1 Introduction
Graphs and graph transformations [8] are a good means for system modelling and specification. Graph structures naturally relate to the structures typically found in many (computer) systems and graph transformations provide intuitive tools to specify the semantics of a model or implement refinement and analysis techniques for specifications.
In all of these scenarios, it is important that the graphs used are consistent; that is, that their structures satisfy a set of constraints. Some constraints can be captured by typing graphs over socalled type graphs [8]—these allow capturing basic structural constraints such as which kinds of nodes may be connected to each other. To allow the expression of further constraints, the theory of nested graph constraints has been introduced [12]. A graph is considered consistent if it is correctly typed and satisfies all given constraints. Note that this notion of consistency is binary: a graph either is consistent or it is not consistent. It is impossible to distinguish different degrees of consistency.
In software engineering practice, it is often necessary to live with, and manage, a degree of inconsistency [23]. This requires tools and techniques for identifying, measuring, and correcting inconsistencies. In the field of graphbased specifications, this has led to many practical applications, where a more finegrained notion of graph consistency is implicitly applied. For example, research in model repair has aimed to automatically produce graphtransformation rules that will gradually improve the consistency of a given graph. Such a rule may not make a graph completely consistent in one transformation step, but performing a sequence of such transformations will eventually produce a consistent graph (e.g., [13, 21, 22, 25]). In the area of searchbased model engineering (e.g., [5, 11]), rules are required to be applicable to inconsistent graphs and, at least, not to produce new inconsistencies. In earlier work, we have shown how such rules can be generated at least with regard to multiplicity constraints [5]. However, in all of these works, the notion of “partial” graph consistency remains implicit. Without explicitly formalising this notion, it becomes difficult to reason about the validity of the rules generated or the correctness of the algorithm by which these rules were produced.
In this paper, we introduce a new notion of graph consistency as a graduated property. A graph can be consistent to a degree, depending on the number of constraint violations that occur in the graph. This conceptualisation allows us to introduce two new characterisations of graph transformations: a consistencysustaining transformation does not decrease the overall consistency level, while a consistencyimproving transformation strictly decreases the number of violations in a graph. We lift these characterisations to the level of graph transformation rules, allowing rules to be characterised as consistency sustaining and consistency improving, respectively. We show how these definitions fit with the already established terminology of constraintpreserving and constraintguaranteeing transformations / rules. Finally, we introduce formal criteria that allow checking whether a given graphtransformation rule is consistency sustaining or consistency improving w.r.t. constraints in specific forms.
Thus, the contributions of our paper are:

We present the first formalisation of graph consistency as a graduated property of graphs;

We present two novel characterisations of graph transformations and transformation rules with regard to this new definition of graph consistency and show how these refine the existing terminology;

We present static analysis techniques for checking whether a graphtransformation rule is consistency sustaining or improving.
The remainder of this paper is structured as follows: We introduce a running example in Sect. 2 before outlining some foundation terminology in Sect. 3. Section 4 introduces our new concepts and Sect. 5 discusses how graphtransformation rules can be statically analysed for these properties. A discussion of related work in Sect. 6 concludes the paper. The proofs of all results in this paper can be found in Appendix 0.A.
2 Example
Consider class responsibility assignment (CRA, [4]), a standard problem in objectoriented software analysis. Given is a set of features (methods, fields) with dependencies between them. The goal is to create a set of classes and assign the features to classes so that a certain fitness function is maximized. The fitness function rewards the assignment of dependent features to the same class (cohesion), while punishing dependencies that run between classes (coupling) and solutions with too few classes. Solutions can be expressed as instances of the type graph shown in the left of Fig. 1. For realistic problem instances, an exhaustive enumeration of all solutions to find the optimal one is not feasible.
Recently, a number of works have addressed the CRA problem via a combination of graph transformation and metaheuristic search techniques, specifically evolutionary algorithms
[10, 29, 5]. An evolutionary algorithm uses genetic operators such as crossover and mutation to find optimal solution candidates in an efficient way. In this paper, we focus on mutation operators, which have been specified using graph transformation rules in these works.Figure 1 depicts four mutation rules for the CRA problem, taken from the available MDEOptimiser solution [6]. The rules are specified as graph transformation rules [8] in the Henshin notation [1, 28]: Rule elements are tagged as delete, create, preserve or forbid, which denotes them as being included in the LHS, the RHS, in both rule sides, or a NAC. Rule assignFeature assigns a randomly selected asyetunassigned feature to a class. Rule createClass creates a class and assigns an asyetunassigned feature to it. Rule moveFeature moves a feature between two classes. Rule deleteEmptyClass deletes a class to which no feature is assigned.
Solutions in an optimization problem such as the given one usually need to be consistent with regard to the constraints given by the problem domain. We consider three constraints for the CRA case:

[label=(), itemsep=0pt]

Every feature is contained in at most one class.

Every class contains at least one feature.

If a feature has a dependency to another feature ,
and is contained in a different class than ,
then must have a dependency to a feature in the same class.
Constraints and come from Fleck et al.’s formulation of the CRA problem [10]. Constraint can be considered a helper constraint (compare helper objectives [14]) that aims to enhance the efficiency of the search by formulating a constraint with a positive impact to the fitness function: Assigning dependent features to the same class is likely to improve coherence.
