A

RD

a

ARRAA

KSMGG

I

wtaabasf

isghtiva[ti

r

h1

Down

Applied Soft Computing 24 (2014) 169–180

Contents lists available at ScienceDirect

Applied Soft Computing

j ourna l h o mepage: www.elsev ier .com/ locate /asoc

heuristic solution for model checking graph transformation systems

osa Yousefian, Vahid Rafe ∗, Mohsen Rahmaniepartment of Computer Engineering, Faculty of Engineering, Arak University, Arak 38156-8-8349, Iran

r t i c l e i n f o

rticle history:eceived 24 April 2013eceived in revised form 5 April 2014ccepted 27 June 2014vailable online 12 July 2014

a b s t r a c t

One of the commonly used techniques to verify software and hardware systems which have been specifiedthrough graph transformation system (GTS), especially safety critical ones, is model checking. However,the model checking of large and complex systems suffers from the state space explosion problem. Sincegenetic algorithm (GA) is a heuristic technique which can be used to search the state space intelligentlyinstead of using exhaustive methods, in this paper, we propose a heuristic approach based on GA to find

eywords:tate space explosionodel checkingraph transformation systemsenetic algorithm

error states, such as deadlocks, in systems specified through GTS with extra large state space. To do so, ineach step of space exploration our algorithm determines which state and path should be explored. Theproposed approach is implemented in GROOVE, a tool for model checking graph transformation systems.The experimental results show that our approach outperforms significantly in comparison with existingtechniques in discovering error states of models with large state space.

© 2014 Elsevier B.V. All rights reserved.

ntroduction

Correctness is one of the most desirable properties for any soft-are system. A great part of each developing approach is devoted

o assess the correctness of the system; however, faults and errorsre common. The sooner errors are found the better results can bechieved [1]. Hence, model-based verification techniques shoulde used before implementation to decrease the cost and the risknd also to increase the quality of the product. To do so, it is neces-ary to use an accurate approach to specify models, and thus, usingormal methods for this purpose can be one of the best solutions.

Graphs and diagrams provide a very useful, direct, and intu-tive means to describe software systems [2]. Graph transformationystems (GTS) [2,3] provide the formal foundations to convertraphs and diagrams into formal specifications. Even though GTSas not been very popular for years, it is able to capture the sys-ems behavior naturally and succinctly. However, modeling per-ses not enough. Proper verification solutions are mandatory to con-ince people of the actual benefits provided by modeling. Differentpproaches already exist to verify GTS through model checking4–6]. All these approaches only deal with a priori bounded transi-

ion systems because of the nature of model checking techniquesn general. However, in many cases, the transition system tends to

∗ Corresponding author. Tel.: +98 86 32625524.E-mail addresses: Rosa8a81@yahoo.com (R. Yousefian), v-rafe@araku.ac.ir,

afe@iust.ac.ir (V. Rafe), m-rahmani@araku.ac.ir (M. Rahmani).

ttp://dx.doi.org/10.1016/j.asoc.2014.06.055568-4946/© 2014 Elsevier B.V. All rights reserved.

loaded from http://www.elearnica.ir

be too large. Thus, the state space explosion problem occurs. In thiscase the usual verification approaches like [4–11] cannot be useful.

Although there exists different approaches, like symbolic verifi-cation [12,13], partial order reduction [14,15], symmetry checkingmethods [16–19] and scenario-driven model checking [1] for thesystems specified through GTS, almost all of these methods useexhaustive search on the state space and thus suffer from the stateexplosion problem. For the cases in which the usual approachescannot be employed due to the size of the state space, using heuris-tic approaches like GA can be a proper solution.

Genetic algorithms are usually used for optimization problemsbut in this work, we propose a method using GA to find errorssuch as deadlocks in systems specified through GTS. Since it isnot possible to search all the states, our approach chooses a sub-set of them to be explored using GA. We implement the proposedapproach through GROOVE [20,21], a toolset to generate state spacefor GTS specification. In this paper, we concentrate more on search-ing deadlocks which are a sort of safety properties.

The rest of the paper is organized as follows. In Related worksSection, we review some of the already proposed solutions fordealing with state space explosion. In Background Section, webriefly introduce the required background. Proposed method Sec-tion presents our proposed approach to exploration of the statespace using GA. Our algorithm implementation is described inImplementation Section. In Evaluation Section, we employ the pro-

posed method for several known problems and consequently wediscuss the results of our experiments. Finally, we conclude thepaper and highlight the future works in Conclusion and futureworks Section.

1 oft Co

R

ef

C

itomibt

S

wotlmimepaFtuc

M

upas

sfivat

amltr

consiituio

70 R. Yousefian et al. / Applied S

elated works

Generally, proposed approaches for overcome the state spacexplosion that can be found in the literature fall into one of theollowing four broad categories:

lassic approaches

To cope with the state space explosion problem in model check-ng systems, some classic solutions like the ones based on reducinghe size of the model’s state space [17–19,22–27] and those basedn memory saving [28–32] have been presented. There also existodel abstraction techniques that reduce the state space by reduc-

ng the size of the model. The general idea in methods which areased on memory saving is to use various algorithms for reducinghe memory space required for saving the states.

imple heuristic approaches

A simple heuristic search algorithm is the best-first search,hich is applied for protocol validation to achieve significant gains

ver depth-first search [33]. Heuristics for choosing a search orderhat favors visiting first successor states that are most likely toead to an error are discussed in [34] in the context of symbolic

odel checking and in [35] in the context of explicit model check-ng. A best-first search with binary decision diagram (BDD) based

odel checking within the Murф tool has been used in [36]. Bloemt al. [37] used heuristics to reduce the bottlenecks of image com-utation in symbolic model checking. In another work [38], theuthors proposed an OBDD-based version of the A* algorithm.riedman et al. [39] applied a Coverage First Search related to struc-ural heuristics to generate test suites. Ganai and Aziz [40] alsosed coverage-based techniques to guide a state-space search forontrol-dependent hardware.

eta heuristic approaches

In recent years, some artificial intelligence algorithms have beensed to improve the memory utilization. To bring up a few exam-les, frameworks based on reinforcement learning [41], ant colonylgorithm [42–44] and GA in studying and exploring the large statepace models can be mentioned.

A framework based on reinforcement learning has been pre-ented for checking the linear temporal properties [41]. In thisramework, the goal is to improve the memory utilization throughncreasing the probability of occurrence of the paths that lead toiolation of the properties. In reinforcement learning algorithm thegent learns about the concepts by interacting with its environmenthrough rewards and punishments.

