and that the

initial object-sequence diagram of a use case in rCOS always has a use case controller

object that satisfies Conditions 2,3&5. Using induction on the number of lifelines,

these conditions all together ensures existence of a valid selection for any well-formed

sequence diagram that contains object lifelines. Every OO sequence diagram can be

translated into the trivial component sequence diagram which internalizesall object

lifelines into the controller.

254


6.2.3 Generating a component from selected lifelines

If the selection passes the validity checking, the transformation will be executed to

generate the target models, otherwise an error message is fed back to the tool user. The

transformation is specified in the QVT relational notation. For ease of understanding,

we describe the specification in terms of the relation between the source model and the

target model, similar to the pre- and postcondition specification of a program.

Given a source sequence diagramD, that is an object sequence diagram, and a

valid selectionD.selection, letD’ denote the target sequence diagram of one step of the

transformation. For a lifelineℓ in D (or D’ ), we useop(ℓ, D) (respectivelyop(ℓ, D’)) to

denote the set of method names of the type class ofℓ in D (respectivelyD’ ), type(ℓ, D)

the type of the lifelineℓ in D (respectivelytype(ℓ, D’) in D’ ), andpIF the provided

interface of the component thatℓ represents if the type ofℓ is a component. For a

component lifelineℓ in D (or D’ ), rIF denotes the its required interface. We now

describe the relation betweenD andD’ as the conjunction of the following predicates.

1. The controller objectℓc in D is changed to a component lifeline inD’

ℓc ∈ D.selection∧ type(ℓc, D) = Class

∧ ℓc ∈ D′.lines∧ type(ℓc, D′) = Component

2. An incoming message to the selection inD becomes an invocation to the inter-

face methods ofℓc in D’

∀m[ℓi, ℓc] ∈ InM · (m[ℓi, ℓc] ∈ D’.messages∧ m ∈ pIF(ℓc))

Notice that the order of the messages and fragments are not to be changed.

3. All the intra-object interactions in the selection inD are collapsed, more pre-

cisely hidden inside the componentℓc

∀m[ℓi, ℓj] ∈ IntraM · (ℓi, ℓj 6∈ D’.lines∧ m[ℓi, ℓj] 6∈ D’.messages)

255


4. All the outgoing messages from the selection become outgoing messages from

the component thatℓc represents inD′, with the order and fragments preserved,

and they become the required methods of the component

∀m[ℓi, ℓj] ∈ OutM · (m[ℓc, ℓi] ∈ D’.messages∧ m ∈ rIF(ℓc))

5. No lifelines and messages outside the selection are changed

∀m[ℓi, ℓj] ∈ OutsideM· (m[ℓi, ℓj] ∈ D’.messages)

From the definition of the resulting sequence diagramD’ , its static counterparts, the

components can be defined. The change for the component diagram can be specified

in a similar way. The protocols of the provided interfacepIF(ℓc) and the required

interfacerIF(ℓc) of the newly constructed componentℓc in D’ will be generated.

Next, we give an intuition into how the relations defined above can be directly put

to use through QVT-Relations.

6.2.4 Implementation

Using the QVTR-XSLT tool, the transformation is specified as three transformation

models to do the following work:

1. validate the lifeline selection;

2. generate a component from the selected object lifelines with provided/required

interfaces and corresponding operation signatures, plug the new component to

other existing components;

3. update the corresponding sequence diagrams, component diagrams, state dia-

grams and class diagrams in light of the above changes;

4. generate a new sequence diagram and a new state diagram as the protocol for the

new component;

256


5. update the corresponding visual representations of the above diagrams.

In total, the transformation contain 105 relations, and 45 functions and queries.

About 6300 lines of XSLT code are generated for implementation of the transforma-

tion.

<<Relation>>

ObjToComLifeline

{when=LifelineToCom(lfl,com);}

<<Domain>>

seq : Interaction

com : Component

name = "propnm"

xmi:id = "propid"

: Property

name = "propnm"

xmi:id = "propid"

: Property

<<Domain>>

tseq : Interaction

name = "lflnm"

xmi:id = "lflid"

: Lifeline

name = "lflnm"

xmi:id = "lflid"

lfl : Lifeline

lifeline

ownedAttribute

represents

represents

lifeline

type

Figure 6.16: A relation to generate a component lifeline

Fig. 6.16illustrates a QVT-R relation which converts an object lifeline to a com-

ponent lifeline. Under the root objectseq tagged with label«Domain», the source

domain pattern of the relation includes aLifeline lfl with its representingProperty.

And the target domain pattern has a similar structure.

When the relation is executed, the source domain pattern is searched in the source

model. If a match is found, thelifelineand thepropertyare bound to instances of source

model elements, and the variables defined within them are instantiated with values

coming from the attributes of the instances. The target domain pattern of the relation

acts as a template to create objects and links in the target model. In this example, the

target domain pattern creates alifelineobject and apropertyobject. Both objects own a

nameand anxmi:id attributes. These two attributes get values from the variables bound

to the corresponding elements of the source domain pattern. Moreover, theproperty

257


object of the target model now has an associationtype that is set to the component

com, which is bound (and possible created) by the relationLifelineToComin thewhen

clause.

6.3 Case Study

The Common Component Modelling Example (CoCoME) [5; 39] describes a trading

system that is typically used in supermarkets. Similar to the example used in Sec-

tion 2.3, this case study originated from Larman’s book [103]. It deals with the various

business processes, such as processing sales at cash desks, handling payments, and

updating the inventory. The system maintains a catalog of product items and records

the amount of each item available. It also keeps the historical records of sales, each of

them consists of a number of line items with the product item and the amount sold.

In this section, we use the rCOS modeler to design a simplified version of this sys-

tem, focusing on stepwise application of the transformations described in the previous

sections to refine an initial requirements model into a component architecture design.


Using the rCOS modeler, we first abstract the domain concepts of the system and their

relationships into a domain class diagram, as shown in Fig.6.17.

In this case study, there can be many use cases, depending on what business pro-

cesses the client wants the system to support. One of the use cases,process sale(see

Fig. 6.18), describes the check out process: a customer takes the products she wants

to buy to a cash desk, the cashier records each product item, and finally the customer

makes the payment. The use case is modeled by a componentProcessSalewith the

interfaceCInter, depicted in Fig.6.19.

The scenario of the use case is described by a system sequence diagram that is

then created for interfaceCInter. To model the check out process, we add combined

258

6.3. Case Study

Figure 6.17: Domain class diagram of CoCoME example

Figure 6.18: Use caseProcessSale Figure 6.19: ComponentProcessSale

fragments and messages to the sequence diagram, while the corresponding method

signatures will be automatically generated in the interface. In addition, we input the

RCOSPspecification for each method in a textual window below the diagram editor.

The completed sequence diagram is shown in Fig.6.20, and the method signatures and

properties of the interfaceCInter are depicted in Fig.6.21.

The followingrCOSP code is input for the methods of interfaceCInter:

public startSale () {

var Date date = clock. date ();

[ ⊢ sale’ = Sale. new(false, date )]

}

259


Figure 6.20: Sequence diagram forCInter Figure 6.21: Interface ofProcessSale

public enterItem (Barcode code,int qty) {

[ qty > 0 ⊢ true];

[ ∃Item i: store . catalog . contains ( i )∧ i.barcode = code⊢ true];

[ ⊢ line’ = LineItem.new(code, qty)];

[ ⊢ ∃Item j: store.catalog. contains ( j )∧ j.barcode = code∧ line.subtotal ’ = j . price ∗ qty];

[ ⊢ sale.lines . add(line )]

}

public finishSale () {

var double sum;

sum:=0;

for (LineItem l : sale . lines ) {

[ ⊢ sum’ = sum + l.subtotal]

};

[ ⊢ sale.total ’ = sum]

endsum;

[ ⊢ sale.complete’ =true]

}

public cashPay(double a; double c) {

[ a >= sale . total ⊢ sale.pay.makePay(a, (a− sale . total ))];

[ ⊢ store.sales . add(sale )];

260

6.3. Case Study

[ ⊢ ∀ LineItem l:∀ Item p: sale.lines . contains ( l )⇒ store.catalog. contains (p)⇒

(p. barcode = l . barcode⇒ p.stock’ = p.stock− l. quantity )];

[ ⊢ c’ = a − sale. total] }

whereaddandcontainsare functions defined for the collection types.

Applying thesequence diagram to state diagram transformationdiscussed in Sec-

tion 6.1.1, we generate a protocol state machine for interfaceCInter, as illustrated in

Fig. 6.22.

Figure 6.22: Protocol state machine forCInter

Through checking the OCL well-formedness rules defined in the rCOS profile and

type checking the interface method specifications, we can ensure the static consistency

of the model. In addition, we can check the dynamic consistency of the model by

generating a CSP specification for the model, and do the checking in the FDR2 model

checker. Thus, we get a ”correct” requirements model that consists of aconceptual

class diagram, a use case diagramwhere a use case is modeled as a component with

a provided interface, asequence diagramand aprotocol state machineto describe the

261


behavior of the use case. Also, each method of the interface has an rCOS design to

specify its data functionality.


Figure 6.23: The controller class for interfaceCInter

To start the object-oriented design, we must first transform the requirements model

into an initial design model. This is done by first labeling the protocol state machine,

and then generate a controller classProcessSale_Ctrwhich implements the interface

CInter, as shown in Fig.6.23. As we will continue to the component-based design

stage, we don’t generate guarded designs for methods of the controller class, but just

copy the method specifications from the interface. Meanwhile, from the sequence

diagram of the interface, an initial object sequence diagram for the controller class

is created by replacing the interface lifeline with a lifeline representing the controller

class.

Then we apply theexpert pattern transformationinteractively to refine the object-

262

6.3. Case Study

Figure 6.24: Interactively applying expert pattern

oriented design of the model. From the view of the object sequence diagram, we open

the rCOS specification of a message’s corresponding method, select a fragment of it,

and delegate to an object of another class. For example, as shown in Fig.6.24, we select

the fragment ”[∃Item i : store.catalog .contains(i) ∧ i .barcode = code ⊢ true];” from the

specification of messageenterItem, and choose ”Design delegation...” from the popup

menu. The tool analyzes the selection, and provides a candidate target object to assign

the responsibility, e.g.store in the figure. After we input the name of the method

that will be created to perform the delegated responsibility, e.g.findItemhere, the

execution of the transformation replaces the selection part with ”store.findItem(code);”,

and creates a methodfindItemin classStoreas follows:

public findItem (Barcode x3) {

[ ∃ Item i: catalog . contains ( i )∧ i.barcode = x3⊢ true] }

Accordingly, the object sequence diagram is changed into the one shown in Fig.6.25.

263


Note that a new lifelinestoreof typeStoreis created, and a new message that invokes

methodfindItemis also added to the diagram.

Figure 6.25: The object sequence diagram after applying expert pattern

As another example, for messagefinishSale, we select the following fragment from

its method specification:

var double sum;

sum:=0;

for (LineItem l : sale . lines ) {


};

[ ⊢ sale.total ’ = sum]

endsum;

We delegate the selection to objectsaleof classSaleas a methodupdateTotalthat will

be generated to calculate the total value of a sale. Now, the specification for method

finishSaleis refined to :


sale . updateTotal ();

[ ⊢ sale.complete’ =true] }

264

6.3. Case Study

Figure 6.26: The object sequence diagram after OO refinement

Figure 6.27: Design class diagram of CoCoME example

Finally, after applying the expert pattern to each of the messages, the object se-

265


quence diagram of classProcessSale_Ctris refined to Fig.6.26, and the domain class

diagram of Fig.6.17is therefore changed to a design class diagram shown in Fig.6.27.

Meanwhile, the method specifications for classProcessSale_Ctrare refined to:

public startSale () {

var Date date = clock. date ();

[ ⊢ sale’ = Sale. new(false, date )]

}

public enterItem (Barcode code,int qty) {

[ qty > 0 ⊢ true];

store . findItem (code);

[ ⊢ line’ = LineItem.new(code, qty)];

line . setSubTotal (store , qty, code);

sale . addLine(line )

}


sale . updateTotal ();

sale . setComplete()

}

public cashPay(double a; double c){

sale . makePay(a);

store . addSale(sale );

store . updateStock(sale );

[ ⊢ c’ = a − sale . total]

}

Accordingly, in total 8 methods are newly created in the class model:

public Store :: addSale(Sale x1) {

[ ⊢ sales.add(x1)]

}

public Store :: upDateStock(Sale x2) {

[ ⊢ ∀ LineItem l:∀ Item p: x2.lines. contains ( l )⇒ catalog.contains(p)⇒

(p. barcode = l . barcode⇒ p.stock’ = p.stock− l. quantity )]

}

266

6.3. Case Study

public Store :: findItem (Barcode x3) {

[ ∃Item i: catalog . contains ( i )∧ i.barcode = x3⊢ true]

}

public Sale:: updateTotal () {

var double sum;

sum:=0;

for (LineItem l : lines ) {


};

[ ⊢ total’ = sum];

endsum

}

public Sale:: setComplete() {

[ ⊢ complete’ =true]

}

public Sale:: addLine(LineItem x5) {

[ ⊢ lines. add(x5)]

}

public Sale:: makePay(double x1) {

[ x1 >= total ⊢ pay.makePay(x1, x1− total)]

}

public LineItem:: setSubTotal (Store x1,int x3, Barcode x2) {

[ ⊢ ∃Item j: x1.catalog.contains( j )∧ j.barcode = x2∧ subtotal’ = j . price ∗ x3]

}

6.3.3 Component-based design

Based on the object-oriented design model which contains a set of object sequence

diagrams, we start to produce a component-based model by using theobject sequence

diagram to component sequence diagram transformationin a stepwise, incremental

manner.

