Relational model transformation (MTr) is one of the main paradigms used in model transformation (MT). It has a \mapping" style, and aims at producing a declarative transformation speci cation that documents what the model transformation intends to do. Graph transformation (GT) is another model transformation paradigm. It has a rewriting style, and usually represents model transformation graphically (e.g. UML-related models) and at a high level of abstraction. Thus, it is well suited to describe scenarios such as distributed systems or behaviours of structure-changing systems (e.g. mobile networks). The two paradigms share some similarities (e.g. they are both declarative in nature). However, they are fundamentally di erent in their execution semantics.

In this work, we will focus on GTs. SimpleGT is a textual GT language based on double push-out semantics [ 17 ]. A SimpleGT program is a declarative speci cation that documents what the SimpleGT transformation intends to do. It is expressed in terms of a list of rewrite rules, using the Object Constraint Language (OCL) for both its data types and its declarative expressions. Then, the SimpleGT program is compiled into an EMFTVM implementation to be executed.

Verifying the correctness of a SimpleGT transformation means proving assumptions about the SimpleGT program. These assumptions can be made explicitly by transformation developers via annotations, so-called contracts. The contracts are usually expressed in OCL because of its declarative and logical nature.

To allow automatic correctness veri cation for MTr, we have designed the VeriMTLr development framework to provide rapid veri er construction [ 7 ]. At the core of our framework is the Boogie intermediate veri cation language (Boogie) which enables Hoare-logic-based automatic theorem proving [ 4 ]. Boogie provides imperative statements (such as assignment, if and while statements) to implement procedures, and supports rst-order-logic (FOL) contracts (i.e. pre/postconditions) to specify procedures. It allows type, constant, function and axiom declarations, which are mainly used to encode libraries that de ne data structures, background theories and language properties. A Boogie procedure is veri ed if its implementation satis es its contracts. The veri cation of Boogie procedures is performed by the Boogie veri er, which uses the Z3 SMT solver1 as its underlying theorem prover.

Our framework encapsulates the semantics of the EMF metamodel library (based on the Burstall-Bornat memory model [ 6 ]) and a subset of OCL (i.e. OCLAny, OCLType, Primitive and collections) as Boogie libraries. The two libraries provide a foundation to encode the execution semantics of MTr languages. The unique feature of VeriMTLr is its ability to ensure sound veri er design through a translation validation approach. That is, it automatically veries that each encoded execution semantics of an MTr speci cation is sound with respect to its corresponding runtime behaviour of the MTr implementation [ 9 ].

Our main contribution in this work is to articulate how to adapt VeriMTLr to soundly design the VeriGT system, which is used to verify the correctness of SimpleGT transformations. In particular: { We demonstrate the di erence between the execution semantics of relational and graph transformations, and quantify how the di erence would a ect their veri er design (Section 3). { We demonstrate VeriGT on the wellknown Pacman game, and share our experience on verifying three contracts for the Pacman game (Section 4). One interesting observation is that by carefully designing the Pacman metamodel, we do not require explicit tool-support or formalisms (e.g. CTL) to handle temporal constraints.

We use the Pacman game adapted from [ 15 ] to introduce the SimpleGT language. The game is based on the Pacman metamodel as shown in Fig. 1. The game consists of a single P acman, a ghost and zero or more gems on a game board (consisting more than zero grids). Each grid can hold Pacman, a ghost and a gem at the same time. The Pacman game is controlled by the GameState, which records important attributes such as ST AT E, SCORE and F RAM E. It also contains a list of actions. Each action de nes the moves to be done by either Pacman or the ghost, and is executed when it has the same frame as the GameState.

We have de ned the semantics of a Pacman game via 13 GT rules in SimpleGT (Fig. 2). Each rule includes an input pattern (f rom section), a correspon

We evaluate VeriGT on the Pacman game, previously presented by [ 15 ]. Our evaluation runs on an Intel 2.93 GHz machine with 4 GB of memory running on Windows OS. Veri cation times are recorded in seconds. Table. 1 shows the performance of our transformation correctness veri cation. The second column shows the size of the Boogie code generated to verify each of the transformation contracts that are speci ed in Fig. 3 (including Boogie encoding for the Pacman metamodel, transformation contract and execution semantics of Pacman game in SimpleGT). Corresponding veri cation times are shown in the third column.