By using the ant colony algorithm, inspired by the efforts ofnts in searching for the shortest path to the food resources,odel checking systems can explore the state space of the prob-

em [42–44]. By using this algorithm, they have been able to findhe optimal solution for the problem with the least amount ofesources.

Most of the researches that have been conducted for modelhecking systems in the field of GA, for example [45,46], are basedn the textual modeling. Godefroid and Khurshid [46] introduce aew framework for reducing the state space in concurrent reactiveystems. This framework directs us into the error states by utiliz-ng heuristic practical programs that use the GA. This frameworks implemented using Verisoft [47] which is a tool for exploring

he systems’ state space. This framework, by using the GA andtilizing some heuristic methods, guides a search engine into find-

ng errors such as deadlock and assertion violations in state spacef a concurrent reactive system [46]. In Java Pathfinder a model

mputing 24 (2014) 169–180

checking system has been implemented that can identify thedeadlocks [45]. For more details about other heuristic approachesinterested readers can refer to [48].

Heuristic approaches on GTS

In [49] the authors have formalized a framework for the appli-cation of heuristic search in order to analyze structural propertiesof systems modeled by graph transition systems. They believe thatheuristic search is intended to reduce the analysis effort and alsoto deliver shorter solutions, (i.e. shorter paths in graph transitionsystems). To do so, they use A* algorithm. This framework is imple-mented in HSF-SPIN a heuristic model checker compatible with thesuccessful model checker SPIN [50].

Most of the heuristic approaches mentioned till now are exhaus-tive search approaches. In fact, the employed heuristic approachhelps the traversing algorithm to find the error states faster, butthe state space explosion still can occur. In this paper, we proposea solution in which only a subset of the state space is considered tobe searched.

Another important issue is that GTS is a graphical formal lan-guage which is used in different software development phases(e.g. meta-modeling [51], architectural style representation [52],refinement [53], refactoring [54], model transformation [55], per-formance analysis [56], etc.). So, it is very useful to propose a novelapproach to overcome the state space explosion problem in GTS.

Background

Model checking

Utilization of formal methods as an efficient way for qualityassurance and correctness checking of a designed system is highlynecessary. Model checking is an automatic method for studying theproperties given to a system and their verification. In model check-ing, properties can be classified into different groups like safety andliveness.

The safety property, informally, claims that “no bad event shouldoccur” in a system or a “good incident” should always happen in asystem. To find a state that leads into the violation of safety prop-erty, it is necessary to find a finite path into a violating state (e.g.deadlock state) [57].

If all states are valid, it becomes clear that this property is validin the system and if it is rejected, the model checking approach candemonstrate the violated path and state.

Liveness properties assert that “something good” will happeneventually. In order to find a Liveness property violation, it isneeded to find an infinite path in which a desired state never occurs(i.e. the expected good never happened) [58].

Since model checking needs to generate all the possible statespace of the model to verify its validity and the given properties,the model must be relatively small. In other words, model checkingof large models faces the problem of memory resource limitationwhich causes the state space explosion problem.

Graph transformation system

Graph transformation is a graphical formal language for systemmodeling. The mathematical foundation of graph transformationsystems returns to more than 40 years ago in response to short-comings in the expressiveness of classical approaches to rewriting

(e.g. Chomsky grammars) to deal with nonlinear grammars [59].Graphs are suitable tools for explanation and modeling the struc-ture of complex systems. One of the most fundamental features ofthe GTS is its formal and accurate mathematical basis [2].

R. Yousefian et al. / Applied Soft Computing 24 (2014) 169–180 171

of the

istaoHHt

PiKtmbm

trirai

G

ou(

n

Fig. 1. Four Stages

An attributed GTS is determined as a triple: AGT = (TG, HG, R)n which TG is the type graph, HG is the host graph, and R is theet of rules. Type graph is a tuple: TG = (TGN, TGE, src, trg), withwo functions src: TGE→ TGN and trg: TGE→ TGN. These functionsssign each edge a source and a target node. TGN and TGE are a setf node types and a set of edge types, respectively. A host graphG over TG, is a graph equipped with a graph morphism typeG:G → TG that assigns a type to every node and edge in HG. A graph

ransformation rule P over an attributed type graph TG is given by

= (Ll←−K

r−→R, type, NAC), where Ll←−K

r−→R is a rule span withnjective graph morphisms l, r and graphs L (left hand side or LHS),

(gluing graph) and R (right hand side or RHS) typed over TG,ype = (typeL: L → TG, typeK: K → TG, typeR: R → TG) is a triple of

orphisms, and NAC is a set of triples nac = (N, n, typeN) with Neing a graph, n: L → N a graph morphism, and typeN: N → TG aorphism [60].The model checking of systems specified through GTS was first

heoretically described by Heckel [61] in which each host graphepresents a state, by applying each rule on a host graph a new states formed; a transition system is generated by applying all enabledules to all generated states (host graphs). For more informationbout GTS and its verification through model checking techniques,nterested readers can refer to [2].

enetic algorithm

Genetic algorithm (GA) has been utilized in a wide variety ofptimization problems. A GA starts with a random initial pop-

lation of the coded solutions which are called chromosomesinitialization step).

In the selection step, suitable chromosomes are chosen for theext reproduction. The selection process needs to calculate the

while (not EOF Iterations){If (IsFirstIteration){

chromosomes = createNewRandomChromo}else{

previousChromosomes = chromosomeschromosomes.Clear()

chromosomes.Add(previousChromosomechromosomes.Add(previousChromosomeschromosomes.Add(previousChromosomes

}foreach(chromosome in c hromosomes){

chromosome.CalculateFitnessValue()if (chromosome.FinalStates > 0)

AnswerFound_StopGeneticAlg}

}

Fig. 2. The operation o

genetic algorithm.

suitability of the chromosomes. This is performed in a fitnessfunction. If an acceptable solution (i.e. chromosome) is found, theprocess is directed to the termination step, otherwise, in reproduc-tion step, the competent chromosomes are selected according toa suitable fitness function to be the best parents for generatingthe next generation. The selected chromosomes participate in thecrossover and mutation process and the new offspring for the futuregenerations are created. The chosen parents, as selected based onthe approach explained above, and the new offspring will repeatthe process for generating the new populations [62]. This processis described in Fig. 1.

GA does not guarantee to find the optimal solution. Therefore,the challenge is to maximize the probability of finding a suitablesolution through a genetic process.