We work on an object sequence diagram similar to the one shown in Fig.6.26.

267


It consists of six lifelines. The leftmost one represents theactor, and followed by

lifelines proce, sale, line, storeandpay, representing respectively the objects of class

ProcessSale_Ctr, Sale, LineItem, StoreandPayment. Based on our understanding of

the case study, and the sequence- and class diagram, we decide to apply the object- to

component sequence diagram transformation three times.

Figure 6.28: Select lifelines to become a component

In the first we deal with the lifelineproce, which is directly interacting with the

actor. Since lifelinessaleand line are created by theproce, three of them have to be

in the same component. As shown in Fig.6.28, we select these three lifelines from

the sequence diagram, click on the ”Lifelines to Component (single component)” from

the popup menu. As we mentioned before, the tool will check whether the selected

lifelines can be transformed to a component, and try to decide thekey (controller)

lifeline itself. Here theproceservers as the key lifeline. If it can’t decide the key

lifeline, a popup window will appear to ask the user to choose one. By the way, if

we select all the lifelines of the diagram, and click on the ”Lifelines to Component (by

partition)” from the menu, these lifelines will be automatically divided into several

groups, and each group is translated into a component.

However, if the selection is not valid, an error message will be displayed. For

268

6.3. Case Study

Figure 6.29: Validation error message

instance, if we choose lifelinessale, line andstore to become a component, the tool

will pop up an error message, as shown in Fig.6.29.

The first execution of the transformation translates the three selected lifelines into

a service componentCOM_proce, and changes the sequence diagram to the one shown

in Fig.6.30, where lifelineprocenow represents the new component, and lifelinessale

andline, along with their internal messages, are removed from the diagram.

The resulting componentCOM_proce, as shown in the component diagram of

Fig.6.31, is a sub-component ofProcessSale, and connects to the latter through a port.

This diagram is therefore a ”child” component diagram of Fig.6.19, for the purpose

of showing the internal structure of componentProcessSale. ComponentCOM_proce

has a provided interfaceConInter_proceand a required interfaceRInter_proce. The

definitions for the component, including the operation signatures of the interfaces, is

shown in Fig.6.32. In here, the two removed lifelines,saleandline, become properties

(rCOSfields) inside the componentCOM_proce.

For the second and third transformations, we select the lifelinesstoreandpayfrom

the sequence diagram of Fig.6.30, and turn them into componentCOM_storeand

COM_pay, respectively. As the result, we obtain the component sequence diagram

shown in Fig.6.33, in which all lifelines represent components, except the onerep-

resenting the actor. Accordingly, the component diagram is changed to the one de-

269


Figure 6.30: The sequence diagram after the first transformation

Figure 6.31: Component diagram after first transformation

picted in Fig.6.34, in which the provided interfaces of componentsCOM_storeand

COM_payare plugged to the required interface of componentCOM_proce, and the last

270

6.3. Case Study

Figure 6.32: Definitions of componentCOM_proce

component realizes the functionality of componentProcessSale. TheRCOSPcounter-

part of the component diagram is shown for comparison in Listing6.35.

Figure 6.33: Component sequence diagram for componentProcessSale

271


Figure 6.34: Component diagram forProcessSale

componentProcessSale {provided interface CInter

by COM_proce.ConInter_proce {/∗Method∗/...protocol {...}

}composition : COM_proce|COM_store|COM_pay

[(COM_proce.RInter_proce<< COM_store.ConInter_store),

(COM_proce.RInter_proce<< COM_pay.ConInter_pay)]

componentCOM_proce {public LineItem line;public Sale sale;provided interface ConInter_proce {...}required interface RInter_proce {...}

}componentCOM_store {

provided interface ConInter_store {...}}componentCOM_pay {

provided interface ConInter_pay {...}}

}

Listing 6.35: ComponentProcess-Salein RCOSP

Protocols of components. We also automatically generate rCOS protocols for the

interfaces of the newly created components. For a provided interface, the protocol

consists of a sequence diagram and a protocol state diagram. For example, theprovided

protocolfor componentCOM_storeis shown in Figs.6.36& 6.37. But for a required

interface, we usually provide it with a protocol state machine, as the one shown in

Fig. 6.38 for the required interfaceRInter_proceof componentCOM_proce. This

state machine defines the possible sequence of method invocations.

Through applying the object sequence diagram to component sequence diagram

transformation three times, we have successfully developed the OO design model of

CoCoME into a component model. In the model, a component of use case is decom-

posed into, and realized by a composition of a number of sub-components within the

component, and the connections and interactions of these sub-components are illus-

trated by a component diagram and a component sequence diagram, respectively. In

addition, each component in the model has its provided/required interfaces, as well

272

6.3. Case Study

Figure 6.36: SD ofCOM_store Figure 6.37: PSM ofCOM_store

Figure 6.38: PSM for the required interface of componentCOM_proce

as protocols, each consists of a sequence diagram and a state diagram, to define the

behaviors of the component.

273


6.3.3.1 Applying rCOS component operators

Starting from the component model, rCOS component composition operators, such as

renaming, plugging, andparallel composition, can be applied to optimize the structure

of the model, or build new components from the existing ones.

For the component diagram of Fig.6.34, we contemplate combining the compo-

nentsCOM_storeand COM_payinto a single component for the purpose of better

deployment. First we remove the«Composition» connections between the required

and provided interfaces, then select these two components, and choose the ”Compose

components” from the rCOS popup menu, as shown in Fig.6.39.

Figure 6.39: Apply component composition

Applying the composing operation generates a new componentCOM_pay_SHde-

picted in Fig.6.40. It has a single provided interface. As the interfaces ofCOM_store

andCOM_payare disjoint from each other,COM_pay_SHis the result of thedisjoint

unionof that two components. Its provided protocol is shown in Fig.6.41& 6.42.

In the next step, selecting the ”Plug components” from the rCOS popup menu, we

274

6.3. Case Study

Figure 6.40: Result of component composition

Figure 6.41: Sequence diagram for componentCOM_pay_SH

plug the provided interface ofCOM_pay_SHinto the required interface ofCOM_proce.

The tool will check the composability of these two interfaces:

• Method signatures: Both interfaces have at least one identical method signature.

It is obvious that all the method signatures of the two interfaces are identical.

• Behavior protocols: We generate the following CSP processPR from the PSM

275


Figure 6.42: PSM for componentCOM_pay_SH

of the required interfaceRInter_proceshown in Fig.6.38:

PR = (findItem!→ PR) � moreItem� (makePay!→ addSale!→ updateStock!→ SKIP)

From the PSM shown in Fig.6.42, also we produce the CSP processPC for the

provided interfaceConInter_pay_SHof componentCOM_pay_SHas follows:

PC = (PC1 ‖| PC2); SKIP

PC1 = (findItem?→ PC1) � moreItem� (addSale?→ updateStock?→ PC )

PC2 = makePay?→ PC

It can be proved in FDR that the parallel composition of these two processes

PC ‖ PR is deadlock free. Thus, the method invocation traces specified in the

protocol of interfaceRInter_proceare accepted by the provided protocol of

COM_pay_SH, and the interactions of the two components will not be blocked.

Fig. 6.43shows the resulting component diagram for theProcessSale. We also list

its RCOSPcounterpart in List6.44.

276

6.4. Related Work

Figure 6.43: Optimized component diagram forProcessSale

componentProcessSale {provided interface CInter

by COM_proce.ConInter_proce {...}

composition : COM_proce|COM_pay_SH[(COM_proce.RInter_proce

<< COM_pay_SH.ConInter_pay_SH)]

componentCOM_proce {...provided interface ConInter_proce {...}required interface RInter_proce {...}

}componentCOM_pay_SH {

provided interface CInter_pay_SHby COM_store.ConInter_store,

COM_pay.ConInter_pay {...}composition : COM_proce|COM_pay

[(COM_store || COM_pay)]

componentCOM_store {provided interface ConInter_store {...}

}componentCOM_pay {

provided interface ConInter_pay {...}}

}}

Listing 6.44: Optimized compo-nent model inRCOSP

However, starting from a verified requirements model shown in Fig.6.18-6.21, we

have, step by step, developed a model of component architecture as depicted in the

component diagram of Fig.6.43, through incremental applying the rCOS transforma-

tions of requirements model to OO model, functionality delegation, object sequence

diagram to component sequence diagramandcomponent compositions. The correct-

ness of the component model is ensured as these transformations implement rCOS

refinement principles. Based on the component model, one can generate program code

for the components and accordingly deploy them to form a software system.

6.4 Related Work

The transformation from scenario-based interaction diagrams to state-based models is

one of the key activities in OOAD [169]. It allows designers to concentrate on model-

ing requirements, and automatically get executable and simulatable state models which

277


are required in design processes. Algorithms that transform scenarios into state ma-

chines are often called synthesis algorithms. Many approaches have been proposed to

address the algorithms. Amyot and Eberlein [16], and Liang et al. [108] have evaluated

more than twenty of them. However, most of the works date back before UML 2.0.

The scenario languages they used lack control constructs, such as combined fragments

and interaction uses introduced in UML 2.0 sequence diagrams. Scenarios are writ-

ten in isolation and their relationships are not specified [170]. Therefore, the problem

that mainly captured researchers’ attention is how to decide the relationships between

different scenarios. These approaches require a significant additional modeling effort

from the user [170].

The work of [72] deals with most combined fragments of UML 2.0, such asalt, opt,

loopandpar, but leaves out theinteraction uses. The transformation is defined through

graph transformations based on concrete syntax. In [182], an algebraic framework for

synthesizing statecharts from UML 2.0 sequence diagrams was proposed. Only three

operators (seq, alt andloop) are supported, and the approach takes sequence diagrams

in textual format as inputs. The aforementioned [170] usesinteraction overview di-

agrams, instead ofinteraction uses, to specify relationships between scenarios. This

is the only work we have seen that supports the interaction overview diagrams. Most

work in this area focus on the synthesis algorithms, whereas the integration in indus-

trial practice remains implicit [70; 79].

Our SD to PSMtransformation is similar to the ones described at [72; 170] in that

we support most of the combined fragments of UML 2.0, including theinteraction

uses. Particularly we translateparallel into PSM’s orthogonal regions, and we support

critical fragments. We integrate multiple scenarios of a single interface throughinter-

action uses, and our transformation generates UML protocol state machines suitable

for the definition of contract protocols.

Our approach to label the state machines is similar to the techniques used in [81],

where state variables are introduced to represent the current configuration. The system

278

6.4. Related Work

controls a single variable which represents the message sent by a system object in the

current step. Then the current state of the system automaton can be represented by the

variable, ranging over its states. In our approach, we define a state variable for each

region of thePSM, and simply use the name of a state as the value of the state variable.

However, the algorithm we used to label the state machines is unique as we consider

hierarchical state- and critical variables. Elkoutbi et al. [56] proposed a way to label a

state machine with pre- and postconditions of the underlying class, and [48] proposed

atechnique to construct state models from contract specifications, i.e. operations spec-

ified with pre- and postconditions, for the purpose of contract inspection, animation

and simulation. We consider these two works as the inverse of our approach, since we

generate contract specifications from state machines. In addition, the work of [143]

also generates class contracts, as a pre- and post-condition for each operation, from a

protocol state machine with state invariants. The invariants are manually added to each

state of the state machine. Our approach uses labeledPSMsto generate the contracts,

and the labels are automatically produced from the sequence diagrams.

As a natural step of model driven development, object-oriented models are further

evolved to component-based models to get the benefits of reusability, maintenance,

as well as distributed and independent deployment. Surveys of approaches and tech-

niques for identifying reusable components from object-oriented models can be found

in [25; 167]. Based on the principle of “high cohesion and low coupling”,researchers

try to cluster classes into components. The basic ideas are: calculate the strength of

semantic dependencies between classes and transform them into the form of weighted

directional graph, then cluster the graph using graph clustering or matrix analysis tech-

niques [167]. Using clustering analysis, components with high cohesionand low cou-

pling are expected to be obtained in order to reduce composition cost.

Particularly, since use cases are applied to describe the functionality of a system,

the work of [153] focuses on applying various clustering methods to cluster use cases

into several components. In [59], the static and dynamic relationships between classes

279


are used for clustering related classes in components, where static relationship mea-

sures the relationship strength, and dynamic relationship measures the frequency of

message exchange at runtime. COMO [105] proposed a method which measures inter-

class relationships in terms ofcreate, retrieve, updateanddelete(CRUD) operations

of model elements. It uses a dynamic coupling metric between objects to measure

the potential number of messages exchanged. All the above approaches are based on

clustering algorithms, which makes them much different from our approach, where

transformations are applied at thedesign stageby a human.

