=Paper=
{{Paper
|id=Vol-1706/paper4
|storemode=property
|title=On Leveraging UML/OCL for Model Synchronization
|pdfUrl=https://ceur-ws.org/Vol-1706/paper4.pdf
|volume=Vol-1706
|authors=Robert Bill,Martin Gogolla,Manuel Wimmer
|dblpUrl=https://dblp.org/rec/conf/models/BillGW16
}}
==On Leveraging UML/OCL for Model Synchronization==
On Leveraging UML/OCL for Model Synchronization Robert Bill Martin Gogolla Manuel Wimmer TU Wien, Institute for Software Universität Bremen, TU Wien, Institute for Software Technology and Interactive Department for Mathematics Technology and Interactive Systems and Computer Science Systems Favoritenstraße 9-11 PO Box 330440 Favoritenstraße 9-11 A-1110 Wien D-28334 Bremen A-1110 Wien bill@big.tuwien.ac.at gogolla@tzi.de wimmer@big.tuwien.ac.at ABSTRACT model synchronization has become an indispensable duty Modelling complex system often results in different but over- where inconsistencies between different models need to be lapping modelling artifacts which evolve independently. Thus, resolved in an efficient and correct way. inconsistencies may arise which lead to unintended effects on There are already several approaches to handle model in- the modelled system. To mitigate this situation, model syn- tegration based on synchronization [23]. However, there is a chronization is seen as a recurring and crucial maintenance recurring pattern in most of these approaches: a dedicated task which requires to restore consistency between multiple language is used to define a mix of synchronization steps models using the most suitable changes. Currently, differ- and inter-model consistency relationships. There are two ent languages and tools are used for inter-model consistency potential challenges using such approaches: (i) for consis- management than for intra-model consistency where UM- tency relationship formulation, the intermingling of consis- L/OCL is an accepted solution. Consequently, the result tency relationships and synchronization might make it diffi- of synchronizing models solely based on inter-model con- cult to specify how to realize context-dependent resolutions straints might result into inappropriately evolved models of inconsistencies in heavily constrained models, and (ii) the w.r.t. intra-model constraints. increased mental load for modelers who need to learn a new In this paper, we present a synchronization model for- synchronization language. malized in UML/OCL which covers explicit consistency and In this paper, we propose a new methodology for unifying change models including costs and which considers both, inter-model and intra-model constraints for model synchro- inter-model and intra-model constraints at the same time. nization using UML/OCL. We employ OCL in the classical Instances of this synchronization model represent success- setting for defining intra-model constraints and present a ful synchronization scenarios. In particular, models can be method how to define inter-model constraints based on dedi- synchronized, also taking into account their predecessor ver- cated UML/OCL models between two models in the spirit of sions, by finding a constraint violation-free extension of a bi-directional model transformation languages such as QVT partial model including those instances which may be op- Relations [25] or TGGs [30]. In order to define general- timized for minimal cost. We prototypically implemented purpose and domain-specific synchronization properties, we this approach using a model finder to automatically retrieve introduce a formalized change model that is the basis for ex- synchronized models and the change operations to compute plicitly modeling such properties based on our UML/OCL them by completing the partial model. approach. For instance, the use of different cost functions for changes allows the definition and usage of different synchro- nization strategies such as least-change and beyond. Hav- Keywords ing these ingredients, UML/OCL based model finders can model consistency; model synchronization; model evolution be employed to compute the model synchronizations taking into account both inter-model and intra-model constraints and the stated properties which should be fulfilled by the 1. INTRODUCTION synchronization. We show this by applying a model finder Modern systems are inherently much more complex to for UML/OCL, which has already proven to be usable for design, develop, and maintain than classical systems due transformations models [16]. to different properties such as size, heterogeneity, distribu- The remainder of this paper is structured as follows. In tion, and multi-disciplinarity. One way to cope with such Section 2 we describe the architecture of our synchroniza- complexity is by resorting on model-driven engineering ap- tion approach, the types of models we consider, and the proaches [4,5] and dividing the engineering activities accord- running example of this paper. In Section 3 we formulate ing to several areas of concerns or viewpoints, each one focus- model changes as a UML/OCL model and how to select ing on a specific aspect of the system and allowing different the synchronization strategy by associating changes with stakeholders to observe the system from different perspec- cost functions. Subsequently, in Section 4 we describe how tives [26, 27]. There are more and more approaches which inter-model constraints can be expressed using a consistency allow to define different views of a system resulting in par- model based on UML/OCL. In Section 5 we discuss the pro- tially overlapping models. Unfortunately, this separation of totypical implementation of our approach to automatically concerns by using different viewpoints, potentially expressed find model synchronizations. Finally, in Section 6 we discuss in different domain-specific modeling languages, comes with related work and conclude with an outlook in Section 7. the price of keeping those viewpoints consistent [13]. Thus, 20 2. MODEL SYNCHRONIZATION ARCHI- for synchronization, but just the declarative consistency mod- TECTURE AND RUNNING EXAMPLE els. Among others, this has the advantage that this approach is, in principle, not limited to synchronize two models, but In this section, we introduce our model synchronization any number of models, with or without circular consistency architecture by-example. dependencies between them. Since both model states are considered at the same time, the typical problem of mak- 2.1 Model Synchronization Architecture ing model A consistent with model B, thus requiring addi- A synchronization problem, as depicted in Figure 1(a) tional changes in model B which themselves require addi- and (b), occurs when two models, which were potentially tional changes in model A etc. can never occur. Also, we do consistent in their current state, are subsequently changed not use any model diffing algorithm, but again a fully declar- independently leading to potential inconsistencies. To syn- ative change model, i.e., the constraints which have to hold chronize both models, the goal is to find a suitable set of for a model explaining the difference between