Model Projection: Simplifying Models in Response to Restricting the Environment

Kelly Androutsopoulos (1), David Binkley (2), David Clark (1), Nicolas Gold (1), Mark Harman (1), Kevin Lano (3), Zheng Li (1)

(1) University College London, Malet Place, London, WC1E 6BT, UK.
(2) Loyola University Maryland, Baltimore, MD 21210-2699, USA.
(3) King's College London, Strand, London, WC2R 2LS, UK.

ICSE11, May 21-28 2011, Waikiki, Honolulu, HI, USA. Copyright 2011 ACM 978-1-4503-0445-0/11/05.

ABSTRACT

This paper introduces Model Projection. Finite state models such as Extended Finite State Machines are being used in an ever increasing number of software engineering activities. Model projection facilitates model development by specializing models for a specific operating environment. A projection is useful in many design-level applications including specification reuse and property verification. The applicability of model projection rests upon three critical concerns: correctness, effectiveness, and efficiency, all of which are addressed in this paper. We introduce four related algorithms for model projection and prove each correct. We also present an empirical study of effectiveness and efficiency using ten models, including widely studied benchmarks as well as industrial models. Results show that a typical projection includes about half of the states and a third of the transitions from the original model.

Categories and Subject Descriptors: D.2.2 [Software Engineering]: Design Tools and Techniques

General Terms: Algorithms, Theory, Experimentation

Keywords: Model Projection, Extended Finite State Machines, Slicing

1. INTRODUCTION

Both automatically and manually generated state-based models find many applications in software engineering. For example, they are often constructed by model checkers [8] and built by engineers in the telecommunications and embedded systems sectors [9, 10, 25]. They are also used in modelling notations such as the UML [28], which draws heavily on state-based modelling [27], and are widely used for specifying discrete-event control devices, such as automated manufacturing systems (AMS) [30].

A great deal of engineering effort is directed towards the design of an organisation's models. As a result, it is common for models to be reused. One such scenario arises when control models are reused within a device that offers a restricted operational environment. For example, the 'basic model' car air conditioning system may not offer the climate control functionality found in more luxurious models. It would be wasteful to specify different models for each potential car configuration. Rather, there is typically a single controller for the entire product line [3]. In this situation, model projections, specialized to the particular environment, are useful as they avoid producing bloated controllers that implement unused functionality.

The design of models typically occurs earlier in the overall development process than coding, where the cost of errors is, in general, higher. This makes it important to have powerful and flexible tools for model analysis. Model projection facilitates such analysis in much the same way that techniques such as program transformation and program slicing assist with code level analysis [29, 16, 32].
Figure 1 presents an example of model projection in which a vending machine allows a user to insert coins and vends tea with options of large cups, small cups, sugar, and double sugar. Consider redeploying this controller in an environment where the 'sugar' button is disabled, and thus in an environment in which the event Sugar() never occurs. The projection removes all states and transitions (shown in dashed grey) unreachable by event sequences in the restricted environment. This causes the state Sugar to become unreachable and subsequently the state Double Sugar, because it is only reachable from the state Sugar. When these states and their associated transitions are projected out of the model, only the black elements remain.

Model projection can also be used to facilitate property verification by reducing the complexity of a model and thus making analysis more efficient. Consider the production cell example used in the industrial case study of a German metal processing plant [26]. In this system, metal blanks enter the system on a feed belt and are conveyed via a table by robot arms to one of two presses. Assume that we want to prove that the feed belt motor is off if there is a blank on the belt and a blank on the elevating rotating table. Call this property P. It turns out that property P only concerns two sensors and one actuator of the model. To prove that P holds in the original model requires consideration of a state space having over 3,000 states. However, only four events affect P (s1on, s1off, s3on, s3off). A model projection produced by ignoring all other events has only four states and eight transitions. This substantial reduction in controller size means that P can be verified to hold in all states directly. As shown in Section 4, this implies that P holds in the original model.

With these applications and others, the applicability of our approach depends upon both correctness and the reduction achieved in reasonable time. Therefore, this paper concerns the theoretical and empirical underpinnings of model projection as formalized in Section 2. Section 3 then introduces four progressively more precise (and more expensive) model projection algorithms. This is followed in Section 4 by proofs of correctness for the four algorithms. Finally, Section 5 investigates the effectiveness and efficiency of our approach in terms of the reduction achieved on a set of ten models (including standard benchmarks and real world models).
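The vending machine projection of Figure 1, worked as an added example that is not code from the paper: a plain reachability projection over a constructed transition list, where the event names other than Sugar and the state names other than Sugar and Double Sugar are assumptions, and the projection is the simple "drop disabled events, then drop unreachable states" step rather than one of the paper's four algorithms.

```python
# Added example, not from the paper: reachability projection of a toy
# vending-machine state machine when the Sugar() event can never occur.
# The model below is constructed for illustration; only the states Sugar
# and Double Sugar and the event Sugar come from the paper's Figure 1 text.
from collections import deque

# Transitions as (source_state, event, target_state). Constructed sample.
VENDING_MACHINE = [
    ("Idle", "Coin", "Paid"),
    ("Paid", "Large", "Cup"),
    ("Paid", "Small", "Cup"),
    ("Cup", "Sugar", "Sugar"),
    ("Sugar", "Sugar", "Double Sugar"),
    ("Cup", "Vend", "Idle"),
    ("Sugar", "Vend", "Idle"),
    ("Double Sugar", "Vend", "Idle"),
]


def project(transitions, initial, disabled_events):
    """Remove every transition triggered by a disabled event, then keep only
    the states still reachable from `initial` (and the transitions leaving
    them). Returns (reachable_states, projected_transitions)."""
    kept = [t for t in transitions if t[1] not in disabled_events]
    reachable = {initial}
    work = deque([initial])
    while work:                      # breadth-first walk over kept transitions
        src = work.popleft()
        for s, _event, dst in kept:
            if s == src and dst not in reachable:
                reachable.add(dst)
                work.append(dst)
    # A kept transition from a reachable source always lands on a reachable
    # target, so filtering on the source state is sufficient.
    projected = [t for t in kept if t[0] in reachable]
    return reachable, projected


def removed_states(transitions, initial, disabled_events):
    """States that the projection drops: Double Sugar goes even though its own
    Vend transition is not disabled, because it is only entered via Sugar."""
    all_states = {s for t in transitions for s in (t[0], t[2])}
    reachable, _ = project(transitions, initial, disabled_events)
    return all_states - reachable


if __name__ == "__main__":
    states, trans = project(VENDING_MACHINE, "Idle", {"Sugar"})
    print(sorted(states), len(trans), "transitions remain")
    print("projected out:", sorted(removed_states(VENDING_MACHINE, "Idle", {"Sugar"})))
```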