Identifying reusable components from object-oriented models is considered to be

one of the most difficult tasks in the software development process [59]. Most existing

approaches just provide general guidelines for component identification. They lack

more precise criteria and methods [44]. Because of the complexity of source infor-

mation and the component model itself, it is not advisable for component designers to

manually develop component-based models from object-oriented models [167]. Alas,

there are almost no (semi)-automatic tools to help designers in the development pro-

cess [153].

Sequence diagrams have of course already been used informally in UML-based

modeling since their conception. Recently, [80] presents a rigorously defined variant

called “Life Sequence Charts” with tool support to use them for system design. The

focus there is however not on component modeling, but giving a formal semantics to

sequence charts for synthesis.

The rCOS approach of refinement driven development has long been studied in the

rCOS group. In [39], we have studied this top-down development process, carried out

by hand, for the CoCoME case study. Our process is motivated by an industrial CASE

tool, MASTERCRAFT [111]. There, the focus is on the design and refinement of the

relational method specifications using the rCOS language. In [180], we have discussed

an informal approach to using transformations for rCOS, and a variant of treating se-

quence diagrams in particular. Apart from general discussion, QVT Relations trans-

280

6.5. Summary

formations for the MODELMORF engine using custom metamodels for sequence- and

class diagrams were given as a proof of concept. Based on this experience, we set out

on a more formal quest forprovably correctmodel transformations.

In the work of [37], the functionality specification of a transition is specified in

terms of a design as a pair of pre-/postconditions, and an integrated specification of

methodm is defined as disjunction of the functionality specifications of all transitions

that may react to invocation ofm. The approach integrates the state machine with a

class and gives complete behavior definitions for the methods. In [41] we provide full

model- and code generation for the approach. The transformation for the generation

of method bodies presented in this chapter is also based on this approach, but with an

extension to support concurrency and critical constructs.

Application of the expert pattern in the rCOS modeler was also discussed in [158].

The work is carried out in the view of class diagrams with a similar algorithm, but

updating of the corresponding sequence diagrams is not considered.

In this chapter, we have formalized the desired outcome in the style of OCL formu-

las on input- and output models, and the transformations themselves are also syntacti-

cally checked using OCL. However, the correctness of the formulation with respect to

the logically defined refinement relation between the input- and output models still re-

quires a formal proof. To this end, our colleagues have already studied the automated

generation of proof obligations for object-oriented refinements [113]. For transfor-

mations on the component level, we do not expect proofs to be dynamic, but rather

that a transformation can be proved correct once, and then just checking a syntactic

precondition on the input for input validation.

6.5 Summary

The purpose of our work in the thesis is automating the rCOS correctness preserv-

ing transformations and integrated them into tool support. We present four of them

281


in this chapter. These transformations are not isolated. They sequentially cover all

phases of component-based, model-driven development of rCOS. We discuss in detail

two of the transformations which bridge the gap between requirements models and

OO design model, and between the OO design model and component-based model.

The first transformation automatically processes system sequence diagrams into con-

troller classes with method guards which enforce the semantics of sequence diagrams,

through an intermediate step of generating protocol state machines. The second one,

the object sequence diagram to component sequence diagram transformation, improves

the component-based model-driven software design in practice by allowing the seam-

less combination of object-oriented and component-based techniques.

These transformations are defined in the graphical notation of QVT Relations us-

ing the QVTR-XSLT tool. The QVT-R specifications are then automatically trans-

formed to executable XSLT programs, and integrated into the rCOS modeler. Many

new features found in sequence diagrams and protocol state machines of UML 2.0 are

supported by the transformations. The rCOS modeler that implements the transforma-

tions discussed here can be downloaded with examples fromhttp://rcos.iist.

unu.edu/.

282

http://rcos.iist.unu.edu/

http://rcos.iist.unu.edu/

Chapter 7

Conclusions and Future Work

This chapter summarizes the work of the thesis, discusses the limitations and proposes

future work.

7.1 Conclusions

MDA is current a mainstream approach to component-based software design through

raising the level of abstraction, separation of concerns and software reuse. In MDA, a

software system is developed based on model construction, validation/verification, and

composition in a development process, either top down waterfall or bottom up synthe-

sis. Model transformations play the key role in the process. In the top down process,

a transformation refines the source model by adding more design and implementation

details, and in the bottom up process a transformation composes a number of source

models for architecture refinement. Model transformations can also be used to abstract

models for the purpose of formal verification.

However, for correct construction of a software system, model transformations

should be semantic preserving. To support incremental development, model trans-

formations have to be compositional. This requires that models, model compositions

and transformations are precisely defined using formal modeling languages. Further-

more, the MDA approach can be effectively useful only when automated tool support

is available, especially the automation of the model transformations.

The work presented in this thesis is on supporting a MDA development process

using automated model transformations. To complement MDA with a precise seman-

tics and a meticulous development methodology, we adopt the rCOS in the research.

It provides a precise multi-view modeling notation for object and component systems,

283

7. Conclusions and Future Work

a formal semantics for model verification and validation, and a comprehensive refine-

ment calculus that implements as correctness preserving model transformations. The

rCOS development process is driven by applying these model transformations.

It is challenging and important to investigate these transformations on both theo-

retical and practical grounds, and automate them into software tools. Development of

such a tool requires understanding of formal methods to correctly encode the require-

ments and algorithms, such as applications of different design patterns. It is not enough

to only provide a library of the transformation implementations, more importantly, the

tool should provide guidance on which rule is most suitable in current state. It is also

difficult to support consistent and correct checking of the transformations.

In this thesis, we tackled this challenge by developing a novel model transforma-

tion approach and its implementation tool to support the graphical syntax of QVT

Relations, the OMG’s standard high-level declarative model transformation language.

With the help of this tool, we designed and implemented a set of model transformations

proposed in rCOS refinement calculus, and integrated them into the rCOS modeler, a

CASE tool for rCOS development. In particular, we presented an approach to automat

the transformation from object-oriented models to component models, so the object-

oriented design and component-based techniques can be seamlessly combined in the

development process. We also support the transformations of requirements model to

OO design model, functionality delegation, and component composition. To standard-

ize rCOS method and facilitate the application of these transformations, we defined a

UML profile with necessary stereotypes, tagged values and constraints to represent the

concepts of rCOS in UML, and to support the development methodology of rCOS.

In the following, we summarize the works we consider as the major contributions

of the thesis:

A model transformation approach and tool. In Chapter4, we presented a practi-

cal model transformation approach to support the graphical syntax of QVT-R through

284

7.1. Conclusions

mapping to XSLT. In our approach, we specify a transformation as a set of QVT-R

relations between the elements of source and target metamodels using the graphical

notation of QVT-R. Then the transformation is implemented as an XSLT stylesheet,

where every relation maps to an XSLT rule template. Since QVT-R relies heavily on

the use of OCL, we designed a way to map OCL into XPath, a sub-language of XSLT,

by mapping OCL’s types, expressions and operations into semantic equivalent XPath

constructs.

We support unidirectional non-incremental enforcement transformations of QVT-

R. The features of our approach include transformation inheritance through rule over-

riding, traceability of transformation executions, multiple input and output models,

and in-place transformations. To improve the usability of QVT-R, we extended the

language with additional transformation parameter, relation alias name and priority,

as well as conditional relation call. We also proposed a novel graphical model query

facility, which is based on the checking semantics and pattern matching mechanism of

QVT-R, and also uses the graphical notation. The model query facility can work seam-

lessly within QVT-R transformations. In addition, we have developed a collection of

pre-defined transformations for improving the interoperability of the tool, as well as

for transformation verification and validation.

The tool for supporting the graphical notation of QVT-R and the model query fa-

cility, named QVTR-XSLT, is designed as two parts: a QVT-R graphical editor and

an XSLT code generator. To build the tool in a standard, model-driven way, we pro-

posed a UML profile to represent the abstract syntax of QVT-R. With a user-friendly

user interface, the graphical editor of the tool supports the definition of metamodels as

simple UML class diagrams, the specification of QVT-R transformations and queries

using the graphical notation. The code generator can automatically translate a QVT-R

transformation into executable XSLT programs. To evaluate our approach and tool, we

presented a case study and compared the transformation execution traces and results

with a popular QVT-R tool known as a faithful implementation of the QVT-R standard.

285


Our approach is founded on the OMG and W3C standards, and makes use of well-

known and commonly adopted languages and CASE tools. It is quite easy and user-

friendly to design QVT-R rules in the editor, because all objects and links are restricted

by selecting from the source and target metamodels, effectively providing a graphical

domain-specific language. Such syntax-directed editing can reduce the number of er-

rors, as it only permits mostly well-typed models. The generated XSLT programs

for the transformations can be directly executed under any XSLT processor on any

platform, and can be easily integrated into other applications and systems. As there

are already many industrial-strength XSLT processors, such asSaxonandXalan, our

transformations can run fast and efficiently process large-scale models.

The QVTR-XSLT tool can be applied to a wide variety of source-to-target and

in-place model transformations. Many transformation scenarios, such as platform in-

dependent model (PIM) to platform specific models (PSM) transformations, or the

transformations of UML models to models of formal languages (such as CSP), are

well supported. Data transformation in data engineering is another potential applica-

tion field for the tool. Using the tool, the structures of the XML data can be described

concisely by metamodels, and the mappings between the data can be specified by re-

lations of QVT-R using the high-level graphical notation. In addition, the tool can

be used in the fields of semantic web and ontologies, often there is a need to convert

between different knowledge models, which are also in XML formats.

Since at the present time practical tool supports for the graphical notation of QVT-

R is scarce, our approach and tool mark a useful attempt to bring the language to

practice. Most importantly for the work of the thesis, the tool is able to meet the high

demands for the implementation of rCOS model transformations, and thus has been

used in design of these transformations.

A UML profile for supporting rCOS method and development methodology. In

Chapter5, we proposed a UML profile with which the rCOS techniques and method-

286

7.1. Conclusions

ology can be applied to component-based software development in a standard model-

driven way. The rCOS profile provides rCOS with the power of the OMG UML stan-

dardized graphical notation and tool supports for system and software modeling, while

it supplies UML with a precise semantics, additional modeling concepts for compo-

nents composition, formal consistency verification and refinement techniques, and a

design methodology based on correctness preserving model transformations in the ap-

plication domain of the component-based model-driven development. Linking with

UML increases the usefulness of rCOS, and thus greatly helps the end users to model

a syntactic correct rCOS application.

We use a systematic approach to design the rCOS profile, starting from building

the domain metamodel to capture the basic concepts of rCOS, then mapping them

into stereotypes and their attributes, and adding the OCL well-formedness constraints,

while considering the support of rCOS development. In addition, we defined the ar-

chitecture and parts of an rCOS model, such as class, interface, component, sequence

diagram and state machine diagram, to model the views of reactive behavior, inter-

action, class structure and component composition, and to facilitate the definition of

rCOS model transformations.

We implemented the profile in a CASE tool –rCOS modeler. Based on the rCOS

profile, the tool focuses on supporting the rCOS development process with a user

friendly interface. It integrates the rCOS refinement rules, such as expert pattern and

structural refinements, as correctness preserving model transformations. We also pro-

posed an interactive, stepwise procedure to develop rCOS models in the rCOS modeler

through applying the refinement transformations.

Design and implementation of a set of rCOS model transformations. The rCOS

has a rather comprehensive refinement calculus. We design and implement a set of

the refinement rules as model transformations using the QVTR-XSLT tool, and in-

tegrate the transformations into the rCOS modeler. In Chapter6, we presented four

287


of the refinement transformations that are frequently used in different stages of rCOS

development:

• Requirements model to OO design model:This transformation converts a re-

quirements model into an initial OO design model by synthesizing a protocol

state machine from the system sequence diagrams of a use case component, and

deriving a controller class as an implementation of the component. We translate

the rCOSdesignsof the component methods intoguarded designsfor the meth-

ods of the controller class, thus the semantics introduced by the sequence dia-

grams are faithfully preserved by the controller class. The transformation takes

into account the concurrency and critical area of the respective diagrams. The

generated model can sever as the starting point for the detailed object-oriented

design, such as applying the expert pattern. Therefore the transformation helps

to bridge the gap between requirement models and OO design models.

• Functionality delegation:This is also called theexpert patternof responsibility

assignment, one of the most important rCOS OO refinement rules. It refines a

functionality specification into object interactions, based on a given class struc-

ture, thus a particular responsibility is assigned to an appropriate object that

knows the required data. In this transformation, first a fragment of a method

specification is selected, either manually by the user or automatically by the tool,

and then the selected part is evaluated to find a suitable target object to delegate

to. Execution of the transformation synchronously modifies the model by creat-

ing a new method in the class of the target object to compute the delegated task,

replacing the selected fragment with a method call to the new method. Mean-

while, the corresponding sequence diagram is accordingly updated by adding

a new lifeline representing the target object, and a new message representing

the method call. Through stepwise incremental applying the expert pattern, the

sequence diagrams of use cases are gradually refined into object sequence dia-

288

7.1. Conclusions

grams, and the concept class diagram of the requirements model is accordingly

refined into a design class diagram.