two model ver- changes for both models to make them consistent again. As sions. We copy left, right and consistency model two times there may be a huge amount of different change sets to re- to build former and current model while removing all con- establish consistency, the question also arises which one is straints, including multiplicity constraints. This is done to the most appropriate change set for a given situation. Be- ensure that (i) the change model actually describes changes fore we go into details on this aspect, we discuss the general between model versions and (ii) the model finder can find a architecture of our approach, in particular, how we repre- consistent model extension defining only the wanted model. sent the model synchronization problem by utilizing change For completeness reasons please note when integrating left and consistency models. models and right models into global models, name clashes may occur. This can be simply avoided by pre- or postfixing Given Wanted Former Current Reconciled names of classes and properties. Since this step is trivial but MLeftFormer MChangeFormer MLeftCurrent MChange MLeft might clutter the overall architecture and descriptions, it is MConsFormer MCons not further discussed throughout the paper. MRightFormer MRightCurrent MRight 2.2 Running Example (a) general pattern As a running example2 , let us consider two viewpoints for XLII XLI XLI remove no developing and maintaining computer networks as depicted last "I" change in Figure 2: (a) the requirements viewpoint and (b) the im- sameValue sameValue no "two" → plementation viewpoint. The metamodels realizing these change "one" two viewpoints are illustrated in Figure 3. When taking a fourty-two fourty-two fourty-one closer look on Figure 2, we see that the left model stores (b) concrete example the requirements of a computer network. There are named Figure 1: Model synchronizing using change models and consis- machines which provide a certain amount of communica- tency models: (a) general pattern and (b) concrete example. tion speed and others which consume a certain expected amount of data. The right part of Figure 2 contains a In the following, we will describe the general architecture model of the implemented system which does not only in- of our synchronization model as depicted in Figure 1. Our clude servers providing data and computers consuming data, approach synchronizes models by consistently completing a but also routers and cables needed to transfer the data from synchronization model containing the history of the models servers to computers. There are two types of cables, namely (MLeftFormer , MRightFormer , MLeftCurrent and MRightCurrent ), the GlassFiberCables for high-speed connections and Copper- previous consistency relation MConsFormer , which might not Cables for low-speed connections. There are constraints on be a valid consistency relation in the current state, the pre- the right model to ensure that (i) each server can serve the vious change set MChangeFormer , the wanted state of the cables it is connected to, (ii) each computer gets enough models MLeft and MRight with a consistency relation MCons bandwidth for its needs and (iii) each router does not pro- and changes MChange leading to a consistent state. In gen- duce any data and thus can fulfill the outgoing bandwidth eral, model finders like the USE ModelValidator1 search with the incoming bandwidth and its own processing speed. for instances of a metamodel. A model finder can syn- For the given example, the models’ consistency relation- chronize models by consistently completing synchronization ship is defined such that each provider needs a server with models consisting of former and current models with con- the same name and at least that speed and each consumer sistent change and wanted models by adding new objects, needs a computer with the same name and the same speed associations and attributes. Since a model finder may com- and vice versa. plete the model in many ways, including the application of In Figure 2, also the evolution scenario for our running ex- delete changes, in the extreme case to delete the complete ample is shown. It is assumes that the models were changed model, we also foresee to model change costs to guide the independently from each other. In the requirements model, model finder in the right direction. In the concrete example the provider p1 should be made ready for the future and shown in Figure 1, the model finder may find and add two gets a higher speed. Thus, its speed attribute was increased change objects (no change; “two” → “one”) and two consis- from 3 to 4. At the same time in the implementation model tent state objects (XLI; forty-one). changes were performed. It was discovered that the com- Summing up, in contrast to many other approaches, we puter w2 was never used and thus it was removed together do not use explicit consistency restoring transformation rules 2 A slightly simplified version of the example can 1 https://sourceforge.net/projects/useocl/files/ be downloaded from http://cosimo.big.tuwien.ac.at/ Plugins/ModelValidator/ findsync/ 21 p1:Provider p2:Provider s1:Server s2:Server speed = 3 → 4 speed = 3 speed = 3 speed = 4 name = "s1" name = "s2" name = "s1" name = "s2" source source outgoing outgoing h1:GlassFiberCable h2:GlassFiberCable bandwidth = 4 bandwidth = 4 incoming incoming target target r1:Router r2:Router speed = 4 speed = 4 name = "r1" name = "r2" source source source outgoing X outgoing l1:CopperCable X l4:CopperCable l2:CopperCable bandwidth = 2 bandwidth = 2 bandwidth = 2 incoming Xincoming incoming target target target c1:Consumer c2:Consumer c3:Consumer w1:Computer X w2:Computer w3:Computer speed = 2 speed = 2 speed = 2 speed = 2 speed = 2 speed = 2 name = "pc1" name = "pc2" name = "pc3" name = "pc1" name = "pc2" name = "pc3" (a) Requirements model (b) Implementation model Figure 2: Example synchronization scenario: a requirements model, its corresponding implementation model, and their uncoordinated evolution. source outgoing Agent Device 1 * Cable ated, there is no original object. If an object is preserved, speed: integer fixed: boolean name: string 1 * bandwidth: integer there are both original and revised objects. In the change speed: integer target incoming model, every original object must specify what happens in the future and every revised object must specify what hap- Server Computer CopperCable Provider Consumer pened to it in the past. For set-valued features, the set of Router GlassFiberCable future values must be equal to the set of past values with the (a) Requirements model (b) Implementation model deleted values removed and the created features added. For Figure 3: Metamodels of the running example: (a) requirements bag features, the number of occurrences of a future feature metamodel and (b) implementation metamodel. must be equal to the occurrence count of this feature in the past object plus the sum of all added feature counts minus the sum of all deleted feature counts. For ordered features, with its connected cable l4. Now there are two