Home Explore Help
Sign In
yentl
/
modelverse
Watch 3
Star 3
Fork 6
Files Issues 4 Pull Requests 0 Wiki
Tree: 735fadd0c7
Branches Tags
modelverse
/
techreport
/
multi_conformance
/
2-conformance.tex

2-conformance.tex 17 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182 
  1. \section{Type/Instance Relation}
    2. 

  2. \label{sec:conformance}
    3. 

  3. A language consists of four main components: an abstract syntax, concrete syntax, semantic domain, and a semantic mapping.
    4. 

  4. Of chief interest to this paper, is the abstract syntax, which defines the set of allowed constructs in the language.
    5. 

  5. Generally, this set is described through the use of a metamodel, defining the allowable types to use, their interconnection, multiplicities, and cardinalities.
    6. 

  6. The metamodel, however, is limited to structural constraints (\textit{e.g.}, in Petrinets a place can have outgoing links only to transitions), and does not consider semantic constraints (\textit{e.g.}, in Petrinets a place cannot have a negative number of tokens).
    7. 

  7. A metamodel can therefore often be augmented with constraints, expressed using a constraint language such as the Object Constraint Language (OCL).
    8. 

  8. 

  9. \subsection{Bidirectionality}
    10. 

  10. The type/instance relation consists of two relations, in opposite directions: instantiation (creating a new model from an existing metamodel), and conformance (checking an existing model with an existing metamodel).
    11. 

  11. Both are complementary to each other: a newly instantiated model should, by construction, conform to the metamodel it was instantiated from (at least structurally).
    12. 

  12. 

  13. Going from the metamodel to the model, is called instantiation.
    14. 

  14. Through instantiation, an instance is created that conforms (structurally) to the provided metamodel.
    15. 

  15. A general instantiation method cannot be created, as it strongly depends on what the conformance relation checks, and how it expects the model to be physically represented.
    16. 

  16. For example, if the conformance relation supports subtyping, instantiation should instantiate the own attributes, but also all inherited attributes.
    17. 

  17. 

  18. From the model to the metamodel, we have the conformance relation, often called ``verify'' in tools (\textit{e.g.}, metaDepth~\cite{MetaDepth} and AToMPM~\cite{AToMPM}).
    19. 

  19. A model is said to conform to its metamodel if each element of the model is an instance of (conforms to) an element of the metamodel.
    20. 

  20. What it means for a single element to conform to another, is much more vague.
    21. 

  21. For example, if the conformance relation supports subtyping, an element might conform to types other than its own type, if there is an inheritance relation between them.
    22. 

  22. 

  23. If one wants to explicitly model the type/instance relation, as is the goal in this paper, one needs to explicitly model both the instantiation and the conformance checking functions.
    24. 

  24. 

  25. \subsection{Metamodelling Hierarchy}
    26. 

  26. The metamodelling hierarchy, as popularized by the OMG in the four-layered architecture, makes explicit use of the relation between types and their instances.
    27. 

  27. This architecture consists of four layers, as shown in Figure~\ref{fig:four_layered_architecture}: the metametamodel ($M3$), the metamodel ($M2$), the model ($M1$), and the real world ($M0$).
    28. 

  28. Each of these models is said to conform to the model at the layer above, meaning that the lower level is an instance of the higher level.
    29. 

  29. As a result, $M1$ conforms to $M2$, which conforms to $M3$.
    30. 

  30. At the top of the hierarchy, $M3$ is made to conform to itself, which is called meta-circularity.
    31. 

  31. 

  32. This four-layered architecture is used by most (meta-)modelling tools, with only two levels accessible to users: the $M2$ and $M1$ level.
    33. 

  33. $M3$ is fixed, and has a close relation to the internals of the tool, as well as the physical representation of models.
    34. 

  34. $M0$ cannot be modelled in the tool, as this represents the real world instance.
    35. 

  35. This leaves only $M2$ and $M1$ for modification.
    36. 

  36. Users can then use $M2$ to define their own custom language, specific to the domain they are interested in.
    37. 

  37. $M1$ is used to model the actual model that is to be manipulated.
    38. 

  38. 

  39. \begin{figure}
    40. 

  40.     \centering
    41. 

  41.     \includegraphics[width=0.3\columnwidth]{figures/four_layered_architecture.pdf}
    42. 