• OO design model to component-based model:Through using the object se-

quence diagram to component sequence diagram transformation, an OO design

model can be automatically transformed into a component-based model for the

purpose of reusability, maintenance, and more importantly, distributed and inde-

pendent deployment. In the transformation, a number of objects selected from

an object sequence diagram is turned into a new component. The interfaces of

the component are identified from the messages of the sequence diagram, and

a component sequence diagram is abstracted from the object sequence diagram

by hiding the messages and lifelines inside the generated component. Mean-

while, a protocol for the new component, which consists of a sequence diagram

and a state machine, is also produced, and component diagrams are modified to

represent the relationships of the components.

Through a finite number of transformation steps with valid selections on the

OO model, the object sequence diagram is entirely transformed to a component

sequence diagram in which the lifelines represent only components. Also, a

complete component diagram is generated. Thus, we obtain a correct refinement

of an OO design model to a component-based architecture model in which each

component of the requirements model becomes a composition of a number of

components.

• Component composition:The transformation realizes the basic rCOS composi-

tion operators, includingrenaminginterface methods,hiding services of a com-

ponent,plugging a provided interface into a required interface, andparallel

compositionof components. The transformation will check the composability

of components, create a new component, update the corresponding component

diagram, and generate protocols for the newly created components.

289


Particularly, we discussed the design and implementation details of therequire-

ments model to OO design model transformationand theOO design model to component-

based model transformation.

7.2 Limitations of Current Study

However, our approaches and tools are still not perfect. Some of the problems and

limitations are as follows:

Not all features of QVT-R standard are supported. We still cannot support all fea-

tures of QVT-R, especially itscheck-before-enforcesemantics. One reason is the com-

plex requirements covered by the QVT specification, such as incremental transforma-

tions, bidirectional transformations, model synchronization, and many of the features

that are implicit in a declarative language. Because of our limited resources, a full im-

plementation of the QVT-R is certainly an ambitious undertaking. As far as we know,

no existing QVT tool supports all these features.

Another reason is that our approach is based on XSLT techniques by mapping

constructs of QVT-R into constructs of XSLT. One advantage of this approach is to

provide a clear correspondence between a QVT-R transformation and its XSLT im-

plementation, so it is possible to debug the XSLT code, find errors, and easily trace

back to where the errors occurred in the QVT-R specification. But compared to other

approaches such as using a QVT-R interpreter, the ability to support the semantics of

QVT Relations is somehow weaker. Some of the restrictions are listed in the following:

• Relation domains: QVT-R supports multiple domains in a relation, that means,

it can have multiple source and target models. In our approach, we can define

multiple typed models for a transformation, but restrict to one source model and

one target model in a relation;

290

7.2. Limitations of Current Study

• Transformation directions: As one of its key features, QVT-R allows to specify

bidirectional transformations. Transformations can be executed in any direction

by selecting one of the typed models as the target in the running time. In our

approach, the generated XSLT stylesheet is unidirectional, and the source and

target models are decided at the design stage;

• Check-before-enforce semantics and in-place transformation: The semantics

of QVT-R ensures that before creating a new object, it is checked whether an ex-

isting one that satisfies the constraints of the relation can be reused. In this way,

QVT-R supports creating new, and modifying existing, target model elements.

Thus the in-place transformation is implicitly supported by the semantics, and

no additional definition is needed. In our approach, we create all target model

elements in a transformation, and we have to explicitly define an in-place trans-

formation as a set ofchangesto the source model.

• OCL support : In QVT-R, thewhen- andwhere-clauses can contain arbitrary

expressions of extended essential OCL. Our approach supports a subset of OCL.

An OCL expressions is evaluated in the context of a QVT relation, allowing

source domain pattern elements, properties, links and variables to be navigated

and referenced.

Correctness of the QVT-R implementation is not formally proven. Both the QVT

standard and our implementation are extremely complicated. In addition, as many

other OMG standards, the QVT specification fails to provide a precise semantics for

its languages, not even with a reference implementation. All these make the formal

proof another ambitious undertaking. As we focus on the design and implementation

of a practical model transformation approach and tool support, we consider this task

of formal proof beyond the scope of the thesis.

Alternatively, we validate our implementation through testing. We take themedini

291


QVT as a reference implementation of QVT-R, execute a set of transformations in our

tool and the medini QVT, and compare the trace models and resulting models. The

comparison results show that the basic semantics of QVT-R is correctly supported by

our tool. However, more systematic testing is desirable.

The rCOS profile does not fully support rCOS component model. In rCOS,coor-

dination compositionis defined as parallel composition of processes and components.

The composition operators include not only theconnectorsthat we have already de-

fined in the rCOS profile, but also thecoordinators(coordinating processes), which are

used to coordinate a number of components, and exchange data between them. How-

ever, the support for coordinators is not considered in the current version of the rCOS

profile. It is because we lack the experience of using the coordinators in case studies,

and the definition of coordination composition itself is still improving intermittently.

Moreover, in the rCOS profile, we realize theconnectors(except theplugging) using

only hierarchical assemblythat results in composite components. However, the rCOS

connectors can be also implemented as simple open components that connect to the

original components through thehorizontal assembly.

Generation of proof obligations is not supported. The rCOS development is driven

by applying refinement rules in a stepwise way. This process produces a succession

of models with increasing complexity and details as they approximate the implemen-

tation system. It must be ensured that there exists refinement relationships between

these models, i.e. a more concrete model satisfies its more abstract ancestor. The

use of proof obligations is an effective way to enhance the confidence. As the rCOS

refinement calculus is implemented as model transformations, application of such a

transformation can also generate proof obligations to verify properties of the models.

However, the transformations discussed in the thesis do not include the generation of

the proof obligations. In fact, the problem was explored by our colleagues in [113]

292

7.3. Perspectives for Future Work

using the theorem prover Isabelle/HOL, and has been partially automated in the rCOS

modeler [158].

7.3 Perspectives for Future Work

There is still a long way to fulfill our vision on the design and implementation of the

rCOS tool set out in [111]. A main challenge is still in the automation of the model

transformations of rCOS [97]. We already have a set of transformations for users

to invoke from the menus of the rCOS modeler, and have proposed a development

procedure for using these transformations. But more rCOS model transformations

need to be developed to support the full development process.

For example, we can improve the low level design by using more design patterns

[65], such as theattribute encapsulationand class decomposition (high cohesionand

low coupling). The rCOS refinement calculus also includes a group of simple struc-

tural refinement rules [110], referred as ”small-step” refinements, e.g. adding classes,

attributes, methods, decomposition and composition of classes, promoting methods

from subclasses to super classes, etc. These rules are worth implementing in the rCOS

modeler. In addition, we are going to do more work on transforming the component-

based models into particular platform specific models, such as web applications.

To ensure correctness of these model transformations, we plan to explore the possi-

bility to generate proof obligations from the transformation specifications using higher-

order model transformations. The proof obligations are expressed in the form of OCL

expressions, which can be verified in the framework of rCOS modeler, along with other

OCL constraints defined in the rCOS profile. Future work also includes applying the

rCOS modeler to more middle and large scale case studies, for the purpose of promot-

ing the usefulness and ease of use of the tool, and evaluating its practical applicability

in real software projects.

Of the possible topics for continuing the work on QVTR-XSLT tool, we consider

293


to migrate the QVT-R graphical editor to an open source UML CASE tool. The cur-

rent editor is built on the top of MagicDraw UML, a commercial CASE tool. Based

on an open source platform, our tool could reach a broader user base. Interestingly,

after boot-strapping our approach, we could now also use the tool to rewrite the code

generator in QVT-R, instead of directly implementing it in XSLT. Moreover, we want

to explore more possible usages of the tool, such as for model conformance checking,

in which, given a source and a target model, a QVT-R relation can also be used to

check if it holds between the two models.

Nowadays, we are still far away from a widespread adoption of model-driven ap-

proaches for general software development, but the paradigm has gradually attracted

the attention of the public and the industry [63]. As methodologies and tools are get-

ting matured, more and more research and development projects will appear in the

field. Hopefully, the ideas and techniques presented in this thesis will stimulate and

help further research in the domain of component-based and model driven develop-

ment. And we will continue working in this direction.

294

References

[1] AndroMDA.org. http://www.andromda.org/.55

[2] Borland Together, Visual Modeling for Software Architecture Design.

http://www.borland.com/us/products/together/index.html.111

[3] Eclipse Model To Model (M2M) project. http://www.eclipse.org/m2m/. 16,

112, 113

[4] SmartQVT - A QVT implementation. http://sourceforge.net/

projects/smartqvt/. 111

[5] The Common Component Modeling Example, volume 5153 ofLNCS. Springer,

2008.258

[6] J. Abrial. The B-book: assigning programs to meanings. Cambridge University

Press, 2005.8

[7] J. Abrial. Modeling in Event-B: system and software engineering. Cambridge

University Press, 2010.8, 12

[8] J. Abrial, M. Butler, S. Hallerstede, T. Hoang, F. Mehta, and L. Voisin. Rodin:

an open toolset for modelling and reasoning in Event-B.International Journal

on Software Tools for Technology Transfer (STTT), 12(6):447–466, 2010.10

[9] S. Agerholm and P. G. Larsen. The IFAD VDM Tools: Lightweight Formal

Methods. InProceedings of Applied Formal Methods - FM-Trends 98, volume

1641 ofLNCS, pages 326–329. Springer, 1999.226

[10] A. Agrawal. Graph rewriting and transformation (GReAT): A solution for the

model integrated computing (MIC) bottleneck. 2003.13, 109

[11] S. Ahumada, L. Apvrille, T. Barros, A. Cansado, E. Madelaine, and

E. Salageanu. Specifying Fractal and GCM Components with UML. InPro-

ceedings of the XXVI International Conference of the Chilean Society of Com-

puter Science, pages 53–62. IEEE, 2007.225

[12] J. Ali and J. Tanaka. Implementing the Dynamic Behavior Represented as Mul-

tiple State Diagrams and Activity Diagrams.Journal of Computer Science and

Information Management (JCSIM), 2(1):22–34, 2001.204

295

http://sourceforge.net/projects/smartqvt/

http://sourceforge.net/projects/smartqvt/

REFERENCES

[13] N. Amálio, F. Polack, and S. Stepney.Software Specification Methods, chapter

UML+ Z: Augmenting UML with Z, pages 81–102. Wiley Online Library,

2010.9

[14] C. Amelunxen, A. Konigs, T. Rotschke, and A. Schurr. MOFLON: A standard-

compliant metamodeling framework with graph transformations. InModel

Driven Architecture–Foundations and Applications, pages 361–375. Springer,

2006.13, 56, 109

[15] B. B. Ammar, M. T. Bhiri, and J. Souquières. Incremental development of uml

specifications using operation refinements.ISSE, 4(3):259–266, 2008.13

[16] D. Amyot and A. Eberlein. An evaluation of scenario notations and construction

approaches for telecom-munication systems development. InTelecommunica-

tion Systems, volume 24(1), September 2003.278

[17] K. Anastasakis, B. Bordbar, G. Georg, and I. Ray. Uml2alloy: A challenging

model transformation. InModel Driven Engineering Languages and Systems,

10th International Conference (MoDELS 2007), volume 4735 ofLNCS, pages

436–450. Springer, 2007.225

[18] M. Asadi and R. Ramsin. MDA-based methodologies: an analytical survey.

In Proceedings of the 4th European conference on Model Driven Architec-

ture: Foundations and Applications (ECMDA-FA 08), pages 419–431. Springer,

2008.6

[19] C. Atkinson and T. Kuhne. Model-driven development: a metamodeling foun-

dation. IEEE software, 20(5):36–41, 2003.228

[20] R. Back and J. Wright. Refinement Calculus: A Systematic Introduction.

