From Transpilers to Semantic Libraries Ármin Zavada, Kristóf Marussy, Vince Molnár From Transpilers to Semantic Libraries Formal Verification With Pluggable Semantics Supported by the ÚNKP-23-2-III-BME-47 New National Excellence Program of the Ministry for Culture and Innovation from the source of the National Research, Development and Innovation Fund. Supported by IncQuery Labs https://dl.acm.org/doi/10.1145/3652620.3686251

From Transpilers to Semantic Libraries Context Ever-increasing complexity Multi-paradigm modeling Dynamic environment Critical functionality Complex Cyber-Physical & Embedded Systems Automotive, Aerospace, Medical, Railway, Robotics, Industry 4.0, Nuclear Energy… Model-based Systems Engineering 2

From Transpilers to Semantic Libraries Formal Verification Formal model Formal requirement Counter example Proof Model checker Does the system behave correctly? Systems engineer Requires formal knowledge 3

The Operation state is reachable (from the initial state) From Transpilers to Semantic Libraries Hidden Formal Verification Does the system behave correctly? Systems engineer Formal model Formal requirement Model checker Engineering requirement Engineering model A → B → C → D → ↯ (Counter)example Verification tool 4

The Operation state is reachable (form the initial state) From Transpilers to Semantic Libraries Hidden Formal Verification Does the system behave correctly? Systems engineer Formal model Formal requirement Model checker Engineering requirement Engineering model A → B → C → D → ↯ (Counter)example Verification tool 5 Automated

From Transpilers to Semantic Libraries 6 • Engineering models can be seen as knowledge-bases – Process and extract data for design decisions • Behavioral engineering languages are traditionally operational – Programming languages, UML, SysML v1 (except sequence diagrams) • New trend: Ontological behavior modeling – Behaviors classify executions in 4D space-time (3 spatial + 1 temporal) – Example: KerML and SysML v2 • Ontological behavior modeling vs. Formal verification – Unexplored challanges Can we still apply our existing tools? Ontological Engineering Languages

From Transpilers to Semantic Libraries CH1: Ontological Behavior Modeling B D C E A B D C E Execute when token is here Send token on all outgoing edges Wait for all incoming tokens A → B → C → D → E A → C → B → D → E Valid traces Succession-based Token-based A → D → C → B → E A → C → B → E → D Invalid traces … Succession relationship 11 Step classification A Operational Declarative SysML v1 SysML v2 Produces Constrains

From Transpilers to Semantic Libraries 12 CH1: Ontological Behavior Modeling Model Trace Operational Declarative ✓Semantics is an algorithm – Executes the input model ✓For each step determines the next step – Produces the execution trace Difficult to check conformance ✓Semantics is an axiomatic check ✓Determines whether a trace conforms to the model – Constrains the execution trace Difficult to execute model 𝜹, 𝜻, 𝜽 𝜶 = 𝜷 Model Trace ⊤ or ⊥ CH3: Equivalence?

From Transpilers to Semantic Libraries 13 CH1: Ontological Behavior Modeling Model Trace Operational Declarative ✓Semantics is an algorithm – Executes the input model ✓For each step determines the next step – Produces the execution trace Difficult to check conformance ✓Semantics is an axiomatic check ✓Determines whether a trace conforms to the model – Constrains the execution trace Difficult to execute model 𝜹, 𝜻, 𝜽 𝜶 = 𝜷 Model Trace ⊤ or ⊥ CH3: Equivalence? RQ1: How can we operationalize the (temporal) declarative semantics of an ontology-based language and keep the two semantics synchronized?

From Transpilers to Semantic Libraries 14 S1: Operational Semantic Library System Model Core Language Library 4D Instance Model conforms to instance of refines Core Operational Library conforms to Execution Trace Back-annotation Analysis Model Model unfolding Model checking E.g., KerML Core Layer Modeled in the knowledge-base

From Transpilers to Semantic Libraries 15 • Extend Ontologies with operational constructs as first-class citizens – Model the behavioral semantics in Operational Libraries • Model unfolding to an operational representation along the ontology • Benefits: – Semantics is modeled instead of hardcoded – Explicit operational semantics S1: Operational Semantic Library

From Transpilers to Semantic Libraries 16 CH2: Detailed Ontological Trace Model S1 S2 toggle / reset exit / x := x + 1 entry / x := x + 1 Action. S1.entry Action S1.exit StateAction S1 AcceptAction toggle Action reset StateTransitionAction Action S2.entry Action S2.exit StateAction S2 Occur. S1.entry Occur. S1.middle Assign. Action Occur. accept toggle Occur. reset Assign. Action Occur. S2.middle Occur. S2.exit State space explosion++

From Transpilers to Semantic Libraries 17 CH2: Detailed Ontological Trace Model S1 S2 toggle / reset exit / x := x + 1 entry / x := x + 1 Action. S1.entry Action S1.exit StateAction S1 AcceptAction toggle Action reset StateTransitionAction Action S2.entry Action S2.exit StateAction S2 Occur. S1.entry Occur. S1.middle Assign. Action Occur. accept toggle Occur. reset Assign. Action Occur. S2.middle Occur. S2.exit State space explosion++ RQ2: How can we optimize the operationalization based on the domain-specific information encoded in the high-level model?