  42.     \caption{Four-layered architecture, exemplified using Petri nets.}
    43. 

  43.     \label{fig:four_layered_architecture}
    44. 

  44. \end{figure}
    45. 

  45. 

  46. Having only two levels at your disposition can be limiting for several applications.
    47. 

  47. Therefore, multi-level modelling has been introduced, where the number of user-accessible layers is unrestricted.
    48. 

  48. This raises the question on how to restrict elements several layers deep, which can be done through the use of deep characterization (\textit{e.g.}, through potency~\cite{potency,UnifyingApproach}).
    49. 

  49. These techniques have an influence on instantiation and conformance semantics, and therefore require specialized tools.
    50. 

  50. For example, potency will prevent the instantiation of elements whose potency value has reached 0.
    51. 

  51. The exception being potency *, which indicates unrestricted instantiation until specified~\cite{SupportingConstructiveAndExploratoryModesOfModeling}.
    52. 

  52. 

  53. \subsection{Hardcoded Type/Instance relations}
    54. 

  54. From the previous examples, it becomes clear that instantiation and conformance are more complex than graph (or model) homomorphism.
    55. 

  55. Apart from finding whether the model structurally conforms to the provided metamodel, additional constraints are imposed on the representation.
    56. 

  56. Several of the instances of the graph even gain special semantics, deviating from their originally structural role.
    57. 

  57. For example, a \textit{cardinality} attribute will not merely be structural, but will further constrain the set of allowed instances.
    58. 

  58. Figure~\ref{fig:special_constructs} shows some more examples of additional constraints.
    59. 

  59. 

  60. \begin{figure}
    61. 

  61.     \centering
    62. 

  62.     \includegraphics[width=0.7\columnwidth]{figures/special_constructs.pdf}
    63. 

  63.     \caption{Constructs that further restrict the set of instances.}
    64. 

  64.     \label{fig:special_constructs}
    65. 

  65. \end{figure}
    66. 

  66. 

  67. Their semantics is as follows:
    68. 

  68. \begin{itemize}
    69. 

  69. \item \textit{Inheritance}.
    70. 

  70.     A special kind of link between two elements.
    71. 

  71.     It cannot be further instantiated.
    72. 

  72.     The source of the link becomes a subtype of the target during the conformance check.
    73. 

  73.     In the example, this means that any instance of $C$ will also be considered as an instance of $B$, but not the other way around.
    74. 

  74.     Additionally, when instantiation an instance of $C$, all attributes of $B$ also need to be added.
    75. 

  75. \item \textit{Potency}.
    76. 

  76.     A special attribute which indicates how many levels deep this element can still be instantiated.
    77. 

  77.     When instantiating an element, the potency value is copied and decremented by one.
    78. 

  78.     When the value reaches zero, no further instances can be made.
    79. 

  79.     In the example, this means that both $A$, $B$, and $C$ can only be instantiated once more.
    80. 

  80.     This places restrictions on both instantiation (\textit{i.e.}, refuse to instantiate) and conformance checks (\textit{i.e.}, always find them to be non-conforming).
    81. 

  81. \item \textit{Cardinalities}.
    82. 

  82.     A special attribute of an association which limits the number of instances of this association for a single element at the other side of the association.
    83. 

  83.     Both a lower and upper bound are possible.
    84. 

  84.     In the example, this means that each instance of $A$ has either $1$ or $2$ connected instances of $B$ through this association.
    85. 

  85.     For each $B$, there is exactly one connected instance of $A$.
    86. 

  86.     Instantiating additional links, when the upper limit is already reached, should be disallowed.
    87. 

  87.     Conversely, a conformance check should flag a model as non-conforming if the constraint is violated, even though it is structurally fine.
    88. 

  88. \item \textit{Multiplicities}.
    89. 

  89.     A special attribute that indicates how many instances of this element can be present at the level immediately below.
    90. 

  90.     Both a lower and upper bound are possible.
    91. 

  91.     In the example, this means that there will be exactly $2$ instances of $A$.
    92. 

  92.     Similarly to cardinalities, both the instantiation and conformance relation should be aware of these restrictions.
    93. 

  93. \item \textit{Constraints}.
    94. 

  94.     Previous constructs would limit the structure, whereas this part restricts the instances based on its semantics.
    95. 