violations the sequence resulting from the deletion of all deleted ele- w.r.t. the aforementioned consistency relationship: The ments from the past object feature must be the same as the speed of server s1 is not sufficient and the consumer c2 has sequence resulting from deleting all created elements from no correspondence on the right side. Of course, one now the future object feature which is expressed by inserting val- may come up with some reconciliation actions for this small ues at specific list indexes, sorted from bottom to top, to the example. One obvious model synchronization would be to common base sequence. delete consumer c2 in the requirements model and to set A composite change builds higher level changes from lower the speed variable to 4 for server s1. For larger examples, level changes [21]. For example, type changes cannot be di- of course automation support is needed in order to reason rectly represented with atomic changes. A general cast com- about appropriate synchronizations. How this is realized by bines an atomic delete change and an atomic create change our approach following the previously described architecture to express that semantically, the object has not been deleted is the content of the following sections. and another created, but the object is still the same. Sim- ilarly, a general move combines an atomic feature delete 3. CHANGE MODEL change and an atomic feature create change for the same Our change model approach consists of an abstract part feature and the same value to specify that the feature has which is the same for all modeling languages and a language- moved and was not deleted and re-added. A feature change specific part which is generated for each used metamodel in- is a composite change defined by an OCL operation which dividually. In general, we follow the ideas presented in [9] takes several parameters and has a postcondition defining to generate language specific change models to represent which changes are done to the object. The last change changes between two models. However, we also go beyond type resembles composite changes as proposed in literature the ideas presented in [9], by providing also the conditions for finding a valid change model. Thus, we do not only ex- CompositeChange plicitly model the abstract syntax of change models but also explicate their semantics in terms of OCL constraints. FeatureChange MoveChange ChangeModel 3.1 Abstract Change Types featureChanges * * moves 1 moveTo Figure 4 shows the abstract structure of our change model. original futureChange moveFrom 1 OriginalObject 0..1 1 AtomicChange * atomicChanges There are two types of changes, namely atomic changes and type: {Create,Delete,Preserve} castFrom 0..1 * casts 1 changeFrom GeneralCast composite changes [21]. An atomic change connects the 0..1 1 pastChange 1 changeTo castTo 0..1 RevisedObject revised original object to the revised object. If an object has been deleted, there is no revised object. If an object has been cre- Figure 4: Abstract change classes. 22 (e.g., [19]) while the others could also be semantically re- DelEl and Same are created in the Change class as shown garded as atomic changes, but are regarded as composite in List. 2. The feature *Same contains a base feature value changes from an implementation point of view. In principle, which is extended by inserting the values in *AddEl to get such explained changes could be derived (semi-)automatically the revised feature value and extended by inserting the val- for various postconditions [24]. If such technologies are used, ues in *DelEl to get the original feature value. The feature only the cost remains to be specified. *Same has the same type as the original feature, but *AddEl Currently, these are the only composite changes supported, and *DelEl are sequences of pairs of (Integer,T). List. 2 but others might be added in the future. Also, it is currently shows the connection between all features. not possible to let a feature change explain features of mul- List. 2: Additional change calculation for ordered features. tiple objects. context ChangeX: 3.2 Language-specific Change Language attrAddEl: Sequence(Tuple{i: Integer, v: \myvar {T}}) Beside the change model itself, the metamodel is dupli- attrDelEl: Sequence(Tuple{i: Integer, v: \myvar cated twice as well where class and feature names are changed {T}}) to avoid name clashes. In particular, all model classes and attrSame: Sequence(T) associations of the previous version might be suffixed with attrMoved: Bag(T) derived = attrAddEl.v - Prev while the metamodel to store current objects and fea- attrAdd ture values is suffixed with Ori and names do not change for attrMovedExpl: Bag(T) derived = featureChanges. attrMovedExpl->union(castChanges. the synchronized model. attrMovedExpl) Two parallel class hierarchies resembling the class hierar- chy of the original metamodel are created. In the Change- inv orderedSequence: Set{attrAddEl,attrAddEl}-> hierarchy, all classes are replicated with a Change prefixed forAll(s | s->isUnique(i) and s->sortedBy(i name inheriting from AtomicChange. For every structural ) = s) feature in the original class X , two structural features of inv addToRevised: (revised = null) or (revised. attr = attrAdd->iterate(t, full = the same type T named as the original structural feature <@attrSame | full->insertAt(t.i, t.v))) attr plus a suffix of Add and Del are created in the Change- inv delFromOriginal: (original = null) or ( class as shown in List. 1. They denote which values have original.attr = attrDel->iterate(t, full = been added or deleted by the change operation. The Add <@attrSame | full->insertAt(t.i, t.v))) attribute is derived as values which exist in the revised The sequence *Same is an auxiliary sequence that repre- model, but not the original model and the Del attribute sents a common sequence between both ordered features. is derived as values which exist in the original model, but The feature attrAddEl contains not only elements which not the revised model. Unique features generate a Set type, have been added to the revised feature from the original non-unique features generate a Bag type. The derived at- feature, but also elements which are not in the common se- tributes attrAddCostly and attrDelCostly contain unex- quence because they have changed their position. Elements plained addition and deletion changes. Associations are de- which are moved are those which are not in the common se- rived in a similar fashion. To ensure that added and deleted quence but whose value has not been added to the common classes can be derived via set difference, the change ob- bag as well. The constraints guarantee a certain order of jects have to be used instead of the original objects, i.e. insert applications and ensure that the original and revised revised.attr.futureChange/original.attr.pastChange feature value actually can be built as previously described. is used instead of revised.attr /original.attr . Unlike the change object above, these feature values are not necessarily directly determined by original and revised ob- List. 1: Change calculation for unordered features. jects. In fact, the sequence in the attrSame feature might context ChangeX: be too short; then too many moves are determined. How- attrAdd: [Set|Bag](T) derived = if revised = ever, a larger number of moves yields higher costs and thus null then [Set|Bag]{} else revised.attr-> a solution with less superfluous moves will be preferred. asBag() endif - if original = null then [Set |Bag]{} else original.attr->asBag() endif Each Change object also has a original and revised as- attrDel: [Set|Bag](T) derived = if original = sociation of the corresponding classes in the original and the null then [Set|Bag]{} else original.attr-> revised model which redefines the original and revised as- asBag() endif - if revised = null then [Set| sociation in AtomicChange to ensure the correct type. Bag]{} else revised.attr->asBag() endif Consider Figure 5 as example for an excerpt of the change attrAddExpl: [Set|Bag](T) derived = model for atomic changes of our running example. Since featureChanges.attrAddExpl->union( castChanges.attrExpl)->union(movedFrom. Device contains a name attribute, ChangeDevice contains attrExpl) two attributes to define which names have been added and attrDelExpl: [Set|Bag](T) derived = deleted. Also, the incoming and outgoing associations are featureChanges.attrDelExpl->union( used to connect to added and deleted cables. The class castChanges.attrExpl)->union(movedTo. ChangeRouter adds two attributes for the maxSpeed. It does attrExpl) not replicate the name attribute changes since they are avail- attrAddCostly: [Set|Bag](T) derived = attrAdd - attrAddExpl able in the superclass. attrDelCostly: [Set|Bag](T) derived = attrDel - Let us now consider another excerpt of an instance of the attrDelExpl change model as depicted in Figure 6. There are two orig- inal objects, the original cable oc1 and the original router For every ordered structural feature, three additional fea- or1. The cable has been deleted, so the speed attribute tures named as the original structural feature plus AddEl, is deleted as well as the incoming connection. The router 23 original futureChange AtomicChange pastChange revised Original Revised 0..1 1 1 1 Object Object incomingDel ChangeDevice_incomingDel ChangeDevice_incomingAdd incomingAdd «redefines» «redefines» CableOri * * ChangeDevice * * Cable DeviceOri nameAdd: Set(string) Device nameDel: Set(string) * * * * outgoingDel ChangeDevice_outgoingDel ChangeDevice_outgoingAdd outgoingAdd «redefines» «redefines» ChangeRouter original futureChange maxSpeedAdd: Set(integer) pastChange revised RouterOri Router 0..1 1 maxSpeedDel: Set(integer) 1 1 Figure 5: Change model excerpt 1 of the running example. cc1:ChangeCable oc1:CopperCableOri nc1:GlassFiberCable oc1:CopperCableOri original futureChange type = Delete speed = {4} speed = {4} speed = {4} speedAdd = {} incomingDel rc1:CastCable speedDel = {4} original revised incoming speedExpl = {4} ChangeDevice_incomingDel futureChange pastChange cc1:ChangeCopperCable castFrom castTo cc2:ChangeGlassFiberCable or1:RouterOri cr1:ChangeRouter rr1:Router futureChange pastChange revised name = {"router"} type = Preserve name = "routerOld" type = Delete type = Create maxSpeed = {4} original nameAdd = {"routerOld"} revised maxSpeed = 4 speedAdd = {} speedAdd = {4} nameDel = {"router"} speedDel = {4} changeFrom changeTo speedDel = {} maxSpeedAdd = {} speedAddExpl = {4} speedAddExpl = {4} maxSpeedDel = {} speedDelExpl = {4} speedDelExpl = {4} speedAddCostly = {} speedAddCostly = {} Figure 6: Change model excerpt 2 of the running example. speedDelCostly = {} speedDelCostly = {} Figure 7: Cast change excerpt for the running example. just has been taken out of usage, so its name was changed to routerOld from router. In terms of attribute changes, this equals the addition of routerOld to the name and the List. 4: Change calculation for moves deletion of router. The speed has not been changed, so no context MoveX: additions or deletions are defined there. The fact that all attrExpl: [Set|Bag](T) derived = moveFrom. constraints, including multiplicity constraints, are removed attrDel->intersection(moveTo.attrAdd) from all but the target model is indicated by the set-valued name and speed attributes for the original objects. In the example depicted in Figure 8, an incoming edge was moved from the Router or1 to or2. The two router Composite changes. change objects show that the edge was deleted (cr1) and In the Cast class hierarchy similarities between cast ob- added (cr2). The move object m1 connects both changes. jects are stored. For every structural feature in the original The intersection of incomingAdd for cr2 and incomingDel class, a structural feature of the same type named as the of cr1 is cc1, so this is the attribute change explained by original structural feature plus a suffix of Expl is created the move object. Thus, it is also explained in both cr1 and in the Cast class. It denotes which values are the same in cr2 and no change of incoming is a costly change. both objects and is defined by the intersection of values be- For every operation O in a class X , a corresponding Fea- tween original and revised object and thus explains those tureX_O class is created which inherits from FeatureX . This ostensible changes. List. 3 demonstrates the structure of class contains an attribute for each operation parameter and Cast objects. An invariant ensures that the cast object is it has a bidirectional association to the change class of the connected to a single object which is deleted and an object class the operation is defined in. The postcondition of the which is added. operation X is converted into an invariant of the generated class by changing the self context of each @pre expression List. 3: Change calculation for casts to the original object of the associated change while other context CastX: self contexts are transferred to the revised object of the attrExpl: [Set|Bag](T) derived = castFrom. associated change. For features changed in the referenced attrDel->intersection(castTo.attrAdd) object, this class contains a T[Add|Del]Expl attribute for inv changeTypes: changeFrom.type = ChangeType. each attribute in the original class. Postconditions which Delete and changeTo.type = ChangeType.Create have the pattern feature = feature@pre->including([expr]) Consider Figure 7 for an example of such a cast change or feature = feature@pre->excluding([expr]) are con- for our running example. The model has only changed by verted into the invariant T[Add|Del]Expl = Set{[expr]}. retyping oo1 from CopperCable to GlassFiberCable. This is expressed as two changes, namely deleting the Copper- incomingAddExpl, incomingAdd Cable and creating a GlassFiberCable with the same values. cc1:ChangeCopperCable oc1:CopperCableOri original type = Preserve revised nc1:CopperCable Since the speed has not changed, the same value was deleted incoming futureChange incomingDel, pastChange incomingExpl for the CopperCable that was added to the GlassFiberCa- incomingDelExpl ble. Thus, the cast explains this value change and it is not or1:RouterOri original cr1:ChangeRouter revised nr1:Router futureChange type = Preserve pastChange considered for costs. moveFrom movedTo Similarly, a Move change for a certain aggregation at- m1:MoveRouter type = Update tribute connects two change objects where an association moveTo movedFrom incoming to a certain object X was deleted in one object, but created or2:RouterOri original cr2:ChangeRouter revised nr2:Router in another object. However, there is no requirement that futureChange type = Preserve pastChange any object must be deleted or created. Figure 8: Move change excerpt for the running example. 