Semantic Anchoring
January 30, 2008Matt McGill
Semantic Anchoring at a Glance...
• Problem: Formally specifying the behavioral semantics of DSMLs from scratch is costly
• Cost is only justified for domains with many users
• Users working in narrow domains are unsupported
• Proposed solution: Give new DSMLs a translational specification with respect to semantic units.
• A semantic unit (SU) is a formal modeling language with pre-defined semantics
• Reliance on SU specification simplifies creation of new DSMLs
• Validation
• Defined semantics of IF, UPPAAL and Kronos languages in terms of Timed Automata Semantic Unit (TASU)
• Defined a reusable HFSM semantic unit
Presentation Overview
Motivation and applicability• Benefits of DSMEs/DSMLs
• Obstacles to widespread use
• Objectives of Semantic Anchoring
• Applicability to this course
Preliminaries
Semantic anchoring in depth
Evaluation (there will be a quiz...)
DSMLs and DSMEs...bring the solution space closer to the problem space
save time and money through automation
reduce “accidental complexity”
manage “inherent complexity”
lower production costs and development time
Benefits of DSMLs/DSMEs
(Simulink)
Obstacles to DSMLs/DSMEs
DSMLs and DSMEs...are (by definition) domain-specific
are themselves very costly to build
are only available in domains with many users
(VHDL)
Semantic Anchoring Objectives
Reduce the cost of developing DSMLs with precise, formally defined semantics
Enable formal analysis capabilities for DSMLs
Bring DSMLs and DSMEs to previously excluded domains
Highlight the semantic differences between similar DSMLs
Applicability
DSMLs are developed in a model-driven fashion
DSMLs are themselves used in MDE
Technique enables the (cost-effective) creation of analyzable DSMLs for use in High-Assurance Systems
Presentation Overview
Motivation and applicability
Preliminaries• Review: Specifying traditional programming languages
• Modeling and meta-modeling
• The Generic Modeling Environment (GME)
Semantic anchoring in depth
Evaluation
Programming LanguagesHow are programming languages specified?
Syntax: What do programs look like?• Concrete syntax deals with parsing of actual program sentences such as
lexical issues, operator precedence, etc.
• Abstract syntax represents the structure of programs while abstracting away details about the actual parsing
• Both often specified in some form of BNF notation
Semantics: What does a program mean?• Many ways of specifying the meanings of programs, from informal to
rigorously formal
• Translational semantics: rules for translating programs into some other language
• Rules often based on abstract syntax
Abstract Syntax ExampleN ::= integersExpr ::= N | Expr + Expr | Expr - Expr
“1 + (2 - 3) + 4”
+
4
+1
-
32
Modeling vs. Programming
What is a model? A useful abstraction
Program(P) => Model(P)• A computer program is a model
!(Model(P) => Program(P))• A model is not necessarily a program
That’s why we like models!
The Four-Layer Architecture
define
Runtime executions
Programs Models
define
Instances
define
Grammars
defines
EBNF
define
Meta-meta-models
What about concrete syntax?
Meta-models
define
(abstract syntax)
M3
M2
M1
M0
An Example
Instance Model
An ExampleModel Meta-model
An Example
Meta-model Meta-meta-model
An Example
Meta-meta-model Meta-meta-model
The GME
A truly generic modeling environment
GME must be configured with a Paradigm (essentially, information about the abstract and concrete syntax of a DSML)
GME publishes an API, can be extended with interpreters, etc.
The meta-modeling paradigm is just another DSML (used to model DSMLs)
Presentation Overview
Motivation and applicability
Preliminaries
Semantic anchoring in depth• Specifying Semantic Units
• Specifying DSMLs
• Modeling and analysis
Preliminary evaluation
Bird’s Eye View - 3 Parts
1. Semantic Unit definition• Describe configurations with meta-model
• Specify behavior with Abstract State Machine
2. DSML specification• Describe DSML with meta-model
• Define rules for translating a model into a configuration of the semantic unit
3. Modeling and analysis• Construct models in DSML
• Use translator to produce ASMs for analysis
Running example: GREGEXP
• A graphical DSML for simple regular expressions, anchored to a finite-state automata semantic unit
• Regexps are built from nodes and links
• Each Nodes contain a letter (except the start node)
• Node cardinalities:
Match oneMatch oneor more
Match zeroor more
Semantic Units (SUs)
• Self-contained, formally specified DSMLs that can be re-used in the specification of other DSMLs
• 3 parts1. Meta-model (abstract/concrete syntax)
2. Behavioral specification (Abstract State Machine template)
3. Model ! ASM translator
SU meta-model
• Created with GME meta-modeling paradigm
• Needs to be mapped to Abstract State Machine template (more on this in a bit)
• May or may not need a concrete (i.e. graphical) syntax
FSA meta-model
• Domain concepts: states, transitions, and assertions about accepted (or not accepted) strings
StateAccepting
statePositive
assertionNegativeassertion
FSA meta-model
FSA example model Specifying behavior with ASMs
AsmL: Microsoft’s implementation of Abstract State Machines
• Formal language for specifying algorithms
• Operational in nature
• Program state is represented with well-defined mathematical structures (Sets, Integers, etc.)