The fitness function, selection, crossover, and mutation opera-tions are usually performed until reaching an acceptable solutionor, a predetermined number of iterations are executed. Selection,crossover and mutation are among the general operations whichare utilized in every GA and have been studied in many differentarticles. Two of the most critical problems that should be consid-ered in GA are chromosome encoding and the way that the fitnessfunction is defined. Other parameters including the size of the initialpopulation, mutation rate (the number of chromosomes that mustparticipate in the mutation operation) and also the crossover rate(the number of chromosomes participating in the crossover oper-ation) must be determined properly for each problem. A standardGA is depicted in Fig. 2.

In GROOVE toolset, to detect the final state of a GTS there is

a function called “getfinalstates()” which returns a value greaterthan zero when it encounters a deadlock state. This function isnamed “FinalState” in our pseudo code. Thus, if a chromosome doesnot contain a deadlock state the returned value is zero; otherwise

somes(population)

s.TakeTopChromosomesBasedOnFitnessValue()).Mutate()).CrossOverOnPairs())

orithm()

f a standard GA.

172 R. Yousefian et al. / Applied Soft Computing 24 (2014) 169–180

ach fo

is

P

iisTs

fItetwlasefiei

uFfttcmp

C

ai[

Fig. 3. The proposed appro

ts output will be greater than zero and the algorithm will betopped.

roposed method

The general idea of our method is to create a partial state spacenstead of a whole state space. In GTS, the state space has a uniquenitial state. The selected solutions are the finite sequences of tran-itions in a state space that were generated from this initial state.hese solutions, which are used for generating and exploring thetate space, are defined by chromosomes.

The way a model checking system works is as follows. It startsrom an initial state (S0) and generates and explores the state space.n every state, the number of possible transitions is determined, andhen the GA decides which transition must be selected for the nextxploration (see Applying genetic algorithm in model checking Sec-ion). After the selection, the model checking system determineshether the next state is a desirable state or not (to detect dead-

ock a desirable state has no transition and, for safety properties it isn erroneous state). If a desirable state is found, the current path isaved and the user will be informed of the error in the model; oth-rwise the model checking system continues its operation until itnds a desirable state or, a predetermined number of iterations arexecuted. Fig. 3 elaborates this process. All steps will be discussedn detail in the rest of the paper.

It should be considered that the implemented algorithm can besed to find error states in a given problem which is modeled in GTS.urthermore, as mentioned before, one of the most important dif-erences of the GA-based approach with the classical techniques ishat the state space is not fully generated and explored. Obviously,he advantage of using this approach is mostly for large cases whichannot be explored due to the state space explosion. We imple-ented our approach in GROOVE by adding a new strategy, so it is

ossible for each modeled system on GROOVE to be explored.

hromosome encoding

Encoding chromosomes is one of the problems that should beddressed when you are starting to solve a problem with GA. Encod-ng is very problem dependent. There are four types of encoding63,64]:

r heuristic model checking.

• Binary encoding is the most common, mainly because initialresearch efforts on GA used this type of encoding. In binary encod-ing every chromosome is a string of bits, 0 or 1.• Permutation encoding is mainly used in ordering problems. In per-

mutation encoding, every chromosome is a string of numbers,which represents number in a sequence. Given n unique objects,n! permutations of the object exist.• Value encoding is an approach in which each chromosome is rep-

resented as the string of some values. These values can be integer,real number, character, or some object. Values can be anythingconnected to the problem.• Tree encoding is used mainly for evolving programs or expres-

sions. In tree encoding every chromosome is a tree of someobjects, such as functions or commands in programming lan-guage.

In our approach, given the structure of the problem, valueencoding is employed. Each gene in a chromosome is a numberbetween 0 and the maximum number of possible outgoing transi-tions of a state in a particular problem. A gene is the representativeof a transition in each stage. Since the maximum number of tran-sitions for each problem is different, we need to determine itaccording to the nature of the problem as an input parameter. How-ever, this number is not always easy to figure out. For example, themaximum number of possible outgoing transitions in each state ofN-Phil problem is equal to N; similarly it is always 4 for N-Puzzleproblem. An example of encoding a finite path in a graph by a chro-mosome is shown in Fig. 4. The chromosome ‘1312′ encodes thepath that visits the colored states (following the colored edges) inthe state space.

The effective length of the chromosomes is considered to bedynamic based on the type of the problem. The effective length isequal to the search depth in model checking. We pick it in advanceand then pick a larger value if no deadlock state could be found. Forinstance, as seen in Fig. 4, the effective length of the chromosomeis 4.

Cost function

There are many different approaches to define the fitness func-tion. In this work, we need a way to define a function to show asimilarity between what we are searching to find (i.e. the deadlock

R. Yousefian et al. / Applied Soft Computing 24 (2014) 169–180 173

Fs

saalpcptfif

uvsdogf

F

nid

C

mboep

rate which is specified as an input parameter.Using these two methods for choosing the chromosome helps

all chromosomes to have the chance of being selected which also

ig. 4. The encoding method for a solution using the GA, the path ‘1312′ in the statepace is found by GROOVE.

tate) and what we are currently traversing (i.e. different pathsnd states). For example, hamming distance is used in differentpproaches to represent similarity. As we are searching for dead-ocks (state with no outgoing transition), the best similarity is aath in which outgoing transitions of the states are decreasing. Wehose this method because if there is less number of transitions in aath, it seems more likely to lead to a deadlock, i.e., a state in whichhere is no output. The goal is to minimize the output value of thetness function; hence, we refer to the fitness function as the cost

unction in the rest of the paper.The cost function is defined to find the best chromosomes to

se in the next generations. The goal is to minimize the outputalue of the cost function. In this algorithm, the cost function is theum of all the outputs that have been generated in a given path toetect a deadlock which is shown in (1). EL is the effective lengthf the chromosomes (i.e. the depth search) and, Li is the sum of theenerated states in ith depth. For instance in Fig. 4, the cost valueor the explored path is 14 (F(x) = 14).

(x) =EL∑

i=1

Li (1)

The goal of this GA is to minimize F(x) to find paths with lowerumber of transitions to be involved in the next generation, hop-

ng to reach a state without an output through one of the pathsetermined by the chromosomes.

rossover and mutation

Crossover is a genetic operator that combines two parent chro-osomes to produce a new chromosome (offspring). The idea

ehind crossover is that the new offspring may be better than bothf the parents if it takes the best characteristics of each of the par-nts. Three different forms of crossover are One point crossover, Noint crossover, and Uniform crossover.

Fig. 5. The crossover operation.

