Formal Verification of QVT Transformations for Code Generation

  • Kurt Stenzel
  • Nina Moebius
  • Wolfgang Reif
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6981)


We present a formal calculus for operational QVT. The calculus is implemented in the interactive theorem prover KIV and allows one to prove properties of QVT transformations for arbitrary meta models.

Additionally, we present a framework for provably correct Java code generation. The framework uses a meta model for a Java abstract syntax tree as the target of QVT transformations. This meta model is mapped to a formal Java semantics in KIV. This makes it possible to formally prove with the QVT calculus that a transformation always generates a Java model (i.e. a program) that is type correct and has certain semantic properties. The Java model can be used to generate source code by a model-to-text transformation, or byte code directly.
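As an added illustration (not code from the paper or from KIV), the pipeline the abstract describes in miniature: a transformation whose target is a Java AST meta model rather than text, a type check run over the generated model, and the model-to-text step done last. The entity source model, `TYPE_MAP` and the AST classes are assumptions constructed here; the paper proves the property for all inputs, whereas this check only examines individual models.

```python
from dataclasses import dataclass, field

# Target meta model (assumed here): a small fragment of a Java abstract syntax tree.
@dataclass
class FieldDecl:
    name: str
    jtype: str

@dataclass
class MethodDecl:          # a getter: "<ret_type> <name>() { return <returns>; }"
    name: str
    ret_type: str
    returns: str           # name of the field the body returns

@dataclass
class ClassDecl:
    name: str
    fields: list = field(default_factory=list)
    methods: list = field(default_factory=list)

# Source meta model (constructed): an entity with attributes of these types.
TYPE_MAP = {"int": "int", "string": "String", "bool": "boolean"}

def entity_to_java(entity_name, attributes):
    """Model-to-model transformation: Entity -> Java class with private
    fields and one getter per attribute. attributes: [(name, src_type)]."""
    cls = ClassDecl(entity_name)
    for name, src_type in attributes:
        jtype = TYPE_MAP[src_type]
        cls.fields.append(FieldDecl(name, jtype))
        cls.methods.append(MethodDecl("get" + name[:1].upper() + name[1:], jtype, name))
    return cls

def type_correct(cls):
    """Type check over the AST model: field names are unique and every
    getter returns an existing field of its declared return type."""
    ftypes = {f.name: f.jtype for f in cls.fields}
    if len(ftypes) != len(cls.fields):      # duplicate field declarations
        return False
    return all(m.returns in ftypes and ftypes[m.returns] == m.ret_type
               for m in cls.methods)

def emit_source(cls):
    """Model-to-text step: print an (already checked) model as Java source."""
    lines = [f"public class {cls.name} {{"]
    lines += [f"    private {f.jtype} {f.name};" for f in cls.fields]
    for m in cls.methods:
        lines.append(f"    public {m.ret_type} {m.name}() {{ return {m.returns}; }}")
    lines.append("}")
    return "\n".join(lines)
```

A source entity with two attributes of the same name is transformed into a model that the check rejects, which is the kind of defect the paper's proof obligation rules out for every input rather than per model.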







Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Kurt Stenzel, Nina Moebius, Wolfgang Reif: Institute for Software and Systems Engineering, Augsburg University, Augsburg, Germany
