=Paper=
{{Paper
|id=Vol-2019/exe_2
|storemode=property
|title=Executing Models by Filmstripping: Enhancing Validation by Filmstrip Templates and Transformation Alternatives
|pdfUrl=https://ceur-ws.org/Vol-2019/exe_2.pdf
|volume=Vol-2019
|authors=Nisha Desai,Martin Gogolla,Hilken Frank
|dblpUrl=https://dblp.org/rec/conf/models/DesaiGH17
}}
==Executing Models by Filmstripping: Enhancing Validation by Filmstrip Templates and Transformation Alternatives==
https://ceur-ws.org/Vol-2019/exe_2.pdf
Executing Models:
Enhancing Validation by Filmstrip Templates and
Transformation Alternatives
Nisha Desai Martin Gogolla Frank Hilken
Department of Computer Science Department of Computer Science Department of Computer Science
University of Bremen University of Bremen University of Bremen
D-28334 Bremen, Germany D-28334 Bremen, Germany D-28334 Bremen, Germany
nisha@informatik.uni-bremen.de gogolla@informatik.uni-bremen.de fhilken@informatik.uni-bremen.de
Abstract—This paper discusses an approach to execute models for the filmstrip realization using binary association, aggre-
with filmstrip templates in order to enhance the validation and gation, or composition. By performing a feasibility study we
execution process so that model execution time is decreased. check and show the performance of the filmstrip templates
A filmstrip template identifies recurring model parts. When
such recurring model parts are constructed only once, model for different architectures and compare the execution time of
validation time is reduced. We also improve our previous filmstrip particular test cases.
approach by employing more efficient architectures for the The rest of this paper is organized as follows. Section II pro-
needed filmstrip transformation. By performing a feasibility vides some background on filmstripping. Section III describes
study we check and show the performance of our filmstrip different architectures for filmstripping. Section IV introduces
templates for different architectures and compare execution times
for particular test cases. Among the developed and tested seven and explains the approach enhancing the validation process,
architectures, three show particular good results with respect to i.e., the concepts behind filmstrip templates. Section V and VI
execution and validation time. illustrate the execution and the results of the comparative
Index Terms—UML and OCL model, Operation contract, study that we have conducted. Related work is addressed in
Model execution, Model validation and verification, Filmstrip- Sect. VII. Finally, in Sect. VIII, the paper is closed with
ping, Filmstrip template, Filmstrip architecture
conclusions and some future work.
I. I NTRODUCTION II. F ILMSTRIPPING
Recently, modeling languages as UML and OCL and ex- An ordinary UML and OCL application model can involve
ecutable models [1], [2] are gaining more and more impor- structural aspects in form of OCL invariants and dynamic
tance in designing systems. For a given application model, aspect in form of operation pre- and postconditions. Changes
it is crucial to validate and verify system properties during in object states are triggered by operation calls. The model
the design phase. A variety of validation and verification validator in the tool USE is designed for structural analysis
techniques are currently available. For the purpose of model of UML class diagrams. In order to validate dynamic aspects
behavior validation, the tool USE [3] can be employed to of the model, our filmstrip approach is used. Filmstripping
transform a given UML and OCL application model into an transforms a given UML and OCL model which is comprised
equivalent so-called filmstrip model [4]. In USE, a model of invariants and pre- and postconditions into an equivalent
validator can automatically generate a valid object diagram by model which possesses only invariants. The transformed model
using configurations, and thus automatic test case generation is called a filmstrip model. This transformed model involves
is possible. As systems and their models are getting more only structural aspects and can be validated with the USE
complex, test scenarios are getting larger, and therefore the model validator. Roughly speaking, system dynamics is ex-
execution time for model validation becomes crucial. pressed in the filmstrip model by different explicit objects
In this paper, we introduce filmstrip templates for our representing operation calls. A sequence of operation calls
filmstrip approach in order to enhance the validation and and object diagrams of an application model corresponds to a
execution process. A filmstrip template reduces the work of single object diagram of the filmstrip model [4].
our model validator by identifying recurring model parts. The filmstripping approach can be explained best in terms
Thereby validation time is reduced. Another improvement of of an example. Figure 1 shows essential parts of a library
our previous filmstrip approach is to employ more efficient ar- model [5] in which users can borrow and return book copies.