The rst contract (gemReachable) we veri ed is that all grid nodes containing a gem must be reachable by the Pacman. The key to this task is to de ne the reachable relation on grids. We de ne two grids to be reachable if they are adjacent to each other. The reachable relation is also re exive, symmetric and transitive. Recall that to ensure no grid is isolated on the game board, we require that any two grids are reachable (including all the grids that contain the gem, and Pacman) as a precondition of the Pacman game. Since there are no rules that modify the layout of the grid, the rst contract can be automatically veri ed with ease. 10 1 procedure main ( ) ; 2 /* inv : PacmanSurvive */ 3 requires ( 8 gs1 : ref ( gs12f i n d ( srcHeap , pacman$GameState ) ^ read ( srcHeap , gs1 , pacman$GameState .STATE)=STATE. GhostMove ) =) 4 ( 8 g r i d 1 : ref g r i d 12f i n d ( srcHeap , pacman$Grid ) ^ dtype ( read ( srcHeap , grid1 , pacman$Grid . hasEnemy))<: pacman$Ghost =) :( dtype ( read ( srcHeap , grid1 , pacman$Grid . hasPlayer ))<: pacman$Pacman ) ) ) ; 5 6 . . . 7 modifies srcHeap ; 8 /* inv : PacmanSurvive */ 9 ensures ( 8 gs1 : ref ( gs12f i n d ( srcHeap , pacman$GameState ) ^ read ( srcHeap , gs1 , pacman$GameState .STATE)=STATE. GhostMove ) =) ( 8 g r i d 1 : ref g r i d 12f i n d ( srcHeap , pacman$Grid ) ^ dtype ( read ( srcHeap , grid1 , pacman$Grid . hasEnemy))<: pacman$Ghost =) :( dtype ( read ( srcHeap , grid1 , pacman$Grid . hasPlayer ))<: pacman$Pacman ) ) ) ; The second contract (P acmanSurvive) we veri ed is that there exists a path where the ghost never kills Pacman. Our veri cation strategy is to provide a path that witnesses the existence of such a path. First, we consider the state when the ghost starts to move. Then, under such a state, our goal is to verify that the ghost and Pacman do not share the same grid. Thus, the path where the ghost stays at the Pacman-free grid is our witness (recall that the move strategy of Pacman is not to commit suicide as shown in Fig. 2).

The third contract (P acmanM oved) we veri ed is that Pacman must move within a time interval I. We use a contract-only variable (also known as a model eld or a ghost variable [ 12 ]) for this task. Contract-only variables do not participate in the runtime execution of a program, they are simply used to make the contract easier to express. In particular, we introduce the contract-only variable acts, which is a set of actions of Pacman that move toward any direction. We need to explicitly update the contract-only variable acts when the action of Pacman is updated (e.g. delete an action as in the PlayerMoveLeft rule in Fig. 2), since it is not part of the runtime execution of a SimpleGT program. After that, we can automatically verify the third contract. This is due to the fact that if we assume that all the actions in acts will perform within a time interval I as a precondition of the Pacman game, then after we remove an action from acts, the remaining actions should not be changed and they will still be performed within a time interval I.

We also use our EMFTVM library in the VeriMTLr framework to encode the runtime behaviour of SimpleGT in Boogie. Consequently, we can verify that our encoding of the execution semantics of SimpleGT soundly represents its corresponding runtime behaviour using the translation validation approach. Due to space limitations, we are unable to explain the details of our veri cation for the sound encoding of the execution semantics of SimpleGT. We refer to our previous work for how to do this [ 9 ]. The generated Boogie programs for the Pacman game (including the soundness encoding veri cation and OCL transformation contracts veri cation) can be found in our online repository [ 8 ]. 5

Model transformation veri cation is an active research area [ 1 ]. In this section, we will focus on GT veri cation. Syriani and Vangheluwe propose an input-driven simulation approach using the Discrete EVent system Speci cation (DEVS) formalism [ 15 ]. Bill et al. extend OCL with CTL-based temporal operators to express properties over the lifetime of a graph [ 5 ]. Both of these approaches are bounded, which means the GT is veri ed against its contracts within a given search space (i.e. using nite ranges for the number of models, associations and attribute values). Bounded approaches are usually automatic, but no conclusion can be drawn outside the search space. Our approach is based on automatic theorem proving, which is unbounded to ensure the contracts hold for the GT over an in nite domain. However, VeriGT is based on FOL, and thus su ers from the same expressibility issue as any other FOL-based veri er. Nevertheless, we show that by carefully designing the Pacman metamodel, we can use FOL to verify temporal constraints without using formalisms such as DEVS or CTL.

There are also interactive theorem proving approaches for GT veri cation. Asztalos et al. use category theory to describe graph rewriting systems [ 2 ]. This approach is implemented in the VMTS veri cation framework, but it is not targeted to a speci c graph rewriting-based model transformation language. Schatz presents an approach to verify structural contracts of GT [ 14 ]. The transformation rules are given as a textual description based on a relational calculus. The formalizations of model, metamodel and transformation rules are based on declarative relations in a Prolog style, and target the Isabelle/HOL theorem prover. These approaches rely on encoding the execution semantics of the GT language. In addition to this, we are able to address a di erent challenge. That is we also verify that the execution semantics of GT encoded in Boogie faithfully represents its corresponding runtime behaviour (i.e. GT implementation), which makes our approach complementary to the existing approaches. Our approach is inspired by the translation validation approach used in compiler veri cation [ 13 ]. An earlier proposal to adapt translation validation approach in GT veri cation was also made by Horvath [ 11 ].

Finally, the two most widely used intermediate veri cation languages are Boogie, and Why3 [ 10 ]. Both languages have mature implementations and frameworks to parse, type-check, and analyse programs. We concentrate on Boogie in this paper, but all results can be carried over to Why3, or to other veri cation languages with similar functionality.

Our future work will concentrate on automating the compilation from SimpleGT to Boogie, and its integration into Eclipse with a user interface.