24 Additionally, invariants are generated to ensure all features a higher value instead of 1 to Delete or Create changes. not occurring in any such postcondition are empty. An in- Positive costs ensure hippocraticness [32], i.e., that the syn- variant is generated to let the cost attribute of the class be chronization does nothing for consistent models, because ev- equal the operation result. ery change would have positive cost while consistent models would require no change which has no and thus less cost. List. 5: Simple change operation defined in UML/OCL. context Router::disconnectServer(c: Cable) List. 7: Least change cost calculation. post disconnectedIncoming: incoming = ( class ChangeObject incoming@pre)->excluding(c) attributes post disconnectedOutgoing: outgoing = ( costObject: Integer derived = if type = outgoing@pre)->excluding(c) ChangeType.Create or type = ChangeType. Delete then if castTo != null then 0 else 1 This example shows a simple operation which just discon- endif else 0 endif nects a single cable from a router. The postconditions state end that after this operation has been called, the disconnected class ChangeCable cable is not connected to the server any more. attributes costCable: Integer derived = speedAddCostly-> List. 6: Translation of the change operation of List. 5 into the size() + speedDelCostly->size() + synchronization model sourceAddCostly->size() + sourceDelCostly-> class FeatureRouter size() + targetAddCostly->size() + attributes targetDelCostly->size() ... end end class CostSummer class FeatureRouter_disconnectServer < attributes FeatureRouter cost = ChangeObject.allInstances().costObject-> sum() + ChangeCable.allInstances(). constraints costObject->sum() + ... inv disconnectedIncoming: incomingDelExpl = Set end {c} inv disconnectedOutgoing: outgoingDelExpl = Set List. 7 shows an excerpt of the implementation of the {c} least cost strategy for the running example. The cost of inv noChange: incomingAddExpl = Set{} and ... deleting or adding objects is defined as attribute of the end ChangeObject class. If an object is casted to another object, association the cost is not accounted. The ChangeCable class calculates assoc_FeatureRouter_disconnectServer_c the cost by summing up the costs of its direct attributes. between The CostSummer calculates the total costs by summing over FeatureRouter_disconnectServer[*] role all cost attributes. FeatureRouter_disconnectServer_c ChangeCable[1] role c end Real costs. Models might be representations of the real world where This example is translated as shown in List. 6. For each changes induce real costs, e.g., working time for switching postcondition with the specified pattern, an invariant is gen- cables or the costs of a new server. Then, it is natural to erated which explains the according changes. The third in- use a cost function resembling real costs. These costs will variant guarantees that all other attributes are not changed typically occur as operation costs. due to this operation call. The operation parameter is trans- lated as association. Like for atomic changes, a parameter List. 8: Domain-specific cost calculation. of type Cable is translated to a ChangeCable. context Router::disconnectServer(c: Cable) body: if c.isKindOf(CopperCable) then 5 else 10 3.3 Change Costs endif While the change model describes what has changed, for ==> class FeatureRouter_disconnectServer synchronization purposes, the severity of changes should be attributes known. To describe this aspect as well, a cost function is cost: Integer derived = if (c.revised.isKindOf( added to each Change-class. The specification of the ex- CopperCable)) then 5 else 10 endif ... act cost function depends on the synchronization strategy. In we following, we discuss how different synchronization List. 8 shows a simple example of operation costs. It strategies can be implemented with our approach. might be more difficult to disconnect glass fiber cables than to disconnect copper cables, so the costs could be twice as Least change. high. Such costs are transformed into an invariant as ex- The least change [22] strategy cost function sums up the plained in the previous section. size of all unexplained add and deletion collections in the Change objects and adds 1 if the change type is Delete or Organizational asymmetry. Create. If objects have been casted, one change should not If model A is considered more important than another be counted. This function can be easily changed to sup- model B, changes in model A should be avoided. By assign- port a least creation or least deletion strategy by adding ing much higher costs to changes in the model A, changes in 25 model A are avoided but enforced in model B. For instance, inv avoidRedo: if original.pastChange.type = this strategy may be also of relevance for the running exam- ChangeType.Create then type <> ChangeType. ple of this paper. Delete and if original.pastChange.type = ChangeType.Delete then type <> ChangeType. Create endif Avoiding undos. end Usually, a model was modified for a good reason. Thus, the synchronization step should not return to the previous model version. To achieve that, additional costs can be in- troduced if some attributes in the target re-appear: (i) if 4. CONSISTENCY MODEL they were deleted before or vice versa using the sum of sym- In this section, we will show how inter-model consistency metric difference sizes of attrAdd and attrDelete of future concerns are modeled with UML/OCL. In general, we fol- and past change objects in the current model, (ii) if objects low the main idea of triple graph grammars (TGGs) [30] and are deleted when they were created before by counting cre- triple patterns [10] to build an explicitly modeled structure ate/delete pairs, and (iii) if objects are created when they between two models. If the models are defined with UM- were deleted by counting created objects in the target model L/OCL we end up with an unified representation for intra- which are similar to deleted objects in the former model. and inter-model concerns. List. 9 shows a simple example for avoiding undos. Each As we now show in this section, by using UML/OCL it is attribute which is reassigned to the same value as before will possible to describe the interconnection between models by induce a cost of 10 because both the old value is added which additional associations, constraints and possibly even addi- should not be the case and the newly set value is deleted. If tional other elements such as classes and