In our implementation, a single-point crossover is utilized. Asmentioned in [65], this method is commonly used to combine chro-mosomes that are independent (i.e. are not similar). In our proposedapproach, each chromosome indicates a path in the state space, andthus, they have no dependency on each other.

In a single-point crossover, a specified position – which is aninput parameter – is chosen for each two parents, and then swapsthe genes after that position to form the offspring. An example of acrossover is depicted in Fig. 5.

Mutation also is a basic operator in GA. It alters one or more genevalues in a chromosome from its initial state. With these new genevalues, the genetic algorithm may be able to arrive at a better solu-tion. Mutation is an important part of the genetic search as it helpsto prevent the population from stagnating at any local optima. Somedifferent types of mutation are boundary, non-uniform, uniform,and Gaussian. In the implementation, uniform method is employed.This is a simple method that is appropriate for the problem. Asshown in Fig. 6, in mutation operation some genes are randomlyreplaced by new random values. These random values are selectedfrom a range between the user-specified upper and lower boundsfor that gene.

Creating new generation

To produce a new generation, chromosomes from the previ-ous generation are transmitted, unchanged, to the next generation,according to the crossover and mutation rate, specified as the ini-tial parameters of GA algorithm. The selection process in GA is doneby three known methods: Elitism [63], Tournament [63], and Ran-dom. A number of chromosomes selected by Elitism method, whichis choosing the best chromosomes based on the cost function,are transmitted to the next generation unchanged. The numberof chromosomes is identified based on the crossover and muta-tion rate. According to the crossover rate, chromosome pairs areselected by Tournament method to participate in the crossoverprocess. The number of participating chromosomes in the tour-nament algorithm is also specified as an input parameter. Finally,Random selection method is used for selecting chromosomes inthe mutation process. Chromosomes are randomly selected fromthe chromosome pool, then mutation is performed on them andthey are transmitted to the new generation. The number of selectedchromosomes for the mutation process depends on the mutation

Fig. 6. The mutation operation.

174 R. Yousefian et al. / Applied Soft Computing 24 (2014) 169–180

e of th

aa

A

sdsbpetiaafgsosatwmeetetdrc

mti

I

i

erator Engine produces the initial population of chromosomes andplaces them in the Chromosome Pool. To improve the performanceof the algorithm, all chromosomes are unique in this generation.Chromosome Iterator sends chromosomes one by one as a file to

Fig. 7. The architectur

llows less-qualified chromosomes to be chosen, with a lower prob-bility, to prevent stagnation.

pplying genetic algorithm in model checking

In our approach, the search space to be explored is the statepace of a system. The state space has a unique initial state. Candi-ate solutions are finite sequences of transitions in the state spacetarting from this initial state. Each candidate solution is encodedy a chromosome, i.e., a finite array of integer. How to encode finiteaths in a graph using chromosomes is discussed in Chromosomencoding Section in details. To evaluate the cost of a chromosome,he GA generates the path encoded by the chromosome then passest to the model checker. Afterwards, the cost values are calculatednd returned back to the GA. This is done by combining the geneticlgorithm with a model checker. To do this, the model checker ised by a chromosome generated by our proposed GA. Elements (i.e.enes) of a chromosome tell the model checker which transitionhould be selected in each step of the space exploration. If the valuef a gene is larger than the possible transitions from the currenttate, the model checker generates a random number between 0nd the maximum number of possible transitions of that state forhe rest of exploration. In addition, the value of the gene is replacedith this new random number for the rest of the process. This actionust be calculated in the model checker because GA does not have

nough information about the number of out-going transitions inach state. Since a chromosome can only encode a finite number ofransitions, the state space is explored up to a fixed depth. When-ver the model checker has explored a path, it prompts the GAo evaluate the cost of the current chromosome. This operation isiscussed further in the rest of the paper. Once the cost of the cur-ent chromosome has been computed, another chromosome of theurrent population is evaluated using the same process.

The implemented algorithm can determine whether the GAust stop after reaching the first error state or it must continue

o find more error states. The latter helps us to find all error statesn a given model.

mplementation

The algorithm is implemented in two phases. The first phases implemented with Java programming language in GROOVE and

e proposed approach.

the second phase is implemented in .Net environment using C#.Netentitled as Director. Fig. 7 shows the architecture of the proposedmethod in two environments and demonstrates how they are con-nected to each other.

In the first phase, a new strategy, called GA, is added to the exist-ing strategies of the GROOVE and also a new capability is createdfor receiving a chromosome as an input file. Hence, we manipulatedthe files Simulator.jar and Generator.jar.

In the second phase, the input parameters of the problem suchas the model, the initial number of the chromosome population, thedesired depth for limiting the exploration, crossover rate, mutationrate, and etc. are determined. In execution time, Chromosome Gen-

Fig. 8. Host graph of dinning philosophers problem with 5 philosophers and 5 forks.

oft Computing 24 (2014) 169–180 175

ttcciFcp

mds

ssiscipGpss

E

DfDspoA

T

inasegSiutp

P

Gs4

imoiPfMl

Table 1The parameters for studying and exploring the state space with GA.

Population 50Iteration 50Crossover rate 50%

R. Yousefian et al. / Applied S

he GROOVE. GROOVE evaluates the input path and returns backhe results to the Director. In case of finding an error state theorresponding chromosome is identified with a flag. Now, the exe-ution can be continued to find another error state until the definedteration or, stopped. This option is specified in input parameters.urthermore, Chromosome Manipulator Engine is responsible forreating new chromosomes for the next generations based on theroposed GA.

At the end of the execution, the erroneous files for all the chro-osomes are saved. Moreover, the path to the error state can be

epicted in GROOVE and the host graph can be seen in an erroneoustatus as well.