Given an arbitrary solution model (valid or invalid), mutations may introduce new violations. For example, applying moveFeature can leave behind an empty class, thus violating . While constraint violations can potentially be removed using repair techniques [22, 13, 25], these can be computationally expensive and may involve strategies that lead to certain regions of the search space being preferred, threatening the efficiency of the search. Instead, it would be desirable to design mutation operators that impact consistency in a positive or at least neutral way. Each application of a mutation rule should contribute to some particular violations being removed, or at least ensure that the degree of consistency does not decrease. Currently, there exists no formal framework for identifying such rules. The established notions of constraintpreserving and constraintguaranteeing rules [12] assume an alreadyvalid model or a transformation that removes all violations at once; both are infeasible in our scenario.
3 Preliminaries
Our new contributions are based on typed graph transformation systems following the doublepushout approach [8]. We implicitly assume that all graphs, also the ones occurring in rules and constraints, are typed over a common type graph ; that is, there is a class of graphs typed over . A nested graph constraint [12] is a tree of injective graph morphisms.
[caption=(Nested) graph conditions and constraints] Given a graph , a (nested) graph condition over is defined recursively as follows: true is a graph condition over and if is an injective morphism and is a graph condition over , is a graph condition over again. If and are graph conditions over , and are graph conditions over . A (nested) graph constraint is a condition over the empty graph .
A condition or constraint is called linear if the symbol does not occur, i.e., if it is a (possibly empty) chain of morphisms. The nesting level of a condition is recursively defined by setting , , , and . Given a graph condition over , an injective morphism satisfies , written , if the following applies: Every morphism satisfies true. The morphism satisfies a condition of the form if there exists an injective morphism such that and satisfies . For Boolean operators, satisfaction is defined as usual. A graph satisfies a graph constraint , denoted as , if the empty morphism to does so. A graph constraint implies a graph constraint , denoted as , if for all graphs . The constraints are equivalent, denoted as , if and .
In the notation of graph constraints, we drop the domains of the involved morphisms and occurrences of true whenever they can unambiguously be inferred. For example, we write instead of . Moreover, we introduce as an abbreviation for the graph constraint . Further sentential connectives like or can be introduced as abbreviations as usual (which is irrelevant for linear constraints).
We define a normal form for graph conditions that requires that the occurring quantifiers alternate. For every linear condition there is an equivalent condition in this normal form [25, Fact 2].
[caption=Alternating quantifier normal form (ANF)] A linear condition with is in alternating quantifier normal form (ANF) when the occurring quantifiers alternate, i.e., if is of the form with and , none of the occurring morphisms is an isomorphism, and the only negation, if any, occurs at the innermost nesting level (i.e., the constraint is allowed to end with false). If a constraint in ANF starts with , it is called existential, otherwise it is called universal.
Lemma 1 (Nonequivalence of constraints in ANF)
Let and be constraints in ANF. Then .
We have since but . Lemma 1 implies that the first quantifier occurring in the ANF of a constraint separates linear constraints into two disjoint classes. This ensures that our definitions in Section 4 are meaningful.
Graph transformation is the rulebased modification of graphs. The following definition recalls graph transformation as a doublepushout.
[caption=Rule and transformation] A plain rule is defined by with and being graphs connected by two graph inclusions. An application condition for is a condition over . A rule consists of a plain rule and an application condition over .
A transformation (step) which applies rule to a graph consists of two pushouts as depicted in Fig. 2. Rule is applicable at the injective morphism called match if and there exists a graph such that the left square is a pushout. Morphism is called comatch. Morphisms and are called transformation morphisms. The track morphism [24] of a transformation step is the partial morphism defined by for and undefined otherwise.
Obviously, transformations interact with the validity of graph constraints. Two wellstudied notions are constraintguaranteeing and preserving transformations [12]. [caption=guaranteeing and preserving transformation] Given a constraint , a transformation is guaranteeing if . Such a transformation is preserving if . A rule is guaranteeing (preserving) if every transformation via is.
As we will present criteria for consistency sustainment and improvement based on conflicts and dependencies of rules, we recall these notions here as well. Intuitively, a transformation step causes a conflict on another one if it hinders this second one. A transformation step is dependent on another one if it is first enabled by that.
[caption=Conflict] Let a pair of transformations applying rules be given such that yields transformation morphisms . Transformation pair is conflicting (or causes a conflict on ) if there does not exist a morphism such that and . Rule pair is conflicting if there exists a conflicting transformation pair . If and are both not conflicting, rule pair is called parallel independent.
[caption=Dependency] Let a sequence of transformations applying rules be given such that yields transformation morphisms . Transformation is dependent on if there does not exist a morphism such that and . Rule is dependent on rule if there exists a transformation sequence such that is dependent on . If is not dependent on and is not dependent on , rule pair is called sequentially independent.