From Transpilers to Semantic Libraries 18 S2: Domain-specific Operational Libraries System Model Core Language Library 4D Instance Model conforms to instance of refines Domain Language Library refines Core Operational Library conforms to Execution Trace Back-annotation Domain-specific Operational Library Optimised Analysis Model Analysis Model Execution Trace conforms to Model unfolding Model checking Model checking congruent E.g., SysML v2 Semantic refinement

From Transpilers to Semantic Libraries 19 • Refine the Core operational semantics – Domain-specific abstractions – Tool-specific assumptions – Generic symmetry reduction • Analysis models must encode congruent execution traces S2: Domain-specific Operational Libraries Core Operational Library • Steps • Successions Action Model Library • Expressions • Actions • Control/data flow State Model Library • Regions, States, … • Do-activities • Transitions • Events, triggers, …

From Transpilers to Semantic Libraries 20 • Two different semantics = Trouble ☺ – Prove equivalence? → Might be too hard – Prove inclusion? → At least • Operational semantics must conform to the ontological one – Inclusion: Do not produce invalid traces – Equivalence: Also produce all valid traces • Even in the presence of semantic abstractions – Congruence: trace equivalence modulo projection CH3: Semantic Conformance RQ3: How can we prove the conformance of the declarative and operationalized semantics?

From Transpilers to Semantic Libraries 21 S3: Semantic Conformance Validation System Model Core Language Library 4D Instance Model conforms to instance of refines Domain Language Library refines Core Operational Library conforms to Execution Trace Back-annotation Domain-specific Operational Library Optimised Analysis Model Analysis Model Execution Trace congruent conforms to Model unfolding Model checking Axiomatic conformance validation (for inclusion) Doerr et al., Verifying Executability of SysML Behavior Models Using Alloy Analyzer Trace Checker

From Transpilers to Semantic Libraries • We implemented the approach via a new Ontological- Operational Modeling Language: OXSTS • Inspired by KerML – Extended with Operational elements – Ontological: types, composition, references, polymorphism, graph-pattern support – Operational: variables, explicit steps, operational semantics • Elements of this approach have been proposed to the SysML v2 Semantics Working Group to enhance KerML Proof of Feasibility – Implementation 24

From Transpilers to Semantic Libraries 25 Proof of Feasibility – Implementation Semantifyr OXSTS Szemantikai könyvtár Szemantikai könyvtár Szemantikai könyvtár Operational library OXSTS mapping Operational Model Model Processing Choosing the appropriate library Simple mapping along the Ontology A képen Betűtípus, embléma, Grafika, szimbólum látható Automatikusan generált leírás Engineering model Model unfolding along the Ontology Model Checking Code Generation Model Simulation

From Transpilers to Semantic Libraries Spacecraft Station Communication 26 Proof of Feasibility – Validation • We demonstrated the approach and its implementation on a case study model • OpenMBEE – Space Mission model – SysML v1 – State Machines – Activity Diagrams • OXSTS representation: – State Machine Operational Library – Space Mission OXSTS model • 40 semantic formal verification cases to validate the approach

From Transpilers to Semantic Libraries 27 • Concretized open challenges in the context of Ontological Behavioral Models – Operationalization, Detailed execution traces, Conformance • Proposed an approach addressing these challenges – Model operationalized semantics directly in the knowledge-base – Allows the definition and refinement of the semantics as a model • Demonstrated feasibility through a prototype implementation • Future work: – Model the semantics of SysML v2 behavior models Summary and Conclusion

Domain Language Library Domain Language Library Domain-specific Operational Library Domain-specific Operational Library From Transpilers to Semantic Libraries 28 Vision Overview System Model Core Language Library 4D Instance Model conforms to instance of refines Domain Language Library refines Core Operational Library conforms to Execution Trace Back-annotation Domain-specific Operational Library Optimised Analysis Model Analysis Model Execution Trace congruent conforms to Model unfolding Model checking E.g., SysML v2 E.g., KerML Modeling and refinement of Operational Semantics Axiomatic conformance validation (for inclusion) Trace Checker