We can also change the model’s rules for studying the otherafety or liveness properties in such a way that the desiredtate is converted into a deadlock state. For instance, if theres a rule ‘R’ which tells two philosophers cannot take one forkimultaneously, we can change the model’s rules in which R isonsidered as deadlock. After the execution of the algorithm,f an error state is found it can be concluded that the desiredroperty in this model is satisfied. The modified version of theROOVE, the Director program along with the case studiesresented in the next section can be downloaded from http://ourceforge.net/projects/groovedirector/files/latest/download?ource=files.

valuation

The experiments using GROOVE were carried out on a Core 2uo 2.4 GHz processor with 4 GB of RAM. To identify the deadlocks,

our known case studies in model checking systems were used: theinning philosophers, Pac-Man, 8-Puzzle, and Car Platoon. In this

ection, we present the results of our experiments, comparing theerformance of our approach with exhaustive existing strategiesf GROOVE (specifically DFS, BFS) and the simple heuristic method*.

he dining philosophers

The dining philosophers problem [66] is an example in which byncreasing the number of philosophers the state space grows expo-entially. This problem includes a number of philosophers sittinground a table; each philosopher thinks and then gets hungry. Totart eating, he first picks up the left fork and then the right fork andats. Next, he puts down the left and the right fork on the table andoes into thinking mode. This process is repeated infinite times.ince several philosophers are sitting around a table and each forks shared by two adjacent philosophers, they compete for pickingp the forks. If all the philosophers pick up their left forks, the sys-em faces a deadlock. Fig. 8 illustrates the host graph of dinninghilosophers problem which has been modeled in GROOVE.

ac-Man

The second problem is the Pac-Man game which is modeled byROOVE. This problem, similar to dinning philosophers, has a largetate space. The field dimension of our model varies and starts from

× 4.The Pac-Man video game [67] is as follows: there are two agents

nvolved in this game, the Pac-Man and the Ghost both of which canove to an adjacent box in each stage of the game based on a set

f given rules. If Pac-Man moves to an adjacent box with a marblenside, it will eat it. If the ghost moves to an adjacent box in which

ac-Man already is, then the ghost will kill Pac-Man. The conditionor game termination is either all the marbles must be eaten by Pac-

an (you win) or the Pac-Man should be killed by the ghost (youose). In both cases, a deadlock state is generated. The host graph

Mutation rate 30%Position of crossover Middle of the chromosome

of Pac-Man problem which is modeled in GROOVE is depicted inFig. 9.

8-Puzzle

In 8-puzzle problem there are 9 boxes in which the 8 pieces ofthe game can move around. The goal is to insert the pieces in theircorrect position. Fig. 10 shows a definition of this problem whichhas been modeled in GROOVE. As it can be expected, generatingthe complete state space is not possible. In this puzzle, when allthe game pieces are placed in their correct place, a deadlock stateis reached.

Car Platoon

The Platoon system was designed by researchers at theCalifornia PATH program to show how vehicle automation tech-nology can be used to make a major contribution to relieving trafficcongestion [68]. Car platooning system consists of several cars driv-ing on a highway with constant speed and constant distance fromeach other. There is always one car in a platoon acts as a Leader andthe others follow it which are called Followers. In our case studythere are 25 cars each represented as a Process. The Followers areconnected to the leader through a channel. The property we intendto check is that the channel must not be created between two fol-lowers. To do this we should check if a free process (i.e. a new carwhich is not a part of the any platoons) sends a join request to afollower, then it must not receive acknowledgment. Moreover, weshould also check either if a follower is able to send a join requestto another follower or acknowledge a join request which is alreadysent by another leader. Hence these situations are not deadlock andour method can only find error states. Thus, as mentioned before,we should consider these rules in the model as deadlock. That is, ifany of the two mentioned situations happen a deadlock is occurred.A specification of this problem which has been modeled in GROOVEis depicted in Fig. 11.

Results

The initial parameters for studying and exploring the state spacewith GA are constant for all case studies and are shown in Table 1.

We considered different values as input parameters, specificallyfor mutation rate and crossover rate. However, all of the experi-ment results are almost the same and the effect of changing theseparameters, in our case, is negligible.

In verifying each model, we show the maximum search depthfor exploring the state space (Depth searched) and the average timefor reaching an error state after 10 runs (Result time). In addition, theminimum and maximum time (Min Time, Max Time) for reachingthe first error state in the total execution runs is presented. We alsoshow the depth of finding the first error state (first error depth).

Table 2 shows the comparison of our proposed GA strategy withothers for dinning philosopher problem. As shown in Table 2, the

results of running our algorithm after 8-phil is much better thanother approaches. A* strategy also suffers from state space explo-sion because, in the worst case scenario, it must exhaustively searchevery possible solution in the state space.

176 R. Yousefian et al. / Applied Soft Computing 24 (2014) 169–180

roble

p

daescl

Fig. 9. Host graph of Pac-Man p

The amount of used memory in the largest model, that is 30hilosophers, is 35 MB.

The Pac-Man problem was studied for three different fields ofimensions. In all models, 4 ghosts and 3 marbles were considerednd this resulted in a very large state space. Since there are multiple

rror states in this problem, the time for reaching the goal is veryhort. The results can be seen in Table 3. As it can be seen in thisase study, GA works better even when the state space is not veryarge because of the great number of error states.

Fig. 10. Host graph of 8

m with a 4 × 4 field dimension.

Finding the goal and execution time of the algorithm in 8-puzzleproblem is highly impressed by how we initially set the numbers inthe host graph. As illustrated in Table 4, it is clear that by disorga-nizing the host graph, the solution becomes more time consumingas it requires sliding more numbers around to achieve a given con-

figuration.

In this case study, GA does not work as good as the other strate-gies. As the error states are generally in the first levels of the statespace, A* and BFS outperform GA.

-Puzzle problem.

R. Yousefian et al. / Applied Soft Computing 24 (2014) 169–180 177

Fig. 11. Host graph of Car Platoon problem.

Table 2The results of executing the proposed GA for dinning philosophers.

Number of phil GA A* BFS/DFS

Depthsearched

Result time(s)

Min time(s)

Max time(s)

# Runs/#errors

First errordepth

Result time(s)

First errordepth

Result time(s)

8 Phil 20 52 1.6 98 10/10 17 1477.287 17 269 Phil 25 75 14.8 113.8 10/10 19

Out ofmemory

15 Phil 45 335 44 815 10/10 3116 Phil 40 624 247 1205 10/10 33 Out of memory20 Phil 70 585 45 1204 10/10 4630 Phil 140 2409 444 5775 10/10 91

Table 3The results of executing the proposed GA for PacMan problem.

Pac-Man GA A* BFS DFS

Depthsearched

Resulttime (s)

Min time(s)

Maxtime (s)

# Runs/#errors

Firsterrordepth

Resulttime (s)

Firsterrordepth

Resulttime (s)

Resulttime (s)

4 × 4 100 3 1.7 14.1 10/10 5 18.56 13 6 44 × 5 120 11 2.3 30.2 10/10 19 Out of

memoryOut ofmemory

4.5

6 × 5 150 23 2.9 79 10/10 21 Out ofmemory

Table 4The results of executing the proposed GA for 8-puzzle.

