Consistency Checking of Conceptual Models via Model Merging

Mehrdad Sabetzadeh (U Toronto, Canada)Shiva Nejati (U Toronto, Canada)Sotirios Liaskos (York U, Canada)

Steve Easterbrook (U Toronto, Canada)Marsha Chechik (U Toronto, Canada)

International Requirements Engineering Conference (RE’07)

October 19, 2007

Collaborative RE

2

➜ Different teams work on separate models➥Models independent but related

➥Relationships between models described explicitly

Distributed Development

3

➜ Different teams work on separate models➥Models independent but related

➥Relationships between models described explicitly

Distributed Development

3

M1 M2

StaffMember

Nurse Doctor

MedTeamMember

Physician Technician

➜ Different teams work on separate models➥Models independent but related

➥Relationships between models described explicitly

Distributed Development

3

M1 M2

StaffMember

Nurse Doctor

MedTeamMember

Physician Technician

➜ Never entirely sure how concepts are related

Building Relationships

4

Calendar

Unit

Schedule

Ward?

➜ Never entirely sure how concepts are related

Building Relationships

4

Calendar

Unit

Schedule

Ward?

Relationships need to be validated

➜ Human-centric➥ negotiation, repertory grid, etc.

➜ Automatic➥ consistency checking, simulation, etc.

Means for Analyzing Relationships

5

➜ Human-centric➥ negotiation, repertory grid, etc.

➜ Automatic➥ consistency checking, simulation, etc.

Means for Analyzing Relationships

5

Focus of this work

Checking Consistency of Relationships: Examples

6

M1

Line

Rect

M2

Rectangle

Polygon

Checking Consistency of Relationships: Examples

6

M1

Line

Rect

M2

Rectangle

PolygonMultiple In

heritance

Checking Consistency of Relationships: Examples

6

M1

Widget

Canvas

M2

Canvas

Component

Widget

Checking Consistency of Relationships: Examples

6

M1

Widget

Canvas

M2

Canvas

Component

Widget

Cyclic Inh

eritan

ce

Challenge➜ Often faced with a system of related models

7

M2M1

M4

M3

M7

M6

M5R12

R23R34

R57R25

R67R36

R47

Is the “system” consistent?➥Consistency of individual mappings not enough!

➣ ... it does not guarantee global consistency [Van Lamsweerde et al, Nuseibeh et al]

Global Inconsistency: Examples

8

M1

Line

Rect

M2

Rectangle

Polygon

M3

Square

Box

Global Inconsistency: Examples

8

M1

Line

Rect

M2

Rectangle

Polygon

M3

Square

Box

✔ ✔

Individually Consistent

Global Inconsistency: Examples

8

M1

Line

Rect

M2

Rectangle

Polygon

M3

Square

Box

✘

Globally Inconsistent

Container

Panel

Widget

Canvas

UIObject UIContext

Global Inconsistency: Examples

9

M1

M2

M3

Container

Panel

Widget

Canvas

UIObject UIContext

Global Inconsistency: Examples

9

M1

M2

M3

✔ ✔

✔Individually Consistent

Container

Panel

Widget

Canvas

UIObject UIContext

Globally Inconsistent

Global Inconsistency: Examples

9

M1

M2

M3

✘

Existing Research

10

R

M1

Widget

Canvas

M2

Canvas

Component

Widget

!!, y, z, t · R(!, y)" R(z, t)"Re"ch(!, z)" Re"ch(t, y)

Existing Research

10

R

M1

Widget

Canvas

M2

Canvas

Component

Widgetz

x

t

y

!!, y, z, t · R(!, y)" R(z, t)"Re"ch(!, z)" Re"ch(t, y)

Existing Research

10

R

M1

Widget

Canvas

M2

Canvas

Component

Widgetz

x

t

y

!!, y, z, t · R(x,y)"R(z, t)"Re"ch(!, z)" Re"ch(t, y)

Rule coupled with mapping!

Not generalizable to global consistency checking!

Our Solution

11

Construct a merge before checking consistency!

Our Solution

11

Input Models and Mappings

Merge

Construct a merge before checking consistency!

Our Solution

11

Input Models and Mappings

Merge

+<traceinfo model="ex" diagram="Threeway">! <element uid="645">! <lineage view="Rob" uid="25"/>! </element>! <element uid="644">! <lineage view="Rob" uid="21"/>! </element>! <element uid="646">! <lineage view="Rob" uid="32"/>! <lineage view="Connector1" uid="343"/>! <lineage view="Sue" uid="12"/>! <unifier name="C1-To-Sue" srcuid="343" tgtuid="12"/>! <unifier name="C1-To-Rob" srcuid="343" tgtuid="32"/>! </element>! <element uid="647">! <lineage view="Sue" uid="2"/>! </element>! <element uid="643">! <lineage view="Rob" uid="19"/>! <lineage view="Connector1" uid="341"/>! <lineage view="Sue" uid="6"/>! <unifier name="C1-To-Sue" srcuid="341" tgtuid="6"/>! <unifier name="C1-To-Rob" srcuid="341" tgtuid="19"/>! </element>!</traceinfo>

TraceabilityData

Merged Model

Construct a merge before checking consistency!