A weak critical sequence is a sequence of transformations such that depends on , and are jointly surjective (where is the comatch of ), and is not required to satisfy (). As rule in a rule pair will always be plain in this paper, a transformation step can cause a conflict on another one if and only if it deletes an element that the second transformation step matches. Similarly, a transformation step can depend on another one if and only if the first step creates an element that the second matches or deletes an edge that is adjacent to a node the second one deletes.
4 Consistencysustaining and consistencyimproving rules and transformations
In this section, we introduce our key new concepts. We do so in three stages, first introducing foundational definitions for partial consistency, followed by a generic definition of consistency sustainment and improvement. Finally, we give stronger definitions for which we will be able to provide a static analysis in Sect. 5.
4.1 Partial consistency
To support the discussion and analysis of rules and transformations that improve graph consistency, but do not produce a fully consistent graph in one step, we introduce the notion of partial consistency. We base this notion on relating the number of constraint violations to the total number of relevant occurrences of a constraint. For the satisfaction of an existential constraint, a single valid occurrence is enough. In contrast, universal constraints require the satisfaction of some subconstraint for every occurrence. Hence, the resulting notion is binary in the existential case, but graduated in the universal one.
In the remainder of this paper, a constraint is always a linear constraint in ANF having a nesting level .^{1}^{1}1Requiring nesting level is no real restriction as constraints with nesting level are Boolean combinations of true which means they are equivalent to true or false, anyhow. In contrast, restricting to linear constraints actually excludes some interesting cases. We believe that the extension of our definitions and results to also include the nonlinear case will be doable. Restricting to the linear case first, however, makes the statements much more accessible and succinct. Moreover, all graphs are finite.
[caption=Occurrences and violations] Let with be a constraint. An occurrence of in a graph is an injective morphism , and denotes the number of such occurrences.
If is universal, its number of relevant occurrences in a graph , denoted as , is defined as and its number of constraint violations, denoted as , is the number of occurrences for which .
If is existential, and if there exists an occurrence such that but otherwise.
[caption=Partial consistency] Given a graph and a constraint , is consistent w.r.t. if . The consistency index of w.r.t. is defined as
where we set . We say that is partially consistent w.r.t. if .
The next proposition makes precise that the consistency index runs between and and indicates the degree of consistency a graph has w.r.t. a constraint .
Fact 1 (Consistency index)
Given a graph and a constraint , then and if and only if . Consistency implies partial consistency. Moreover, for an existential constraint.
Example 1
Based on Fig. 3, we can express the three informal constraints from Section 2 as nested graph constraints. Constraint can be expressed as , constraint becomes , and constraint becomes . Graph (in the left top corner of Fig. 3) satisfies and . It does not satisfy , since we cannot find an occurrence of for the occurrence of in where f1 and f2 are mapped to f1 and f3, respectively. Graph in Fig. 3 has the consistency index 0.5 with regard to , since one violation exists, and two nonviolating occurrences are required.
4.2 Consistency sustainment and improvement
In the remainder of this section, our goal is to introduce the notions of consistencysustaining and consistencyimproving rule applications which refine the established notions of preserving and guaranteeing applications [12].
[caption=Consistency sustainment and improvement] Given a graph constraint and a rule , a transformation is consistency sustaining w.r.t. if . It is consistency improving if it is consistency sustaining, , and .
The rule is consistency sustaining if all of its applications are. It is consistency improving if all of its applications are consistency sustaining and there exists a graph with and a consistencyimproving transformation . A consistency improving rule is strongly consistency improving if all of its applications to graphs with are consistencyimproving transformations. In the above definition, we use the number of constraint violations (and not the consistency index) to define improvement to avoid an undesirable sideeffect: Defining improvement via a growing consistency index would lead to consistencyimproving transformations (w.r.t. a universal constraint) which do not repair existing violations but only create new valid occurrences of the constraint. Hence, there would exist infinitely long transformation sequences where every step increases the consistency index but validity is never restored. Consistencyimproving transformations, and therefore strongly consistency improving rules, require that the number of constraint violations strictly decreases in each step. Therefore, using only such transformations and rules, we cannot construct infinite transformation sequences.
Any consistencyimproving rule can be turned into a strongly consistencyimproving rule if suitable preconditions can be added that restrict the applicability of the rule only to those cases where it can actually improve a constraint violation. This links the two forms of consistencyimproving rules to their practical applications: in model repair [21, 25] we want to use rules that will only make a change to a graph when there is a violation to be repaired—strongly consistencyimproving rules. However, in evolutionary search [5], we want to allow rules to be able to make changes even when there is no need for repair, but to fix violations when they occur; consistencyimproving rules are wellsuited here as they can be applied even when no constraint violations need fixing.
4.3 Direct consistency sustainment and improvement
While the above definitions are easy to state and understand, it turns out that they are inherently difficult to investigate. Comparing numbers of (relevant) occurrences and violations allows for very disparate behavior of consistencysustaining (improving) transformations: For example, a transformation is allowed to destroy as many valid occurrences as it repairs violations and is still considered to be consistency sustaining w.r.t. a universal constraint.