• Designed to look like pseudocode
• SpecExplorer can be used to run simulations, explore the state space
Really simple AsmL example
var i as Integer = 0
Add(x as Integer) require (i+x<5) i := i + x
Sub(x as Integer) require (i-x >= 0) i := i - x
Really simple AsmL Example
An AsmL template for FSA
type State = Integer
type Label = String
const R as Set of (State, Label, State) = {... }
const A as Set of State = {... }
var a as State = 0
procedure NextState(i as Label)
require (exists (s, l, _) in R where s=a and l=i)
choose unique (s, l, s') in R where s=a and l=i
a := s'
Instantiating our model
• SU developer would implement translator that instantiates AsmL template from SU model
type State = Integertype Label = String
const R as Set of (State, Label, State) = { (0, "a", 1), (1, "b", 1), (1, "a", 2)}const A as Set of State = {1, 2 }
var a as State = 0
procedure NextState(i as Label) require (exists (s, l, _) in R where s=a and l=i) choose unique (s, l, s') in R where s=a and l=i a := s'
Bird’s Eye View - 3 Parts
Semantic Unit definition• Describe configurations with meta-model
• Specify behavior with Abstract State Machine
2. DSML specification• Describe DSML with meta-model
• Define rules for translating a model into a configuration of the semantic unit
3. Modeling and analysis• Construct models in DSML
• Use translator to produce ASMs for analysis
A quick review: GREGEXP
• A graphical DSML for simple regular expressions, anchored to a finite-state automata semantic unit
• Regexps are built from nodes and links
• Each Nodes contain a letter (except the start node)
• Node cardinalities:
Match oneMatch oneor more
Match zeroor more
Gregexp meta-model Anchoring the DSML to a SU
• DSMLs are “anchored” to SUs via model transformation
• Transformations are specified in GReAT, another GME-based DSML
• Transformation rules are pattern-based, patterns refer to source and target meta-models
• Basic actions: Create, Bind, Delete
Returning to the House DSML GReAT Transformations
• Transformations may be run by an interpreter inside GME
• Transformations may also be compiled into C++ code, and loaded as plug-ins
Bird’s Eye View - 3 Parts
Semantic Unit definition• Describe configurations with meta-model
• Specify behavior with Abstract State Machine
DSML specification• Describe DSML with meta-model
• Define rules for translating a model into a configuration of the semantic unit
3. Modeling and analysis• Construct models in DSML
• Use translator to produce ASMs for analysis
Modeling and Analysis
• User creates models in the DSML using the GME
• User generates AsmL specifications from the models using the semantic anchoring transformation
• User analyses AsmL specification, runs simulations
• SpecExplorer can also be used for automated testing and automatic test case generation
Modeling and Analysis
• Note: The papers I have read do not describe in detail the types of analysis and testing a user might perform
Analyzing a model
Semanticanchoring
transformation
type State = Integertype Label = String
const R as Set of (State, Label, State) = { (0, "a", 1), (1, "b", 1), (1, "a", 2)}const A as Set of State = {1 }
var a as State = 0
procedure NextState(i as Label) require (exists (s, l, _) in R where s=a and l=i) choose unique (s, l, s') in R where s=a and l=i a := s'
SU translation
Analyzing a model
• SpecExplorer appears to be a powerful tool, but it’s also poorly documented
• I’ve got more “archeology” to do before I can check properties...
Analyzing a model
• ...But at least our state space is right.
type State = Integertype Label = String
const R as Set of (State, Label, State) = { (0, "a", 1), (1, "b", 1), (1, "a", 2)}const A as Set of State = {1}
var a as State = 0
procedure NextState(i as Label) require (exists (s, l, _) in R where s=a and l=i) choose unique (s, l, s') in R where s=a and l=i
Presentation Overview
Motivation and applicability
Preliminaries
Semantic anchoring in depth
Initial evaluation
Preliminary Evaluation
Your thoughts?
My reaction
This approach to specifying semantics is feasible
At the moment, this particular tool-chain makes it complicated
Major drawback: Where’s the “round-trip engineering”?• Can a DSML user really be expected to check properties in a twice-
translated version of her model?
• The unidirectional nature of the model transformations poses a significant problem, but there are languages for specifying bidirectional transformations
Open question: which semantic units?