chitectures for the needed filmstrip transformation. Currently, The original application model is indicated in a gray-shaded
the transformation of a filmstrip model is realized using a style, namely the classes User and Copy together with the
ternary association. But, there are other possible architectures association Borrows in the class diagram, and the small
� Fig. 1. Application model and filmstrip model (Architecture D in Fig. 2).
sequence diagram represents the application model. Structural calls play a central role in the filmstripping approach, because
and dynamic aspects of this application model are completely they provide the glue that keeps the items together. As men-
described with OCL invariants and pre- and postconditions. tioned earlier, currently a ternary association is used to link
The application model is automatically transformed into snapshots with each other and with related operation calls.
the filmstrip model: the non-gray shaded classes and the However, there are other possible architectures through which
object diagram in Fig. 1. In essence, the application model snapshots and operation calls can be linked. Figure 2 shows
sequence diagram becomes a filmstrip model object diagram. seven different possible architectures.
Snapshot objects explicitly allow to capture single sys-
tem states from the application model. Operation call ob-
jects (suffix OpC) describe operation calls from the applica-
tion model. Basically, each operation is transformed into an
OperationCall class with attributes for the Self objects
and for the operation parameters. Thus, for example, the
call user4.return(copy2) from the sequence diagram
is represented by the object return_useropc2 in the
filmstrip object diagram. The effect of the operation call is
represented by the differences between the left and the right
snapshot: The return operation call removes the Borrows
link and increases the attribute numReturns. The two User
and the two Copy objects represent different object states
before and after the operation call. One could say that the
object copy3 is a later incarnation of the object copy2. The
library model contains another class Book not shown in Fig. 1.
III. A RCHITECTURES FOR FILMSTRIPPING
The transformation into a filmstrip model introduces new
classes for snapshots and for operation calls. Furthermore,
proper directed connections between these snapshots and oper-
ation calls are realized through links. Snapshots and operation Fig. 2. Different filmstrip architectures for the transformation.
� Figure 2(A) shows the use of a ternary association
to connect Snapshot to Snapshot as well as to
OperationCall. Figure 2(B) displays a possibility to con-
nect Snapshot to Snapshot and to an OperationCall
by means of two associations. Here the first association
connects the Snapshot sequence and the other connects the
OperationCall to Snapshot which represents the pre-
state of the OperationCall. Figures 2(C) and (D) are al-
most same as (B), except that the first uses aggregation and the
second uses composition instead of an association to connect
Snapshot to Snapshot. Figure 2(E) shows another ap-
proach to connect the classes using two associations. This time
the Snapshot class is connected to the OperationCall
and in return, this OperationCall class is again connected
to the Snapshot, which represents the post-state of the
OperationCall. Figures 2(F) and (G) are more or less
similar to (E), except that the first uses aggregation and the
second uses composition instead of an association.
All newly introduced architectures (B)-(G) can be used
to realize filmstripping and are interchangeable, but they
all have some pros and cons. The architectures (B), (C),
and (D) have a link which connects Snapshot to Snapshot
directly which makes the navigation from Snapshot to
Snapshot independent from the OperationCall class.
But it could be possible that a post-state is generated with-
Fig. 3. Overview on validation process with filmstrip templates.
out an OperationCall. Thus OCL invariants are used
to overcome this situation and to execute the architectures
successfully. In the case of architectures (E), (F) and (G), links, not the gray part) that has to be only completed by the
the Snapshot class is connected via the OperationCall USE model validator. So the model validator has only a few
class. With these architectures, it is not possible to navigate elements to construct in order to achieve a complete object
between the Snapshot objects directly, and this requires diagram. This approach enhances the validation process and
OCL expressions to navigate from Snapshot to Snapshot leads to a faster execution time.
object. The use of aggregation and composition links in the Filmstrip object diagrams using any of the architectures
architectures ensure that the connections are cycle-free. have snapshot and application objects. These objects (without
attribute values) and their links (object-object and object-
IV. E NHANCING FILMSTRIPPING WITH TEMPLATES
snapshot) can be defined in the filmstrip template. Apart
Within the filmstrip approach, the USE model validator [6] from this, in the case of architectures (B), (C), and (D),
uses configurations (which describe a number of application the Snapshot connects with itself without a need for an
and filmstrip objects and links) and constructs an object OperationCall. This allows to define snapshot-snapshot
diagram for the filmstrip model. If the number of snapshots, links in the filmstrip template for the architectures (B), (C)
operation calls and application objects are known, one can and (D).