  95.     Arbitrary executable models can be coupled to the metamodel, which are evaluated when determining whether the element conforms or not.
    96. 

  96.     In the example, this means that the value of the attribute $b$ of $B$ will always be greater than zero.
    97. 

  97.     The conformance check should, apart from checking the previous constraints, execute this piece of code to determine whether or not the model conforms.
    98. 

  98.     Instantiation does not need to be aware of this, as there is no way to statically know which operations are allowed to satisfy this function.
    99. 

  99. \end{itemize}
    100. 

  100. 

  101. When these constructs are only present structurally, as is the case in most modelling tools, their semantics is non-obvious.
    102. 

  102. It might even be non-obvious whether or not the attributes have any semantics (within the modelling tool) at all: why would an attribute with a specific name suddenly become part of the restrictions placed on instances?
    103. 

  103. Somewhere, semantics needs to be given to these constructs: a component of the tool needs to find the attribute, read it out, determine whether or not the model satisfies this requirement, and provide user feedback.
    104. 

  104. 

  105. While we acknowledge that these powerful constructs aid in creating a tightly constrained set of possible instances, their inclusion often creates severe problems in the modelling hierarchy.
    106. 

  106. Because each of these carries its own semantics, informally described above, there needs to be a mechanism to enforce the semantics.
    107. 

  107. As described above, this semantics is part of the type/instance relation, which is, in most current tools, implicit and hardcoded.
    108. 

  108. 

  109. More concretely, this results in the following problems:
    110. 

  110. \begin{enumerate}
    111. 

  111. \item \textit{Semantics}.
    112. 

  112.     The exact semantics of these constructs is often unclear, and only found out by reading documentation or through experimentation.
    113. 

  113.     While for some constructs the semantics doesn't vary much between tools, other constructs vary significantly.
    114. 

  114.     And even if the semantics is clearly communicated between both parties, it remains a problem as to how these semantics are applied by the instantiation and conformance checking operations.
    115. 

  115.     For example multiplicities: what if a lower bound is not reached?
    116. 

  116.     Does it become impossible to delete elements, which would cause this lower bound to be violated?
    117. 

  117.     Or would a deletion be allowed, but subsequent conformance checks do fail in case it is still violated at that point in time?
    118. 

  118.     And is it possible to save a model which violates these constraints?
    119. 

  119.     Similarly, is it possible to create additional elements if these would violate the constraints?
    120. 

  120.     Or is it only possible within some kind of a transaction?
    121. 

  121. 

  122.     This is even the case in object-oriented programming languages, where the semantics of subtyping varies.
    123. 

  123.     For example, C++ offers multiple inheritance, whereas Java only offers single inheritance.
    124. 

  124.     On the completely opposite side of the spectrum, Haskell uses structural subtyping instead of nominal subtyping~\cite{Typing}.
    125. 

  125.     While each of these has its advantages and disadvantages, it should be clear to users which semantics are used.
    126. 

  126. 

  127. \item \textit{Static}.
    128. 

  128.     Semantics, even if formally described in the documentation, still remains static.
    129. 

  129.     While this is not a significant problem in general, as a general concensus exists for these attributes, sometimes a slightly different semantics is desired.
    130. 

  130.     For example, users might want to make to temporarily violate a multiplicity constraint if the restriction is too strict.
    131. 

  131. 

  132.     Similarly, some users might prefer, or even require, different semantics than those implemented.
    133. 

  133.     For example, Java limits inheritance to single inheritance.
    134. 

  134.     Users that require multiple inheritance will have to resort to tricks to implement their models which naturally lend themselves to multiple inheritance.
    135. 

  135.     Should the semantics be modifiable at run-time, users can alter the behaviour to their liking, or just switch implementation.
    136. 

  136.     Users who prefer to be constrained to single inheritance, can then use the single inheritance semantics, whereas others can decide to opt for multiple inheritance.
    137. 

  137. 

  138. \item \textit{Special constructs at the implementation level}.
    139. 

  139.     Because some constructs gain a special semantics, there needs to be a way of identifying these constructs.
    140. 

  140.     For some this is easy (\textit{e.g.}, read out an attribute with a pre-defined name, such as \textit{potency}), but for others, this becomes more difficult.
    141. 

  141.     In particular, the inheritance relation is a special case: it is a link, and one would expect it to be implemented as such.
    142. 