attributes. an attribute whose value was changed has its value changed Since we aim for a non-intrusive addition of synchroniza- again the cost would only be 5. If an object is deleted which tion logic, we assume open models or some form of mod- was created before, the cost increases by 100. Likewise, if ule import, at least for defining new associations. In the an object is recreated which has the same name as an object following, @override denotes the extension of the speci- which was deleted, the cost is increased by 200. fied class with attributes and associations contained by the consistency model. We now show several examples how to List. 9: Costs for avoiding undos. employ UML/OCL to define consistency models in terms of class ChangeRouter correspondences. attributes avoidRedoCosts: Integer derived = if original. One-to-one correspondences. pastChange.type = ChangeType.Create then 5* One-to-one correspondences are easily defined in UML/OCL original.pastChange.speedDel->intersection( by adding an association between the corresponding classes speedAdd)->union(original.pastChange. speedAdd->intersection(speedDel))->size() having as lower and upper bounds 1 on both ends. Figure 9 +... shows an example where classes correspond based on name else if type = ChangeType.Delete then 100 else equality. Such constraints can either be added to a class (as 0 endif endif + if type = ChangeType.Create shown in graphical syntax) or added to the association (as and ChangeRouterOri.allInstances()->select shown in textual syntax) as preferred. (c | c.type = ChangeType.Delete).original-> select(r | r.name = revised.name) then 200 1 1 association LRCon between else 0 endif @override leftcon rightcon @override Consumer[1] role leftcon Consumer Computer Computer[1] role rightcon end constraints inv: leftcon.name = rightcon.name end name = rightcon.name Retaining existing traces. Figure 9: One-to-one correspondence between consumer and com- puter in graphical and textual syntax. A consistency model might be just descriptive or prescrip- tive. In the former case, changes in the consistency model One-to-many correspondences. should have no cost, while in the latter case, consistency One-to-many correspondences can also be expressed by model changes, especially deletions, might have high costs if associations. Figure 10 shows an example where a server in the associated objects were not deleted. the requirements model might correspond to a whole cluster Please note that there are design decisions to take which in the implementation model. In particular, the constraint synchronization properties to define as constraints and which inv1 specifies that a single cluster provider corresponds to via costs. For example, undos could not only be avoided us- many nodes if all servers have exactly one router and nothing ing costs as described in List. 9, but also by just using a else as target of their outgoing cables. Then, all servers con- constraint like in List. 10. However, then no synchroniza- nected to this router constitute the cluster, else a provider tion would be possible at all if conflicting model changes corresponds to a single cluster. would have been performed which could only be resolved by undoing a change. This also holds in the case of asymmetric @override 1 @override association LRSrv between 1..* changes. If a model should never change, this model can just Provider cluster node Server Provider[1] role cluster Server[1..*] role node be used as target models with additional constraints that all constraints attributes and associations should remain equal. inv:let router = cluster.node.outgoing.target in end if router->one(true) and router->one(r | r.oclIsTypeOf(Router)) then List. 10: Constraints for avoiding undos. cluster.node = router.incoming.source else cluster.node->one(true) endif inv1 class ChangeRouter Figure 10: One-to-many correspondences between provider and constraints server in graphical and textual syntax. 26 Many-to-many correspondences. Solver Time (FS) Costs (FS) Time (OS) Many-to-many can also be expressed either by using n- lingeling3 4 min 52 sec 21 38 min ary associations of UML or by introducing additional classes plingeling3 6 min 26 sec 17 77 min which connect more than one class on both sides by asso- ciations. Figure 11 shows a more complex correspondence MiniSat4 8 min 49 sec 46 OOM between provider and server. Servers may be either part Sat4J5 65 min 3 85 min of a typical cluster where a service is provided by multi- Table 1: Execution times and costs for the running example (FS: first solution, OS: optimal solution, the cost for producing the ple servers or part of a virtual cluster, where services may optimal solution is 2, OOM: out of memory). be assigned to many servers and each server might handle multiple services. Table 1 shows the average runtime of three runs to find any @override 1..* 1 ClusterAssoc 1 1..* @override node solution and a cost-minimal solution with different solvers. Provider service cluster cluster Server The runtimes vary greatly with each run, but still some * backupprovision trends can be observed. The runtimes also indicate that TypicalCluster VirtualCluster service->one(true) inv1 1 backup with the current state of the USE model validator, the ap- proach cannot be directly used to find a good synchronized backup != self and backup.service-> includesAll(service) instances within a reasonable time frame for large models. inv2 Figure 11: Many-to-many correspondences between provider and Still, we see a huge difference between solvers. While lin- server in graphical syntax. geling and plingeling are quite fast finding the first solution which already provide a good quality, Sat4J requires a longer Correspondence dependencies. time to find any solution, but this first solution is nearly A full consistency model may also contain dependencies the optimal one. MiniSat had quite some problems for the between correspondences modeled as associations. Figure 11 studied scenario. It produced did not produce appropriate shows that each virtual cluster requires a second virtual clus- solutions and went out of memory without finding the best ter as backup which must provide the all services. solution. In addition to computing synchronizations, we see also an 5. TOOL SUPPORT BASED ON THE USE alternative usage scenario for the presented approach. It can be also used to validate whether an existing synchronization MODEL VALIDATOR found by another tool is a valid synchronization by using The presented synchronization approach has been proto- the validation capabilities of OCL. Here, the full approach typically implemented as an USE plugin and can be down- can be used since USE is able to check all constraints used loaded from http://cosimo.big.tuwien.ac.at/findsync. in the approach. While the consistency model has to be hand-crafted, the USE plugin merges the different involved models automat- 5.2 Threats to Validity ically, generates the change model, and finds the minimum In the evaluation, we have only shown the general fea- cost synchronized models. To give an idea about the com- sibility