Our Solution

11

Input Models and Mappings

Merge

+<traceinfo model="ex" diagram="Threeway">! <element uid="645">! <lineage view="Rob" uid="25"/>! </element>! <element uid="644">! <lineage view="Rob" uid="21"/>! </element>! <element uid="646">! <lineage view="Rob" uid="32"/>! <lineage view="Connector1" uid="343"/>! <lineage view="Sue" uid="12"/>! <unifier name="C1-To-Sue" srcuid="343" tgtuid="12"/>! <unifier name="C1-To-Rob" srcuid="343" tgtuid="32"/>! </element>! <element uid="647">! <lineage view="Sue" uid="2"/>! </element>! <element uid="643">! <lineage view="Rob" uid="19"/>! <lineage view="Connector1" uid="341"/>! <lineage view="Sue" uid="6"/>! <unifier name="C1-To-Sue" srcuid="341" tgtuid="6"/>! <unifier name="C1-To-Rob" srcuid="341" tgtuid="19"/>! </element>!</traceinfo>

TraceabilityData

Merged Model

Construct a merge before checking consistency!

Consistency Checking

<html>! <head>! ! </head>! <body>! <h2>! Diagnostics for <a href="view://merge/none">merge</a>! </h2>! <em><font color="#FF0000">(note the filters applied)</font></em><hr><strong>Objects ! with multiple parents:</strong>!! <ul>! <li>! <a href="view://merge/258">merge/258</a>&#160;<em><font color="#FF00FF">&#160;&#160;(&#160;Parents:&#160;<a href="view://merge/257">merge/257</a>&#160;&#160;<a href="view://merge/260">merge/260</a>&#160;&#160;)</font></em>! </li>! </ul>! <hr>! </body>!</html>

Diagnostics

Our Solution

11

Inconsistency Projection

Input Models and Mappings

Merge

+<traceinfo model="ex" diagram="Threeway">! <element uid="645">! <lineage view="Rob" uid="25"/>! </element>! <element uid="644">! <lineage view="Rob" uid="21"/>! </element>! <element uid="646">! <lineage view="Rob" uid="32"/>! <lineage view="Connector1" uid="343"/>! <lineage view="Sue" uid="12"/>! <unifier name="C1-To-Sue" srcuid="343" tgtuid="12"/>! <unifier name="C1-To-Rob" srcuid="343" tgtuid="32"/>! </element>! <element uid="647">! <lineage view="Sue" uid="2"/>! </element>! <element uid="643">! <lineage view="Rob" uid="19"/>! <lineage view="Connector1" uid="341"/>! <lineage view="Sue" uid="6"/>! <unifier name="C1-To-Sue" srcuid="341" tgtuid="6"/>! <unifier name="C1-To-Rob" srcuid="341" tgtuid="19"/>! </element>!</traceinfo>

TraceabilityData

Merged Model

Construct a merge before checking consistency!

Consistency Checking

<html>! <head>! ! </head>! <body>! <h2>! Diagnostics for <a href="view://merge/none">merge</a>! </h2>! <em><font color="#FF0000">(note the filters applied)</font></em><hr><strong>Objects ! with multiple parents:</strong>!! <ul>! <li>! <a href="view://merge/258">merge/258</a>&#160;<em><font color="#FF00FF">&#160;&#160;(&#160;Parents:&#160;<a href="view://merge/257">merge/257</a>&#160;&#160;<a href="view://merge/260">merge/260</a>&#160;&#160;)</font></em>! </li>! </ul>! <hr>! </body>!</html>

Diagnostics

Our Solution

11

Inconsistency Projection

Input Models and Mappings

Merge

+<traceinfo model="ex" diagram="Threeway">! <element uid="645">! <lineage view="Rob" uid="25"/>! </element>! <element uid="644">! <lineage view="Rob" uid="21"/>! </element>! <element uid="646">! <lineage view="Rob" uid="32"/>! <lineage view="Connector1" uid="343"/>! <lineage view="Sue" uid="12"/>! <unifier name="C1-To-Sue" srcuid="343" tgtuid="12"/>! <unifier name="C1-To-Rob" srcuid="343" tgtuid="32"/>! </element>! <element uid="647">! <lineage view="Sue" uid="2"/>! </element>! <element uid="643">! <lineage view="Rob" uid="19"/>! <lineage view="Connector1" uid="341"/>! <lineage view="Sue" uid="6"/>! <unifier name="C1-To-Sue" srcuid="341" tgtuid="6"/>! <unifier name="C1-To-Rob" srcuid="341" tgtuid="19"/>! </element>!</traceinfo>

TraceabilityData

Merged Model

Construct a merge before checking consistency!