8-Puzzle GA A* DFS BFS

Depthsearched

Resulttime (s)

Mintime (s)

Maxtime (s)

#Runs/#errors

Firsterrordepth

Resulttime (s)

Firsterrordepth

Resulttime (s)

Resulttime (s)

50 5.8 2 22.4 10/10 3 0.046 3Out ofmemory

0.5

50 15 2.4 27.5 10/10 4 0.037 4 0.55

50 380 72.7 794.6 10/10 8 0.27 8 0.6

50 612 82.6 1130.5 10/10 11 0.59 11 0.7

178 R. Yousefian et al. / Applied Soft Computing 24 (2014) 169–180

Table 5The results of executing the proposed GA for Car Platoon.

Car platoon GA A* BFS DFS

Depthsearched

Resulttime (s)

Mintime (s)

Maxtime (s)

#Runs/#errors

Firsterrordepth

Resulttime (s)

Firsterrordepth

Resulttime (s)

Resulttime (s)

6 Cars 20 0.05 0.02 0.09 10/10 7 0.56 7 0.04 0.19 Cars 25 0.08 0.4 1.3 10/10 13 227.42 16

Out ofmemory

0.1512 Cars 30 1 0.5 1.7 10/10 13 Out of

mem-ory

0.2

25 Cars 50 1.2 0.5 2 10/10 26 3

Table 6The results of executing the multi-thread system on dinning philosophers problem.

Number of Phil Depth Result time (s) Min time (s) Max time (s) # Runs/# errors

15 Phil 50 115 29.9 155 10/1016 Phil 50 150 32.3 320 10/1020 Phil 70 281 1.1 409 10/10

odra

M

atatcntcXrTf

it

mtuaooptbhwsrwetm

30 Phil 140 1107

Table 5 compares the results of executing our method with thether algorithms on car platoon system. As it is seen in the table,eadlocks cannot be detected in some cases using typical algo-ithms such as A* and BFS due to the state space explosion. But DFSnd our proposed method could find all error states successfully.

ulti-threading implementation

To improve the execution time of the algorithm we also builtnother implementation of our work by utilizing multi-threadingechnique [69] in which in every generation, all the chromosomes of

generation can be executed synchronously. In situations in whichhe state space is large and execution time is long, we can use thisapability to drastically reduce the model checking time. It is worthoting that the hardware of the system in use must have morehan one CPU or Cores. In case the state space is very large andomplicated, the experiments are executed on a system of Intel(R)eon TM with a 3.00 GHz processor, 8 cores and 2 GB of RAM. Theesults show an improvement in the time for reaching the goal.able 6 shows the performance of executing a multi-thread systemor the dining philosophers problem.

A comparison on the results in Tables 2 and 6 shows that by tak-ng advantage of multi-threading technique, the model checking’sime will be reduced.

In other case studies mentioned before, run time has been opti-ized by using multi-threading as well. However for evaluating

his algorithm, speed up ratio and cost must be calculated. Speedp is calculated with S = T1/TN, where T1 is the time it takes to run

code on one processor, and the time it takes to run the same coden N processors is TN. In our experiments the speed up was 2.8. Inur case, we have moved from a two core processor to an eight corerocessor (resulting in a cost of 4). Given the cost of four, it seemshat the speed up does not meet our expectations. The reason cane explained through Fig. 7. As it is shown, our implementationas two major components: Director and Generator. The first oneas written in .Net by us and it is an iterative program while the

econd one was written in Java by the GROOVE team and it is aecursive program. When preparing the multi-threaded version,

e rewrite the director, while it is not possible to implement Gen-

rator as a multi-threaded program and it has a negative impact onhe speed up. Hence, the total speed up of the approach is not too

uch.

228 1604 10/10

Conclusion and future works

The main idea of this article is to cope with the problem of statespace explosion in model checking of graph transformation sys-tems. It must be mentioned that despite the proposed techniques,the problem of state space explosion, especially in problems withlarge size and high complexity, has not been completely resolvedyet and the problem of state space explosion still remains a criticalissue.

As it is seen, using the GA makes possible solving problems withlarge or infinite state space. Studying the properties and errors ofsuch problems can be impossible by using existing conventionalmethods. By considering the results, it is noticed that the proposedalgorithm makes it possible to check models with very large statespace that the existing tools like GROOVE could not initially check.However, in cases in which our approach does not report any error,we cannot be completely sure that the system is correct, but incases in which it finds an error, certainly the model is incorrect.

The proposed algorithm is implemented in order to detect dead-locks. It is also able to check the liveness property with minorchanges in the set of rules. Further research can still be done toimprove the algorithm. It is possible to define a new cost func-tion in the proposed algorithm to be used in the detection of otherproperties (currently, to verify these properties the designer shouldchange the model to convert these properties to a deadlock prop-erty). This issue will be further investigated in the future.

Acknowledgement

We would like to thank Prof. Arend Rensink and Amir Hos-sein Ghamarian (University of Twente) for their valuable commentson using GROOVE. Additionally, we would like to thank Dr. AminNikanjam (K.N Toosi University) for his valuable comments on GA.Last but not least, we also thank the anonymous reviewers for theiruseful comments to improve the paper.

References

[1] V. Rafe, Scenario-driven analysis of systems specified through graph transfor-mations, Vis. Lang. Comput. 24 (2) (2013) 136–145.

[2] L. Baresi, R. Heckel, Tutorial introduction to graph transformation: a softwareengineering perspective, in: First International Conference on Graph Transfor-mation (ICGT), 2002, pp. 402–429.

oft Com

[

[

[

[

[

[

[

[

[

[

[

[

[

[

[

[

[

[

[

[

[

[

[

[

[[

[

[

[

[

[

[

[

[

[

[

[

[

[

[

[

[

[

[

[

[

[

[

[

[

[

R. Yousefian et al. / Applied S

[3] H. Ehrig, K. Ehrig, U. Prange, G. Taentzer, Fundamentals of Algebraic GraphTransformation, in: EATCS Monographs in TCS, Springer, Heidelberg, 2006.

[4] A. Rensink, The GROOVE simulator: a tool for state space generation, applica-tions of graph transformations with industrial relevance (AGTIVE), LNCS 3062(2003) 479–485.

[5] L. Baresi, V. Rafe, A.T. Rahmani, P. Spoletini, An efficient solution for modelchecking graph transformation systems, Electron. Notes Theor. Comput. Sci.213 (2008) 3–21.

[6] A. Schmidt, D. Varró, CheckVML: a tool for model checking visual modelinglanguages, in: UML 2003: 6th International Conference on the Unified ModelingLanguage, Springer, 2003, pp. 92–95.

