Efficient Property Preservation Checking of Model Refinements

Anton Wijs and Luc Engelen

Department of Mathematics and Computer Science, Eindhoven University of Technology, P.O. Box 513, 5600 MB, Eindhoven, The Netherlands
{A.J.Wijs,L.J.P.Engelen}@tue.nl

Abstract. In model-driven software development, models and model refinements are used to create software. To automatically generate correct software from abstract models by means of model refinement, desirable properties of the initial models must be preserved. We propose an explicit-state model checking technique to determine whether refinements are property preserving. We use networks of labelled transition systems (LTSs) to represent models with concurrent components, and formalise refinements as systems of LTS transformation rules. Property preservation checking involves determining how a rule system relates to an input network, and checking bisimilarity between behaviour subjected to transformation and the corresponding behaviour after transformation. In this way, one avoids generating the entire LTS of the new model. Experimental results demonstrate speedups of several orders of magnitude.

1 Introduction

Model-driven software development [2] entails creating implementations on a low level of abstraction from designs represented by models on a high level of abstraction. Implementation details, for example motivated by hardware restrictions, are added incrementally to these abstract models by means of refining model transformations. Usually, an implementation must satisfy a number of requirements that can be expressed as properties of the model that forms its design. Then, the transformations should preserve these properties.
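The rule-level check described in the abstract, as an added example that is not code from the paper: each side of an LTS transformation rule is a small LTS, and the rule is accepted only if the behaviour it rewrites (left-hand side) is bisimilar to the behaviour it produces (right-hand side), so the refined model never has to be generated. The page does not state which bisimulation variant the authors use, so strong bisimulation is assumed here; the rule and its faulty variant are constructed for illustration.

```python
"""Strong bisimulation check between the two sides of an LTS transformation rule.

Added example (not the paper's code). An LTS is a pair (initial state, set of
transitions (src, action, dst)). Strong bisimulation is an assumption made for
this example; the page does not name the variant the authors use.
"""
from itertools import product


def successors(trans, s, a):
    """States reachable from s by one a-labelled transition."""
    return {d for (q, b, d) in trans if q == s and b == a}


def bisimilar(lts1, lts2):
    """True iff the initial states are strongly bisimilar.

    Greatest-fixpoint computation: start from the full relation and keep
    discarding pairs (s, t) where some move of s cannot be matched by t or
    vice versa, until nothing changes. Pairs that survive are bisimilar."""
    init1, trans1 = lts1
    init2, trans2 = lts2
    states1 = {init1} | {q for q, _, _ in trans1} | {d for _, _, d in trans1}
    states2 = {init2} | {q for q, _, _ in trans2} | {d for _, _, d in trans2}
    acts = {a for _, a, _ in trans1} | {a for _, a, _ in trans2}
    rel = set(product(states1, states2))
    changed = True
    while changed:
        changed = False
        for s, t in list(rel):
            for a in acts:
                # every a-move of s must be answered by an a-move of t, and back
                fwd = all(any((s_, t_) in rel for t_ in successors(trans2, t, a))
                          for s_ in successors(trans1, s, a))
                bwd = all(any((s_, t_) in rel for s_ in successors(trans1, s, a))
                          for t_ in successors(trans2, t, a))
                if not (fwd and bwd):
                    rel.discard((s, t))
                    changed = True
                    break
    return (init1, init2) in rel


# Constructed rule: the left-hand side is an abstract request/reply loop; the
# right-hand side unrolls it over four states (as a refinement might, e.g. to
# later attach implementation detail to alternate rounds). Behaviour is unchanged.
LHS = (0, {(0, "req", 1), (1, "rep", 0)})
RHS_OK = (0, {(0, "req", 1), (1, "rep", 2), (2, "req", 3), (3, "rep", 0)})
# Constructed faulty variant: the refinement silently adds a "drop" action,
# so properties verified on the abstract model need not survive the rule.
RHS_BAD = (0, {(0, "req", 1), (1, "rep", 0), (1, "drop", 0)})


def rule_preserves_properties(lhs, rhs):
    """A rule passes the check when its two sides are bisimilar."""
    return bisimilar(lhs, rhs)


if __name__ == "__main__":
    print(rule_preserves_properties(LHS, RHS_OK))   # True
    print(rule_preserves_properties(LHS, RHS_BAD))  # False
```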
Model checking [4] can help to determine whether this is the case, but verifying the properties from scratch for each new model along the development chain not only requires much time, but it is also likely to become unfeasible very quickly, as the related state space of a model tends to grow exponentially when applying a refinement.

In this paper, we present an explicit-state model checking technique tailored for incremental refinement of models of concurrent systems. If the model that forms the initial design of such a system is relatively small, then at this stage, properties can still be verified using traditional techniques based on explicit state space exploration. When a refinement needs to be applied, then instead of the refined model, the technique analyses the formal semantics of the refinement, and determines whether application of the refinement is guaranteed to preserve

N. Piterman and S. Smolka (Eds.): TACAS 2013, LNCS 7795, pp. 565–579, 2013.
© Springer-Verlag Berlin Heidelberg 2013