of the approach, but not that it is fast enough for plexity of the automatically produced models, consider the larger instances. We assume that faster, maybe heuristic running example of this paper for which the generated model model finding approaches may significantly improve the per- contains 79 classes, 124 associations, and 379 invariants. formance but we do not have any concrete evidence for this The costs are currently fixed to a constant for each primi- yet. Thus, we can not claim that the performance can be tive change operation. Due to limitations in the USE model actually improved in order that the approach scales to the validator, some constraints and structures had to be refor- synchronization of larger real-world models in the matter of mulated and only set-typed features are supported. The minutes. optimization process is run by iteratively finding a model completion with less cost than the previously found solution. If the model finder is not able to find any better solution, 6. RELATED WORK the cost-optimal solution has been found. Bounds have to While transformation models using UML/OCL have been be given for the number of instances of each class, thus cost- already introduced back in 2006 [3], to the best to our knowl- optimality is only guaranteed with regards to these bounds. edge, the model synchronization aspect has not been consid- ered in such type of models. However, since model synchro- 5.1 Evaluation nization is an important topic in model-driven engineering, We ran our performance evaluation using a simplified syn- there is already a great variety of approaches to support chronization scenario of the one shown in Figure 2 on a Intel different synchronization scenarios. For example, there is i5-6500 3.2 GHz machine with 64 GB RAM, running Ubuntu specific work on model synchronization by specifying how Linux 16.04. For simplicity reasons, all costs were assumed to deal with inconsistencies [2, 11, 14] and by using bidirec- to be one. tional transformation languages. For instance, triple graph 3 grammars [20, 30] are often employed for model synchro- Version ’15, available at: http://fmv.jku.at/ nization scenarios such as reported in [1,15,17]. In a similar lingeling/lingeling-bal-2293bef-151109.tar.gz 4 fashion, QVT Relational [33] allows synchronization, also Version 2.2.0, available at: http://minisat.se/ downloads/minisat-2.2.0.tar.gz in conjunction with unidirectional transformation languages 5 Version 2.3.1, integrated in the ModelValidator jar, such as ATL [22]. Furthermore, there are other, mostly available at: http://forge.ow2.org/project/download. rule-based, approaches available (cf. [18] for a survey). One php?group_id=228&file_id=17186 benefit of our approach when comparing it to existing work 27 is that we make use of an explicit change model which allows ness. Including optimization strategies in the USE model to adjust the synchronization strategy in a domain-specific validator for this problem, which has been done in the past way. for similar problems, may increase the performance by or- There are also some existing approaches using constraint ders of magnitude and make this approach usable in practice. solving for model synchronization such as the Janus Trans- Also, we need to evaluate in which cases, if any, a suitable formation Language (JTL) [8], also with compressed state cost definition could let our approach find least surprising space [12], and the CARE approach [29]. JTL [8] is using changes [7]. answer set programming (ASP) to find a synchronized re- sult. In contrast to JTL, we do not map a relation-based language into ASP, but we aim to describe everything with 8. ACKNOWLEDGMENTS UML/OCL. In addition, we also provide a method to pre- Acknowledgment: This work has been funded by the Vi- fer certain change results over others by having cost models enna Business Agency (Austria) within the COSIMO project attached to change models. In previous work, we have pre- (grant number 967327) and by the Christian Doppler Forsch- sented CARE [29], an approach using a constraint solver ungsgesellschaft, the Federal Ministry of Economy, Family (ASP) to re-synchronize models with their evolving meta- and Youth and the National Foundation for Research, Tech- models. However, CARE is a specific approach for the nology and Development, Austria. metamodel/model co-evolution problem. The approach pre- sented in this paper may be also employed in the future 9. REFERENCES to reproduce the results of the CARE approach. An alter- native approach for metamodel/model co-evolution is pre- [1] A. Anjorin, S. Rose, F. Deckwerth, and A. Schürr. sented in [28] where the variability of different model mi- Efficient Model Synchronization with View Triple gration solutions is formalized as a feature model. We see Graph Grammars. In Proceedings of the European this research direction as an interesting line for future work Conference on Modelling Foundations and as this would allow to concisely report equally good model Applications (ECMFA), volume 8569 of LNCS, pages synchronization solutions, i.e., having the same cost, to the 1–17. Springer, 2014. user. [2] G. Bergmann, I. Ráth, G. Varró, and D. Varró. There have been many change models proposed in the Change-driven model transformations - change (in) the literature, e.g., [6, 9, 31, 34]. However, to the best of our rule to rule the change. SoSyM, 11(3):431–461, 2012. knowledge, we do not know any constraint-based approach [3] J. Bézivin, F. Büttner, M. Gogolla, F. Jouault, to define change models. I. Kurtev, and A. Lindow. Model transformations? transformation models! In Proceedings of the 7. CONCLUSION AND FUTURE WORK International Conference on Model Driven Engineering Languages and Systems (MODELS), In this paper, we have shown how to transform the prob- volume 4199 of LNCS, pages 440–453. Springer, 2006. lem of model synchronization into the problem of defining [4] J. Bézivin, R. F. Paige, U. Aßmann, B. Rumpe, and a suitable consistency model and a change model with UM- D. C. Schmidt. Manifesto - model engineering for L/OCL. This can be used to check whether a given synchro- complex systems. CoRR, abs/1409.6591, 2014. nization strategy was performed successfully and to find syn- [5] M. Brambilla, J. Cabot, and M. Wimmer. chronization strategies by model completion. As the evalu- Model-Driven Software Engineering in Practice. ation has shown, the approach can be used to build an in- Morgan & Claypool, 2012. cremental transformation which is used for our approach it- self. The approach has also been prototypically implemented [6] E. J. Burger. Flexible views for view-based which shows that automation is feasible. model-driven development. In Proceedings of the 18th In the future, we need to further develop both the con- International Doctoral Symposium on Components ceptual approach and the implementation. Sometimes, you and Architecture, pages 25–30. ACM, 2013. explicitly require a change in a model if a specific change [7] J. Cheney, J. Gibbons, J. McKinna, and P. Stevens. happened in another model [35]. Within this approach, Towards