Next, we introduce further qualified notions of consistency sustainment and improvement. The idea behind this refinement is to retain the validity of occurrences of a universal constraint: valid occurrences that are preserved by a transformation are to remain valid. In this way, sustainment and improvement become more direct as it is no longer possible to compensate for introduced violations by introducing additional valid occurrences. The notions of (direct) sustainment and improvement are related to one another and also to the already known ones that preserve and guarantee constraints. In Sect. 5 we will show how these stricter definitions allow for static analysis techniques to identify consistencysustaining and improving rules.
The following definitions assume a transformation step to be given and relate occurrences of constraints in its start and result graph as depicted in Fig. 4. The existence of a morphism such that the left triangle commutes (and might be defined as ) is equivalent to the tracking morphism being a total morphism when restricted to which is equivalent to the transformation not destroying the occurrence .
[caption=Direct consistency sustainment] Given a graph constraint , a transformation via rule at match with trace (Fig. 4) is directly consistency sustaining w.r.t. if either is existential and the transformation is preserving or is universal and
A rule is directly consistency sustaining w.r.t. if all its applications are.
Consistency  Consistency  
sustaining  improving  
Rule  
assignFeature  +  +      +   
createClass  +  +         
moveFeature  (+)           
deleteEmptyClass  +  +  +    +*   
Legend: + denotes directly, (+) denotes  
nondirectly, * denotes strongly 
The first requirement in the definition checks that constraints that were already valid in are still valid in , unless their occurrence has been removed; that is, the transformation must not make existing valid occurrences invalid. Note, however, that we do not require that the constraint be satisfied by the same extension, just that there is still a way to satisfy the constraint at that occurrence. The second requirement in the definition checks that every “new” occurrence of the constraint in satisfies the constraint; that is, the transformation must not introduce fresh violations.
The following theorem relates the new notions of (direct) consistency sustainment to preservation and guarantee of constraints.
Theorem 2 (Sustainment relations)
Given a graph constraint , every guaranteeing transformation is directly consistencysustaining, every directly consistencysustaining transformation is consistency sustaining, and every consistencysustaining transformation is preserving. The analogous implications hold on the rule level:
The following example illustrates these notions and shows that sustainment is different from constraint guaranteeing or preserving.
Example 2
Table 1 denotes for each rule from the running example if it is consistency sustaining w.r.t. each constraint. Rule createClass is directly consistency sustaining w.r.t. (no double assignments) and (no empty classes), since it cannot assign an already assigned feature or remove existing assignments. However, it is not consistency guaranteeing, since it cannot remove any violation either. Rule moveFeature is consistency sustaining w.r.t , but not directly so, since it can introduce new violations, but only while at the same time removing another violation, leading to a neutral outcome. Starting with the plain version of rule createClass and computing a preserving application condition for constraint according to the construction provided by Habel and Pennemann [12] results in the application condition depicted in Fig. 5. By construction, equipping the plain version of createClass with that application condition results in a consistencypreserving rule. However, whenever applied to an invalid graph, the antecedent of this application condition evaluates to false and, hence, the whole application condition to true. In particular, the rule with this application condition might introduce further violations of and is, thus, not sustaining.
Similarly, the direct notion of consistency improvement preserves the validity of already valid occurrences in the case of universal constraints and degenerates to the known concept of constraintguarantee in the existential case. [caption=Direct consistency improvement] Given a graph constraint , a transformation via rule at match with trace (Fig. 4) is directly consistency improving w.r.t. if , the transformation is directly consistency sustaining, and either is existential and the transformation is guaranteeing or is universal and
We lift the notion of directly consistencyimproving transformations to the level of rules in the same way as in Def. 4.2. This leads to directly consistencyimproving rules and a strong form of directly consistencyimproving rules.
(Direct) consistency improvement is related to, but different from constraint guarantee and consistency sustainment as made explicit in the next theorem.
Theorem 3 (Improvement relations)
Given a graph constraint , every directly consistencyimproving transformation is a consistencyimproving transformation and every consistencyimproving transformation is consistency sustaining. Moreover, every guaranteeing transformation starting from a graph that is inconsistent w.r.t. is a directly consistencyimproving transformation. The analogous implications hold on the rule level, provided that there exists a match for the respective rule in a graph with :
Example 3
Table 1 denotes for each rule of the running example if it is consistency improving w.r.t. each constraint. For example, the rule deleteEmptyClass is directly strongly consistency improving but not guaranteeing w.r.t. (no empty classes), since it always removes a violation (empty class), but generally not all violations in one step. Rule assignFeature is consistency improving w.r.t. , but not directly so, since it can turn empty classes into nonempty ones, but does not do so in every possible application. Rule createClass is consistency sustaining but not improving w.r.t. , as it cannot reduce the number of empty classes.
5 Static Analysis for Direct Consistency Sustainment and Improvement
In this section, we consider specific kinds of constraints and present a static analysis technique for direct consistency sustainment and improvement. We present criteria for rules to be directly consistency sustaining or directly consistency improving w.r.t. these kinds of constraint. The restriction to specific kinds of constraint greatly simplifies the presentation; at the end of the section we hint at how our results may generalize to arbitrary universal constraints.