introduce filmstrip templates. Figure 3 gives an overview on Figure 4 shows a template for a filmstrip object diagram
the validation process using filmstripping and the template which is relying on architecture (B). The model elements
approach. shown in black (snapshot and application model objects with-
The template consists of snapshot objects and application out attribute values and links) represent the filmstrip template
objects without attribute values, but with already established and the part highlighted in gray has to be generated by the
connecting links between them. For example, if n operation model validator. So the model validator has only to find the
calls on m application model objects are known from the proper OperationCall objects, application model links,
configuration, one can pre-compute the needed n + 1 snapshot and attribute values. The overhead for handling the snapshot
objects each one being connected to m application objects and application model objects are effectively reduced.
and one can establish the needed links automatically. Figure 4
sketches an example with 2 operation calls and 9 application V. S TUDY EXECUTION
objects. When the developer has made the choice for the In order to check the performance of the filmstrip template
number of snapshots and the number of objects in each approach and the different filmstrip architectures in terms of
application class, the filmstrip template approach constructs execution time, a feasibility study has been performed. The test
a partial object diagram (in Fig. 4, only black objects and cases have been executed with and without filmstrip templates
� Fig. 4. Example template in the filmstrip approach (Architecture (B) from Fig. 2).
for the filmstrip architectures. The filmstrip transformation context Snapshot inv numReturnThree:
using ternary filmstrip architecture (A) is already available in self.succ()=null implies
the tool USE. The other shown architectures (B)-(G) are now self.copy->forAll(c | c.numReturns = 3)
implemented and can be accessed directly. Here two test cases,
one for the library model and one for the concurrentAppend
There are three invariants specified in this test case for
model [7] have been considered for the study.
generating the scenario. The first invariant numReturnZero
The test cases used are shortly described in Table I. Each test
and the second invariant noLinkUserCopy are for the initial
case constructs a scenario based on initial and final snapshot
snapshot, and the third one is for the final snapshot: First the
conditions expressed as OCL invariants. The configurations
number of returns of the copy is required to be zero; second,
(determined by the developer) mentioned in the table restrict
the copies in the library are restricted; the third invariant
the number of allowed objects in the respective class and there-
numReturnThree concerns the number of returns of the
fore restrict the operation calls in a corresponding application
copy.
model sequence diagram. Based on the stated configurations
The operation specification for this test case has been
and invariants, the USE model validator constructs a valid
given in the range 0..6. Based on the externally specified
object diagram [8]. The filmstrip templates for this study
invariants, the model validator chooses the operation calls. The
have been constructed manually from the configurations for
configuration is mentioned below:
all architectures. The execution time for generating the object
diagrams with and without filmstrip templates are measured. Snapshot = 7..7
In order to obtain accurate execution times, each test case has borrow_UserOpC = 0..6
been run five times for each of the seven filmstrip architectures return_CopyOpC = 0..6
(A)-(G). We have calculated a trimmed mean by dropping borrow_CopyOpC = 0..6
the highest and lowest values from the collected execution return_UserOpC = 0..6
times [9]. A detailed description of the test cases is given
B. Test case 2: concurrentAppend model
below:
The scenario chosen for test case 2 is ”Initially three cells
exist with the values in a list and one new cell (value: 5) is
A. Test case 1: library model appended to the list and in the final state, there should not be
The scenario of test case 1 is ”Initially a copy of a book is an unfinished append”.
in the library and the copy has a number of returns equal to As test case 1, there are also external invariants that are
zero, and in the final state, the copy should have a number of used for generating the scenario and based on the specified
returns equal to three”. invariants the model validator chooses the operation calls. In
this test case, the operation specification has been given in the
context Snapshot inv numReturnZero:
range 0..4. The configuration is mentioned below:
self.pred()=null implies
self.copy->forAll(c | c.numReturns = 0) Snapshot = 5..5
append_AppendOpC = 0..4
context Snapshot inv noLinkUserCopy: found_AppendOpC = 0..4
self.pred()=null implies next_AppendOpC = 0..4
self.user.copy->size() = 0 return_AppendOpC = 0..4
� TABLE I
T EST CASES USED FOR THE FEASIBILITY STUDY.