Consistency Checking

<html>! <head>! ! </head>! <body>! <h2>! Diagnostics for <a href="view://merge/none">merge</a>! </h2>! <em><font color="#FF0000">(note the filters applied)</font></em><hr><strong>Objects ! with multiple parents:</strong>!! <ul>! <li>! <a href="view://merge/258">merge/258</a>&#160;<em><font color="#FF00FF">&#160;&#160;(&#160;Parents:&#160;<a href="view://merge/257">merge/257</a>&#160;&#160;<a href="view://merge/260">merge/260</a>&#160;&#160;)</font></em>! </li>! </ul>! <hr>! </body>!</html>

Diagnostics

Key Benefit:

Can detect global inconsistencies

without coupling the rules with

the mappings!

Approach in Action

12

M1

Line

Rect

M2

Rectangle

Polygon

M3

Square

Box

http://www.cs.toronto.edu/~mehrdad/tremer/re07demoDemo:

12

http://www.cs.toronto.edu/~mehrdad/tremer/re07demoDemo:

12

Core Idea:

Check inter-model constraints via

checking intra-model constraints

of a merged model

Building Blocks

13

Model Merging

Consistency Checking

Rules

Diagnostics Generation

➜ Builds on [RE’05]

➜ Highlights➥Concentrates on conceptual models

➥Customizable to different graph-based notations

➥Tolerates incompleteness and inconsistency

➥Can merge several models at a time

14

Model Merging [ICSE’01, ASE’03, FSE’04, RE’05, ICSE’07]

➜ Builds on [RE’05]

➜ Highlights➥Concentrates on conceptual models

➥Customizable to different graph-based notations

➥Tolerates incompleteness and inconsistency

➥Can merge several models at a time

14

Model Merging [ICSE’01, ASE’03, FSE’04, RE’05, ICSE’07]

Key for global

consistency

checking

Consistency Rules in Conceptual Modelling: Some Patterns

➜ Endpoint Compatibility

➜ Multiplicity

➜ Reachability

15

!

!

...

! ...! !

!

!

...

!! !

What Logic ?➜ (Standard) First Order Logic ?

➥Can’t express transitive closure➣ hence, doesn’t capture the reachability pattern

➥No counting operator➣ leads to complex formulas for the multiplicity pattern

➜ Temporal Logic (CTL / LTL) ?➥Unnatural for structural models

➥ Limited quantification power and no counting operator➣ can’t capture the multiplicity pattern at all

16

Language for Consistency Checking➜ We use FO + transitive closure + counting

➥ Implementation: CrocoPat [Beyer et al]

➜ CrocoPat Examples➥ Let E(x,y) denote x → y

# of predecessors of “A” ?

nodes reachable from “D”?

17

A

B C

D

Language for Consistency Checking➜ We use FO + transitive closure + counting

➥ Implementation: CrocoPat [Beyer et al]

➜ CrocoPat Examples➥ Let E(x,y) denote x → y

# of predecessors of “A” ?

nodes reachable from “D”?

17

A

B C

D

A

B C

D

Language for Consistency Checking➜ We use FO + transitive closure + counting

➥ Implementation: CrocoPat [Beyer et al]

➜ CrocoPat Examples➥ Let E(x,y) denote x → y

# of predecessors of “A” ?

nodes reachable from “D”?

17

n := #(E(x,“A”));

A

B C

D

Language for Consistency Checking➜ We use FO + transitive closure + counting

➥ Implementation: CrocoPat [Beyer et al]

➜ CrocoPat Examples➥ Let E(x,y) denote x → y

# of predecessors of “A” ?

nodes reachable from “D”?

17

n := #(E(x,“A”));

Reach(x,y):= TC(E(x,y));FromD(x):= Reach(“D”,x);

➜ Generated by instrumenting consistency rules➥Example diagnostics:

➣ Multiple inheritance

➣ Cyclic inheritance

Inconsistency Diagnostics

18

...FOR n IN MultipleParents(x) { ParentOfN(y) := EX(e, Src(e,n) & Tgt(e,y)); PRINT n, "Parents: ", ParentOfN(y); }

➜ Generated by instrumenting consistency rules➥Example diagnostics:

➣ Multiple inheritance

➣ Cyclic inheritance

Inconsistency Diagnostics

18

...FOR n IN MultipleParents(x) { ParentOfN(y) := EX(e, Src(e,n) & Tgt(e,y)); PRINT n, "Parents: ", ParentOfN(y); }

➜ Generated by instrumenting consistency rules➥Example diagnostics:

➣ Multiple inheritance

➣ Cyclic inheritance

Inconsistency Diagnostics

18

...FOR n IN MultipleParents(x) { ParentOfN(y) := EX(e, Src(e,n) & Tgt(e,y)); PRINT n, "Parents: ", ParentOfN(y); }

➜ Generated by instrumenting consistency rules➥Example diagnostics:

➣ Multiple inheritance

➣ Cyclic inheritance

Inconsistency Diagnostics

18

...FOR n IN MultipleParents(x) { ParentOfN(y) := EX(e, Src(e,n) & Tgt(e,y)); PRINT n, "Parents: ", ParentOfN(y); }

➜ Generated by instrumenting consistency rules➥Example diagnostics:

➣ Multiple inheritance

➣ Cyclic inheritance

Inconsistency Diagnostics

18

Preliminary Evaluation

19

Case StudyPerformance

Performance

20

020406080

100120140160180200

500 1000 5000 10000

Dangling Edges Parallel EdgesMultiple Inheritance Cyclic Inheritance

Number of Elements

Tim

e (s

eco

nd

s)

Case Study➜ Goal: Study the practical utility of global checking

➜ Models: 5 domain models for a healthcare system➥ developed independently by 5 individual students

➥models small (50-70 elements) but realistic

➜ Experiment1.Build preliminary relationships between models

2.Apply global consistency checking to improve these relationships

21

Observations

22

➜ Global checking ... ➥ ... useful for exploring design conflicts

=!StaffMember

Schedule

belo

ngs to

has

M1 M2 M3 Merge

StaffMember

Schedule

belo

ngs to

StaffMember

Schedule

has

StaffMember

Schedule

Observations

22

➜ Global checking ... ➥ ... useful for exploring design conflicts

=!StaffMember

Schedule

belo

ngs to

has

M1 M2 M3 Merge

StaffMember

Schedule

belo

ngs to

StaffMember

Schedule

has

StaffMember

Schedule

➥ ... collapses several pairwise checks into a single check

=!M1 M2 M3 Merge

Schedule ScheduleScheduleSchedule Schedule Schedule

➥ ... useful for hypothetical reasoning➣ Example question: What happens if I delete node X?

Observations

22

➜ Global checking ... ➥ ... useful for exploring design conflicts

=!StaffMember

Schedule

belo

ngs to

has

M1 M2 M3 Merge

StaffMember

Schedule

belo

ngs to

StaffMember

Schedule

has

StaffMember

Schedule

➥ ... collapses several pairwise checks into a single check

=!M1 M2 M3 Merge

Schedule ScheduleScheduleSchedule Schedule Schedule

Tool Support➜ TReMer+

➥Extended version of TReMer

➣Tool for Relationship-Driven Model Merging

➥New features:➣ Structural consistency checking

➠ for UML domain models, ERD’s, and hierarchical state machines➣ Traceability link generation and navigation➣ Usability enhancements

23

http://www.cs.toronto.edu/~mehrdad/tremer/

Related Work

24

Consistency Checking as Model Checking➥ Input: a model M and

a set of properties P

M inconsistent if M P

➥Examples ➣ Temporal property checking,

e.g. Spin [Holzmann] ➣ FO-based constraint checking,

e.g. OCL [OMG], xlinkit [Nentwich et al]

Consistency Checking as Model Finding➥ Input: a set of properties P

P inconsistent if there is no M s.t. M P

➥Examples➣ Proving logical consistency in Z

[Spivey], Alloy [Jackson], etc.

➣ Property-based synthesis [Pnueli]

|=!|=

Related Work

24

Consistency Checking as Model Checking➥ Input: a model M and

a set of properties P

M inconsistent if M P

➥Examples ➣ Temporal property checking,

e.g. Spin [Holzmann] ➣ FO-based constraint checking,

e.g. OCL [OMG], xlinkit [Nentwich et al]

Our approach falls here!

!|=

Related Work

24

Consistency Checking as Model Checking➥ Input: a model M and

a set of properties P

M inconsistent if M P

➥Examples ➣ Temporal property checking,

e.g. Spin [Holzmann] ➣ FO-based constraint checking,

e.g. OCL [OMG], xlinkit [Nentwich et al]

Our approach falls here!

➜ Main differences➥Detection of global

inconsistencies

➥Built with early RE in mind

!|=

Future Work

➥Handling heterogeneous models➣ ... through metamodel-based transformations and logical model

merging

➥ Integration with a model matcher➣ Work in progress! Stay tuned ...

➥Resolution of global inconsistencies

25

Summary➜ Developed a tool-supported technique for global

consistency checking➥Based on model merging

➜ Identified patterns for consistency rules in conceptual modelling➥Compatability, multiplicity, reachability

➜ Did a preliminary evaluation of our work➥ Performance, small case study

26

Thank You!Questions?

27