Springer Verlag, 1998.10, 12

[21] J. Bézivin, F. Búttner, M. Gogolla, F. Jouault, I. Kurtev, and A. Lindow. Model

transformations? Transformation models!Model Driven Engineering Lan-

guages and Systems, pages 440–453, 2006.103, 178

[22] J. Bicarregui, J. Fitzgerald, P. Larsen, and J. Woodcock. Industrial practice

in formal methods: A review. InFM 2009: Formal Methods, Second World

Congress, volume 5850 ofLNCS, pages 810–813. Springer, 2009.8

296

REFERENCES

[23] L. Bichler. A flexible code generator for MOF-based modeling languages.2nd

OOPSLA Workshop on Generative Techniques in the context of Model Driven

Architecture, 2003.117

[24] E. Biermann, K. Ehrig, C. Köhler, G. Kuhns, G. Taentzer, and E. Weiss. EMF

model refactoring based on graph transformation concepts. InProc. Third In-

ternational Workshop on Software Evolution through Transformations (SETra

2006), volume 3. Citeseer.39

[25] D. Birkmeier and S. Overhage. On Component Identification Approaches -

Classification, State of the Art, and Comparison. InCBSE’09, pages 1–18,

2009.7, 279

[26] E. Börger and R. Stärk.Abstract state machines: a method for high-level system

design and analysis. Springer Verlag, 2003.8

[27] J. Bowen. Formal specification and documentation using Z: A case study ap-

proach, volume 66. International Thomson Computer Press, 2003.8

[28] M. Bräuer. Design and Prototypical Implementation of a Pivot Model as Ex-

change Format for Models and Metamodels in a QVT/OCL Development Envi-

ronment. PhD thesis, Technische Universität Dresden, 2008.30

[29] E. Bruneton, T. Coupaye, M. Leclercq, V. Quéma, and J.-B.Stefani. The FRAC-

TAL component model and its support in Java.Software: Practice and Experi-

ence, 36(11-12):1257–1284, 2006.61

[30] Budapest University of Technology and Economics. VMTS Web site.

http://www.aut.bme.hu/Portal/Vmts.aspx.16, 116

[31] M. Bureck. Visual QVT/R, A concrete graphical syntax forQVT/R.

http://www.randomice.net/ les/2009/06/7_bureck_visual_qvtr.pdf., 2009.115

[32] T. Bures, P. Hnetynka, and F. Plasil. SOFA 2.0: BalancingAdvanced Features

in a Hierarchical Component Model. InSERA, pages 40–48. IEEE Computer

Society, 2006.61

[33] S. Burmester, H. Giese, J. Niere, M. Tichy, J. Wadsack, R.Wagner, L. Wende-

hals, and A. Zundorf. Tool integration at the meta-model level: the Fujaba

approach. International Journal on Software Tools for Technology Transfer

(STTT), 6(3):203–218, 2004.13, 56, 109

297

REFERENCES

[34] F. Buttner and M. Gogolla. Realizing UML metamodel transformations with

AGG. Electronic Notes in Theoretical Computer Science, 109:31–42, 2004.13,

56, 109

[35] A. Cavalcanti and D. Naumann. A weakest precondition semantics for refine-

ment of object-oriented programs.IEEE Transactions on Software Engineering,

26(8):713–728, 2000.12

[36] X. Chen, J. He, Z. Liu, and N. Zhan. A Model of Component-Based Program-

ming. In Proc. Fundamentals of Software Engineering (FSEN 2007), volume


[37] X. Chen, Z. Liu, and V. Mencl. Separation of Concerns and Consistent Inte-

gration in Requirements Modelling. InSOFSEM 2007: 33rd Conference on

Current Trends in Theory and Practice of Computer Science, volume 4362 of

LNCS, pages 819–831. Springer, Jan. 2007.281

[38] Z. Chen, A. H. Hannousse, D. V. Hung, I. Knoll, X. Li, Z. Liu, Y. Liu, Q. Nan,

J. C. Okika, A. P. Ravn, V. Stolz, L. Yang, and N. Zhan. Modelling with Rela-

tional Calculus of Object and Component Systems - rCOS. InCoCoME, volume

5153 ofLNCS, pages 116–145. Springer, 2007.i, 69

[39] Z. Chen, Z. Liu, A. P. Ravn, V. Stolz, and N. Zhan. Refinement and verification

in component-based model driven design.Sci. Comput. Program., 74(4):168–

196, Feb. 2009.i, 17, 69, 85, 95, 258, 280

[40] Z. Chen, Z. Liu, and V. Stolz. The rCOS tool. In J. Fitzgerald, P. G. Larsen,

and S. Sahara, editors,Modelling and Analysis in VDM: Proceedings of the

Fourth VDM/Overture Workshop, number CS-TR-1099 in Technical Report Se-

ries. Newcastle University, May 2008.93, 226

[41] Z. Chen, C. Morisset, and V. Stolz. Specification and Validation of Behavioural

Protocols in the rCOS Modeler. In3rd Intl. Symp. on Fundamentals of Software

Engineering (FSEN 2009), volume 5961 ofLNCS, pages 387–401. Springer,

2010.221, 281

[42] J. Chimia-Opoka, M. Felderer, C. Lenz, and C. Lange. Querying UML models

using OCL and Prolog: A performance study. InSoftware Testing Verification

and Validation Workshop, 2008. ICSTW’08. IEEE International Conference on,

pages 81–88. IEEE, 2008.184, 187, 188

298

REFERENCES

[43] F. Chitforoush, M. Yazdandoost, and R. Ramsin. Methodology support for the

model driven architecture. In14th Asia-Pacific Software Engineering Confer-

ence (APSEC 2007)., pages 454–461. IEEE, 2007.6

[44] M. Choi and E. Cho. Component Identification Methods Applying Method Call

Types between Classes.J. Inf. Sci. Eng, 22:247–267, 2006.7, 280

[45] K. Czarnecki and S. Helsen. Feature-based survey of model transformation

approaches.IBM Systems Journal, 45(3):621–646, 2006.2, 13, 55

[46] D. Dang. On Integrating Triple Graph Grammars and OCL for Model-Driven

Development. PhD thesis, Staats-und Universitätsbibliothek Bremen, 2009.i,

31

[47] J. Davies.The Scientific Approach, second edition. New York:Academic Press,

1973.21

[48] G. de Caso, V. A. Braberman, D. Garbervetsky, and S. Uchitel. Automated Ab-

stractions for Contract Validation.IEEE Transactions on Software Engineering,

38(1):141–162, 2012.279

[49] R. De Giorgis and M. Joui. Towards a UML Profile for Modeling WAP Appli-

cations.Journal of Computer Science and Technology, 5(4), 2005.49

[50] J. de Lara and E. Guerra. Formal Support for QVT-Relations with Coloured

Petri Nets. InMoDELS, volume 5795 ofLNCS, pages 256–270. Springer, 2009.

102

[51] J. de Lara and H. Vangheluwe. AToM3: A Tool for Multi-formalism and Meta-

modelling. InFundamental Approaches to Software Engineering, 5th Interna-

tional Conference, FASE 2002, volume 2306 ofLNCS, pages 174–188. Springer,

2002.13, 56, 109

[52] E. Dijkstra. A constructive approach to the problem of program correctness.

BIT Numerical Mathematics, 8(3):174–186, 1968.11

[53] S. Dupuy, Y. Ledru, and M. Chabre-Peccoud. An Overview ofRoZ: A Tool for

Integrating UML and Z Specifications. InProceedings in Advanced Informa-

tion Systems Engineering, 12th International Conference (CAiSE 2000), volume


299

REFERENCES

[54] Eclipse Foundation. Eclipse Modelling Framework.

http://www.eclipse.org/modeling/emf/.38

[55] K. Ehrig, C. Ermel, and S. Hansgen. Towards Model Transformation in Gener-

ated Eclipse Editor Plug-Ins.Electronic Notes in Theoretical Computer Science,

152:39–52, 2006.16, 115

[56] M. Elkoutbi, I. Khriss, and R. Keller. Automated Prototyping of User Interfaces

Based on UML Scenarios.Automated Software Engineering, 13(1):5–40, 2006.

279

[57] G. Engels, M. Lohmann, S. Sauer, and R. Heckel. Model-Driven Monitoring:

An Application of Graph Transformation for Design by Contract. InProc. Third

Intl. Conf. on Graph Transformations, volume 4178 ofLNCS, pages 336–350.

Springer, 2006.31

[58] A. Etien, C. Dumoulin, and E. Renaux. Towards a unified notation to represent

model transformation. Research Report RR-6187, INRIA, 2007.16, 115

[59] M. Fan-Chao, Z. Den-Chen, and X. Xiao-Fei. Business Component Identifi-

cation of Enterprise Information System: A Hierarchical Clustering Method.

Proc. of the 2005 IEEE Intl. Conf. on e-Business Engineering, 2005. 7, 279,

280

[60] H. Fecher, J. Schönborn, M. Kyas, and W. P. de Roever. 29 New Unclarities in

the Semantics of UML 2.0 State Machines. InICFEM 2005, 7th International

Conference on Formal Engineering Methods, volume 3785 ofLNCS, pages 52–

65. Springer, 2005.40

[61] M. Fowler, K. Beck, J. Brant, W. Opdyke, and D. Roberts.Refactoring: Im-

proving the Design of Existing Code. Addison-Wesley, 1999.18

[62] R. France, S. Ghosh, T. Dinh-Trong, and A. Solberg. Model-driven development

using UML 2.0: promises and pitfalls.Computer, 39(2):59–66, 2006.5

[63] R. France and B. Rumpe. Model-driven development of complex software: A

research roadmap. InInternational Conference on Software Engineering, pages

37–54. IEEE Computer Society Washington, DC, USA, 2007.1, 30, 53, 294

[64] L. Fuentes-Fernández and A. Vallecillo-Moreno. An introduction to UML pro-

files. UML and Model Engineering, UPGRADE, Vol.V, No. 2:6–13, 2004.193,

225

300

REFERENCES

[65] E. Gamma, R. Helm, R. Johnson, and J. Vlissides.Design Patterns: Elements

of Reusable Object-Oriented Software. Addison-Wesley, 1995.18, 293

[66] P. Gancarski and A. Butterfield. Connecting UML and VDM++with Open Tool

Support. InFM 2009: Formal Methods, Second World Congress, volume 5850

of LNCS, pages 563–578. Springer, 2009.9

[67] P. Gancarski and A. Butterfield. The denotational semantics of slotted-circus.

In FM 2009: Formal Methods, Second World Congress, volume 5850 ofLNCS,

pages 451–466. Springer, 2009.70

[68] A. Gargantini, E. Riccobene, and P. Scandurra. Combining Formal Methods and

MDE Techniques for Model-Driven System Design and Analysis.International

Journal On Advances in Software, 3(1 and 2):1–18, 2010.225

[69] J. Gibbons. Unifying Theories of Programming with Monads. In 4th Inter-

national Symposium on Unifying Theories of Programming (UTP 2012), Paris,

Proceedings, 2012.70

[70] B. Graaf and A. van Deursen. Model-driven Consistency Checking of Be-

havioural Specifications. InModel-Based Methodologies for Pervasive and Em-

bedded Software, 2007. MOMPES’07. Fourth International Workshop on, pages

115–126. IEEE, 2007.278

[71] J. Greenyer and E. Kindler. Reconciling TGGs with QVT. InModel Driven

Engineering Languages and Systems, 10th International Conference ( MoDELS

2007), volume 4735 ofLNCS, pages 16–30. Springer, 2007.145

[72] R. Grønmo and B. Møller-Pedersen. From UML 2 Sequence Diagrams to State

Machines by Graph Transformation.Journal of Object Technology, 10, 2011.

278

[73] R. Grønmo and J. Oldevik. An empirical study of the UML model transfor-

mation tool (UMT). Proc. First Interoperability of Enterprise Software and

Applications, Geneva, Switzerland, 2005.117

[74] H. Gross.Component-Based Software Testing with UML. Springer-Verlag New

York Inc, 2005.i, 31

[75] O. M. Group. UML 2.0 Diagram Interchange Specification, September 2003.

171, 215

301

REFERENCES

[76] O. M. Group. Unified Modeling Language: Infrastructure, version 2.4.1, August

2011.39

[77] E. Guerra and J. De Lara. Model view management with triple graph transfor-

mation systems.Graph Transformations, pages 351–366, 2006.14, 110

[78] B. Hailpern and P. Tarr. Model-driven development: The good, the bad, and the

ugly. IBM Systems Journal, 45(3):451–461, 2006.2, 3

[79] D. Harel, H. Kugler, and A. Pnueli. Synthesis revisited:Generating statechart

models from scenario-based requirements.Formal Methods in Software and

Systems Modeling, pages 309–324, 2005.278

[80] D. Harel and R. Marelly. Come, Let’s Play: Scenario-Based Programming

Using LSC’s and the Play-Engine. Springer-Verlag, 2003.280

[81] D. Harel and I. Segall. Synthesis from Scenario-based Specifications.Journal

of Computer and System Sciences, 78(3):970–980, 2012.278

[82] J. He, X. Li, and Z. Liu. rCOS: A refinement calculus of object systems.Theor.

Comput. Sci., 365(1-2):109–142, 2006.i, 17, 18, 69, 82, 92, 97, 223

[83] W. Heaven and A. Finkelstein. UML profile to support requirements engineering

with KAOS. IEE Proceedings-Software, 151(1):10, 2004.224

[84] G. Heineman and W. Councill.Component-based software engineering: putting

the pieces together, volume 17. Addison-Wesley USA, 2001.1

[85] C. Hoare. Communicating sequential processes, Prentice-Hall international

series in computer science. Prentice/Hall International, 1985.8, 97

[86] C. Hoare and J. He.Unifying theories of programming. Prentice-Hall Interna-

tional, 1998.17, 70, 72, 74

[87] P. Höfner and G. Struth. Can refinement be automated?Electronic Notes in

Theoretical Computer Science, 201:197–222, 2008.13

[88] A. Idani, J.-L. Boulanger, and L. Philippe. A generic process and its tool support

towards combining uml and b for safety critical systems. InProceedings of the

ISCA 20th International Conference on Computer Applications in Industry and

Engineering (CAINE 2007), pages 185–192. ISCA, 2007.225

302

REFERENCES

[89] A. Iliasov, E. Troubitsyna, L. Laibinis, and A. Romanovsky. Patterns for re-

finement automation. InFormal Methods for Components and Objects - 8th

International Symposium (FMCO 2009), volume 6286 ofLNCS, pages 70–88.