[7] A. Boronat, R. Heckel, J. Meseguer, Rewriting logic semantics and verification ofmodel transformations, in: FASE’09 Proceedings of the 12th International Con-ference on Fundamental Approaches to Software Engineering, Springer, 2009,pp. 18–33.

[8] P. Baldan, A. Corradini, B. König, Verifying finite-state graph grammars: anunfolding-based approach, in: International Conference on Concurrency The-ory (CONCUR), Springer, 2004.

[9] A.P.L. Ferreira, L. Foss, L. Ribeiro, Formal verification of object-oriented graphgrammars specifications, Electron. Notes Theor. Comput. Sci. (ENTCS) 175(2007) 101–114.

10] L. Baresi, P. Spoletini, On the use of alloy to analyze graph transformationsystems, in: Third International Conference on Graph Transformations (ICGT),2006, pp. 306–320.

11] V. Rafe, A.T. Rahmani, L. Baresi, P. Spoletini, Towards automated verifi-cation of layered graph transformation specifications, IET Softw. 3 (2009)276–291.

12] E.M. Clarke, K.L. McMillan, S.V.A. Campos, V.I. Hartonas-Garmhausen, Symbolicmodel checking, Comput. Aided Verif. 1102 (1996) 419–422.

13] J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill, L.J. Hwang, Symbolicmodel checking: 1020 states and beyond, Inform. Comput. 98 (1992)142–170.

14] S. Edelkamp, S. Leue, A.L. Lafuente, Directed explicit-state model checking inthe validation of communication protocols, Int. J. Softw. Tools Technol. 5 (2004)247–267.

15] D. Bosnacki, S. Leue, A.L. Lafuente, Partial-order reduction for general stateexploring algorithms, Int. J. Softw. Tools Technol. Transf. (STTT) 11 (2009)39–51.

16] A.L. Lafuente, Symmetry reduction and heuristic search for error detection inmodel checking, in: Workshop on Model Checking and Artificial Intelligence,2003.

17] E.A. Emerson, A.P. Sistla, Symmetry and model checking, Formal Methods Syst.Des. 9 (1996) 105–131 (Special issue on symmetry in automatic verification).

18] E.M. Clarke, R. Enders, T. Filkorn, S. Jha, Exploiting symmetry in temporal logicmodel checking, Formal Methods Syst. Des. 9 (1996) 77–104 (Special issue onsymmetry in automatic verification).

19] V. Gyuris, A.P. Sistla, On-the-fly model checking under fairness that exploitssymmetry, Formal Methods Syst. Des. 15 (1999) 217–238.

20] H. Kastenberg, A. Rensink, Model checking dynamic states in GROOVE, in: 13thInternational Conference on Model Checking Software, Springer-Verlag, Berlin,Heidelberg, 2006, pp. 299–305.

21] A. Rensink, I. Boneva, H. Kastenberg, T. Staijen, User manual for the GROOVEtool set, 2010, Available from: http://groove.cs.utwente.nl/wp-content/uploads/usermanual1.pdf

22] A. Valmari, Error detection by reduced reachability graph generation, in: Appli-cation and Theory of Petri Nets – APN, Venice, Italy, 1988.

23] A. Valmari, Heuristics for lazy state generation speeds up analysis of concurrentsystems, in: Finnish Artificial Intelligence Symposium STeP-88, Helsinki, 1988,pp. 640–650.

24] P. Godefroid, P. Wolper, Using partial orders for the efficient verification ofdeadlock freedom and safety properties, Formal Methods Syst. Des. 2 (1991)149–164 (Special issue on computer-aided verification: special methods II).

25] P. Godefroid, Using partial orders to improve automatic verification methods,in: 2nd International Workshop on Computer Aided Verification, Springer-Verlag, London, UK, 1991, pp. 176–185.

26] P. Willem, de Roever, The need for compositional proof systems: a survey, in:COMPOS’97 Revised Lectures from the International Symposium on Compo-sitionality: The Significant Difference, Springer-Verlag, London, UK, 1998, pp.1–22.

27] H. Peng, S. Tahar, A survey on compositional verification, 1998, Available from:http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.29.4911&rep=rep1&type=pdf

28] C. Courcoubetis, M. Vardi, P. Wolper, M. Yannakakis, Memory efficient algo-rithms for the verification of temporal properties, Formal Methods Syst. Des. 1(1992) 275–288 (Special issue on computer-aided verification).

29] U. Stern, D.L. Dill, Improved probabilistic verification by hash compaction,in: IFIP WG 10.5 Advanced Research Working Conference on Correct Hard-ware Design and Verification Methods, Springer-Verlag, London, UK, 1995, pp.206–224.

30] U. Stern, D.L. Dill, A new scheme for memory-efficient probabilistic verification,in: On Formal Description Techniques IX/Protocol Specification, Testing and

Verification XVI on Formal Description Techniques IX: Theory, Application andTools: Theory, Application and Tools, Chapman & Hall, Ltd., London, UK, 1996,pp. 333–348.

31] P. Wolper, D. Leroy, Reliable hashing without collision detection, in: ComputerAided Verification, 5th International Conference, 1993, pp. 59–70.

[

puting 24 (2014) 169–180 179

32] H. Sivaraj, G. Gopalakrishnan, Random walk based heuristic algorithms for dis-tributed memory model checking, Electron. Notes Theor. Comput. Sci. (ENTCS)89 (2003) 51–67.

33] F.J. Lin, P.M. Chu, M.T. Liu, Protocol verification using reachability anal-ysis: the state space explosion problem and relief strategies, in: ACMWorkshop on Frontiers in Computer Communications Technology, 1987,pp. 126–135.

34] C.H. Yang, Prioritized Model Checking, Stanford University, 1998.35] S. Edelkamp, A.L. Lafuente, S. Leue, Directed explicit model checking with HSF-

SPIN, in: SPIN Workshop, 2001, pp. 57–79.36] C.H. Yang, D.L. Dill, Validation with guided search of the state space, in: DAC’98

Proceedings of the 35th Annual Design Automation Conference, 1998, pp.599–604.

37] R. Bloem, K. Ravi, F. Somenzi, Symbolic guided search for CTL model checking,Des. Autom. (2000) 29–34.

38] S. Edelkamp, F. Reffel, OBDDs in Heuristic Search, in: KI, volume 1504 of LectureNotes in Computer Science, Springer-Verlag, 1998, pp. 81–92.