Test case 1 - library model Test case 2 - concurrentAppend model
Application configuration 1 User, 1 Book, 1 Copy 3 Cells, 1 Append
Initial condition: Initial condition:
Copy is in library and number of returns is zero. Mention three Cells and one Append with values.
Invariants
Final condition: Final condition:
Number of returns of the copy is three. Append should be finished.
Snapshot = 7..7 Snapshot = 5.. 5
borrow UserOpC = 0..6 append AppendOpC = 0..4
Filmstrip configuration return UserOpC = 0..6 return AppendOpC = 0..4
borrow CopyOpC = 0..6 found AppendOpC = 0..4
return CopyOpC = 0..6 next AppendOpC = 0..4
Expected Result 3 { {User|Copy} borrow and {User|Copy} return} operation calls. Next-Next-Append-Return operation calls.
TABLE II
M ODEL SIZE FOR TEST CASES
Test case 1 - library model Test case 2 - concurrentAppend model
Number of snapshot objects 7 5
Number of application objects (total) 21 26
Number of operation call objects 6 4
Object model size 34 35
TABLE III
R ESULT COMPARISION - T EST CASE 1.
Archi- A B C D E F G
tecture Tern Assoc C@Snap Assoc C@Snap Agg C@Snap Comp SnapCSnap Assoc SnapCSnap Agg SnapCSnap Comp
32.73 min 0.43 min 1.34 min 1.41 min 2.50 min 3.23 min 3.28 min
Test case 1
0.13 min 0.07 min 0.09 min 0.08 min 0.15 min 0.16 min 0.16 min
TABLE IV
R ESULT COMPARISION - T EST CASE 2.
Archi- A B C D E F G
tectureTern Assoc C@Snap Assoc C@Snap Agg C@Snap Comp SnapCSnap Assoc SnapCSnap Agg SnapCSnap Comp
90.47 min 29.13 min 20.00 min 20.46 min 20.15 min 29.24 min 27.90 min
Test case 2
0.33 min 0.21 min 0.22 min 0.23 min 0.25 min 0.29 min 0.29 min
TABLE V
AVERAGE E XECUTION TIME OF TEST CASES USING FILMSTRIP TEMPLATES .
Archi- A B C D E F G
tecture Tern Assoc C@Snap Assoc C@Snap Agg C@Snap Comp SnapCSnap Assoc SnapCSnap Agg SnapCSnap Comp
Test case 1 0.13 min 0.07 min 0.09 min 0.08 min 0.15 min 0.16 min 0.16 min
Test case 2 0.33 min 0.21 min 0.22 min 0.23 min 0.25 min 0.29 min 0.29 min
Sum 0.46 min 0.28 min 0.31 min 0.31 min 0.40 min 0.45 min 0.45 min
VI. S TUDY RESULTS AND COMPARISON are compared with the original results (execution without
filmstrip template). It can be concluded from the results that
The models for the efficiency check with respect to exe- the enhancement approach proposed in this paper makes the
cution time have been studied using a laptop with an Intel execution of the validation process faster. In comparison to the
Core i5-4210U processor running at 2.4GHz, 8GB of RAM time saving, the time needed to create a template manually is
and Java 1.8.0. The models were validated employing USE neglectable. Automatically creating these templates is part of
4.2.0. future work. The reason for the better performance is that the
In this section, the results of the execution time for the overhead for handling the snapshot and application objects of
test cases are discussed. The execution is performed with the model validator is significantly reduced, as the filmstrip
filmstrip templates and also without filmstrip templates for templates are constructed before the validation. This makes
all architectures. Tables III and IV show the final averaged the execution and validation process faster.
execution times of each architecture for both the test cases and
also the enhanced results (execution with filmstrip template) Table V shows the execution times of both the test cases
which are highlighted in a white-on-darkgray style. The results with filmstrip templates and the comparison between the
�architectures. One can notice that architectures (B), (C), and seemless integration of structure and behavior and is based on
(D) (highlighted in a black-on-lightgray style) are the fastest the support of full OCL.