  142.     Many frameworks~\cite{VMTS,ModelBasedDSLFrameworks,AToMPM}, however, rely on this (or similar relations) to be a special kind of link, unrelated to a normal association.
    143. 

  143.     And while their underlying model storage hugely mimics existing structures, such as graphs, exceptions need to be made throughout to cope with these constructs.
    144. 

  144.     Furthermore, this additional type causes further problems in the checking of conformance: how is it typed?
    145. 

  145.     Resolving these elements should not be done through hardcoded types at the lowest level.
    146. 

  146.     This prevents the reuse of existing libraries, as a wrapper needs to be written to cope with the special types.
    147. 

  147. 

  148. \item \textit{Special constructs at the metamodel level}.
    149. 

  149.     Even if special constructs at the implementation level are avoided, special constructs at the metamodel level are sometimes still used.
    150. 

  150.     This hardcodes the identity of some parts of the metamodel in the instantiation and conformance checking functions.
    151. 

  151.     The metamodel will therefore simply be a normal metamodel, though some associations will gain special importance which are not apparant from the metamodel alone.
    152. 

  152.     It is only the type/instance relation which adds this additional semantics to the link.
    153. 

  153. 

  154.     Apart from the confusion this might cause to users, it prevents users from using a different metamodel, and even prevents multi-level modelling completely.
    155. 

  155.     This was one of the problems that prevents AToMPM~\cite{AToMPM} from having multi-level metamodelling, or just more than two metametamodels: the inheritance semantics is hardcoded in the core, and only applies to the provided metametamodels.
    156. 

  156. 

  157.     Similarly, models cannot simply have attributes if their metamodel does not allow for it.
    158. 

  158.     While this is not a problem in the traditional four-level architecture, multi-level modelling quickly runs into this problem: users can only specify a potency if their metamodel explicitly calls for it.
    159. 

  159.     Instead of modifying the metamodel for this, it is possible to encode these \textit{special} constructs as ``explicitly allowed'' in the conformance relation, as was done in the previous (unrelated) version of our tool~\cite{MULTI_modelverse}.
    160. 

  160.     The instantiation algorithm should also be aware of this, as it should, for whatever model, always add in these attributes by default, and furthermore make them mandatory, such that they cannot be removed.
    161. 

  161. 

  162. \item \textit{Inflexible type mapping}.
    163. 

  163.     Type mappings store the types of elements.
    164. 

  164.     While they have previously been identified theoretically, most current approaches hide away this important piece of information in the implementation.
    165. 

  165.     Apart from reading out the type, and possibly altering it through some programming interface, no modifications are possible as they reside in the internal data structures of the tool.
    166. 

  166. 

  167.     By making these type mappings explicit, as an ordinary model, it can be modified as any other model, and in particular through the use of model transformations.
    168. 

  168.     This is one of the limitations of model transformations: the right-hand side cannot create an instances of a metamodel that is only known at run-time.
    169. 

  169.     This problem is currently solved by using model transformation templates~\cite{GenericModelTransformations}, which is still more constraining than our approach, as it doesn't allow for retyping operations.
    170. 

  170. 

  171. \item \textit{Single type}.
    172. 

  172.     Finally, as the conformance function and typing information is hardcoded, only a single such relation is possible for a given element.
    173. 

  173.     Sometimes, however, an element can be typed by multiple, possibly unrelated, elements.
    174. 

  174.     An example has already been given in~\cite{APosterioriTyping}, where a model is created with a single (constructive) type, but additional types can be found during execution.
    175. 

  175.     This could however also be related to the use of multiple very similar metamodels.
    176. 

  176.     For example, consider a petri nets metamodel, and a seperate, but identical, petri nets metamodel with inhibitor arcs.
    177. 

  177.     Every petri net instance without inhibitor arc, also conforms to the petri nets metamodel with inhibitor arcs.
    178. 

  178.     Similarly, every petri net without inhibitor arcs, even if it was constructed as an instance of the metamodel with inhibitor arcs, will conform to the original metamodel.
    179. 

  179.     Even though these are unrelated, a model can easily be said to be typed by both of them, depending on the situation in which it is used.
    180. 

  180.     This can have further repercussions in model evolution, where models frequently need to be retyped to slightly different metamodels.
    181. 

  181. \end{enumerate}
    182. 

  182.