39] G. Friedman, A. Hartman, K. Nagin, T. Shiran, Projected state machine coveragefor software testing, in: ACM SIGSOFT International Symposium on SoftwareTesting and Analysis, 2002, pp. 134–143.

40] M.K. Ganai, A. Aziz, Efficient coverage directed state space search, in: Interna-tional Workshop on Logic Synthesis, 1998.

41] R. Behjati, M. Sirjani, M.N. Ahmadabadi, Bounded rational search for on-the-fly model checking of LTL properties, in: Third IPM International Conferenceon Fundamentals of Software Engineering, Springer-Verlag Berlin, Heidelberg,2010, pp. 292–307.

42] L.M. Duarte, L. Foss, F.R. Wagner, T. Heimfarth, Model checking the ant colonyoptimisation, Comput. Sci. 329 (2010) 221–232.

43] F. Chicano, E. Alba, Ant colony optimization in model checking, in: 11th Interna-tional Conference on Computer Aided Systems Theory, Springer-Verlag, Berlin,Heidelberg, 2007, pp. 523–530.

44] G. Francesca, A. Santone, G. Vaglini, M.L. Villani, Ant colony optimization fordeadlock detection in concurrent systems, in: 2011 IEEE 35th Annual ComputerSoftware and Applications Conference, IEEE Computer Society, Washington,DC, USA, 2011, pp. 108–117.

45] E. Alba, F. Chicano, M. Ferreira, J.G. Pulido, Finding deadlocks in largeconcurrent java programs using genetic algorithms, in: 10th Annual Confer-ence on Genetic and Evolutionary Computation, New York, NY, USA, 2008,pp. 1735–1742.

46] P. Godefroid, S. Khurshid, Exploring very large state spaces using genetic algo-rithms, Softw. Tools Technol. Transf. (STTT) 6 (2004) 117–127 (Special sectionon tools and algorithms for the construction and analysis of systems).

47] P. Godefroid, Model checking for programming languages using VeriSoft, in:POPL’97 Proceedings of the 24th ACM SIGPLAN-SIGACT Symposium on Princi-ples of Programming Languages, 1997, pp. 174–186.

48] A. Groce, W. Visser, Heuristics for model checking java programs, Int. J. Softw.Tools Technol. Transf. 6 (2004) 260–276.

49] S. Edelkamp, S. Jabbar, A.L. Lafuente, Heuristic search for the analysis of graphtransition systems, in: Graph Transformation (ICGT), 2006.

50] G.J. Holzmann, The model checker SPIN, IEEE Trans. Softw. Eng. 23 (1997)279–295.

51] G. Engels, J.H. Hausmann, R. Heckel, S. Sauer, Dynamic meta modeling: a graph-ical approach to the operational semantics of behavioral diagrams in UML, in:3rd International Conference on The Unified Modeling Language: Advancingthe Standard (UML’00), Springer, 2000, pp. 323–337.

52] L. Baresi, R. Heckel, S. Thöne, D. Varro, Modeling and validation of service-oriented architectures: application vs. style, in: 9th European SoftwareEngineering Conference held jointly with 11th ACM SIGSOFT InternationalSymposium on Foundations of Software Engineering (ESEC/FSE-11), 2003, pp.68–77.

53] R. Heckel, S. Thöne, Behavioral refinement of graph transformation-based mod-els, Electron. Notes Theor. Comput. Sci. (ENTCS) 127 (2005) 101–111.

54] T. Mens, On the use of graph transformations for model refactoring, in: Gen-erative and Transformational Techniques in Software Engineering (GTTSE’05),Springer, 2005, pp. 219–257.

55] G. Taentzer, K. Ehrig, E. Guerra, J. de Lara, L. Lengyel, T. Levendovszky, et al.,Model transformation by graph transformation: a comparative study, in:Workshop Model Transformation in Practice, Software and System modelings(Sosym), 2005.

56] M.R. Naddaf, V. Rafe, Performance modeling and analysis of software archi-tectures specified through graph transformations, Comput. Inform. 32 (2013)797–826.

57] L. Lamport, Verification and Specification of Concurrent Programs, A Decade ofConcurrency – Reflexions and Perspectives Lecture notes in computer science,vol. 803, Springer Verlag, 1993, pp. 347–374.

58] G. Gopalakrishnan, Computation Engineering: Applied Automata Theory andLogic, Springer Verlag, Berlin, Heidelberg, 2006.

59] H. Ehrig, G. Engels, H.J. Kreowski, G. Rozenberg, Handbook of graph grammarsand computing by graph transformation: applications, Lang. Tools (1999).

60] H. Ehrig, M. Pfender, H.J. Schneider, Graph-Grammars: An Algebraic Approach,in: Proceeding SWAT ‘73 Proceedings of the 14th Annual Symposium on

Switching and Automata Theory, IEEE Computer Society, swat 1973, pp.167–180.

61] R. Heckel, Compositional verification of reactive systems specified by graphtransformation, Fundament. Approaches Softw. Eng. (FASE) 1382 (1998)138–153.

1 oft Co

[

[

[

[

[

[

[

CTIT Workshop Proceedings, Vol. WP10-03, University of Twente, Enschede,

80 R. Yousefian et al. / Applied S

62] R.L. Haupt, S.E. Haupt, Practical Genetic Algorithms, John Wiley & Sons, Inc.,New York, NY, USA, 2004.

63] M. Mitchell, An Introduction to Genetic Algorithms, MIT Press Cambridge, MA,USA, 1999.

64] A. Kumar, Encoding schemes in genetic algorithm, Int. J. Adv. Res. IT Eng. 2

(March) (2013).

65] K.A. De Jong, W.M. Spears, A formal analysis of the role of multi-point crossoverin genetic algorithms, Ann. Math. Artif. Intell. 5 (1992) 1–26.

66] Á. Schmidt, Model Checking of Visual Modeling Languages, Budapest Universityof Technology, Hungary, 2004.

[

mputing 24 (2014) 169–180

67] R. Heckel, Graph transformation in a nutshell, Electron. Notes Theor. Comput.Sci. (ENTCS) 148 (2006) 187–198.

68] P. Backes, J. Reineke, A Graph Transformation Case Study for the Topology Anal-ysis of Dynamic Communication System, in: Transformation Tool Contest 2010,

2010, pp. 107–118.69] R.H. Carver, K.C. Tai, Modern Multithreading: Implementing, Testing, and

Debugging Multithreaded Java and C++/Pthreads/Win32 Programs, John Wiley& Sons, Inc., New York, NY, USA, 2005.