in both the test cases. The reason for this is that the snapshot-
snapshot link do not depend on OperationCall objects, VIII. C ONCLUSION AND FUTURE WORK
as was mentioned in the discussion of filmstrip templates for In this paper, the automatic transformation of an application
architectures (B), (C) and (D). This means that filmstrip tem- model with invariants and pre- and postconditions into a
plates of that architectures contain more elements compared filmstrip model in which the system behavior is represented
to templates of other architectures. So the number of elements with only invariants has been described. We have presented an
to be generated by model validator is again reduced, and that approach for enhancing the validation process by introducing
makes the execution smaller. filmstrip templates and by proposing different architectures for
VII. R ELATED WORK the filmstrip transformation. Through experiments, we showed
that the validation process using filmstrip templates is more
Many approaches and tools have been proposed for UML efficient in terms of execution time compared to validation
and OCL model execution and model validation. In [10], the without templates. It can be concluded from our study that
authors perform model execution by compiling the model to architectures (B), (C) and (D) yield better results and take
program code. They have proposed a model simulator tool less time than the other architectures.
which translates the UML model to Java code and execution Future work will study different and larger models and test
is performed on this generated code. In [11], the tool Matilda is cases with the same methodology as applied here in order
introduced, which accepts a UML model as an input data and to verify the current conclusions. We will also concentrate
validates it against the UML metamodel. The tool generates a on the automatic generation of the template from developer
Java abstract syntax tree (JAST) from the input UML model specifications and implement developer support for this. Last
and executes Java bytecode generated from JAST. In [12], the but not least, means for distinguishing application and filmstrip
authors discuss about a code generation tool, which transforms elements in the configuration have to be developed.
UML models (classes and state machines) into C# source code
and supports execution of the application corresponding to R EFERENCES
both structural and behavioral models. The above mentioned
[1] T. Mayerhofer, P. Langer, E. Seidewitz, and J. Gray, eds., Proc. 1st
approaches are based on the generation of code from the UML Int. Workshop Executable Modeling co-located with (MODELS 2015),
models and execution is performed on this generated code. In vol. 1560 of CEUR Workshop Proceedings, CEUR-WS.org, 2016.
contrast, our approach uses model transformation concepts and [2] T. Mayerhofer, P. Langer, E. Seidewitz, and J. Gray, eds., Proc. 2nd Int.
Workshop Executable Modeling co-located (MODELS 2016), vol. 1760
the execution is performed on this transformed model, i.e., the of CEUR Workshop Proceedings, CEUR-WS.org, 2016.
execution is performed at the modeling level. In [13], the au- [3] M. Gogolla, F. Büttner, and M. Richters, “USE: A UML-Based Specifi-
thors present the tool Populo, which is used for executing and cation Environment for Validating UML and OCL,” Science of Computer
Programming, vol. 69, pp. 27–34, 2007.
debugging UML class diagrams whose behavior is specified [4] M. Gogolla, L. Hamann, F. Hilken, M. Kuhlmann, and R. B. France,
by the UML action language and described by activity diagram “From Application Models to Filmstrip Models: An Approach to Auto-
containing actions. In contrast, the behavior of the UML model matic Validation of Model Dynamics,” in Proc. Modellierung (MODEL-
LIERUNG’2014) (H. Fill, D. Karagiannis, and U. Reimer, eds.), pp. 273–
is described by sequence diagrams using OCL invariants in 288, GI, LNI 225, 2014.
our approach. In [14], the authors generate a domain specific [5] M. Gogolla, “Teaching Touchy Transformations,” in MODELS Edu-
trace metamodel which is structurally similar to our filmstrip cators’ Symposium (EDUSYMP’2008) (M. Smialek, ed.), pp. 13–25,
Warsaw University, ISBN 83-916444-8-0, 2008.
model. However, their approach is domain-specific and uses an [6] M. Kuhlmann and M. Gogolla, “From UML and OCL to Relational
operational semantics of xDSML composed of transformation Logic and Back,” in Proc. 15th Int. Conf. Model Driven Engineering
rules for execution. Whereas our approach is generic and Languages and Systems (MoDELS’2012) (R. France, J. Kazmeier,
R. Breu, and C. Atkinson, eds.), pp. 415–431, Springer, Berlin,
we use OCL pre- and postconditions for operation execution. LNCS 7590, 2012.