The general idea behind our static analysis technique is to check for validity of a constraint by applying a trivial (nonmodifying) rule that just checks for the existence of a graph occurring in the constraint. This allows us to present our analysis technique in the language of conflicts and dependencies which has been developed to characterise the possible interactions between rule applications [24, 8]. As a bonus, since the efficient detection of such conflicts and dependencies has been the focus of recent theoretical and practical research [17, 18], we obtain tool support for an automated analysis based on Henshin.
In the remainder of this paper, we assume the following setting: Let be a rule, a graph constraint of the form and a graph constraint of the form . Given a graph , there is the rule given.
For the statement of the following results, note that sequential independence of the (nonmodifying) rule from means that cannot create a new match for . Similarly, parallel independence of from means that cannot destroy a match for . We first state criteria for direct consistency sustainment: If a rule cannot create a new occurrence of , it is directly consistency sustaining w.r.t. a constraint of the form . If, in addition, it cannot delete an occurrence of , it is directly consistency sustaining w.r.t. a constraint of the form .
Theorem 1 (Criteria for direct consistency sustainment)
Rule is directly consistency sustaining w.r.t. constraint if and only if is sequentially independent from . If, in addition, is parallel independent from , then is directly consistency sustaining w.r.t. constraint .
The above criterion is sufficient but not necessary for constraints of the form . For example, it does not take into account the possibility of creating a new valid occurrence of . The next proposition strengthens the above theorem by partially remedying this.
Proposition 1
If is parallel independent from and for every weak critical sequence it holds that there is an injective morphism with , i.e., , then is directly consistency sustaining w.r.t. constraint .
For consistency improvement we state criteria on rules as well: If a rule is directly consistency improving w.r.t. a constraint of the form , it is either (1) able to destroy an occurrence of (deleting a part of it) or (2) to bring about an occurrence of (creating a part of it). In case (2), we can even be more precise: The newly created elements do not stem from but from the part of without ; this is what the formula in the next theorem expresses. For constraints of the form , condition (1) is the only one that holds.
Theorem 2 (Criteria for direct consistency improvement)
If rule is directly consistency sustaining w.r.t. constraint , then it is directly consistency improving w.r.t. if and only if causes a conflict for . If is directly consistency improving w.r.t. constraint , then causes a conflict for or is sequentially dependent on in such a way that
where, in this dependency, is the comatch of the first transformation applying and is the match for .
The above criterion is not sufficient in case of constraint . The existing conflicts or dependencies do not ensure that actually an invalid occurrence of can be deleted or a new occurrence of can be created in such a way that an invalid occurrence of is “repaired”.
Looking closer to the criteria stated above, we can find some recurring patterns. Table 2 lists the kinds of universal constraints up to nesting level 2 and the corresponding criteria. While we have shown the criteria in the first two rows in Theorems 1 and 2, we conjecture the criteria in the last row of Table 2. To prove generalized theorems for nesting levels , however, is up to future work.
type of constr.  crit. for direct consist. sust.  crit. for direct consist. impr. 

Consis. sust. (suff. cr.)  Consis. impr. (necc. cr.)  
seq. indep.  par. indep.  par. dep.  seq. dep.  
Rule  
assignFeature    +    +  +        +  + 
createClass        +  +        +  + 
moveFeature    +        +    +  +  + 
deleteEmptyClass  +  +  +  +  +    +       
Example 4
We can use the criteria in Table 2 to semiautomatically reason about consistency sustainment and improvement in our example. To this end, we first apply automated conflict and dependency analysis (CDA, [18]) to the relevant pairs of mutation and check rules. Using the detected conflicts and dependencies, we infer parallel and sequential (in)dependence per definition, as shown in Table 3. For example, since no dependencies between assignFeature and exist, we conclude that these rules are sequentially independent.
Consistency sustainment: Based on Table 3, we find that the sufficient criterion formulated in Theorem 1 is adequate to show direct consistency sustainment in four out of seven positive cases as per Table 1: rule assignFeature with constraint and rule deleteEmptyClass with constraints , and . Moreover, the stronger criterion in Proposition 1 allows to recognize the case of createClass with . Discerning the remaining two positive cases (assignFeature with ; createClass with ) from the five negative ones requires further inspection.
Consistency improvement: Based on Table 3, our necessary criterion allows to detect the two positive cases in Table 1: rules deleteEmptyClass and assignFeature with constraint . The former is due to parallel dependence, the latter due to sequential dependence (where inspection of the CDA results reveals a critical sequence with a suitable comatch). The criterion is also fulfilled in six negative cases: assignFeature with , createClass with and , and moveFeature with , and . Four negative cases are correctly ruled out by the criterion.
6 Related Work
In this paper, we introduce a graduated version of a specific logic on graphs, namely of nested graph constraints. Moreover, we focus on the interaction of this graduation with graph transformations. Therefore, we leave a comparison with fuzzy or multivalued logics (on graphs) to future work. Instead, we focus on works that also investigate the interaction between the validity of nested graph constraints and the application of transformation rules.
Given a graph transformation (sequence) , the validity of graph can be established with basically three strategies: (1) graph is already valid and this validity is preserved, (2) graph is not valid and there is a guaranteeing rule applied, and (3) graph is made valid by a graph transformation (sequence) stepbystep.