Springer, 2010.10, 12

[90] I. J. James Rumbaugh and G. Booch.The Unified Modeling Language Reference

Manual Second Edition. Addison-Wesley, July 2004.39

[91] W. Janssen, A. Korlyukov, and J. Van den Bussche. On the tree-transformation

power of XSLT.Acta Informatica, 43(6):371–393, 2007.116, 122

[92] C. Jones. Systematic Software Development using VDM. Prentice Hall, 2nd

edition, 1990.8

[93] F. Jouault, F. Allilaire, J. Bézivin, and I. Kurtev. ATL:A model transformation

tool. Science of Computer Programming, 72(1-2):31–39, 2008.14, 111

[94] F. Jouault and I. Kurtev. On the Architectural Alignmentof ATL and QVT. In

Proceedings of the 2006 ACM symposium on Applied computing, pages 1188–

1195. ACM, 2006.112

[95] M. Kay. XPath 2.0 programmer’s reference. Wrox Press, 2004.129

[96] M. Kay. XSLT 2.0 Programmer’s Reference, Third Edition. Wrox Press, 2004.

104, 125, 126

[97] W. Ke, X. Li, Z. Liu, and V. Stolz. rCOS: a formal model-driven engineering

method for component-based software.Frontiers of Computer Science in China,

6(1):17–39, 2012.i, 17, 18, 69, 102, 198, 217, 293

[98] A. Königs and A. Schürr. Multi-Domain Integration with MOF and extended

Triple Graph Grammars.Language Engineering for Model-Driven Software

Development, 4101, 2004.14, 110

[99] A. Königs and A. Schürr. Tool Integration with Triple Graph Grammars-A

Survey. Electronic Notes in Theoretical Computer Science, 148(1):113–150,

2006.14, 110

[100] P. Kruchten.The Rational Unified Process—An Introduction. Addison-Wesly,

2000.6

303

REFERENCES

[101] I. Kurtev. State of the Art of QVT: A Model Transformation Language Standard.

In Applications of Graph Transformations with Industrial Relevance, Third In-

ternational Symposium ( AGTIVE 2007), volume 5088 ofLNCS, pages 377–393.

Springer, 2007.15, 102

[102] F. Lagarde, H. Espinoza, F. Terrier, and S. Gérard. Improving UML Pro-

file Design Practices by Leveraging Conceptual Domain Models. In22nd

IEEE/ACM International Conference on Automated Software Engineering (ASE

2007), pages 445–448, 2007.49, 225

[103] C. Larman.Applying UML and Patterns: An Introduction to Object-Oriented

Analysis and Design and the Unified Process. Prentice-Hall, 3rd edition, 2005.

18, 34, 40, 94, 95, 258

[104] G. Leavens, J. Abrial, D. Batory, M. Butler, A. Coglio, K. Fisler, E. Hehner,

C. Jones, D. Miller, S. Peyton-Jones, et al. Roadmap for enhanced languages

and methods to aid verification. InProceedings of the 5th international confer-

ence on Generative programming and component engineering, pages 221–236.

ACM, 2006.10

[105] S. Lee, Y. Yang, F. Cho, S. Kim, and S. Rhew. COMO: A UML-based com-

ponent development methodology. In6th Asia Pacific Softw. Eng. Conf., pages

54–61. IEEE, 1999.280

[106] D. Li, X. Li, J. Liu, and Z. Liu. Validation of requirement models by automatic

prototyping. Innovations in Systems and Software Engineering, 4(3):241–248,

2008.96

[107] D. Li, X. Li, Z. Liu, and V. Stolz. Interactive Transformations from Object-

Oriented Models to Component-Based Models. InProc. of Formal Aspects

of Component Software (FACS’11), volume 7253 ofLNCS, pages 97–114.

Springer, 2012.17, 224

[108] H. Liang, J. Dingel, and Z. Diskin. A Comparative Surveyof Scenario-based

to State-based Model Synthesis Approaches. InProceedings of the 2006 inter-

national workshop on Scenarios and state machines: models, algorithms, and

tools, pages 5–12. ACM, 2006.278

[109] S. Liu. Formal engineering for industrial software development: using the

SOFL method. Springer, 2004.8, 226

304

REFERENCES

[110] X. Liu, Z. Liu, and L. Zhao. Object-oriented structure refinement - a graph

transformational approach.Electr. Notes Theor. Comput. Sci., 187:145–159,

2007. UNU-IIST TR 340.293

[111] Z. Liu, V. Mencl, A. P. Ravn, and L. Yang. Harnessing Theories for Tool Sup-

port. In Proc. of the Second Intl. Symp. on Leveraging Applications of Formal

Methods, Verification and Validation (isola 2006), pages 371–382. IEEE Com-

puter Society, Aug. 2006. Full version as UNU-IIST Technical Report 343.18,

92, 280, 293

[112] Z. Liu, C. Morisset, and V. Stolz. rCOS: Theory and Tool for Component-Based

Model Driven Development. In3rd Intl. Symp. on Fundamentals of Software

Engineering (FSEN 2009), volume 5961 ofLNCS, pages 62–80. Springer, 2010.

i, 3, 17, 18, 69

[113] Z. Liu, C. Morisset, and S. Wang. A Graph-Based Implementation for Mecha-

nized Refinement Calculus of OO Programs. InSBMF, volume 6527 ofLNCS,

pages 258–273. Springer, 2010.281, 292

[114] Q. Long, Z. Qiu, and Z. Liu. Formal use of design patternsand refactoring. In

T. Margaria and B. Steffen, editors,International Symposium on Leveraging Ap-

plications of Formal Methods, Verification and Validation, volume 17 ofCom-

munications in Computer and Information Science, pages 323–338. Springer,

Nov. 2008.17, 18

[115] F. Lucas, F. Molina, and A. Toval. A systematic review ofUML model consis-

tency management.Information and Software technology, 51(12):1631–1645,

2009.58

[116] S. Markovic and T. Baar. Refactoring OCL annotated UML class diagrams.

Software and System Modeling, 7(1):25–47, 2008.58

[117] medini QVT, ikv++ Technologies,http://projects.ikv.de/qvt. 15,

113, 178

[118] S. Meliá, J. Gómez, and J. Serrano. UPT: A Graphical Transformation Lan-

guage based on a UML Profile1. InProceedings of European Workshop on

Milestones, Models and Mappings for Model-Driven Architecture (3M4MDA),

Bilbao, Spain, 2006.16, 102, 115

305

http://projects.ikv.de/qvt

REFERENCES

[119] S. Mellor, A. Clark, and T. Futagami. Model-driven development.IEEE soft-

ware, 20(5):14–18, 2003.30

[120] T. Mens and P. Van Gorp. A Taxonomy of Model Transformation. Electronic

Notes in Theoretical Computer Science, 152:125–142, 2006.2, 13, 55, 56

[121] J. Miller, J. Mukerji, et al. MDA Guide Version 1.0. 1.Object Management

Group, 234, 2003.31, 32, 33

[122] ModelMorf, A Model Transformer,http://www.tcs-trddc.com/. 15,

101

[123] M. Möller, E.-R. Olderog, H. Rasch, and H. Wehrheim. Integrating a formal

method into a software engineering process with UML and Java.Formal Aspects

of Computing, 20(2):161–204, Mar. 2008.9, 225

[124] C. Morgan.Programming from specifications. Prentice-Hall, Inc., 1990.11

[125] J. Morris. A theoretical basis for stepwise refinement and the programming

calculus.Science of Computer Programming, 9(3):287–306, 1987.10, 11

[126] No Magic Inc. MagicDraw UML User’s Manual. http://www.magicdraw.com/,

2010.39, 173

[127] J. Nunamaker Jr and M. Chen. Systems Development in Information Systems

Research. InProceedings of the Twenty-Third Annual Hawaii International

Conference on System Sciences, volume 3, pages 631–640. IEEE, 1990.x, 22

[128] Object Management Group. Systems Modeling Language SysML V1.0. 224

[129] Object Management Group. UML Profile for MARTE: Modeling and Analysis

of Real-Time Embedded systems, Beta 2.224

[130] Object Management Group. Request for Proposal: MOF 2.0Query/Views/-

Transformations RFP, October 2003.57, 153

[131] Object Management Group. UML 2.0 OCL Specification, October 2003.4, 51,

52, 53, 130, 135

[132] Object Management Group. Meta Object Facility (MOF) Core Specification.

http://www.omg.org/spec/MOF/2.0/PDF, Jan. 2006.4, 35, 159

[133] Object Management Group. MOF 2.0/XMI Mapping, v2.1.1.

http://www.omg.org/spec/XMI/2.1.1/PDF, 2007.4, 38, 104

306

http://www.tcs-trddc.com/

REFERENCES

[134] Object Management Group. Meta Object Facility (MOF) 2.0 Query/View/-

Transformation Specification, Version 1.1, January 2011.i, x, 2, 4, 31, 56,

57, 58, 102, 103, 117, 118, 120, 121, 142, 155, 159, 175, 178

[135] Object Management Group. Unified Modeling Language: Superstructure, ver-

sion 2.4.1, August 2011.i, 4, 31, 39, 49, 62, 199, 204, 212, 213

[136] Object Management Group. Model Driven Architecture (MDA) FAQ.

http://www.omg.org/spec/mda/faq_mda.htm, Jan. 2012.6

[137] Oliver Alt. Model transformation with the QVT Relations language - Fallstudie

einer werkzeug spezifischen Realisierung. In W.-G. Bleek, H. Schwentner, and

H. Züllighoven, editors,Software Engineering (Workshops), volume 106 ofLNI,

pages 255–260. GI, 2007.116

[138] R. Paige and J. Ostroff. ERC–An object-oriented refinement calculus for Eiffel.

Formal Aspects of Computing, 16(1):51–79, 2004.12

[139] D. Parnas. Really Rethinking "’Formal Methods".Computer, 43(1):28–34,

2010.10

[140] M. Peltier, J. Bézivin, and G. Guillaume. MTRANS: A general framework,

based on XSLT, for model transformations. InWorkshop on Transformations in

UML (WTUML), Genova, Italy, April, 2001.117

[141] C. Pons. Heuristics on the Definition of UML Refinement Patterns. InTheory

and Practice of Computer Science, 32nd Conference on Current Trends in The-

ory and Practice of Computer Science (SOFSEM 2006), volume 3831 ofLNCS,

pages 461–470. Springer, 2006.13

[142] J. Poole. Model-driven architecture: Vision, standards and emerging technolo-

gies. InWorkshop on Metamodeling and Adaptive Object Models, ECOOP.

Citeseer, 2001.4

[143] I. Porres and I. Rauf. Generating Class Contracts from UML Protocol Statema-

chines. InProceedings of the 6th International Workshop on Model-Driven

Engineering, Verification and Validation, Denver, CO, USA, 2009. ACM.279

[144] W. Reisig and G. Rozenberg.Lectures on Petri Nets: Basic Models. Number

1491. Springer, 1998.8

307

REFERENCES

[145] M. Said, M. Butler, and C. Snook. Language and tool support for class and state

machine refinement in UML-B. InFM 2009: Formal Methods, Second World

Congress, volume 5850 ofLNCS, pages 579–595. Springer, 2009.12

[146] W. Schamai, P. Fritzson, C. Paredis, and A. Pop. TowardsUnified System Mod-

eling and Simulation with ModelicaML. InProc. 7th Intl. Modelica Conference,

2009.224

[147] D. Schmidt. Model-driven engineering.IEEE computer, 39(2):25–31, 2006.2

[148] D. Schreiner. Component Based Communication Middleware for AUTOSAR.

PhD thesis, Vienna Univ. of Technol., Vienna, Austria, 2009.i, 31, 34

[149] A. Schurr. Specification of graph translators with triple graph grammars.