a principle of least surprise for bidirectional this would correspond to a consistency model constraining transformations. In Proceedings of the 4th change objects. A sensible consistency model or an alterna- International Workshop on Bidirectional tive representation translated into a consistency model for Transformations co-located with Software Technologies: that has to be found. The approach could be adapted to sup- Applications and Foundations, STAF 2015, L’Aquila, port metamodel/model co-evolution by (i) translating the Italy, July 24, 2015., pages 66–80, 2015. metamodel to a model a consistency relation between this [8] A. Cicchetti, D. Di Ruscio, R. Eramo, and generated model and the model to co-evolve or (ii) allowing A. Pierantonio. JTL: A Bidirectional and Change the target metamodel to differ from the source metamodel. Propagating Transformation Language. In Proceedings The first approach would be more general since it would not of the International Conference on Software Language only cover model evolutions based on metamodel changes Engineering (SLE), volume 6563 of LNCS, pages but may also cover metamodel evolutions based on model 183–202. Springer, 2011. changes, but at the same time more challenging since OCL [9] A. Cicchetti, D. Di Ruscio, and A. Pierantonio. A constraints would have to be translated into a model and metamodel independent approach to difference interpreted using OCL. Thus, we are currently evaluating representation. Journal of Object Technology, the latter approach. 6(9):165–185, 2007. The performance and scalability of the implementation [10] J. de Lara, E. Guerra, and P. Bottoni. Triple patterns: has to be assessed in order to increase its practical useful- Compact specifications for the generation of 28 operational triple graph grammar rules. ECEASST, 6, classification of model repair approaches. CoRR, 2007. abs/1504.03947, 2015. [11] R. Eramo, A. Pierantonio, J. R. Romero, and [24] P. Niemann, F. Hilken, M. Gogolla, and R. Wille. A. Vallecillo. Change management in multi-viewpoint Assisted generation of frame conditions for formal system using ASP. In Workshops Proceedings of the models. In Proceedings of the Design, Automation & International IEEE Enterprise Distributed Object Test in Europe Conference & Exhibition (DATE), Computing Conference (EDOCW), pages 433–440. pages 309–312, 2015. IEEE, 2008. [25] Object Management Group. Meta Object Facility [12] R. Eramo, A. Pierantonio, and G. Rosa. Managing (MOF) 2.0 Query/View/Transformation Specification. uncertainty in bidirectional model transformations. In http://www.omg.org/spec/QVT/1.0/. Proceedings of the ACM SIGPLAN International [26] J. E. Rivera, J. R. Romero, and A. Vallecillo. Conference on Software Language Engineering (SLE), Behavior, time and viewpoint consistency: Three pages 49–58, 2015. challenges for MDE. In Models in Software [13] A. Finkelstein, D. M. Gabbay, A. Hunter, J. Kramer, Engineering, Reports and Revised Selected Papers of and B. Nuseibeh. Inconsistency handling in Workshops and Symposia at MODELS 2008, pages multi-perspective specifications. In Proceedings of the 60–65, 2008. 4th European Software Engineering Conference [27] J. R. Romero and A. Vallecillo. Well-formed rules for (ESEC), volume 717 of LNCS, pages 84–99. Springer, viewpoint correspondences specification. In Workshops 1993. Proceedings of the 12th International IEEE Enterprise [14] A. Finkelstein, D. M. Gabbay, A. Hunter, J. Kramer, Distributed Object Computing Conference (ECOCW), and B. Nuseibeh. Inconsistency handling in pages 441–443, 2008. multi-perspective specifications. IEEE Trans. Software [28] D. D. Ruscio, J. Etzlstorfer, L. Iovino, A. Pierantonio, Eng., 20(8):569–578, 1994. and W. Schwinger. Supporting variability exploration [15] H. Giese and R. Wagner. From model transformation and resolution during model migration. In Proceedings to incremental bidirectional model synchronization. of the 12th European Conference on Modelling SoSyM, 8(1):21–43, 2009. Foundations and Applications (ECMFA), volume 9764 [16] M. Gogolla, L. Hamann, and F. Hilken. On static and of LNCS, pages 231–246. Springer, 2016. dynamic analysis of UML and OCL transformation [29] J. Schoenboeck, A. Kusel, J. Etzlstorfer, models. In Proceedings of the Workshop on Analysis of E. Kapsammer, W. Schwinger, M. Wimmer, and Model Transformations co-located with ACM/IEEE M. Wischenbart. CARE: A Constraint-based 17th International Conference on Model Driven Approach for Re-Establishing Conformance Engineering Languages & Systems (MoDELS 2014), Relationships. In Proceedings of the 10th Asia-Pacific pages 24–33, 2014. Conference on Conceptual Modelling (APCCM), pages [17] F. Hermann, H. Ehrig, C. Ermel, and F. Orejas. 19–28. Australian Computer Society, 2014. Concurrent Model Synchronization with Conflict [30] A. Schürr. Specification of graph translators with Resolution Based on Triple Graph Grammars. In triple graph grammars. In Proceedings of the 20th Proceedings of the International Conference on International Workshop on Graph-Theoretic Concepts Fundamental Approaches to Software Engineering in Computer Science (WG), pages 151–163, 1994. (FASE), volume 7212 of LNCS, pages 178–193. [31] C. Seidl, I. Schaefer, and U. Aßmann. Deltaecore - A Springer, 2012. model-based delta language generation framework. In [18] S. Hidaka, M. Tisi, J. Cabot, and Z. Hu. Feature-based Proceedings of Modellierung, pages 81–96, 2014. classification of bidirectional transformation [32] P. Stevens. Towards an algebraic theory of approaches. SoSyM, 15(3):907–928, 2016. bidirectional transformations. In Proceedings of the 4th [19] M. Javed, Y. M. Abgaz, and C. Paul. Composite International Conference on Graph Transformations ontology change operators and their customizable (ICGT), pages 1–17, 2008. evolution strategies. In Proceedings of the 2nd Joint [33] P. Stevens. Bidirectional model transformations in Workshop on Knowledge Evolution and Ontology QVT: semantic issues and open questions. SoSyM, Dynamics (EvoDyn), pages 1–12. CEUR-WS.org, 9(1):7–20, 2009. 2012. [34] G. Taentzer, C. Ermel, P. Langer, and M. Wimmer. A [20] E. Kindler and R. Wagner. Triple graph grammars: fundamental approach to model versioning based on Concepts, extensions, implementations, and graph modifications: from theory to implementation. application scenarios. Technical report, tr-ri-07-284, SoSyM, 13(1):239–272, 2014. University of Paderborn, 2007. [35] M. Wimmer, N. Moreno, and A. Vallecillo. Viewpoint [21] P. Langer, M. Wimmer, P. Brosch, co-evolution through coarse-grained changes and M. Herrmannsdörfer, M. Seidl, K. Wieland, and coupled transformations. In Proceedings of the G. Kappel. A posteriori operation detection in International Conference on Objects, Models, evolving software models. Journal of Systems and Components, Patterns (TOOLS), volume 7304 of Software, 86(2):551–566, 2013. LNCS, pages 336–352. Springer, 2012. [22] N. Macedo and A. Cunha. Least-change bidirectional model transformation with QVT-R and ATL. SoSyM, pages 1–28, 2014. [23] N. Macedo, J. Tiago, and A. Cunha. A feature-based 29