Strategies (1) and (2) are supported by the incorporation of constraints in application conditions of rules as presented in [12] for nested graph constraints in general and implemented in Henshin [19]. As the applicability of rules enhanced in that way can be severely restricted, improved constructions have been considered of specific forms of constraints. For constraints of the form , for example, a suitable rule scheme is constructed in [16]. In [2] refactoring rules are checked for the preservation of constraints of nesting level . In [19], two of the present authors also suggested certain simplifications of application conditions; the resulting ones are still constraintpreserving. In [20], we even showed that they result in the logically weakest application condition that is still directly consistency sustaining. However, the result is only shown for negative constraints of nesting level one. A very similar construction of negative application conditions from such negative constraints has very recently been suggested in [3].
Strategy (3) is followed in most of the rulebased graph repair or model repair approaches. In [22], the violation of mainly multiplicity constraints is considered. In [13], Habel and Sandmann derive graph programs from graph constraints of nesting level . In [25], they extend their results to constraints in ANF which end with or constraints of one of the forms or . They also investigate whether a given set of rules allows to repair such a given constraint. In [7] Dyck and Giese present an approach to automatically check whether a transformation sequence yields a graph that is valid w.r.t. specific constraints of nesting level .
Up to now, result graphs of transformations have been considered either valid or invalid w.r.t. to a graph constraint; intermediate consistency grades have not been made explicit. Thereby, preserving and guaranteeing transformations [12] focus on the full validity of the result graphs. Our newly developed notions of consistencysustainment and improvement are located properly in between existing kinds of transformations (as proven in Theorems 2 and 3). These new forms of transformations make the gradual improvements in consistency explicit. While a detailed and systematic investigation (applying the static methods developed in this paper) is future work, a first check of the kinds of rules generated and used in [15] (model editing), [22] (model repair), and [5] (searchbased model engineering) reveals that—in each case—at least some of them are indeed (directly) consistencysustaining. We are therefore confident that the current paper formalizes properties of rules that are practically relevant in diverse application contexts. Work on partial graphs as in, e.g. [26], investigates the validity of constraints in families of graphs which is not our focus here and therefore, not further considered.
Stevens in [27] discusses similar challenges in the specific context of bidirectional transformations. Here, consistency is a property of a pair of models (loosely, graphs) rather than between a graph and constraint. In this sense, it may be argued that our formalisation generalises that of [27]. Several concepts are introduced that initially seem to make sense only in the specific context of bidirectional transformations (e.g., the idea of candidates), but may provide inspiration for a further extension of our framework with corresponding concepts.
7 Conclusions
In this paper, we have introduced a definition of graph consistency as a graduated property, which allows for graphs to be partially consistent w.r.t. a nested graph constraint, inducing a partial ordering between graphs based on the number of constraint violations they contain. Two new forms of transformation can be identified as consistency sustaining and consistency improving, respectively. They are properly located in between the existing notions of constraintpreserving and constraintguaranteeing transformations. Lifting them to rules, we have presented criteria for determining whether a rule is consistency sustaining or improving w.r.t. a graph constraint. We have demonstrated how these criteria can be applied in the context of a case study from searchbased model engineering.
While the propositions we present allow us to check a given rule against a graph constraint, their lifting to a set of constraints is the next step to go. Furthermore, algorithms for constructing consistencysustaining or improving rules from a set of constraints are left for future work.
References
 [1] (2010) Henshin: Advanced Concepts and Tools for InPlace EMF Model Transformations. In Proc. MODELS, pp. 121–135. Cited by: §2.
 [2] (2011) Iterative Development of ConsistencyPreserving RuleBased Refactorings. In ICMT, Berlin, pp. 123–137. Cited by: §6.
 [3] (2020) Commutators for Stochastic Rewriting Systems: Theory and Implementation in Z3. External Links: 2003.11010, Link Cited by: §6.

[4]
(2010)
Solving the class responsibility assignment problem in objectoriented analysis with multiobjective genetic algorithms
. IEEE Transactions on Software Engineering 36 (6), pp. 817–837. Cited by: §2.  [5] (2019) Automatic generation of atomic consistency preserving search operators for searchbased model engineering. In MODELS, pp. 106–116. Cited by: §1, §2, §4.2, §6.
 [6] (2018) MDEOptimiser: a search based model engineering tool. In MODELS, pp. 12–16. Cited by: §2.
 [7] (2017) Kinductive invariant checking for graph transformation systems. In Graph Transformation  10th International Conference, ICGT 2017, LNCS, Vol. 10373, pp. 142–158. Cited by: §6.
 [8] (2006) Fundamentals of Algebraic Graph Transformation. Monographs in Theoretical Computer Science, Springer. Cited by: §1, §1, §2, §3, §5, Proof.
 [9] (2012) Adhesive Transformation Systems with Nested Application Conditions. Part 2: Embedding, Critical Pairs and Local Confluence. Fundam. Inf. 118 (1–2), pp. 35–63. Cited by: Proof.
 [10] (2016) The class responsibility assignment case. TTC. Cited by: §2, §2.
 [11] (2015) Marrying searchbased optimization and model transformation technology. In NasBASE, Cited by: §1.