In Graph-Theoretic Concepts in Computer Science, pages 151–163. Springer,

1995.13, 56

[150] B. Selic. The pragmatics of model-driven development.IEEE software,

20(5):19–25, 2003.30

[151] B. Selic. A Systematic Approach to Domain-Specific Language Design Us-

ing UML. In Proc. Tenth IEEE Intl. Symp. on Object-Oriented Real-Time Dis-

tributed Computing (ISORC 2007), pages 2–9. IEEE, 2007.49, 225

[152] S. Sendall and W. Kozaczynski. Model transformation: The heart and soul of

model-driven software development.Software, IEEE, 20(5):42–45, 2003.2

[153] G. Shahmohammadi, S. Jalili, and S. M. H. Hasheminejad.Identification of

System Software Components Using Clustering Approach.Journal of Object

Technology, 9(6):77–98, 2010.7, 279, 280

[154] C. Snook and M. Butler. UML-B: Formal modeling and design aided by

UML. ACM Transactions on Software Engineering and Methodology (TOSEM),

15(1):92–122, 2006.10, 12

[155] Sparx Systems Pty Ltd. Enterprise Architect, A Visual Modeling Platform.

http://www.sparxsystems.com/, 2010.115

[156] C. Sprenger and D. Basin. Developing security protocols by refinement. In

Proceedings of the 17th ACM conference on Computer and communications

security, pages 361–374. ACM, 2010.10

308

REFERENCES

[157] D. Stein, S. Hanenberg, and R. Unland. A Graphical Notation to Specify Model

Queries for MDA Transformations on UML Models. InModel Driven Architec-

ture, European MDA Workshops: Foundations and Applications ( MDAFA 2003

and 2004), volume 3599 ofLNCS, pages 77–92. Springer, 2004.52, 158

[158] V. Stolz. An integrated multi-view model evolution framework. Innovations in

Systems and Software Engineering, 6(1–2):13–20, 2010.281, 293

[159] H. Störrle. A Logical Model Query Interface.In Proceedings of the VLL

2009 workshop on Visual Languages and Logic, Dalhousie, Canada, Septem-

ber, pages 18–36, 2009.184

[160] C. Szyperski, D. Gruntz, and S. Murer.Component software: beyond object-

oriented programming. Addison-Wesley Professional, 2002.1, 99

[161] G. Taentzer, K. Ehrig, E. Guerra, J. De Lara, L. Lengyel,T. Levendovszky,

U. Prange, D. Varro, and S. Varro-Gyapay. Model transformation by graph

transformation: A comparative study. InProc. Workshop Model Transformation

in Practice, Montego Bay, Jamaica. Citeseer, 2005.109, 110

[162] Tata Consultancy Services. Modelmorf. http://www.tcs-

trddc.com/ModelMorf/ModelMorf.htm.114

[163] M. Tisi, F. Jouault, P. Fraternali, S. Ceri, and J. Bézivin. On the use of higher-

order model transformations. InModel Driven Architecture-Foundations and

Applications, pages 18–33. Springer, 2009.149, 150

[164] D. Varró and A. Balogh. The model transformation language of the VIATRA2

framework.Science of Computer Programming, 68(3):214–234, 2007.109

[165] F. Vernadat, C. Percebois, P. Farail, R. Vingerhoeds, A. Rossignol, J. Talpin,

and D. Chemouil. The Topcased project-a toolkit in open-source for critical ap-

plication and system development. InInternational Space System Engineering

Conference-Data Systems in Aerospace. Eurospace, 2006. 39, 101, 171, 214,

218

[166] VMTS tutorials. The QVT Plug-in of the Visual Modeling and Transformation

System - Realizing QVT with Visual Modeling and Transformation System.

http://avalon.aut.bme.hu/ tihamer/.16

309

REFERENCES

[167] Z. Wang, X. Xu, and D. Zhan. A survey of business component identification

methods and related techniques.International Journal of Information Technol-

ogy, 2(4):229–238, 2005.7, 279, 280

[168] J. Warmer and A. Kleppe.The Object Constraint Language: Getting Your Mod-

els Ready for MDA,Second Edition. Addison-Wesley Professional, 2003.51

[169] J. Whittle and P. Jayaraman. Generating Hierarchical State Machines from Use

Case Charts. InRequirements Engineering, 14th IEEE International Confer-

ence, pages 19–28. IEEE, 2006.277

[170] J. Whittle and P. Jayaraman. Synthesizing hierarchical state machines from

expressive scenario descriptions.ACM Transactions on Software Engineering

and Methodology (TOSEM), 19(3):8, 2010.278

[171] I. Wikimedia Foundation. Wikipedia, the free encyclopedia.

http://en.wikipedia.org/. http://en.wikipedia.org/.32

[172] Wikipedia. Model/view/controller. http://en.wikipedia.org/wiki/Model202

[173] E. Willink. On Challenges for a Graphical Transformation Notation and the

UMLX Approach.Electronic Notes in Theoretical Computer Science, 211:171–

179, 2008.16, 112, 115, 117, 191

[174] N. Wirth. Program development by stepwise refinement.Communications of

the ACM, 14(4):221–227, 1971.11

[175] J. Woodcock, P. Larsen, J. Bicarregui, and J. Fitzgerald. Formal methods: Prac-

tice and experience.ACM Computing Surveys (CSUR), 41(4):19, 2009.8, 13

[176] WWW Consortium. XML Schema, W3C Recommendation.

http://www.w3.org/XML/Schema.105

[177] WWW Consortium. XML Path Language (XPath) 2.0, W3C Recommendation.

http://www.w3.org/TR/2007/REC-xpath20-20070123/, January 2007.122

[178] WWW Consortium. XSL Transformations (XSLT) Version 2.0, W3C Recom-

mendation, January 2007.20, 104, 125

[179] L. Yang, V. Mencl, V. Stolz, and Z. Liu. Automating Correctness Preserving

Model-to-Model Transformation in MDA. Number 348, pages 85–101, 2006.

101

310

REFERENCES

[180] L. Yang and V. Stolz. Integrating refinement into software development tools. In

G. Pu and V. Stolz, editors,1st Intl. Workshop on Harnessing Theories for Tool

Support in Software, volume 207 ofElectr. Notes in Theor. Comp. Sci., pages

69–88. Elsevier, Apr. 2008. UNU-IIST TR 385.101, 280

[181] L. Zhao, X. Liu, Z. Liu, and Z. Qiu. Graph transformations for object-oriented

refinement.Formal Aspects of Computing, 21(1–2):103–131, Feb. 2009.i, 17,

18, 69, 82, 97, 98

[182] T. Ziadi, L. Helouet, and J. Jezequel. Revisiting Statechart Synthesis with an

Algebraic Approach. InProceedings of the 26th International Conference on

Software Engineering, pages 242–251, Los Alamitos, CA, USA, 2004. IEEE

Computer Society.278

[183] P. Zwickl. Graphical Debugging of QVT Relations using Transformation Nets.

GRIN Verlag, 2010.114

311

Appendix A

EBNF for OCL used in QVTR-XSLT

tool

A.1 Basic definitions〈LName〉 ::= ( ‘a’ .. ‘ z’ ) ( ‘ a’ .. ‘ z’ | ‘A’ .. ‘ Z’ | ‘−’ | ‘ :’ | ‘_’ | ‘0’ .. ‘9’ )∗;

〈CName〉 ::= (‘A’ .. ‘ Z’) ( ‘ a’ .. ‘ z’ | ‘A’ .. ‘ Z’ | ‘_’ | ‘0’ .. ‘ 9’ )∗ ;

〈VarName〉 ::= 〈LName〉 ;

〈Variable〉 ::= 〈LName〉 ;

〈RelationName〉 ::= 〈CName〉 ;

〈QueryName〉 ::= 〈CName〉 ;

〈AssoEndName〉 ::= 〈LName〉 ;

〈AssoName〉 ::= 〈LName〉 ;

〈ClassName〉 ::= 〈CName〉 ;

〈AttributeName〉 ::= 〈LName〉 ;

〈Literal〉 ::= ( ‘ ’ ’ 〈String〉 ‘ ’ ’ ) | 〈Number〉 | ‘ true’ | ‘ false’ | ‘null ’;

〈ArithmeticOp〉 ::= ‘+’ | ‘ − ’ | ‘∗’ | ‘ / ’ ;

〈LogicalOp〉 ::= ‘>’ | ‘>=’ | ‘<’ | ‘<=’ | ‘=’ | ‘and’ | ‘or’ | ‘<>’ | ‘ ! =’;

〈OperationName〉 ::= ‘size’ | ‘ isEmpty’ | ‘notEmpty’ | ‘oclIsUndefined’ | ‘oclIsTypeOf’| ‘first’ | ‘at’ | ‘ last’ | ‘asSet’ | ‘asOrderedSet’ | ‘ indexOf’| ‘union’ | ‘ includes’ | ‘excludes’ | ‘ including’ | ‘excluding’ ;

〈LoopOpName〉 ::= ‘any’ | ‘select’ | ‘exists’ | ‘one’ | ‘ forAll ’ | ‘collect’ | ‘ iterate’;

〈FunctionName〉 ::= 〈LName〉| ‘compare’ | ‘contains’ | ‘count’ | ‘empty’ | ‘upper-case’| ‘ lower-case’ | ‘max’ | ‘min’ | ‘not’ | ‘number’ | ‘exists’ | ‘string ’| ‘substring’ | ‘ rest’ | ‘starts-with ’ | ‘string-join ’ | ‘string-length ’| ‘substring-after ’ | ‘substring-before’;

312

A.2 Expression definitions

〈OCLExpression〉 ::= 〈WhenExp〉 | 〈WhereExp〉;

〈WhenExp〉 ::= ( 〈Predicate〉 )∗;

〈WhereExp〉 ::= ( 〈VariableDef〉 | 〈RelationInvocation〉 )∗;

〈Predicate〉 ::= ( 〈OCLExp〉 | 〈IfExp〉 ) ‘ ;’;

〈VariableDef〉 ::= 〈VarName〉 ‘=’ 〈Expression〉 ‘ ;’;

〈RelationInvocation〉 ::= ( 〈RelationCall〉 | 〈IFRelationCall〉 ) ‘ ;’ ;

〈IFRelationCall〉 ::= ‘ if ’ 〈OCLExp〉 ‘ then’ 〈RelationCall〉 ‘endif’;

〈RelationCall〉 ::= 〈RelationName〉 ‘ (’ 〈Variable〉 ‘ ,’ 〈Variable〉 [ ‘ ,’ 〈Arguments〉 ] ‘ )’;

〈Expression〉 ::= 〈IfExp〉 | 〈TupleExp〉 | 〈OCLExp〉| ( 〈ClassName〉 ‘ :: ’ ‘ allInstances()’ [ ‘ ->’ 〈OCLExp〉 ] ) ;

〈IfExp〉 ::= ‘ if ’ 〈OCLExp〉 ‘ then’ 〈OCLExp〉 ‘else’ 〈OCLExp〉 ‘endif’ ;

〈TupleExp〉 ::= ‘Tuple’ ‘ {’ 〈Arguments〉 ‘ }’ ;

〈OCLExp〉 ::= 〈Variable〉 | 〈Literal〉 | 〈OperationCall〉 | 〈NavigationCall〉| 〈AttributeCall〉 | 〈LoopExp〉 | ( ‘ (’ 〈OCLExp〉 ‘ )’ ) ;

〈NavigationCall〉 ::= 〈OCLExp〉 ‘ .’ ( 〈AssoEndName〉 | 〈AssoName〉 | 〈ClassName〉 );

〈AttributeCall〉 ::= 〈OCLExp〉 ‘ .’ 〈AttributeName〉;

〈OperationCall〉 ::= ( 〈OCLExp〉 ( ‘ .’ | ‘ ->’ ) 〈OperationName〉 ‘ (’ [ 〈Arguments〉 ] ‘ )’ )| 〈FunctionCall〉 | 〈QueryCall〉| ( 〈OCLExp〉〈ArithmeticOp〉〈OCLExp〉 )| ( 〈OCLExp〉〈LogicalOp〉〈OCLExp〉 ) | ( ‘not’ 〈OCLExp〉 ) ;

〈Arguments〉 ::= ( 〈Variable〉 | 〈Literal〉 | 〈Variable〉 ‘ :: ’ 〈VarName〉 )[ ‘ ,’ 〈Arguments〉 ];

〈LoopExp〉 ::= 〈OCLExp〉 ‘ ->’ 〈LoopOpName〉 ‘ (’ [ 〈VarName〉 ‘ |’ ] 〈OCLExp〉 ‘ )’;

〈FunctionCall〉 ::= 〈FunctionName〉 ‘ (’ [ 〈Arguments〉 ] ‘ )’;

〈QueryCall〉 ::= 〈QueryName〉 ‘ (’ [ 〈Arguments〉 ] ‘ )’;

313

Appendix B

Algorithms for OO- to component

sequence diagram transformation

All algorithms here are expressed in a simple pseudocode with OCL-like navigation in

the context of the rCOS metamodel. For example, ifm is an object of typeMessage, as

shown in Fig.5.11, the expressionm.receiveEvent .event .operation gets the operation

invoked messagem.

B.1 Calculate strongly connected lifelines

Algorithm 1 defines a functionGetReachableLifelines which returns a set of lifelines,

to each of them there is path of messages from the controller objectℓc.

Algorithm 1 GetReachableLifelinesInput: ℓc, IntraM

Output: L : {Lifeline}

1: L := ∅;2: for all m(ℓi ,ℓj ) ∈ IntraM do3: if ℓc = ℓi then4: L := L ∪ {ℓj } ∪ GetReachableLifelines(ℓj , IntraM );5: end if6: end for7: return L;

B.2 Generate component from selected object lifelines

Algorithm 2 describes the creation of a component with its provided and required

interface, and the composition of the resulting component with other entities in the

model, whereLs = D .lines − {ℓc} is a selection of lifelines except the controller ob-

ject. We first create a new componentcom with a new contract interfaceconif (lines

1–2). Then an empty setLcomr is initialized to collect the existing component lifelines

which send messages to the new component (line 3).