In [15], a model transformation approach for validating UML [7] A. Rensink, Á. Schmidt, and D. Varró, “Model Checking Graph
models comprised of class and sequence diagrams is presented. Transformations: A Comparison of Two Approaches,” in Proc. Graph
A UML model is transformed into Testable Aggregate Model Transformations, 2nd Int. Conf., ICGT 2004 (H. Ehrig, G. Engels,
F. Parisi-Presicce, and G. Rozenberg, eds.), pp. 226–241, 2004.
(TAM) for test case execution. In [16], a UML class diagram [8] M. Gogolla and F. Hilken, “Model Validation and Verification Options
along with OCL constraints is transformed to Alloy code, in a Contemporary UML and OCL Analysis Tool,” in Proc. Model-
and using the Alloy Analyzer, execution and validation is lierung (MODELLIERUNG’2016) (A. Oberweis and R. Reussner, eds.),
pp. 203–218, GI, LNI 254, 2016.
performed. In [17], the authors present an approach for the [9] T. Hu and S. Y. Sung, “A Trimmed Mean Approach to Finding Spatial
verification of EMF models annotated with OCL constraints. Outliers,” Intell. Data Anal., vol. 8, no. 1, pp. 79–95, 2004.
The input UML model along with the properties to be val- [10] G. Dévai, M. Karácsony, B. Németh, R. Kitlei, and T. Kozsik, “UML
Model Execution via Code Generation,” in Proc. 1st Int. Workshop
idated is transformed into a constraint satisfaction problem Executable Modeling co-located with MODELS 2015 (T. Mayerhofer,
(CSP), and using a constraint solver, the CSP is executed and P. Langer, E. Seidewitz, and J. Gray, eds.), pp. 9–15, 2015.
validated. In contrast to [15], [17] and [16], we transform a [11] H. Wada, J. Suzuki, M. M. B. Eadara, A. Malinowski, and K. Oba,
“Design and Implementation of the Matilda Distributed UML Virtual
UML and OCL application model into a filmstrip model and Machine,” in Proc. 10th Int. Conf. Software Engineering Applications
we are using the model validator. Our approach provides a (SEA), 2006 (A. Cheng, ed.), 2006.
�[12] A. Derezinska and R. Pilitowski, “Realization of UML Class and State
Machine Models in the C# Code Generation and Execution Framework,”
Informatica (Slovenia), vol. 33, no. 4, pp. 431–440, 2009.
[13] L. Fuentes, J. Manrique, and P. Sánchez, “Execution and Simulation of
(Profiled) UML Models using Pópulo,” in Int. Workshop Modeling in
Software Engineering, MiSE 2008 (J. M. Atlee, R. B. France, G. Georg,
A. Moreira, B. Rumpe, S. Völkel, and S. Zschaler, eds.), pp. 75–81,
2008.
[14] E. Bousse, T. Mayerhofer, B. Combemale, and B. Baudry, “Advanced
and efficient execution trace management for executable domain-specific
modeling languages,” Software & Systems Modeling, May 2017.
[15] O. Pilskalns, A. A. Andrews, A. Knight, S. Ghosh, and R. B. France,
“Testing UML designs,” Information & Software Technology, vol. 49,
no. 8, pp. 892–912, 2007.
[16] K. Anastasakis, B. Bordbar, G. Georg, and I. Ray, “UML2Alloy: A
Challenging Model Transformation,” in Proc. Model Driven Engineering
Languages and Systems, 10th Int. Conf., MoDELS 2007 (G. Engels,
B. Opdyke, D. C. Schmidt, and F. Weil, eds.), pp. 436–450, 2007.
[17] C. A. González, F. Büttner, R. Clarisó, and J. Cabot, “EMFtoCSP: A
Tool for the Lightweight Verification of EMF Models,” in Proc. First
Int. Workshop on Formal Methods in Software Engineering, FormSERA,
2012 (S. Gnesi, S. Gruner, N. Plat, and B. Rumpe, eds.), pp. 44–50,
2012.