 [12] (2009) Correctness of highlevel transformation systems relative to nested conditions. Math. Struct. in Comp. Science 19, pp. 245–296. Cited by: §1, §2, §3, §3, Theorem 2, §4.2, §6, §6, Example 2, Proof.
 [13] (2018) Graph Repair by Graph Programs. In STAF, Cham, pp. 431–446. Cited by: §1, §2, §6.
 [14] (2004) Helperobjectives: using multiobjective evolutionary algorithms for singleobjective optimisation. Journal of Mathematical Modelling and Algorithms 3 (4), pp. 323–347. Cited by: §2.
 [15] (2016) Automatically deriving the specification of model editing operations from metamodels. In ICMT, Cham, pp. 173–188. Cited by: §6.
 [16] (2019) Constructing ConstraintPreserving Interaction Schemes in Adhesive Categories. In WADT, pp. 139–153. Cited by: §6.
 [17] (2019) Granularity of conflicts and dependencies in graph transformation systems: A twodimensional approach. J. Log. Algebr. Meth. Program. 103, pp. 105–129. Cited by: §5.
 [18] (2018) Multigranular conflict and dependency analysis in software engineering based on graph transformation. In ICSE, pp. 716–727. Cited by: §5, Example 4.
 [19] (2019) Constructing optimized validitypreserving application conditions for graph transformation rules. In ICGT, pp. 177–194. Cited by: §6.
 [20] (2020) Constructing optimized validitypreserving application conditions for graph transformation rules. Journal of Logical and Algebraic Methods in Programming. Note: (to appear) Cited by: §6.
 [21] (2017) Rulebased Repair of EMF Models: Formalization and Correctness Proof. In GCM, Cited by: §1, §4.2.
 [22] (2017) Rulebased repair of EMF models: an automated interactive approach. In ICMT, Cham, pp. 171–181. Cited by: §1, §2, §6, §6.
 [23] (2001) Making inconsistency respectable in software development. Journal of Systems and Software 58 (2), pp. 171–180. External Links: ISSN 01641212 Cited by: §1.
 [24] (2005) Confluence of graph transformation revisited. In Processes, Terms and Cycles: Steps on the Road to Infinity, Essays Dedicated to Jan Willem Klop, on the Occasion of His 60th Birthday, pp. 280–308. Cited by: §3, §5.
 [25] (2019) Rulebased graph repair. CoRR abs/1912.09610. External Links: Link, 1912.09610 Cited by: §1, §2, §3, §4.2, §6.
 [26] (2017) Graph constraint evaluation over partial models by constraint rewriting. In ICMT, pp. 138–154. Cited by: §6.
 [27] (2014) Bidirectionally tolerating inconsistency: partial transformations. In Int’l Conf. Fundamental Approaches to Software Engineering (FASE’14), S. Gnesi and A. Rensink (Eds.), pp. 32–46. Cited by: §6.
 [28] (2017) Henshin: a usabilityfocused framework for EMF model transformation development. In ICGT, pp. 196–208. Cited by: §2.
 [29] (2017) Generating efficient mutation operators for searchbased modeldriven engineering. In ICMT, pp. 121–137. Cited by: §2.
Appendix 0.A Detailed Proofs
In this appendix we present the detailed proofs of all statements of the paper.
Proof (of Lemma 1)
For trivial reasons, and : Since no morphism occurring in or is an isomorphism, . Hence, there does not exist a morphism from to for .
Proof (of Fact 1)
First, since in any case , i.e., .
Moreover, if and only if if and only if for all .
The last claim for existential constraints follows from the fact that by definition of and .
Proof (of Theorem 2)
Throughout the proof, let be the relevant constraint and a transformation.
We first show that a guaranteeing transformation is directly consistency sustaining. By definition, guarantee of a constraint implies its preservation [12]. In particular, the statement that guarantee implies direct sustainment is true in the case of existential constraints. For the universal case, by , either or . In either case, the definition of direct consistency sustainment is met.
Next, we show that direct consistency sustainment implies consistency sustainment. In the case of existential constraints, if , then preservation implies ; if either or may hold. In both cases, .
In the case of universal constraints, together the two conditions imply that which implies as desired.
Finally, let a consistency sustaining transformation be given.
If already
, then this implies .
In particular, the transformation is preserving.
Since the above statements are true on the transformation level, they can be directly lifted to the rule level.
Proof (of Theorem 3)
Again, throughout the proof, let be the relevant constraint and a transformation. Note that, for both notions of improvement, by definition an improving transformation assumes .
Therefore, first, let be a guaranteeing transformation where . By Theorem 2, this transformation is consistency sustaining, in particular. Hence, in case is an existential constraint, the transformation is directly consistency improving by definition. Therefore, let be a universal constraint. implies that there is a morphism with . As by definition of guaranteeing rule applications, either is not total or . This means, either the first or the second condition of the definition of a directly consistencyimproving transformation is met and therefore the transformation is directly consistency improving.
In the following we show that every directly consistencyimproving transformation is consistency improving. The last claim, that every consistencyimproving transformation is consistency sustaining, again holds by definition.