For each messagem(ℓi ,ℓj ) received by the selected lifelines, we create a design

operationdop with a signature that is copied from the calling operation ofm(ℓi ,ℓj ), and

adddop to the contract interfaceconif (lines 4–8). We turn each selected lifeline inLs

314

B.2. Generate component from selected object lifelines

Algorithm 2 LifelineToComInput: ℓc,Ls,OutM , InM

Output: com : ServiceComponent

1: com := ServiceComponent .new(); com.name := ”COM _” + ℓc.name;2: conif := ContractInterface.new(); conif.name = ”ConInter_” + ℓc.name;3: Lcomr := ∅;4: for all m(ℓi ,ℓj ) ∈ InM do5: op : Operation := m(ℓi ,ℓj ).receiveEvent .event .operation ;6: dop := DesignOperation.new(); dop.name := op.name;

7: copyall op.Ownedparameter to dop.Ownedparameter ;8: add dop to conif ;9: if ℓi.represents.type = Component then

10: Lcomr := Lcomr ∪ {ℓi};11: end if12: end for13: for all ℓ ∈ Ls do14: fld := Field .new(); fld .name := ℓ.name; fld .type = ℓ.represents.type ;15: add fld to conif ;16: end for17: intr := InterfaceRealization.new(); intr .client := com;18: intr .contract := conif ; intr .supplier := conif ;19: add intr to com;20: for all ℓ ∈ Lcomr do21: orif : ContractInterface := ℓ.represents.type.required ;22: cpos := Composition.new();23: cpos.client := orif ; cpos.supplier := conif ;24: end for25: if OutM 6= ∅ then26: com := GenRequiredInterface(ℓc ,OutM , com);27: end if28: return com;

into a property (field) which has the same name and type as the represented class of

the lifeline (lines 13–16). Then an interface realizationintr is created and itsclient,

supplierandcontractare set, andconif becomes the provided interface of component

com (lines 17–19).

For each component lifelineℓ in Lcomr which have already been collected in lines

9–11, we connect the required interfaceorif of the component represented byℓ to conif

using an rCOScomposition(lines 20–24). Finally, if there are messages inOutM , we

construct a required interface for componentcom using algorithmGenRequiredInter-

face(lines 25–27).

315

B. Algorithms for OO- to component sequence diagram transformation

B.3 Generate required interface

Algorithm 3 GenRequiredInterfaceInput: ℓc,OutM , com

Output: com : ServiceComponent

1: rif := ContractInterface.new(); rif.name = ”RInter_” + ℓc.name;2: Lcomp := ∅;3: for all m(ℓi ,ℓj ) ∈ OutM do4: op : Operation := m(ℓi ,ℓj ).receiveEvent .event .operation ;5: dop := DesignOperation.new(); dop.name := op.name;

6: copyall op.Ownedparameter to dop.Ownedparameter ;7: add dop to rif ;8: if ℓj .represents.type = Component then9: Lcomp := Lcomp ∪ {ℓj};

10: end if11: end for12: usg := Usage.new(); usg .client := com; usg .supplier := rif ;13: add usg to com;14: for all ℓ ∈ Lcomp do15: opif : ContractInterface := ℓ.represents.type.provided ;16: cpos := Composition.new();17: cpos.client := rif ; cpos.supplier := opif ;18: end for19: return com;

The process of constructing a required interface is similar to the way a provided in-

terface is generated. In Algorithm3, we first build a new required interfacerif (line 1),

and copy the operation signatures from corresponding operations defined in the class

(line 3–7). A UML usageis used to link the required interface to its owner component

(line 12). In the last, if there are components that provide the required operations (line

8–10), we plug the provided interfaces of these components into required interfacerif

(line 14–18).

316

Curriculum Vitae

CONTACT INFORMATION

Name: Li Dan

Address: No. 1, Shanxi Road, Guiyang, Guizhou, China 550001

Tel.: +86 851 5928853(h) Mobile: 13885169969

E-mail: [email protected], [email protected]

RESEARCH INTERESTS

Model-driven development and model transformations; Formal techniques and sup-

porting tools; Information system development

EDUCATION

1. University of Macau, China, Phd Student in Software Engineering, 2008–2013

2. East China University of Science and Technology, China, B.S. in Chemical En-

gineering, 1980–1984

RELATED TRAINING

1. International Institute for Software Technology, United Nation University, Macau,

Fellow, March 2002–Nov. 2002

2. Okinawa International Center, Japan, Senior System Analyst/Designer, Nov.1997–

May 1998

PROFESSIONAL EXPERIENCE

1. Associate Researcher, Guizhou Academy of Sciences, China, 2007–2008

2. Assistant Researcher, Guizhou Academy of Sciences, China, 1984–2006

RESEARCH PROJECTS

1. A Framework of Diagnosing and Correcting for Software Errors under Confi-

dence Constraints, granted by the National Natural Science Foundation of China

(NSFC) (approved No. 90718009) as the major research plan on the basic re-

search of trustworthy software, Jan. 2008–Dec. 2010, as principal investigator.

2. Design and Development of eTechCMS: A Personalized & Intelligent Enter-

prise Content Management System, 2007 high-tech industrialization demonstra-

tion projects of Guizhou Province, granted by the Guizhou Province Develop-

ment and Reform Commission and the Department of Science & Technology of

Guizhou Province, May 2007–Dec. 2008, as project leader.

317

3. Research and Design of the B2 Level Security Database Based on the Logic SQL,

granted by the Special Governor Fund of Guizhou Province for Outstanding Sci-

entific and Educational Talents (2005-88), Dec. 2004–Dec. 2006, as principal

investigator.

4. Comprehensive Criminal Information System Based on Security Database for

Municipal Police Bureau, 2005 high-tech industrialization demonstration projects

of Guizhou Province, granted by the Guizhou Province Development and Re-

form Commission and the Department of Science & Technology of Guizhou

Province(2004-JN057), Dec. 2004–Dec.2005, as principal investigator.

5. Research on the Data Sharing Model of "Digital Guizhou", granted by the De-

partment of Science & Technology of Guizhou Province (2003GGY010), May.

2003–Dec.2004, as principal investigator

6. Application of the Formal Methods in Software Development, granted by the

Department of Science & Technology of Guizhou Province (2001-3010), Sept.

2001–June 2003, as project leader

7. Comprehensive Energy-saving Computer monitoring System, granted by the De-

partment of Science & Technology of Guizhou Province (1997-1058), May.

1997–April 1999, as principal investigator.

PATENTS

1. A Keywords-Based Personalized Document Processing System, Chinese inven-

tion patent ( No. 2007102001028), Aug. 2007, as second inventor.

PUBLICATIONS

Journal Papers

1. Dan Li , Xiaoshan Li, Volker Stolz,Model Querying with Graphical Notation of

QVT Relations, ACM SIGSOFT Software Engineering Notes, Vol. 37, No. 4,

pp. 1-8, July 2012.

2. Dan Li , Xiaoshan Li, Volker Stolz,QVT-Based Model Transformation Using

XSLT, ACM SIGSOFT Software Engineering Notes, Vol. 36, No. 1, pp. 1-8,

January 2011.

3. Dan Li , Xiaoshan Li, Jicong Liu, Zhiming Liu,Validation of Requirement Mod-

els by Automatic Prototyping, Innovations in Systems and Software Engineering,

Vol. 4, No. 3, pp. 241-248, October 2008.

318

4. Li Dan , Li Danning, Chris George,The Research and Design of a Web-Based

Formal Methods Tool: RRTChecker, Computer Sciences, Vol. 35, July 2008 (in

Chinese)

5. Li Dan , Li Danning,A Lightweight J2EE Web Framework Based on Open Source

Software, Guizhou Science, Vol. 25, No. 4, pp. 18-25, Dec. 2007. (in Chinese)

6. WANG Baohua, MA Xinqiang,LI Dan , LI Danning and ZHANG Heng,Re-

search and Design of the B2 Level Security Mechanism Based on the Logic SQL,

Guizhou Science, Vol. 25, No. 1, pp. 27-30, Mar. 2007. (in Chinese)

7. WANG Baohua, MA Xinqiang, LI Danning,LI Dan , ZHANG Heng and ZHAO

Zhenyong,Logo Technology and Analysis Examples of Security Database Covert

Channel, Computer Technology and Development, No. 2, pp. 233-235+238,

2007. (in Chinese)

8. WANG Baohua, MA Xinqiang,LI Dan , LI Danning, ZHANG Heng and ZHAO

Zhenyong ,Covert Channel Analysis in Security Database with High Security

Levels, Journal of Computer Research and Development, Vol.43(Suppl.II), pp.

168-172, Aug. 2006. (in Chinese)

9. Li Danning,Li Dan , Understanding Based Intelligent Interface Design, Guizhou

Science, Vol. 9, No. 4, pp. 314-321, Dec. 1991.

10. Li Danning,Li Dan , A Method of Chinese Character Frequency Adjustment with

Gradual Sequence Alternation, Guizhou Science, Vol. 8, No. 2, pp. 55-59, June

1990. (in Chinese)

11. Li Dan , Li Danning,An Interrupt Subroutine for Graphics Output on Printers,

The Journal of Chinese Computer Users, No. 10, 1989. (in Chinese)

12. Li Danning,Li Dan , A Chinese Word Input System of Following Text Situation.

Guizhou Science, Vol. 7, No. 2, pp. 64-69, June 1989. (in Chinese)

13. Li Dan , Li Danning, A General Subroutine for Outputting High Resolution

Graphics on Dot Matrix Printers, Machinery and Electronics, No. 5, pp. 16-

19, 1988. (in Chinese)

Conference Papers

1. Dan Li, Xiaoshan Li, Zhiming Liu, Volker Stolz,Support Formal Component-

based Development with UML Profile, In Proceedings 22nd Australasian Soft-

ware Engineering Conference (ASWEC 2013), Melbourne, Australia, IEEE, pp.

191-200, June 2013.

319

2. Dan Li , Xiaoshan Li, Zhiming Liu, and Volker Stolz,Interactive Transforma-

tions from Object-Oriented Models to Component-Based Models, In Proceed-

ings of International Symposium on Formal Aspects of Component Software

(FACS2011), Vol. 7253 of LNCS, pp. 97-114, Springer Verlag, 2012.

3. Dan Li , Xiaoshan Li, and Volker Stolz,Solving the TTC 2011 Compiler Op-

timization Case with QVTR-XSLT, In Proceedings Fifth Transformation Tool

Contest (TTC 2011), June 2011, Electronic Proceedings in Theoretical Com-

puter Science (EPTCS), Vol. 74, pp. 54-69.

4. Dan Li , Xiaoshan Li, and Volker Stolz, Saying HelloWorld with QVTR-XSLT –

A Solution to the TTC 2011 Instructive Case, In Proceedings Fifth Transforma-

tion Tool Contest (TTC 2011), June 2011, Electronic Proceedings in Theoretical

Computer Science (EPTCS), Vol. 74, pp. 223-236.

5. Dan Li , Danning Li,Towards a Formal Behavioral Semantics for UML Inter-

actions, In Proceedings International Symposium on Information Science and

Engineering (ISISE 2010), pp. 213-218, Dec. 2010.

6. Dan Li , QVT Based Model Transformation from Sequence Diagram to CSP, In

Proceedings of the 15th International Conference on Engineering of Complex

Computer Systems (ICECCS 2010), pp. 349-354, March 2010.

7. LI Dan , LI Danning, WANG Baohua, MA Xinqiang,The Optimization Princi-

ple of Chinese Word Segmentation Algorithm Based on Dictionary, In Proceed-

ings of the 2007 Symposium of Search Engine and WebMining (SEWM2007),

Haikou, Hainan, China, March 2007. Journal of Guangxi Normal University

(Natural Science Edition), Vol.24(2), pp. 95-98, Dec. 2006. (in Chinese)

8. Li Dan , Bernhard K. Aichernig,Combining Algebraic and Model-based Test

Case Generation, In Proceedings of First International Colloquium on Theoret-

ical Aspects of Computing, LNCS 3407, pp. 250-264, Springer-Verlag, 2005.

9. Li Danning,Li Dan , A User Adapting and Text Situation Following Chinese

Word Input System, In Proceedings of the ’91 Beijing International Conference

on Chinese Word Inputting From Keyboard, Beijing, Oct., 1991.

10. Li Dan , Li Danning, Xia Jianfang,A Method of Size Amplification and Shape

Smoothness for Dot Matrix Chinese Characters, In Proceedings of the Seventh

CMS National conference, Xi’an, China, Sept. 1990. (in Chinese)

11. Li Danning,Li Dan , An Intelligent User Interface Based on Understanding the

Process of Interaction, In Proceedings of the 3-th National Knowledge Engi-

neering Symposium, Chengdu, China, Aug. 1990. (in Chinese)

320

University of Macaulibrary.umac.mo/etheses/b3086480x_ft.pdfAcknowledgements Firstly, I would like to express my sincere gratitude to my supervisors, Prof. Xi-aoshan Li and Dr. Zhiming

Documents