First, every directly consistencyimproving transformation is directly consistency sustaining by definition and by Theorem 2 every directly consistencysustaining transformation is consistency sustaining. This means, we only have to check the conditions on the number of constraint violations. By assumption . In case is an existential constraint, : In that case, by definition, the transformation is even guaranteeing. Hence,
and the transformation is consistencyimproving. In case is universal, there exists (at least) one occurrence that meets either the first or the second condition of the formula. In either case, this has the effect of decreasing by one. Moreover, direct consistency sustainment ensures that no new occurrences that violates the constraint is introduced. In summary, and the transformation is consistency improving.
On the rule level, (direct) consistency improvement is defined in such a way that at least one (directly) consistencyimproving transformation via that rule needs to exist. Hence, the proven statements on the transformation level lift to the rule level as long as there exists a guaranteeing transformation starting at an inconsistent graph via that rule.
We formulate a technical lemma that we are going to use in the proof of the next theorems. It relates the track morphism of a transformation to occurrences of constraints.
Lemma 2
Given a transformation and an occurrence of a constraint in , the track morphism is total, when restricted to (i.e., is a total morphism) if and only if there exists a morphism such that .
Proof
For the first direction, set for all . Since belongs to the domain of by assumption, this results in a graph morphism with the desired property.
In the other direction, also the existence of with states that belongs to the domain of , i.e., is total.
Proof (of Theorem 1)
We first consider the case of constraints . Assume that rule is directly consistency sustaining. Let there be any transformation such that there is an injective morphism (i.e., a match for ). Since , the second condition on directly consistencysustaining transformations implies that there exists a morphism such that (see Lemma 2). This means that the application of is sequentially independent from ; and since was arbitrary, is sequentially independent from .
Conversely, assume to be sequentially independent from . Let there be a transformation and an injective morphism . This morphism can be understood as a match for . By the definition of sequential independence, there is an injective morphism such that . This implies (see Lemma 2) where and is the trace morphism corresponding to the transformation. This implies that both conditions in the definition of direct consistency improvement quantify over the empty set in that case; hence, rule is directly consistency improving.
Secondly, we consider the case of constraint . Assume rule to be such that is sequentially independent from and does not cause a conflict for . As in the case of constraint , the sequential independence implies that the second condition in the definition of direct consistency sustainment quantifies over an empty set in this case. Hence, it is trivially true. We use the parallel independence to show that also the first condition is met.
For this, let be a transformation step from to via rule at match where is the context graph of that transformation step. Let be a valid occurrence of such that there exists a morphism with (compare Figure 4). By validity of the occurrence, there exists an injective morphism such that . We have to show that there exists an injective morphism such that where .
The morphism can be understood as a match for in and since does not cause a conflict for , there is an injective morphism such that . One first computes
which implies since is injective. This can then be used to compute
as desired.
Proof (of Proposition 1)
For any transformation that does not create a new occurrence of the argument is exactly the same as in the above proof of Theorem 1. Also, by absence of conflicts, that already existing occurrences remain valid is proven in the same way.
Therefore, let be a transformation that creates (at least one) such a new occurrence. This means, there is an injective morphism such that there does not exist an injective morphism with (compare Figure 4, again), i.e., the application of to at match is sequentially dependent on the transformation . We have to show that this occurrence is valid which means that there exists an injective morphism such that . By the duality between conflicts and dependencies and the completeness result for weak critical pairs (see [8, Remark 5.10] and [9, Lemma 6.4]) there is a weak critical sequence that embeds into the sequence via a. By assumption, there exists an injective morphism with . Moreover, embeds into via an injective morphism such that (by construction of weak critical pairs). Hence, for we compute
as desired.
Proof (of Theorem 2)
Here, we first consider the case of constraint .
If is directly consistency improving, there exists a transformation step that constitutes a consistency improving rule application; in particular . Hence, there exists an injective morphism such that there exists no injective morphism with (once more, compare Figure 4 for the following). Moreover, either (i) for (compare Lemma 2) there exists an injective morphism such that , i.e., , or (ii) there is no morphism such that .
Assume (i). There is a morphism such that . The morphism is a match for the rule . If were sequentially independent from , there was a morphism such that where is the context object of the transformation step. But, as in the proof of the above theorem, the resulting morphism would satisfy which contradicts the assumption. Hence, the application of is sequentially dependent on the application of .
Moreover, assume there to be an element
By , ( has been newly created in ). However, by and , which is a contradiction. Hence,
Assume (ii). The morphism can be understood as match for in and the nonexistence of by definition means that the application of caused a conflict for the application of .
Secondly, we consider the case of constraint . Since no morphism can satisfy false, the first condition on direct consistency improvement can never be satisfied in that case. Hence, to be directly consistency improving, the second condition must be true. Again, as in (ii) above, the existence of a morphism such that is not total implies that the application of caused a conflict for . Hence, directly consistency improving rules w.r.t. cause conflicts for .
Conversely, assume to be a directly consistency sustaining rule w.r.t. such that causes a conflict for . Hence, there is a transformation such that there exists an injective morphism but no morphism such that . By Lemma 2 (and since ) this means that the second condition of the definition of direct consistency improvement is met. Since additionally is directly consistency sustaining by assumption, this means that is directly consistency improving.
Comments
There are no comments yet.